Protection against new ransomware viruses. The WannaCry ransomware virus has blocked your PC! How do you protect yourself from infection? Instructions for protecting your computer and the data on it


17.09.2020

In short: to protect data from ransomware, keep it on an encrypted disk backed by a crypto-container file, and keep a copy of that container in cloud storage.

  • The vendor's analysis of cryptolockers found that they go after documents; the container file of an encrypted disk was of no interest to them. This cannot be relied on for every family: some ransomware encrypts every file that is not on a short exclusion list, so the versioned cloud copy described below is the real safety net.
  • Files inside such a crypto-container are inaccessible to the virus while the disk is disconnected.
  • Because the encrypted disk is connected only while you work with its files, there is a good chance the cryptolocker either will not have time to encrypt it or will be noticed before then.
  • Even if a cryptolocker does encrypt files on such a disk, you can restore a backup of the container from cloud storage; it is created automatically every 3 days or more often.
  • Storing a copy of the container in the cloud is safe and easy. The data inside it is encrypted, so Google or Dropbox cannot look at it. Because a crypto-container is a single file, uploading it uploads all the files and folders inside it.
  • A crypto-container can be protected not only with a long password but also with a Rutoken-type electronic key combined with a strong password.

Ransomware such as Locky, TeslaCrypt, CryptoLocker and WannaCry is designed to extort money from the owners of infected computers, which is why it is also called extortion malware. After infecting a computer, the virus encrypts files with common document and media extensions (doc, pdf, jpg ...) and then demands payment for decrypting them. The victim is typically asked for a few hundred dollars; without a backup, paying is the only route the attackers leave to the data, and it carries no guarantee that a working decryptor will actually be delivered.

If the information is valuable, the situation is grim, and it is made worse by the fact that the virus shows a countdown and can delete the decryption key when it expires, removing any chance of getting the data back if you hesitate for too long.

Benefits of Rohos Disk Encryption to protect information from crypto-viruses:

  • Creates a crypto-container to protect files and folders.
    Uses on-the-fly encryption with the AES 256-bit algorithm.
  • Integrates with Google Drive, Dropbox, Cloud Mail.ru, Yandex Disk.
    Rohos Disk lets these services' sync clients periodically pick up the crypto-container and upload changes to the cloud, so the cloud keeps several revisions of the crypto disk (whether only changed blocks or the whole file travels depends on the service's client).
  • The Rohos Disk Browser utility lets you work with a crypto disk in a way that other programs (including viruses) do not get access to it.

Crypto container Rohos Disk

Rohos Disk creates a crypto-container and assigns it a drive letter in the system. You work with such a disk as usual; all data on it is encrypted automatically.

When the crypto disk is disconnected, it is inaccessible to all programs, including ransomware.

Integration with cloud storage

Rohos Disk lets you place the crypto-container in the cloud storage service's folder and periodically trigger synchronization of the container.

Supported services: Google Drive, Dropbox, Cloud Mail.ru, Yandex Disk.

If the crypto disk was connected when an infection occurred and the virus began encrypting data on it, you can restore the container image from the cloud. Google Drive and Dropbox track changes to files as revisions and let you restore a version of the container from the recent past (typically 30 days on consumer plans, longer on paid tiers; check your service's version-history limits). Keep in mind that the sync client will just as faithfully upload the ransomware-damaged container, so it is the version history, not the latest copy, that you restore from.
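The following PowerShell function is an added example, not Rohos code: it keeps timestamped copies of a crypto-container in a cloud-synced folder, verifies each copy, and flags a container whose hash changed while the disk was not mounted (that is, something other than you wrote to it). The container path, the `.container` extension, the sidecar file name and the parameter names are this example's own assumptions; the cloud client is assumed to sync whatever lands in the backup folder.

```powershell
# Added example (not part of the original article or of Rohos Disk).
# Assumptions: the container is a single file; $BackupDir is inside a
# cloud-synced folder; the state file name is this example's own choice.

function Backup-CryptoContainer {
    param(
        [Parameter(Mandatory)] [string] $Container,   # e.g. D:\secure\vault.container (assumed path)
        [Parameter(Mandatory)] [string] $BackupDir,   # e.g. $env:USERPROFILE\Dropbox\vault
        [int] $Keep = 10,                              # local revisions to retain in the sync folder
        [switch] $WasMounted                           # pass when the disk was opened since the last backup
    )

    if (-not (Test-Path -LiteralPath $Container)) { throw "Container not found: $Container" }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    $stateFile = Join-Path $BackupDir 'last-backup.sha256'
    $current   = (Get-FileHash -LiteralPath $Container -Algorithm SHA256).Hash

    # Tamper check: a container that was never mounted must be byte-identical
    # to the last backup. A changed hash means another process wrote to it.
    if ((Test-Path -LiteralPath $stateFile) -and -not $WasMounted) {
        $previous = (Get-Content -LiteralPath $stateFile -Raw).Trim()
        if ($previous -ne $current) {
            Write-Warning "Container changed while it was not mounted; not overwriting older revisions. Inspect $Container first."
            return $false
        }
    }

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $name  = [IO.Path]::GetFileName($Container)
    $dest  = Join-Path $BackupDir "${name}.${stamp}.bak"
    Copy-Item -LiteralPath $Container -Destination $dest

    # Verify the copy before trusting it as a restore point.
    if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $current) {
        Remove-Item -LiteralPath $dest -Force
        throw "Backup copy is corrupt: $dest"
    }
    Set-Content -LiteralPath $stateFile -Value $current

    # Prune revisions beyond $Keep; the file names sort chronologically because
    # of the timestamp. The cloud service keeps its own version history as well.
    Get-ChildItem -LiteralPath $BackupDir -Filter "${name}.*.bak" |
        Sort-Object Name -Descending |
        Select-Object -Skip $Keep |
        Remove-Item -Force

    Write-Host "Backed up $Container -> $dest"
    return $true
}

# Usage (run only while the encrypted disk is disconnected):
# Backup-CryptoContainer -Container 'D:\secure\vault.container' -BackupDir "$env:USERPROFILE\Dropbox\vault" -WasMounted
```

Run it from a scheduled task at the interval you want (the article's "every 3 days or more often"); when the warning fires, check the container and the cloud revision history before making any further backups, so that the damaged copy does not push the good revisions out of the retention window.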

Rohos Disk Browser utility

Rohos Disk Browser lets you open a crypto-container in an Explorer-like view without exposing the disk at the driver level to the whole system.

The advantages of this approach:

  • Disk contents are shown only inside Rohos Disk Browser.
  • No other application can reach the data on the disk.
  • The Rohos Disk Browser user can add a file or folder, open a file and perform other operations.

Isolation of the data from malware:

  • The files are not exposed to other programs, including Windows components. (This limits what ransomware running alongside you can touch; it does not stop malware with the user's privileges from capturing the password as it is typed or reading a file once you open it with another program.)

On May 12, 2017, reports appeared of the rapid spread of a ransomware virus called WannaCry, which can be translated as "I want to cry". Users have been asking how to update Windows against the WannaCry virus.

This is what the virus looks like on the computer screen:

Figure: the WannaCry ransom screen ("the bad WannaCry virus that encrypts everything")

The virus encrypts the files on the computer and demands a ransom of $300 or $600 paid to a Bitcoin wallet, supposedly in exchange for decrypting them. Computers in 150 countries were infected; Russia was hit hardest.

Megafon, Russian Railways, the Ministry of Internal Affairs, the Ministry of Health and other organizations came face to face with this virus. Ordinary Internet users were among the victims as well.

Almost everyone is equal before the virus. The difference is that inside companies the virus spreads across the organization's local network and infects as many computers as it can within minutes.

The WannaCry virus encrypts files on computers running Windows. Back in March 2017, Microsoft had released the MS17-010 updates for the Windows versions it still supported (Vista, 7, 8.1, 10 and the corresponding Server releases); on May 12, 2017 it also issued out-of-band patches under KB4012598 for the no-longer-supported Windows XP, Windows 8 and Server 2003.

So users with automatic Windows updates enabled were outside the risk zone: they received the update in time and the worm could not reach them over SMB. That does not cover every case (a patched machine is still not protected if the user runs the malware by hand), but the SMB hole that drove the outbreak was closed for them.

Figure: 3. Message when installing update KB4012212

After installation, update KB4012212 required a reboot of the laptop, which I did not particularly like, because you never know how that will end; but what choice does a user have? The reboot went fine. So we live quietly until the next virus attack, and that such attacks will come is, alas, beyond doubt.


In any case, it is important to have a backup of the operating system and of your files to recover from.

Windows 8 update against WannaCry

For a laptop with licensed Windows 8, update KB4012598 was installed, because

Is there protection against ransomware today? No. As sad as it sounds, that is how it is. There is no real protection and, apparently, there will not be. But do not despair: there are a number of simple rules that reduce the risk of infecting your computer. Before I give the list of recommendations, I want to say in advance that in this article I am not advertising any antivirus products; I am simply describing my own experience, since this malware has been caught twice in our office. After those cases we came up with a list of recommendations.

So, the first step is to make sure you have an up-to-date antivirus with fresh databases on board. My colleagues and I have experimented with products from various antivirus companies, and based on the results I can safely say that the best result was shown by the distribution from Kaspersky Lab. We worked with Kaspersky Endpoint Security for Business Standard. The detection rate against the ransomware was over 40%. So feel free to install an antivirus; do not disdain such programs.

The second step is to prohibit launching programs from the %AppData% folder. Again, it is not certain that the ransomware runs from this folder, but as a preventive measure it pays for itself by cutting down the number of possible attack vectors. Malware can also run from:

  • %TEMP%
  • %LOCALAPPDATA%
  • %USERPROFILE%
  • %WinDir%
  • %SystemRoot%

If you can control these directories, be sure to do it. One caveat: %WinDir% and %SystemRoot% cannot be blocked wholesale, or Windows itself stops running; restrict their user-writable subfolders instead, such as %WinDir%\Temp and %WinDir%\Tasks.
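Here is one way to implement that restriction, as an added example that is not part of the original article: a PowerShell script that writes Software Restriction Policy "Disallowed" path rules for the user-writable locations listed above directly into the registry. The path list, the rule descriptions and the choice of file types are this example's assumptions; adjust them for software that legitimately lives under %LOCALAPPDATA% (several browsers and chat clients do).

```powershell
# Added example (not from the original article). Run as Administrator.
# Creates SRP "Disallowed" (level 0) path rules; the policy takes effect after a
# reboot or log-off. A domain GPO that also sets SRP overrides this local policy.
# Caveat: never disallow %WinDir% itself; only its writable subfolders.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$base\0\Paths"          # subkey "0" holds Disallowed rules

# Locations to block. SRP path rules accept wildcards; "*\*.exe" covers one
# subfolder level, which is where most droppers unpack. Assumed list; adjust.
$blockPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',         '%Temp%\*\*.exe',
    '%UserProfile%\Downloads\*.exe',
    '%WinDir%\Temp\*.exe',  '%WinDir%\Tasks\*.exe',   # user-writable spots inside %WinDir%
    '%AppData%\*.scr', '%AppData%\*.js', '%AppData%\*.vbs', '%AppData%\*.cmd'
)

# Global SRP settings: default level Unrestricted, rules apply to all users.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DefaultLevel'        -Value 0x40000 -Type DWord  # Unrestricted
Set-ItemProperty -Path $base -Name 'TransparentEnabled'  -Value 1       -Type DWord  # all software files except DLLs
Set-ItemProperty -Path $base -Name 'PolicyScope'         -Value 0       -Type DWord  # all users, admins included
Set-ItemProperty -Path $base -Name 'AuthenticodeEnabled' -Value 0       -Type DWord

foreach ($p in $blockPaths) {
    $id  = '{' + [guid]::NewGuid().ToString() + '}'
    $key = "$disallowed\$id"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $p -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0  -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value "Block execution from $p" -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Show the rules that are now in place.
Get-ChildItem -Path $disallowed | ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Test the policy on one machine first: after a reboot, copying any .exe into %AppData% and launching it should fail with a "blocked by group policy" message, and every application users actually need should still start. The same restriction can be expressed with AppLocker on editions that support it, but SRP via the registry works on more Windows versions, including the older ones WannaCry hit.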

The most important point, and the red thread running through this whole article, is that backups are necessary and extremely important. At home you can safely use a free cloud service to store data, but not everyone has that option at work. If you are a sysadmin, design and run a backup scheme. If you are outside the IT department, check with your system administrator that critical data is backed up. You can also duplicate it in the cloud; fortunately there are plenty of free options: Yandex Disk, Mail.ru Cloud, Dropbox, Google Drive and others.

No technical measure alone will reliably protect you from ransomware. The first line of defense is therefore the user. Only knowledge and care help to avoid infection. Above all, never follow links or open attachments in emails from senders you do not know. Otherwise you risk losing your data with a high degree of probability.

Check the sender address and the attachment very carefully. If you are expecting an email with an attachment from a friend or business partner, make sure, when it arrives, that it really comes from the person you expect. It may take a little time, but the time spent on verification can save you a day of data recovery.

If you have the slightest suspicion about an email, contact your IT department immediately. Believe me, they will only thank you for it.

Several ransomware families host their command servers on the Tor network and download the malware body from them before they start encrypting. To reach those servers the malware has to connect out to Tor relays on the public Internet, and the IP addresses of those relays are published; there are currently about seven thousand of them. As a preventive measure, block outbound connections to the known relay addresses on your router or firewall, if it allows that, to make the malware's job as hard as possible. Note that blocking only the exit nodes is not enough: exit nodes carry traffic leaving Tor, whereas the malware enters Tor through guard relays.

Of course, none of the above guarantees that you will not end up on the list of victims, but these recommendations do reduce the risk of infection. Until real protection against ransomware is developed, our main weapon is attentiveness and caution.

  • More than 200,000 computers have already been infected.
  • The attack primarily targeted the corporate sector, followed by telecommunications companies in Spain, Portugal, China and England.
  • The heaviest blow fell on Russian users and companies, including Megafon, Russian Railways and, according to unconfirmed reports, the Investigative Committee and the Ministry of Internal Affairs. Sberbank and the Ministry of Health also reported attacks on their systems.
  • For decrypting the data, the attackers demand a ransom of 300 to 600 dollars in bitcoins (about 17,000 to 34,000 rubles).


Figure: interactive map of the infection
Figure: the ransom window
Figure: the file extensions the virus encrypts

Although the virus was aimed at the corporate sector, the ordinary user is not immune to WannaCry either and may also lose access to files.

  • Instructions for protecting your computer and the data on it from infection:

1. If you use Kaspersky Lab products, make sure the System Watcher component is installed; it can roll back changes made by ransomware that nevertheless managed to slip past the other protection layers.
2. Users of Kaspersky Lab anti-virus software should check that System Watcher is enabled.
3. ESET NOD32 for Windows 10 includes a check for new available OS updates. If you took care of this in advance and had it turned on, the required Windows updates were installed and the SMB hole this WannaCryptor virus uses, and similar attacks rely on, is closed on your system.
4. ESET NOD32 products also detect unknown threats using behavioral and heuristic technologies.

If a virus behaves like a virus, it is most likely a virus.

Since May 12, the ESET LiveGrid cloud technology has been very successful at repelling the attacks of this virus, and it did so even before the signature databases were updated.
5. ESET technologies also cover devices running older Windows systems: XP, Windows 8 and Windows Server 2003 (we recommend that you stop using these outdated systems). Because of the very high level of threat to these operating systems, Microsoft decided to release updates for them. Download and install them.
6. To minimize the threat to your PC, urgently update Windows 10: Start - Settings - Update & Security - Check for updates (on older versions: Start - All Programs - Windows Update - Check for updates - Download and install).
7. Install the official Microsoft patch (MS17-010), which fixes the vulnerability in the SMBv1 server (the EternalBlue exploit) through which the virus penetrates machines. That server component is what this attack uses.
8. Check that all available security tools are running on your computer.
9. Run a virus scan of the entire system. If a detection named MEM:Trojan.Win64.EquationDrug.gen is reported, reboot the system.
And once again, I recommend that you check that the MS17-010 patches are installed.
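The checks in steps 6, 7 and 9 can be scripted. The PowerShell below is an added example, not part of the original article: it looks for the MS17-010 patch identifiers, reports whether SMBv1 is enabled, and, if you uncomment the last line, disables SMBv1 and blocks inbound TCP 445 from outside the local network, which stops the worm's spreading even on a machine that could not be patched. The KB list is the March/May 2017 MS17-010 set; later cumulative updates supersede those KBs, so a missing KB on an otherwise up-to-date machine is not by itself proof of exposure. The function names are this example's own.

```powershell
# Added example (not part of the original article). Run as Administrator.
# Assumption: the hotfix IDs below are the 2017 MS17-010 patches for each
# Windows version; cumulative updates installed later do not carry these IDs,
# so treat "SMBv1 disabled" as the robust check.

function Test-MS17010 {
    $kbs = 'KB4012598',                        # XP, Vista, 8, Server 2003/2008
           'KB4012212', 'KB4012215',           # Windows 7 / Server 2008 R2 (security-only, rollup)
           'KB4012213', 'KB4012216',           # Windows 8.1 / Server 2012 R2
           'KB4012214', 'KB4012217',           # Windows Server 2012
           'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
    $found = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010Found = [bool]$found
        HotFixIDs    = ($found | ForEach-Object HotFixID) -join ','
    }
}

function Get-Smb1Status {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return $cfg.EnableSMB1Protocol }
    # Windows 7 / 2008 R2: the SMB1 value under LanmanServer\Parameters; absent means enabled.
    $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Server side: cmdlet where available, registry on older systems.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Value 0 -Type DWord
    }
    # Remove the SMBv1 optional feature (client and server driver) on Windows 10.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
    # Block inbound SMB from outside the subnet so the worm cannot reach this host from the Internet.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) from Internet' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

Test-MS17010 | Format-List
"SMBv1 enabled: $(Get-Smb1Status)"
# Disable-Smb1   # uncomment to apply the mitigations; reboot afterwards
```

Disabling SMBv1 breaks access to very old NAS devices, printers and Windows XP / Server 2003 hosts that speak nothing newer, which is exactly the equipment step 5 recommends retiring; inventory those dependencies before rolling the change out across an office.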

At the time of writing, specialists from Kaspersky Lab, ESET NOD32 and other anti-virus vendors were actively working on a file decryption tool that would help users of infected PCs regain access to their files.

© 2020 hecc.ru - News of computer technologies