PadCrypt is the newest strain of ransomware to be discovered. The features that make this ransomware unique simplify the restore process to encourage victims to pay to recover their encrypted files. Unlike previous versions of ransomware, PadCrypt provides a “LiveChat” link on the ransom note, so victims can get help from the attackers on how to make the ransom payment. In addition, the malware downloads and installs an uninstall program. When the uninstaller is executed, it removes the malware along with all ransom notes and files associated with it. Uninstalling it does not by itself recover the already encrypted files, but combined with payment it restores the victim’s system.
Ransomware is malware that encrypts the victim’s files and demands a ransom payment, in an untraceable digital currency called Bitcoin, in exchange for the decryption key. If the ransom is not paid within the specified time period, the price to recover the files increases. After a longer period, failure to pay results in the permanent deletion of the key. To date, the most significant ransomware threat targeting individuals and businesses in the United States is CryptoWall. Infection is most often the result of clicking a malicious link in a phishing email or opening a malicious email attachment, but ransomware can also be delivered when victims click on malicious advertisements on websites. Previous versions of ransomware provided information about how to purchase Bitcoins, and some offered web-based chat via the payment website, but none included a live support chat window in the ransomware itself.
Like the majority of ransomware, PadCrypt is delivered via email. PadCrypt emails contain a link that delivers a .zip archive. When decompressed, it reveals a file called “DPD_11394029384.pdf.scr”. The file appears to be a PDF, even displaying a .pdf icon, but the double file extension reveals that it is actually a .scr file. A .scr file is a screen saver: an executable that can display text animations or play slide shows, animations or videos. When a file with this extension arrives via email, however, it may contain executable code that is a worm or virus. Executable code provides instructions that the computer carries out. In the case of PadCrypt and other ransomware, the executable code encrypts files and deletes volume shadow copies to prevent disk recovery software from recovering copies of the unencrypted files. It also drops a .txt file on the desktop containing the ransom instructions, followed by a ransom screen with instructions on how to make the 0.8 bitcoin payment (equivalent to $350), telling you that you have 96 hours to pay. (What doesn’t make sense is that the screen also says the price, in the event of non-payment, will multiply on 01/01/1970.)
What can your company do to minimize the chance of being compromised by ransomware and suffering from the resulting downtime?
- Use a firewall and spam filter to block suspicious sites and attachments
- Enable popup blockers or at least avoid clicking on popups
- Train users to look at file formats before downloading attachments
- Train users to hover over links before clicking to determine whether they are linked to legitimate sites
- Do not run computers under Administrator accounts, to limit how far malware can spread if you’re infected
- Be sure that your company has recent backups – of both files and operating system – that are stored offsite or in the cloud
- Test your backups to make sure that they can be restored
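The double-extension lure described above (“DPD_11394029384.pdf.scr”) and the advice to check attachment formats and filter attachments at the gateway lend themselves to an automated check. The following is an added example, not code from this article or from Big Idea Technology; the extension lists, the trailing-dot normalisation and the in-memory sample archive are constructed assumptions for illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Final extensions Windows executes on double-click (.scr is a screen saver, i.e. a PE).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Document/image extensions borrowed as decoys, as in "DPD_11394029384.pdf.scr".
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    name: str
    executable: bool    # the real (last) extension is one Windows will run
    masquerading: bool  # a decoy document extension sits in front of it
    reason: str


def inspect_filename(name: str) -> Verdict:
    """Classify an attachment name by its real (last) extension. Windows drops
    trailing dots/spaces before picking a handler, so normalise the same way."""
    base = name.rsplit("/", 1)[-1].rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2:
        return Verdict(name, False, False, "no extension")
    final = parts[-1]
    if final not in EXECUTABLE_EXTS:
        return Verdict(name, False, False, f".{final} is not an executable type")
    decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
    if decoys:
        return Verdict(name, True, True, f".{final} hidden behind decoy .{decoys[-1]}")
    return Verdict(name, True, False, f"executable attachment (.{final})")


def inspect_zip(data: bytes):
    """Open an attached archive in memory and inspect every member name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [inspect_filename(n) for n in zf.namelist() if not n.endswith("/")]


def build_sample_archive() -> bytes:
    """Constructed sample ZIP mimicking the lure; member bytes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DPD_11394029384.pdf.scr", b"placeholder, not a real executable")
        zf.writestr("README.txt", b"benign placeholder member")
    return buf.getvalue()


if __name__ == "__main__":
    for v in inspect_zip(build_sample_archive()):
        print("BLOCK" if v.executable else "allow", v.name, "-", v.reason)
```

A gateway rule built on this would quarantine any archive member whose final extension is executable, and escalate those flagged as masquerading, regardless of the icon or the document-looking part of the name.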
If ransomware gets past your precautions and you see a text or HTML ransom note, immediately disconnect from the Internet. The next steps, to avoid paying the ransom, are to remove the ransomware from your computer and then restore your data from backup. Big Idea Technology recommends an image-based backup and business continuity solution that quickly restores files, applications and operating systems in the event of a disaster, minimizing downtime. Call us to learn how we can help to protect your business from the crippling effects of ransomware and other disasters.