Tag Archives: Sophos

Ransomware: the (Unfortunately Not) Missing .LNK

Paul Ducklin describes in some detail the rising tide of ransomware arriving by email attachment in the form of a .LNK file, and how this bit of trickery works: Beware of ransomware hiding in shortcuts. It’s by no means a new approach to distributing malware, but evidently still successful, not least because ‘LNK files don’t follow the View file name extensions setting in File Explorer, and … they can show up with an icon that is at odds with their real behaviour…’

Fortunately, Paul includes a series of useful tips that mitigate your exposure to this particular malicious behaviour, although they don’t block it completely. They include this one:

  • “Never open LNK files that arrive by email. We can’t think of any situation in which you would need, or even want, to use a LNK file that came via email. The name and icon will probably be misleading, so keep your eyes peeled for the tiny arrow that Windows shows at the bottom left of the icon.”

As true now as it was years ago…
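As an added illustration (not code from Paul’s article or from this blog), the following Python routine parses the Shell Link header and string data of a .lnk attachment, so that a mail gateway or an analyst can see what Explorer’s icon and hidden extension conceal: the icon location and any command-line arguments. The offsets and flag bits follow the MS-SHLLINK specification; the sample shortcut, its filename and its contents are constructed for the demonstration.

```python
import struct
# Offsets and flag bits per the MS-SHLLINK spec: 0x4C-byte ShellLinkHeader, optional sections in LinkFlags bit order.
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, paths, arguments, icon location) of a .lnk."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"icon_index": struct.unpack_from("<i", data, 0x38)[0]}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                  # CountCharacters, then the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[pos + 2:pos + 2 + width * count].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + width * count
    return out

def triage_attachment(filename: str, data: bytes) -> list:
    """Gateway-style checks on a mail attachment; returns human-readable findings."""
    if not filename.lower().endswith(".lnk"):
        return []
    findings = ["attachment is a Windows shortcut (.lnk)"]
    stem = filename[:-4]
    if "." in stem:   # e.g. report.pdf.lnk: Explorer hides .lnk, so the fake extension shows
        findings.append(f"double extension: would display as {stem!r}")
    info = parse_lnk(data)
    if info.get("icon_location"):
        findings.append(f"custom icon {info['icon_location']!r} may not match real behaviour")
    if info.get("arguments"):
        findings.append("shortcut passes command-line arguments to its target")
    return findings

def build_sample_lnk(arguments: str, icon_location: str) -> bytes:
    """Constructed minimal .lnk (no IDList or LinkInfo) used only to exercise the parser."""
    flags = HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, b"\0" * 16, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand 1 = SW_SHOWNORMAL
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (arguments, icon_location))  # spec order: arguments, icon
    return header + strings
```

Calling `triage_attachment("Invoice.pdf.lnk", build_sample_lnk("--constructed-args", r"%SystemRoot%\system32\shell32.dll"))` reports the shortcut, the double extension, the custom icon and the arguments.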

David Harley

Ducklin and Mustaca on Locky

Sorin Mustaca remarks that he’s sick and tired of seeing so many people affected by the current wave of ransomware attacks. He’s not alone there…

His article About ransomware, Google malvertising and Fraud is worth reading for the description of how Locky spam may try to convince you to enable macros “if the data encoding is incorrect.”

If you need more information, though, Paul Ducklin’s article for Sophos is characteristically informative and insightful: “Locky” ransomware – what you need to know

David Harley

Paul Ducklin on ransomware options

These days, I don’t think you can have too many articles about what to do when you’re hit with ransomware, especially articles written by someone as knowledgeable as Paul Ducklin.

Got ransomware? What are your options?

He includes sections on:

  • Shortcuts to recovery
  • Longcuts to recovery
  • Cracking the encryption

And those cover most of the recovery options, which is what most people will probably want to know. Unfortunately, those options aren’t always there, hence the downbeat tone of the ‘What to do’ section:

What we are saying is that if you really need your files back, and you haven’t taken any precautions such as backing up, then you don’t really have any choice but to pay.

We’d rather you didn’t pay up, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)

I’m afraid I’m totally in agreement with that. However, he does follow up with a list of ‘useful ransomware precautions’, and we can never make too many of those recommendations either. This is certainly a case where prevention is a much better option than cure. In brief, his recommendations include, if I can summarize:

  • Good backup strategy
  • Disable macros
  • Consider viewer apps
  • Distrust attachments
  • Don’t routinely run with admin privileges
  • ‘Patch early, patch often’

David Harley

Paul Ducklin on Cryptowall

Added to the ransomware resources page: a link to an article for Sophos by Paul Ducklin on Ransomware evolution: Another brick in the CryptoWall. As you’d expect, it has good info on CryptoWall specifically, plus links to info on other ransomware, and also a link to a paper well worth your consideration on how ransomware evolved from 2014 to 2015.

David Harley

Congratulations, Graham

Congrats to Graham Cluley of Sophos, who walked away from the Computer Weekly blog awards with not just one, but three awards:

IT Security blog of the year – http://www.sophos.com/blogs/gc/

Twitter user of the year – @gcluley

Overall Best blog – yes, same blog.

As a part-time blogger (on several sites!) myself, I have a fair idea of how much work it takes to produce a consistently high-quality blog, and I can only say that these awards were richly deserved.

However, this will not stop me making rude remarks here and on the ESET blog about his karaoke performances.

Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET
