18.3.15 Warning – watch those email attachments!

Recently there have been two instances of Gisborne networks being hit with malicious software known as Cryptoware 3.0.

What does Cryptoware do?

Cryptoware once active on a user’s computer, proceeds to attack all files on network shares; these are the disk letters above C: that you see when you look in My Computer.  Files are encrypted with AES keys – these are virtually impossible to break – and are rendered unusable.  The types of files attacked include all MS Office files – word documents, spreadsheets etc – PDFs, Quickbooks, CAD files and may more.  Such an attack would have disastrous consequences for any business.

The creators of Cryptoware leave messages throughout the attacked folders informing users that their data has been ‘protected by encryption.’  The user is then instructed to pay a ransom.  Once paid, decryption keys are provided to unencrypt the files again.  The ransom is a significant amount and anecdotes on the internet suggest that the keys don’t always work.


What does an attacked site have to do?

Options for are an attacked site are: pay the ransom or lose most data or go to backups – if they haven’t been damaged too.


What about antivirus?

Of the two businesses attacked that we are aware of, one had no virus protection but the other did.  In the second case, the virus protection stepped in and stopped the attack but not before a significant number of files were damaged.

The final (and best) line of defence is still you the user.


How can you help protect against attacks?

In all reported cases, the Cryptoware files are installed by a process which starts with opening an attachment in an email or following a link in an email.  Email is the source of Cryptoware attacks.

You should  apply these rules when handling email:

  • Don’t open attachments or follow links in emails from people you don’t know.  The mails will often have relevant subject lines and appear to originate from courier companies, government agencies, banks and other legitimate organisations.  Preferably these emails should remain unopened and be binned immediately.
  • Don’t open attachments or follow links in emails from people you do know unless you have ascertained that the attachment or link is genuine.   If the sender’s network is affected, they may send you malicious mail unwittingly  .
  • Try to avoid sending mails with attachments to other users in your own network.
  • The instructions above are doubly important if you are a member of a mail group which has its address published on the web.Don’t ignore pop up messages from your virus checker.  If it tells you that an item is dangerous or suspect, let it delete or quarantine it – this is usually done automatically.  Don’t disable your antivirus software.

Don’t use unauthorised USB sticks, cameras or other devices with data capacity.  These can introduce an infection into the network.



The creators of Cryptoware are apparently targeting Australia and New Zealand so it may not be a matter of if an attack is directed at your business but more a case of when.


Be afraid and be careful. 

Also take care at home.  There is a variant of this software which encrypts data on home users PCs.  Make sure you have adequate virus protection and apply the same rules to email that you do at work.  Backup your important data to a cloud account.  Cryptoware destroys photos!!