Afraid to use flash drives after ransomware attack


Hi,

I'm not sure if this is the right thread to post this in, and if it's not, I'm sorry; maybe it would have belonged better in "General PC Help"... But I'm really looking for an answer I can't seem to find. Here goes my situation:

I suffered a ransomware attack on my work computer a few weeks ago. The ransom has been paid and we got my files back (and a backup plan has been set up so we don't find ourselves stuck in the same situation should it happen again). The decrypted files were put back on the computer after it had been wiped clean, and all is well on that side.

What bothers me, though, is that I have no idea when or how that virus entered my computer, or how long it took to encrypt my files (hours? days? months??). I know that ransomware can travel through the computer to infect any external drives that may have been connected to it, and I connected a few USB flash drives in the weeks before getting the stupid "what happened to your files" message. So I'm wondering: how do I know whether or not those USB flash drives are infected? How can I even safely verify that?

Because if they are indeed infected, the virus is just going to travel to the computer and start its dirty work again, right? Or if a few (or all) files on the drives are encrypted, would they be able to start the viral process again, or do they need the "main" virus file to do so (which was on my work computer; your anti-malware found it)? Then again, could the main virus file have copied itself onto my drives? Ugh, so many questions (I'm sorry!)... I haven't connected the drives to any computer since the attack because of the fear it could all just happen again (whether on my personal or work computer).

Would you have an answer or a solution for me? Or am I just over paranoid about it?

Thanks a lot in advance!

~Molianne


The vast majority of ransomware are trojans, not viruses.  They don't self-replicate and thus do not autonomously spread.  Presently ransomware trojans are not spread as AutoRun worms, which spread through the use of flash drives and removable read/write media.  However, that condition may change.  Since ransomware are trojans, they need assistance to spread.  They mostly use social engineering techniques, which is a human exploit, as well as exploiting software vulnerabilities.  The most common methodology seen today is malicious email and its attachments.  They use social engineering as a "hook" to get you to open the attachment and examine what purports to be a document but is in reality a malicious script, or a document that is specially crafted to be malicious.  Chances are very likely that your employer received one of these malicious emails and an employee did not use proper caution, opened the attachment and ultimately was infected with the ransomware.  I don't know how your employer is set up, so I can't list all the ways to help mitigate the issue when it comes to malicious email.

One should disable AutoRun/AutoPlay on the computer.  If this is a work computer then it is incumbent upon your employer to do that by policy.  There are many other computer policies that should be invoked, but since you are an employee, not the employer, I won't list them.  Your employer needs to seek professional help in mitigating malware threats and enforcing a data backup regimen that would make the ransomware less of a threat.

As for flash drives and removable read/write media in general, one should have an anti-virus application that is set to automatically scan flash drives and removable read/write media, as well as block the execution of files through the AutoRun/AutoPlay capability.

One should not worry about one kind of malware such as those performing cryptovirology (such as ransomware).  One should be concerned about ALL malware and the various methods of ingress they may use.  If you apply a good broad-spectrum defense posture to protect yourself against all malware, then the likelihood of one malware type getting through is greatly lessened.  I compare this to securing one's home.  If you lock and bolt the front door, the burglar may gain entrance through a window.  However, if you look at all the ingress points in the home and secure all points of entry, that threat is greatly diminished.

 

Edited by David H. Lipman
Spelling and Grammar
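The reply above says AutoRun/AutoPlay should be disabled by policy but does not show where that setting lives. The script below is an added example, not something from the thread or from Malwarebytes: it audits the Windows registry values behind the "Turn off AutoPlay" and "Default behavior for AutoRun" policies and, with -Apply, sets them to the hardened values for all drive types. It assumes Windows 7 or later with PowerShell 5.1 and an elevated shell for the HKLM keys; on a domain-joined PC the employer's Group Policy will overwrite whatever is set locally at the next refresh, so there the equivalent GPO is the right place to change it.

```powershell
# Added example: audit and optionally harden AutoRun/AutoPlay policy values.
# Run as: .\Set-AutoRunPolicy.ps1          (report only)
#         .\Set-AutoRunPolicy.ps1 -Apply   (write hardened values; elevated shell needed for HKLM)
param([switch]$Apply)

$policies = @(
    # NoDriveTypeAutoRun is a bit mask of drive types to exclude from AutoRun.
    # Windows' default is 0x91 (or 0x95); 0xFF disables AutoRun on every drive type,
    # which is what the "Turn off AutoPlay: All drives" policy writes.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 0xFF },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 0xFF },
    # NoAutorun = 1 means "do not execute any autorun commands" from autorun.inf;
    # absent or 0 is the weak setting.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun'; Want = 1 },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun'; Want = 1 },
    # Per-user switch behind "Use AutoPlay for all media and devices" in Settings; 1 = off.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'; Name = 'DisableAutoplay'; Want = 1 }
)

function Get-PolicyValue {
    # Returns the DWORD as an int, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-AutoRunPolicy {
    # One row per policy value: what is set now versus what the hardened value is.
    foreach ($p in $policies) {
        $current = Get-PolicyValue -Path $p.Path -Name $p.Name
        [pscustomobject]@{
            Key      = "$($p.Path)\$($p.Name)"
            Current  = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
            Wanted   = '0x{0:X}' -f $p.Want
            Hardened = ($current -eq $p.Want)
        }
    }
}

function Set-AutoRunPolicy {
    # Creates the Policies\Explorer keys if missing and writes each value as a DWORD.
    foreach ($p in $policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Want -Force | Out-Null
    }
}

if ($Apply) { Set-AutoRunPolicy }
Test-AutoRunPolicy | Format-Table -AutoSize
```

A row showing Hardened = False with Current = (not set) is the normal state of a fresh install: Windows' built-in default only excludes some drive types, so an explicit 0xFF is what you want to see. Sign out and back in (or reboot) after applying so Explorer picks up the new values.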

HI David,

Thank you so much for your answer, I understand it better now! And sorry about the virus vs. trojan terminology, it was my French slang taking over me...! The employer/work side is all covered now. This is the second attack that has happened to the owner, so the IT team (professionals) did what needed to be done (at least to my knowledge).

I'm usually good at working out what's legit and what is not in terms of malware (incoming emails, websites, weird-looking links and the like) and my personal computer has been kept free of malware for years now; this is why it angered me SO much to catch the worst of them all, and especially at work. The IT guy told me that if I had been in a quieter place, I probably would have heard the computer "working" while my files were being encrypted... But I'm wondering, how long does it take? They can't all be encrypted within seconds... So say for my almost full 1 TB external hard drive; if my files are being encrypted over a one-week period, and I copy one somewhere else, would I be able to read the file if I haven't received the ransom message yet? I'm sorry, I think I'm rambling here...

My last question would be: would you recommend MCShield as a flash drive anti-malware? Or can Malwarebytes Anti-Malware be set to do that?

Thanks again!!

~Molianne


It takes some time to encrypt files.  The time it takes is a function of media speed, CPU, quantity of files and target data file size.  However, I am not sure you would have heard the computer "working".  You would not have foreknowledge and thus you would assume it was just a normal busy process.  The hard disk activity light may be constantly on, but there too you would assume it was just a normal busy process.  It would be a background process not unlike any other.  If the system uses a Solid State Drive (SSD) there are no sounds to begin with, only a disk activity light.

I don't think I can quantify a time, but a week to encrypt 1 TB seems a bit long.  But I really don't know.  As for data being encrypted, it is a function of the ransomware sub-type (such as Locky and CryptoWall) and the availability of the data.  If it is a mapped drive (a drive letter assigned to an NT share) that is available at the time of the malicious process, then that can be targeted.  Any read/write media available at the time of the process may be targeted.  Data that is offline cannot be targeted.  If a backup device is read/write media (such as an external hard disk or flash drive) it should be disconnected or turned off when it is not in operation.  It should be noted that the majority of ransomware wipes out the Volume Shadow Copy cache of data.

I can't speak to MCShield because I am not acquainted with the product.

What is the anti-virus application that you are presently using?

Edited by David H. Lipman
spelling
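The point above that most ransomware wipes out the Volume Shadow Copy cache is also one of the few noisy things it does before the ransom note appears, which makes it worth alerting on. The script below is an added example and not part of the thread: it scans process-creation log lines for the command lines commonly used to delete or evict shadow copies and disable Windows recovery. The four sample lines are constructed for illustration, and their field layout (Time, PID, Image, CommandLine, ParentImage) is an assumption modelled on a Sysmon Event ID 1 export rather than any real log.

```powershell
# Added example: detect shadow-copy and recovery tampering in process-creation logs.
# Constructed sample lines (not a real log); layout assumed: one event per line with
# Time, PID=, Image=, CommandLine= and ParentImage= fields in that order.
$sampleLog = @'
2016-03-14 09:12:01 PID=2140 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic os get caption ParentImage=C:\Windows\System32\cmd.exe
2016-03-14 09:12:07 PID=4312 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet ParentImage=C:\Users\molianne\AppData\Local\Temp\invoice_2016.exe
2016-03-14 09:12:08 PID=4320 Image=C:\Windows\System32\bcdedit.exe CommandLine=bcdedit /set {default} recoveryenabled No ParentImage=C:\Users\molianne\AppData\Local\Temp\invoice_2016.exe
2016-03-14 23:00:02 PID=880 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin list shadows ParentImage=C:\Program Files\BackupAgent\agent.exe
'@

# Command lines ransomware families commonly issue so victims cannot restore from shadow copies.
$tamperPatterns = @(
    @{ Name = 'Delete shadow copies (vssadmin)'; Regex = '(?i)vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'Delete shadow copies (wmic)';     Regex = '(?i)wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Name = 'Evict shadow copies by resizing'; Regex = '(?i)vssadmin(\.exe)?\s+resize\s+shadowstorage' },
    @{ Name = 'Disable Windows recovery';        Regex = '(?i)bcdedit(\.exe)?\s+.*recoveryenabled\s+no' },
    @{ Name = 'Delete backup catalog';           Regex = '(?i)wbadmin(\.exe)?\s+delete\s+catalog' }
)

function Find-ShadowCopyTampering {
    # Returns one object per matching event. $TrustedParents lists parent images
    # (regexes) allowed to touch VSS, e.g. a backup agent, so they do not alert.
    param([string[]]$Lines, [string[]]$TrustedParents = @())
    $eventRegex = '^(?<Time>\S+ \S+) PID=(?<ProcId>\d+) Image=(?<Image>.+?) CommandLine=(?<Cmd>.+?) ParentImage=(?<Parent>.+)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $eventRegex) { continue }
        # Copy the fields out now: the inner -match below replaces $Matches on success.
        $time = $Matches.Time; $procId = $Matches.ProcId
        $cmd  = $Matches.Cmd;  $parent = $Matches.Parent
        $trusted = $false
        foreach ($t in $TrustedParents) { if ($parent -match $t) { $trusted = $true } }
        foreach ($p in $tamperPatterns) {
            if ($cmd -match $p.Regex) {
                [pscustomobject]@{
                    Time        = $time
                    ProcessId   = [int]$procId
                    Technique   = $p.Name
                    CommandLine = $cmd
                    ParentImage = $parent
                    Trusted     = $trusted
                }
            }
        }
    }
}

$lines = $sampleLog -split "`r?`n" | Where-Object { $_.Trim() -ne '' }
# With the constructed sample this reports two events, both spawned by invoice_2016.exe
# out of the user's Temp folder; the "vssadmin list shadows" line from the backup agent
# is informational and does not match any tamper pattern.
Find-ShadowCopyTampering -Lines $lines -TrustedParents @('\\BackupAgent\\') |
    Format-Table Time, ProcessId, Technique, ParentImage, Trusted -AutoSize
```

Legitimate backup software does manage shadow copies, so the parent image is the field that separates an administrator's job from a trojan: a deletion spawned by an executable in a user's Temp or Downloads folder, seconds before a flurry of file writes, is the pattern to page on. On a real host the same function can be fed Sysmon or Security 4688 events once they are flattened into the assumed one-line layout.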

OK, got it, thanks!

Regarding my external hard drive, it is indeed turned off when I'm not using it. It is a mapped drive (I assigned it the letter K, for instance), so I've gotten into the habit of shutting it down just so I wouldn't mess anything up (or in case of malware).

Anyway.

I used to have a Kaspersky antivirus running (real-time protection) a few years ago, but I found it slowed down the computer too much, so I didn't buy it again the following year. I've been using Malwarebytes Anti-Malware to run scans periodically for quite some time now and only recently downloaded Malwarebytes Anti-Exploit as an extra layer. Other than that, I try to "just be careful" even though I do know it is absolutely not the best strategy.

~Molianne


Kaspersky is a very good anti-virus application with settings that protect flash drives and removable media.  I suggest going back to that in conjunction with Malwarebytes' Anti-Malware Pro.

If you think that Kaspersky software slows the PC down too much, I suggest Avira AntiVir in conjunction with Malwarebytes' Anti-Malware Pro.

 


I think I'm all set. I've taken note of your advice regarding the anti-virus applications you suggested and will look into that in the very near future.

Thank you so, so much for your replies; you've successfully reassured me and helped me understand better how ransomware works. I'm less worried about plugging my flash drives back in (still haven't done it yet, though), because if I understood right, the trojan "root" (?) should not have copied itself onto them, so it won't be spreading and beginning the encryption process all over again, which was my main concern. If some files are already encrypted on one of them, so be it, I'll just delete them and go on with my day without worry.

So once again, thank you, thank you, thank you!

~Molianne

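The original question of how to safely check a flash drive was answered in principle (AutoRun off, an anti-virus that scans removable media) but not as a procedure. The script below is an added example and not advice from the thread or from Malwarebytes: with AutoPlay already turned off, it inventories a drive without opening or running anything on it, flags the files a practitioner would look at first (autorun.inf, executables and scripts, "document" names with executable extensions, hidden executables), hashes them for submission to an anti-virus or online scanner, and prints an extension histogram, since a drive where almost every file carries one unfamiliar extension has been encrypted rather than infected. It assumes Windows with PowerShell 3 or later; the drive letter E:\ and the extension lists are assumptions to adjust.

```powershell
# Added example: read-only triage of a flash drive. Plug the drive in only after
# AutoPlay is disabled, do not double-click anything on it, then run this script
# with the drive's root. E:\ is an assumed drive letter.
param([string]$Root = 'E:\')

# Extensions Windows will execute directly, or that droppers commonly hide behind.
$execExt = @('.exe','.scr','.com','.pif','.msi','.bat','.cmd','.vbs','.vbe',
             '.js','.jse','.wsf','.wsh','.hta','.ps1','.lnk','.jar')
# A "document" base name in front of an executable extension, e.g. invoice.pdf.exe
$docNamePattern = '(?i)\.(pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|jpeg|png|txt|zip)$'

function Get-FlashDriveTriage {
    # Walks every file under $Root (hidden and system included) and returns a report
    # object: file count, flagged files with reasons and SHA-256, and the top extensions.
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { throw "Drive root '$Root' not found" }
    $files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($f in $files) {
        $ext = $f.Extension.ToLowerInvariant()
        $isExec = $execExt -contains $ext
        $isHidden = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $reasons = @()
        if ($f.Name -ieq 'autorun.inf')               { $reasons += 'autorun.inf present' }
        if ($isExec)                                  { $reasons += 'executable or script' }
        if ($isExec -and $f.BaseName -match $docNamePattern) { $reasons += 'double extension (document name, executable type)' }
        if ($isExec -and $isHidden)                   { $reasons += 'hidden executable' }
        if ($reasons.Count -eq 0) { continue }
        # Hashing reads the file but never runs it; the hash can be checked against
        # your anti-virus vendor or an online scanner without uploading the file.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        foreach ($r in $reasons) {
            $findings.Add([pscustomobject]@{
                Reason   = $r
                Path     = $f.FullName
                Bytes    = $f.Length
                Modified = $f.LastWriteTime
                SHA256   = $hash
            })
        }
    }

    # Extension histogram: thousands of files all ending in one extension you never
    # used (Locky, for example, renamed encrypted files to .locky) means the drive's
    # contents were encrypted; that is data loss, not a live infection.
    $histogram = $files |
        Group-Object { $_.Extension.ToLowerInvariant() } |
        Sort-Object Count -Descending |
        Select-Object -First 8 @{ n = 'Extension'; e = { $_.Name } }, Count

    [pscustomobject]@{ FileCount = $files.Count; Findings = $findings; TopExtensions = $histogram }
}

$report = Get-FlashDriveTriage -Root $Root
"Files scanned under ${Root}: $($report.FileCount)"
$report.TopExtensions | Format-Table -AutoSize
$report.Findings | Format-Table Reason, Path, Bytes, Modified -AutoSize
```

If the drive must also be protected from being written to while you look, Windows honours a WriteProtect DWORD of 1 under HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, which makes all USB storage read-only until the value is removed again. An empty Findings list and a histogram of ordinary document extensions is the result the thread's advice predicts for a drive that was merely plugged into the infected PC; a single unexpected executable is a reason to scan that file, not to reformat everything.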

Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.