Ransomware and HOWDECRYPT Protections

LATEST UPDATE: October 28, with an updated list of known HOWDECRYPT e-mail subjects.

What is ‘ransomware’ and what is the HOWDECRYPT infection?

Ransomware is an infection (typically classed as malware or a crypto-virus) that locks a computer system, encrypts the files on the machine, and demands a payment to criminals in order to decrypt the files and release the computer. The HOWDECRYPT virus (also known as the how_decrypt virus) is the most prolific type of ransomware to date. It is similar to the older CryptorBit and CryptoDefense, and it targets all versions of the Microsoft Windows operating system: Windows XP, Windows Vista, Windows 7, and Windows 8. Once a machine is infected with the HOWDECRYPT virus, the infection scans the computer and encrypts every data file it finds regardless of the file type or extension.

Specifics on the HOWDECRYPT virus

The HOWDECRYPT virus will create a HowDecrypt.txt file and a HowDecrypt.gif in every Windows folder that HOWDECRYPT encrypts. The GIF and TXT files that download alongside the HOWDECRYPT virus will contain instructions to access a fraudulent payment website to pay the fake ransom.  The message displayed by the HOWDECRYPT virus is utilized in order to scare victims into paying an unnecessary ransom.

The message displayed on the common HOWDECRYPT screen is listed below:

All files including videos, photos, and documents on your computer are encrypted. Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody will be able to restore files.

How does HOWDECRYPT virus get onto a computer?

The HOWDECRYPT cryptovirus infection can be contracted via suspicious emails and downloads including freeware, shareware, codecs, torrents and more.  It is also promoted in malicious advertisements from sites like Facebook, and in some search results.

To determine if you have this virus, look for the files listed below on the local PCs and/or on the server itself. The three files will be named either HOWDECRYPT or DECRYPT and appear in Windows Explorer as the following types:

HOWDECRYPT GIF Image
HOWDECRYPT HTML Document
HOWDECRYPT Text Document
or
DECRYPT GIF Image
DECRYPT HTML Document
DECRYPT Text Document

*** Merely removing these three files does not remove the infection!  If these files exist it is likely the infection has damaged your system and is continuing to encrypt files.

I think I have an infection, what do I do?

If you are seeing files similar to HowDecrypt.txt or HowDecrypt.gif, or you are unable to open files, you are likely infected.  Cease using your system immediately.  If possible, disconnect your system from your network by removing the network cable or turning off wireless.  Typically any money paid will NOT result in a decryption.  Rather, the methods used for sending the payment will open you up to identity theft or outright theft of your bank accounts and credit card info.  We cannot stress this enough: If you are infected with HOWDECRYPT malware, do not pay the fine, make contact with the hacker, or click any links or available navigation buttons!  Please disconnect your system from your network and contact us at ESG immediately upon finding any of the infected file traces.

How do I protect myself from ransomware?

Preventing an infection involves staying away from untrusted ads, links, e-mails, and websites.  Avoid opening e-mails with any of the subject lines shown in our list below, and avoid attachments that you are not expecting.  Reduce or eliminate the time employees spend on sites like Facebook and MSN where ads can contain dangerous links because the service does a poor job of policing their advertisers.  Additionally, consider the following management and automation solutions in order of priority for your systems and users:

  • Have ESG install Symantec.cloud on every system including your server(s); do not leave an open door for the infection to utilize
  • Purchase a layered backup solution from ESG or make sure your self-handled backups are running properly
  • Implement ESG Internet Filtering to protect your systems/users from malicious websites and reduce lost time due to employees surfing non-work-related sites
  • Add layers of protection to your e-mail through opt-in spam filtering like Sendio from ESG
  • Disable unneeded network shares and remove any shares that are read/write open to ‘everyone’ as these can allow the infection to spread or hide

I want to try to clean my system myself, what can I do?

While we do not recommend that clients attempt to clean their systems by themselves, we understand that some may want to try or may want to have an understanding of the cleaning process. The following information is provided for education only and does not constitute an endorsement of self-cleaning. Once you become aware of the virus, to self-clean you would take these steps:

  1. Remove the system from your network as soon as possible.  If the infection is on a server have all users shut down their workstations/laptops.
  2. Right-click one of the decrypt files and choose Properties. In Properties, go to the Security tab and click the Advanced button at the bottom right, then open the Owner tab at the top of the Advanced window. That shows which user account owns the file, which gives you a clue as to which account allowed the infection to occur.
  3. Power off the infected system and deal with it last.
  4. Go to every PC on the network (or in your home) and search for those three files. Verify who has the virus and who doesn't. Whoever does have it will need to be removed from the network.
  5. With the infected machine(s) identified, each one will need to be cleaned/erased using Safe Mode and tools such as Symantec.cloud, MalwareBytes, rkill, and a rebuild with the Windows operating system disks.
  6. Once these steps are taken, or during the process, delete the decrypt files from the network drive.
  7. Depending on the severity of the infected files, a restore from a monthly full or daily partial backup may be needed.
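Steps 2 and 4 above (find which machines carry the three note files, and read each file's owner to learn which account wrote it) can be done from one administrative workstation instead of walking to every PC. The script below is an added example, not the post's own procedure or an ESG tool. It assumes the account running it is a local administrator on each host so the hidden C$ share is reachable, and the host names in $Hosts are constructed placeholders. Reading files over the admin share does not execute anything, but the post's advice still stands: pull any host that shows a hit off the network.

```powershell
# Added example (not from the original post): sweep hosts for the HOWDECRYPT /
# DECRYPT ransom-note files and report path, owner and write time per hit.
# Assumes admin rights on every host and that \\HOST\C$ is reachable.

$Hosts     = @('WS01', 'WS02', 'FILESRV01')       # constructed placeholder names
$NoteNames = @('HowDecrypt.txt', 'HowDecrypt.gif', 'HowDecrypt.html',
               'Decrypt.txt',    'Decrypt.gif',    'Decrypt.html')

$Hits = foreach ($h in $Hosts) {
    $root = "\\$h\C$"
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "$h : admin share not reachable (powered off or already isolated)"
        continue
    }
    Get-ChildItem -Path $root -Recurse -Force -File -Include $NoteNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Host    = $h
                Path    = $_.FullName
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner   # step 2: who wrote the note
                Written = $_.LastWriteTime
            }
        }
}

# The earliest note on each host is roughly where encryption started there;
# the Owner column is the account the infection ran under on that machine.
$Hits | Sort-Object Written | Format-Table Host, Written, Owner, Path -AutoSize
$Hits | Group-Object Host | Select-Object Name, Count            # step 4: which hosts are infected
$Hits | Export-Csv -NoTypeInformation -Path "$env:TEMP\howdecrypt-sweep.csv"
```

Run the sweep against the file server's shares as well as workstations: a note file on a shared folder whose owner is a workstation user's account tells you which workstation to clean first, and the write times tell you how far back your restore (step 7) needs to reach.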

The current list of known e-mail subjects that carry the virus includes:

  • USPS – Your package is available for pickup(Parcel 173145820507)
  • USPS – Missed package delivery (“USPS Express Services” <service-notification@usps.com >)
  • USPS – Missed package delivery
  • FW: Invoice <random number>
  • ADP payroll: Account Charge Alert
  • ACH Notification (“ADP Payroll” <*@adp.com>)
  • ADP Reference #09903824430
  • Payroll Received by Intuit
  • Important – attached form
  • FW: Last Month Remit
  • McAfee Always On Protection Reactivation
  • Scanned Image from a Xerox WorkCentre
  • Scan from a Xerox WorkCentre
  • Scanned from Xerox
  • Annual Form – Authorization to Use Privately Owned Vehicle on State Business
  • Fwd: IMG01041_6706015_m.zip
  • My resume
  • New Voicemail Message
  • Voice Message from Unknown (675-685-3476)
  • Voice Message from Unknown Caller (344-846-4458)
  • Important – New Outlook Settings
  • Scan Data
  • FW: Payment Advice – Advice Ref:[GB293037313703]/ACH credits/Customer Ref:[pay run 14/11/13]
  • Payment Advice – Advice Ref:[GB2198767]
  • New contract agreement.
  • Important Notice – Incoming Money Transfer
  • Notice of underreported income
  • Notice of unreported income – Last months reports
  • Payment Overdue – Please respond
  • FW: Check copy
  • Payroll Invoice
  • USBANK
  • Corporate eFax message from “random phone #” – 8 pages (random phone # & number of pages)
  • Past due invoices
  • FW: Case FH74D23GST58NQS
  • Symantec Endpoint Protection: Important System Update – requires immediate action
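The parcel numbers, reference numbers, phone numbers and page counts in these subjects change from one mailing to the next, so an exact-match block list misses most of them. The PowerShell below is an added example, not part of the post: it turns the list into regular expressions that keep the fixed wording and tolerate the randomized parts, and tests subjects against them. The four subjects at the bottom are constructed samples; the function and pattern names are ours.

```powershell
# Added example (not from the original post): match incoming subject lines
# against the known HOWDECRYPT lure subjects, with the randomized parts
# (parcel/reference numbers, phone numbers, page counts) generalized.
# PowerShell's -match is case-insensitive by default.

$LurePatterns = @(
    '^USPS\s*[-–]\s*(Your package is available for pickup|Missed package delivery)',
    '^FW:\s*Invoice\b',
    '^ADP (payroll: Account Charge Alert|Reference #\d+)',
    '^ACH Notification$',
    '^Payroll (Received by Intuit|Invoice)$',
    '^Important\s*[-–]\s*(attached form|New Outlook Settings)$',
    '^FW:\s*Last Month Remit$',
    '^McAfee Always On Protection Reactivation$',
    '^Scan(ned)?( Image)? from (a )?Xerox( WorkCentre)?$',
    '^Annual Form\s*[-–]\s*Authorization to Use Privately Owned Vehicle',
    '^Fwd?:\s*IMG\d+_\d+_m\.zip$',
    '^My resume$',
    '^New Voicemail Message$',
    '^Voice Message from Unknown( Caller)? \(\d{3}-\d{3}-\d{4}\)$',
    '^Scan Data$',
    '^(FW:\s*)?Payment Advice\s*[-–]\s*Advice Ref:\[[A-Z0-9]+\]',
    '^New contract agreement\.?$',
    '^Important Notice\s*[-–]\s*Incoming Money Transfer$',
    '^Notice of (under|un)reported income',
    '^Payment Overdue\s*[-–]\s*Please respond$',
    '^FW:\s*Check copy$',
    '^USBANK$',
    '^Corporate eFax message from .+[-–]\s*\d+ pages?$',
    '^Past due invoices$',
    '^FW:\s*Case [A-Z0-9]+$',
    '^Symantec Endpoint Protection: Important System Update'
)

# Returns the pattern that matched, or $null when the subject is not on the list.
function Test-LureSubject {
    param([Parameter(Mandatory)][string]$Subject)
    $s = $Subject.Trim()
    foreach ($p in $LurePatterns) {
        if ($s -match $p) { return $p }
    }
    return $null
}

# Constructed samples: three lures with fresh random parts, one ordinary subject.
@('USPS - Your package is available for pickup(Parcel 449810223371)',
  'Voice Message from Unknown (212-555-0134)',
  'ADP Reference #11223344556',
  'Q3 budget review') | ForEach-Object {
    [pscustomobject]@{ Subject = $_; Lure = [bool](Test-LureSubject -Subject $_) }
}
```

Treat a match as one signal to quarantine the message for review rather than the only defence: the senders change subjects regularly, which is why the post puts opt-in spam filtering and a blanket rule against unexpected attachments ahead of any subject list.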

Daily backup of your data is the only remedy against data loss!

Earlier in this post we discussed how you can avoid ransomware issues.  However, should you get infected with ransomware the only way to avoid data loss and to ensure that viruses like this one do not significantly disrupt your business is through a solid backup plan.  It is imperative that you conduct daily backups or engage us at ESG to handle your backups for you. Having a nightly backup or at least a full weekly/monthly backup will minimize the amount of data lost to a ransomware infection and enable ESG to assist you in quickly getting back to near your original state.

Without a backup of your files, should you get infected it is unlikely that ESG or any firm can recover your damaged files.