LATEST UPDATE: October 28, with an updated list of known HOWDECRYPT e-mail subject lines.
Ransomware is malware (often called a crypto-virus) that locks a computer, encrypts the files on it, and demands a payment to criminals in exchange for decrypting the files and releasing the machine. The HOWDECRYPT virus (also known as the how_decrypt virus) is the most prolific ransomware we have seen to date. It is similar to the older CryptorBit and CryptoDefense and targets every current version of Microsoft Windows: Windows XP, Windows Vista, Windows 7, and Windows 8. Once HOWDECRYPT has infected a machine, it scans the computer and encrypts every data file it finds, regardless of file type or extension.
HOWDECRYPT drops a HowDecrypt.txt file and a HowDecrypt.gif in every folder in which it encrypts files. These TXT and GIF files contain instructions for reaching the criminals' payment website and paying the ransom; the message is written to frighten victims into paying.
The message displayed on the HOWDECRYPT screen reads as follows:
All files including videos, photos, and documents on your computer are encrypted. Encryption was produced using a unique public key generated for this computer. To decrypt files, you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody will be able to restore files.
The HOWDECRYPT crypto-virus is contracted through suspicious e-mails and downloads, including freeware, shareware, codecs and torrents. It is also spread through malicious advertisements on sites such as Facebook, and through some search results.
To determine whether you have this virus, look for the files listed below on the local PCs and/or on the server itself. You will find either the three HOWDECRYPT files or the three DECRYPT files:
HOWDECRYPT GIF Image
HOWDECRYPT HTML Document
HOWDECRYPT Text Document
or
DECRYPT GIF Image
DECRYPT HTML Document
DECRYPT Text Document
*** Merely removing these three files does not remove the infection! If these files exist it is likely the infection has damaged your system and is continuing to encrypt files.
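As an added example (this is not ESG's own tooling, and the how_decrypt/Decrypt file-name spellings beyond those listed above, the share paths, and the demo folder are assumptions), the following PowerShell script sweeps the drives or shares you give it for the note files, reports the folder, creation time and owner of each hit, and summarises when the encryption run started and which account it is running under. Run it on the file server itself, with an account that can read every share, for a whole-network view.

```powershell
# Added example, not ESG's own tooling: sweep local drives and file-server shares for the
# ransom-note files HOWDECRYPT drops, then summarise where they are and which account wrote them.
# Requires PowerShell 3.0 or later. The demo tree at the bottom is constructed for illustration.

# Note file names from this page (Windows file names are case-insensitive, so HOWDECRYPT.TXT also matches).
$NoteNames = @(
    'HowDecrypt.txt',  'HowDecrypt.gif',  'HowDecrypt.html',
    'How_Decrypt.txt', 'How_Decrypt.gif', 'How_Decrypt.html',   # assumed spelling of the "how_decrypt" variant
    'Decrypt.txt',     'Decrypt.gif',     'Decrypt.html'
)

function Find-HowDecryptNotes {
    param(
        # Local drives or UNC paths to sweep, e.g. 'C:\', 'D:\', '\\fileserver\data' (assumed names)
        [Parameter(Mandatory)][string[]]$Roots
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Skipping unreachable root: $root"
            continue
        }
        # -Force includes hidden files; access-denied folders are skipped instead of aborting the sweep.
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $NoteNames -contains $_.Name } |
            ForEach-Object {
                # On a file server the note is written over SMB by the infected user's session,
                # so its owner usually identifies the workstation to pull off the network.
                $owner = 'unknown'
                try { $owner = (Get-Acl -LiteralPath $_.FullName).Owner } catch { }
                [pscustomobject]@{
                    Folder       = $_.DirectoryName
                    Note         = $_.Name
                    CreationTime = $_.CreationTime
                    Owner        = $owner
                }
            }
    }
}

function Get-HowDecryptSummary {
    param([Parameter(Mandatory)][string[]]$Roots)
    $hits = @(Find-HowDecryptNotes -Roots $Roots)
    if ($hits.Count -eq 0) {
        Write-Output 'No HOWDECRYPT note files found under the given roots.'
        return
    }
    $sorted = @($hits | Sort-Object CreationTime)
    [pscustomobject]@{
        NotesFound = $hits.Count
        FoldersHit = @($hits | Select-Object -ExpandProperty Folder -Unique).Count
        FirstNote  = $sorted[0].CreationTime    # approximate start of the encryption run
        LatestNote = $sorted[-1].CreationTime   # still moving forward between runs = still encrypting
        Owners     = ($hits | Group-Object Owner | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join '; '
    }
}

# --- Demo on a constructed directory tree; replace $demo with real drive letters or shares ---
$demo = Join-Path ([IO.Path]::GetTempPath()) ('howdecrypt-demo-' + [guid]::NewGuid().ToString('N'))
$null = New-Item -ItemType Directory -Path "$demo\Finance", "$demo\HR", "$demo\Clean"
Set-Content -LiteralPath "$demo\Finance\HowDecrypt.txt" -Value 'All files including videos, photos, and documents on your computer are encrypted.'
Set-Content -LiteralPath "$demo\Finance\HowDecrypt.gif" -Value 'GIF89a'
Set-Content -LiteralPath "$demo\HR\HOWDECRYPT.TXT"      -Value 'All files including videos, photos, and documents on your computer are encrypted.'
Set-Content -LiteralPath "$demo\Clean\budget.txt"        -Value 'ordinary file, not a ransom note'

Find-HowDecryptNotes -Roots $demo | Format-Table Folder, Note, Owner, CreationTime -AutoSize
Get-HowDecryptSummary -Roots $demo

Remove-Item -LiteralPath $demo -Recurse -Force
```

The Owner column is the useful part on a file server: the note is created by the infected user's session, so that account tells you which workstation to disconnect first. If LatestNote keeps advancing between two runs a few minutes apart, the encryption is still in progress and the source machine has not yet been isolated. Finding the notes and deleting them does nothing about the infection itself, as the warning above says.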
If you see files similar to HowDecrypt.txt or HowDecrypt.gif, or you cannot open your files, you are probably infected. Stop using the system immediately. If possible, disconnect it from your network by unplugging the network cable or turning off wireless, so that it cannot keep encrypting files on shared drives. Paying typically does NOT result in decryption; worse, the payment methods expose you to identity theft and outright theft from your bank accounts and credit cards. We cannot stress this enough: if you are infected with HOWDECRYPT, do not pay the fine, do not contact the criminals, and do not click any links or navigation buttons on the ransom screen. Disconnect the system from the network and contact us at ESG immediately upon finding any of the infected file traces.
Preventing an infection means staying away from untrusted ads, links, e-mails and websites. Do not open e-mails with any of the subject lines in our list below, and do not open attachments you were not expecting. Reduce or eliminate the time employees spend on sites like Facebook and MSN, whose ads can carry dangerous links because those services police their advertisers poorly. Additionally, consider the following management and automation solutions, in priority order, for your systems and users:
While we do not recommend that clients attempt to clean their systems themselves, we understand that some may want to try, or may simply want to understand the cleaning process. The following information is provided for education only and does not constitute an endorsement of self-cleaning. Once you become aware of the virus, self-cleaning would involve these steps:
Earlier in this post we discussed how to avoid ransomware. Should you be infected anyway, the only way to avoid data loss and keep viruses like this one from significantly disrupting your business is a solid backup plan. It is imperative that you run daily backups, or engage us at ESG to handle your backups for you. A nightly backup, or at the very least a full weekly or monthly backup, will limit the data lost to a ransomware infection and let ESG bring you quickly back to near your original state. Keep at least one copy somewhere the infected machine cannot write to (offline media, or a backup system that is not exposed as a mapped drive), because a backup the virus can reach is just another set of files for it to encrypt.
Without a backup of your files, it is unlikely that ESG or any other firm can recover your damaged files should you be infected.