Sunday, November 13, 2016

My guess for next gen malware encryption

I am going to make a bet that the next generation of file encryption malware is going to be a lot nastier.  Your best defence is:

  • Backups.  Keep multiple backups, and keep them disconnected from any network once the backup is done.  Don't just do backups, test them!  Too many times someone approaches me saying they need help because they tried to restore files from backups and the backups don't work;
  • Up-to-date software.  When patches come out for your operating system and applications, install them ASAP.  Most of the time those patches fix holes that the hackers are already using.  It does not matter what O/S you use; Windows, Linux and OS X all need to be up-to-date;
  • Home routers.  Keep them up-to-date also.  Sometimes your ISP will patch their routers; ASK them to keep their hardware up-to-date;
  • Good anti-virus software, kept up-to-date;
  • Not opening attachments from emails that you didn't ask for is also a good step;
  • Good web surfing habits.  Sometimes a site will pop up 'You need to update or install this program to view'.  Don't trust any site doing this.  Most of the time it is for Flash, and people think 'Oh, I am out-of-date again' and click install.  NEVER DO THAT; go directly to the source of the program and check.  If it is out-of-date, install from the maker directly and not from a web site.
Unfortunately the writers of these nasty programs won't stop there.  They have been using malicious ads, getting them onto legitimate sites that serve ads, and trying to infect you when you view those "ads" while bypassing any request for your permission to install.

Right now, when your system is infected and your files are encrypted, some people recommend turning back the system clock so the payment deadline does not expire.  Right now that works, but I suspect not for very long.  The writers of these programs know that "trick" and I suspect they are working on how to counter it.  I see them saving the system clock information and the network time information at the time of infection.  With that they know exactly when they installed on your system.  They can also determine the basic time differential between your system clock and network time.  If they compare that information the next time the program runs, it may just nuke your files if the date on the system clock is earlier than their time-stamp.  Also, if they are really nasty, they will also nuke the files if they cannot make a connection to the network to verify the time.  When they can make a connection, they will use the time differential to see if you played with the system clock.  I would also be willing to bet that they will advertise what they did and why, so that word spreads that playing with your system clock or unplugging from the network will nuke your files.  I don't know if (or when) that will happen, but it will make your backups much more important, as the only way to restore your system will be a total wipe and restore.