Online Support Computing Ltd

Ransomware Watch: MSIL/Samas Destroys your Backups

Ransomware Watch: MSIL/Samas Destroys your Backups

If you’re not familiar, in our Ransomware Watch series we look at the different strains of malware that encrypt data before holding it to ransom.

The MSIL/Samas outbreak in recent weeks has sparked fast-growing concern amongs leading security firms as well as the FBI.

The alarming difference between MLIS/Samas and a typical strain of Ransomware is that it seeks to infect entire networks, not just single PCs.

Why is it so dangerous?

Using a programme called JexBoss, fraudsters can easily find out of date JBoss software on servers, which would allow them to remotely install the Ransomware. It can also be spread via email attachments.

Because it encrypts data across the entire network, it also finds local backups and encrypts them, so restoration of data from these are impossible.

The cyber-criminals behind the virus have also been know to target industries that rely on the use of data on their networks.  This includes Finance, Property, Charities, Healthcare and others.

How to avoid Ransomware

Anti-virus software might pick up emails with dodgy attachments, but if someone can remotely access your server and install the Ransomware remotely then there’s not a lot you can do.  This is why it’s very important that you have the most up-to-date software.

As we’ve described in our previous CryptoWall post, we recommend avoiding the following to help steer clear of infection:

  • Any emails with attachments which looks like an invoice, complaint or purchase order or from an address you don’t recognise.  Always verify with the sender that this is a genuine email before you decide to open the attachment.
  • Any emails with .ZIP attachments.  This is how the Cryptowall attachments are usually displayed.  Check it with the sender to verify it.
  • Any emails with .exe attachments. These will almost definitely be a virus – never open. Usually they will hide a .exe file within a zip file. You can check the file extension to make sure.
  • Using personal email accounts – If using web-based email accounts like gmail, hotmail, Yahoo!, etc. – any email needs to be checked meticulously as these will not have the same level of protection as company email accounts.  If you need to check your personal emails, we would recommend using your mobile phone.

You’ve been infected, what can you do?

It’s not easy to decrypt data without paying for a key.  The easiest way to get your data back is to wipe the machine and restore from a backup.  Tape and USB backups slow and unreliable, so you will lose roughly 50% of your data.  If your backups are stored somewhere on your network, they will be encrypted too.

The only other saving grace is if you have secure off-site backups.