Why Don’t they just Upgrade, Already..?!?

Is it me, or does this seem like it would be a no-brainer??

I’ve been in IT for a LONG time. I cut my teeth on Windows 95, Windows 98 and Windows 98SE. Microsoft’s Windows XP days were my heyday, because I wrote literally THOUSANDS of tips covering ALL of these Windows versions and Office 95 – 97 and Office 2000 – 2007 during my tenure there. By the time I was through, I was – and still am – one of the more knowledgeable Windows pundits out there.

Given all of the ransomware recently targeting older machines running unsupported versions of Windows – like Windows XP and Windows 8 – a lot of people are starting to point fingers, trying to figure out who exactly is at fault. Some blame Microsoft, because they’re Microsoft, because they run 97% plus of all the computers that run the businesses of the world, and because they have bazillions of dollars. Others blame the IT departments and workers in those businesses for not abandoning those outmoded operating systems for something more modern.

My former co-worker Paul Thurrott had this to say in his 2017-05-19 Short Takes:

WannaCry is not Microsoft’s fault

If you’re looking to point the finger of blame for WannaCry, I think we can find some better culprits than Microsoft. For example, the hackers responsible for this attack are an obvious place to start. The businesses—which include hospitals and other medical facilities, banks, and more—that are still inexplicably running Windows XP and putting their customers’ data in harm’s way. And yes, sorry, also the over-cautious IT staffs at businesses around the world who delay Microsoft security patches for far too long because they are in some cases trying to justify their employment or have just lost sight of what’s really important in the risk/benefit debate around Windows patching. I know it’s not everyone. But the sheer scope of this attack says a lot about how we do things. And it says almost nothing about Microsoft except that, in this case, they did the right thing. Stop deflecting the blame.

There are a number of issues in Paul’s quote – as well as other mitigating circumstances – that I want to touch on, but let’s start at the beginning… There are a lot of folks out there who may not know what WannaCry is.

WannaCry is a serious strain of malware/ ransomware targeting Windows PCs worldwide. The attacks from this nasty bug started on Friday 2017-05-12. The bug targeted computers and systems running Windows XP and Windows 8, and while it affected systems around the world, it was initially aimed at the UK’s National Health Service. Infected machines had their data encrypted and users were locked out, unable to access any data on any connected drive or system.

This originated as a phishing attack, meaning that someone emailed a potential target a message with an infected attachment. That person opened the attachment, releasing the virus. The hackers responsible demanded $300 USD in bitcoin to decrypt the affected machines. Aside from the UK’s NHS, Germany’s rail system, Renault and Nissan factories, FedEx, Spanish telecom Telefonica, and even Russia’s central bank got hit by the data-encrypting malware. In the end, well over 300,000 computers were infected globally.

There are a couple of things of note here:

  1. Why are these Older Systems Still Out there?
    To be blunt, there could be a number of reasons – The company using the machine doesn’t want to spend the money to replace the system, or they don’t have the money to replace the system because (reasons).More than likely, the effected machine is a legacy system sitting on a medical device or label printer or some other mission critical piece of equipment that is ONLY guaranteed to run on certain versions of an operating system, and the company that owns it can’t afford to replace it because nothing else like it is available; or they can’t find a way around the loss of the machine to their business process, or some other cost prohibitive reason that mandates that THAT specific machine stays exactly where it is, doing that one specific thing that the company can’t seem to live without.I’ve seen this happen at hospitals with ultrasound machines or some other medical device that can’t be replaced or upgraded due to licensing, budget or other cost based issues. I’ve also seen this happen in industrial settings (like the cited FedEx example, above) where there’s one piece of equipment that only runs software/ drivers that are compatible with a specific version of Windows and the business can’t or won’t replace it due to cost, or some other reason.As of this writing no known US government systems have been infected.
  2. Why haven’t the IT Departments Updated/ Upgraded these Systems?
    This is a multi-faceted issue. No matter how you slice it, the affected IT department carries a large part of the blame. In some cases, the IT department got overruled and management opted to roll the dice and risk getting hit by malware. However, Microsoft itself is also partially to blame here. Allow me to elaborate…

    Microsoft has a long history of releasing security patches and then patches for those patches, because their testing process failed to account for every driver of every peripheral possibly attached to every partner or OEM version of Windows out there. In other words, no matter how extensively Microsoft’s QA department tests, they’re always going to miss some edge cases, and that causes stuff to break in the wild.

    So, because there are so many different kinds of computers that can work with so many different kinds of devices and peripherals, Microsoft can’t release patches without breaking something, somewhere.

    As a result, many IT departments/ businesses unwilling to risk having some mission critical piece of equipment go down due to a bad or faulty patch being applied opt NOT to patch, leaving their systems buggy and vulnerable to attack.

    IT departments are also largely unwilling to apply patches to everyday production machines without the “proper” amount of testing being completed in their own test labs prior to deployment. In fact, in many cases, when Microsoft releases patches for previous patches, instead of updating their systems and living with the new problems (which could be bigger problems than the ones they’re currently living with), IT departments wait for “early adopters” to discover them. These wait-and-see IT departments gain the benefit of avoiding new bugs and issues at the expense of remaining unpatched and vulnerable to known vulnerabilities.

    For them, patching Windows has historically been a lose-lose game.

So, given all of this mess, what SHOULD you do?

That’s simple –

  1. Stop running an unsupported operating system.
    Even though Microsoft patched the WannaCry exploit months ago and also provided patches for Windows XP and Windows 8 (even when they said they weren’t going to provide patches for those OSes any longer), the best thing that you can do is find a way off the outdated, unsupported platform.
  2. Update Your Mission Critical Components
    In the case of mission critical hardware requiring drivers or other middleware only rated to run on older machines/ operating systems – find a way to live without them. Period. Change the business process, change operating systems/ platforms… do SOMETHING other than staying where you’re at. While it may be costly, in the end, it’s going to be cheaper than figuring out how to disinfect or decrypt affected systems.
  3. Upgrade Already!
    Microsoft is never going to allow the circumstances that let Windows XP stay on the market for 15 or so years to recur. It’s YOUR business’ responsibility to figure out how to get from one major OS version to another without killing the company’s productivity.

    WannaCry doesn’t target Windows 10. It also doesn’t work on patched systems.

So, is my PC at risk?

Your PC is at risk if it’s running

  • Windows Vista
  • Windows 8.x
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

If you’re running Windows XP, you need to upgrade immediately. If you’re running any of these other operating systems, Microsoft has issued patches to prevent WannaCry from infecting your system. Run the patch or upgrade your computer.

Regardless of which version of Windows you’re using, you need to make certain you’re up to date on all of your security patches.
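As an added example (not code from the original post), this PowerShell script classifies the running Windows version against the risk list above and asks the Windows Update Agent which security updates it still considers missing; run it from an elevated prompt on the machine you want to check.

```powershell
# Added example, not from the original post. Classifies the running Windows
# version against the post's risk list and lists security updates that
# Windows Update still reports as not installed. Run from an elevated prompt.
# Get-WmiObject is used instead of Get-CimInstance so the script also runs on
# the older PowerShell versions shipped with Vista/7.

function Get-WannaCryRiskClass {
    param([string]$Caption = (Get-WmiObject Win32_OperatingSystem).Caption)

    # Windows XP: the post's advice is to upgrade immediately, patch or not.
    if ($Caption -match 'Windows XP') { return 'Upgrade immediately' }

    # Versions the post lists as at risk unless the WannaCry patch is applied.
    $patchable = @(
        'Windows Vista',
        'Windows 8',             # also matches Windows 8.1
        'Windows Server 2008 R2',
        'Windows Server 2012',   # also matches 2012 R2
        'Windows Server 2016'
    )
    foreach ($name in $patchable) {
        if ($Caption -like "*$name*") { return 'Patch required' }
    }
    return 'Keep current'
}

function Get-MissingSecurityUpdates {
    # Windows Update Agent COM API; present on every version listed above.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    try {
        $result = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    } catch {
        Write-Warning "Windows Update search failed (service stopped or offline?): $_"
        return
    }
    foreach ($u in $result.Updates) {
        # Report only updates in the 'Security Updates' category.
        $isSecurity = $false
        foreach ($cat in $u.Categories) {
            if ($cat.Name -eq 'Security Updates') { $isSecurity = $true }
        }
        if ($isSecurity) {
            New-Object PSObject -Property @{
                Title     = $u.Title
                Severity  = $u.MsrcSeverity
                KBArticle = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            }
        }
    }
}

$os = Get-WmiObject Win32_OperatingSystem
"OS:   $($os.Caption) (build $($os.BuildNumber))"
"Risk: $(Get-WannaCryRiskClass -Caption $os.Caption)"
$missing = @(Get-MissingSecurityUpdates)
"Missing security updates: $($missing.Count)"
$missing | Format-Table KBArticle, Severity, Title -AutoSize
```

An empty missing-updates list only means Windows Update has nothing pending for this OS; on an unsupported version that is not the same as being patched, which is why the risk class is printed separately.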

OK, now that that’s out of the way, let’s talk about Paul’s statements and wrap this all up.

It’s not all Microsoft’s fault
There are literally hundreds if not thousands of different kinds of Windows-compatible peripherals out there that require some kind of driver or middleware to work, and Microsoft can’t buy and test them all. When you start working out the different permutations on all of these, it’s easy to get dizzy very fast. The best anyone can expect from Microsoft is to test those combinations that seem to be the most popular. After that, you’re on your own.

IT Departments Need to Upgrade
Debugging Windows problems can be a huge headache. The biggest way to avoid the problems is to not patch in many cases. Not everyone is going to get hit by every problem out there, so reducing cost by increasing risk can save a lot of time, money and headaches. However, when issues do arise, they tend to be big ones…

If your computer has been infected, you have a couple of options

  1. Restore from an Uninfected Backup
    Having a redundant backup plan is important. If you’re hit by WannaCry or any other virus and can’t get clean, restoring from a known-good backup may get you back up and running quickly. If you don’t have a redundant backup plan (local backup, local backup of backup and off-site backup), figure one out now.
  2. Blow the Machine and Start Over
    Cutting your losses and starting over may be the only option you have, especially if you don’t have an uninfected backup to restore to. In this case, starting over is likely your only option. This may be less painful if you have your data stored on a cloud service like Dropbox, Google Drive or Microsoft OneDrive. That way, with all of your data easily resyncable to your computer, all you need to do is install the OS, reinstall your apps and download all of your data. This is somewhat similar to the work in option #1, above.

The last thing you’ll need to do is make certain you have an anti-malware package installed and running on your machine. Having an offline anti-malware scanner for when you get bugs that your regular scanner can’t remove is also helpful.

Did you or anyone you know get hit by WannaCry? Have you ever gotten hit by any kind of ransomware or other piece of malware that basically killed your access to your computer and all of your data? Did you pay the ransom? Did you get your data back? Did the hacker make you pay more than once? How did you get rid of the infection? I’d love to hear about your situation, in detail. Why don’t you meet me in the discussion area, below and tell me all about it?

Related Posts:

Ransomware. Taking your Data Hostage

Yeah… Speaking of malware…

Introduction
With all of the email problems I’ve been having over the past month or so, I’ve had my hands full. I’m nearly certain that I’ve got some kind of malware. Removing it has been a real chore; but at least I don’t have any ransomware. Yeah. That would really suck.

Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay a ransom through an online payment system in order to regain access to their data or system. Some ransomware encrypts files. Other ransomware blocks communications.


No matter which way you look at it; you don’t have access to your data. Depending on how valuable that data is to you or to your organization, that can be a problem.

One of the most popular pieces of ransomware is CryptoWall or CryptoLocker – same thing. CryptoWall is a Microsoft Windows based Trojan horse. A computer that is infected with this virus has its hard drive encrypted, with the RSA decryption key held by a third party.

When infected, the virus payload installs itself in the user’s profile folder and then adds a key to the registry that causes it to run on startup. It then attempts to contact one of several designated command servers, where it retrieves a 2048-bit RSA key pair. The command server sends the public key to the infected computer.

The virus then encrypts the user’s files across all local and mapped network drives with the public key and logs each encrypted file in a registry key. The process only affects files with a specific extension type – usually those belonging to Microsoft Office, OpenDocument, JPEG, GIF, BMP, etc.

Once encrypted, the virus then displays a ransom message that includes a countdown clock. It demands a ransom of $400 USD or €400 in the form of a pre-paid cash voucher – like a MoneyPak – or an equivalent amount of BitCoin. If the ransom isn’t paid within the specified timeframe, your decryption key gets deleted, and then there’s no way to decrypt your data. Once paid, the user is able to download a decryption program, preloaded with the decryption key, that unlocks the files.

However, some victims have claimed that even though they have paid the ransom, their files were not decrypted.

Now, there are four ways to get rid of CryptoWall/ CryptoLocker once you get it. Some of them are easy, others are not. Let’s run them down so you know what the options are.

  1. Pay the Ransom
  2. Restore from a Non-Infected Backup
  3. Use an Appropriate Mitigation Method
  4. Call it Quits and Restart from Scratch

Pay the Ransom
Many security experts have said that with a 2048-bit encryption key, using some kind of brute force attack to get the decryption key is nearly impossible. Previous versions of the Trojan horse used 1024-bit keys, and while that may have been crackable – in at least one case, it was – doing so was not easy and took a great deal of time. That method also required the use of tools and skills that most consumers don’t have, can’t afford, and wouldn’t know how to use.

While removing the Trojan from an infected PC is possible, especially in its early encryption stages (depending on the amount of data in question, encryption can take quite a while), the nature of the infection is that it works in the background. Many users don’t know or see that anything bad is happening. In cases like this, many security experts initially agreed that the only way to recover files was to pay the ransom. Users can usually expect to receive their decryption key within 24 hours.

However, given the dishonest nature of the individuals behind the Trojan horse infection, the 24 hour waiting period and the fact that some people don’t always receive their decryption keys without the call for additional payments, this is a risky removal method. It’s certainly not guaranteed. They got your money once. It’s very likely that if you don’t get your decryption keys early in the 24 hour period, you will get asked to make additional payments.

It has been estimated by Symantec that up to 3% of all infected victims pay the ransom. It’s also been estimated that ransomware operators have collected upwards of $3.0M USD. So, while you may get your data back with this, paying the ransom doesn’t always get your life’s memories back; and it could end up costing you more than was originally asked for.

Regardless of how much you may pay, if this is the case, you’re going to want to make a backup of your decrypted data and then blow away your hard drive and reinstall Windows and all your applications from scratch. You’re also going to want to invest in a malware scanner and some kind of backup plan after that.

Whether it’s online or offline doesn’t matter. The key is starting from a known clean slate and then making certain you don’t get hit again.

Restore from a Non-Infected Backup
Even if your PC and all of your data become completely encrypted, if you have your computer’s restore DVDs AND you have a backup of your data from before it became infected (and that drive isn’t always connected to your PC), then you’re more than halfway home.

In this case, you can just go tell the malware creator to go pound sand.

However, this may take just a bit of work on your part. You’re going to have to do a few things to make certain you can safely get to your data.

Check the Status of your Backup
If your backup is done online, through services like Carbonite or Backblaze, you should be ok.

If you’re using a backup drive that’s connected to your PC all the time, it’s likely infected and encrypted. Likewise, if you’ve backed data up AFTER you got infected, that backup is likely encrypted and should be considered bad. Do NOT use that data.

If it’s not always connected to your PC, do NOT connect it to your infected PC. CryptoWall/ CryptoLocker will encrypt it. Check the status of the backup from ANOTHER, uninfected PC: check the last backup date and perform a malware scan on it. Once verified clean, that’s the state of the data you’re going to get back.

If you’ve got all of your data on a cloud service drive, you’re in even better shape, as it’s likely NOT encrypted. Those services should be set to scan all the data that comes into their data centers and should prevent infections like CryptoWall or CryptoLocker from infecting them. You just need to restore your PC (see below) and then log back into your cloud service and resync your data.

Restore Your PC
After you have the backup drive for your PC identified and set aside, you’re going to need to restore your PC back to factory fresh status. You’re going to need to do this no matter what you do (pay the ransom, restore from a non-infected backup or use a mitigation tool). Once compromised, it’s not good to continue to use a Windows installation that’s been infected by such a serious piece of malware.

If you have something like a Surface Pro or other tablet/ convertible device do NOT restore from the device’s recovery partition. There’s no way to know that it hasn’t also become infected as well.

In that case, you’re going to need to download the recovery image on a separate computer and then burn that image to a DVD, also from that separate computer. Do that and set it aside.

If you have a PC that has a set of restore DVDs, grab those now. Place the restore DVD (either the one you just made for your Surface or other similar device or the ones that come from your PC manufacturer) into either your PC’s DVD drive, or into a USB DVD drive connected to your computer.

You’ll need to set your UEFI or BIOS to boot from the DVD drive. Use that DVD to restore your computer. Once it finishes, you can reinstall your backup software and a suitable malware scanner. After you’ve updated all of the appropriate malware definitions and performed a malware scan on your newly configured PC, THEN connect your backup drive to your PC.

Perform a second malware scan on your backup drive before the restore. It’s better to be safe than sorry.

Once verified clean again, you can restore your data; and you should be good to go.

Use an Appropriate Mitigation Method
You should know up front that this is by far the riskiest option of all. It’s not easy, and you’re not guaranteed to be successful.

If you don’t have your data on some kind of cloud sync service, backed up to a drive that was connected to your PC BEFORE you got infected with CryptoWall/ CryptoLocker, and you aren’t using an online backup tool and you MUST get all of your data back, then you can try to use an appropriate mitigation method.

Now… this is where things get a bit sticky. If you’re not comfortable working with and modifying the Windows Registry, installing and updating hardware drivers or other low level components, then stop. It might be a good idea to take your infected computer to a trusted, reputable repair shop and let them handle it.

They’ll likely keep it for a few days. They may charge you $150 – $250 bucks to get rid of the virus; but you’ll likely get your computer back, with some to most of your data, without having to pay a huge sum to some crook.

In a nutshell, here are the steps you’ll need to perform:

  • Boot to Safe Mode
    In Windows 7, XP and Vista, you’ll need to restart or turn on your PC and quickly and continuously press F8 until you see the Advanced Boot Options screen. From here, you’ll have 30 seconds to use the up/down arrows to choose the “Safe Mode with Networking” option from the list and press the Enter Key.

In Windows 8/ 10, it’s best to start with the computer already on and sitting at the Windows Logon Screen.

Press and Hold the Shift key, and then click Restart. On the resulting screen select Troubleshoot – Advanced Options – Startup Settings, and then Restart. When your computer becomes active, select Enable Safe mode with Networking.

Let your PC boot into Safe Mode. Your PC should be up and running in Safe Mode. You should be logged in (do so if you aren’t) and you should have access to the Internet.

  • Download a Malware Removal App
    Open up a browser window and download SpyHunter or other spyware/ malware removal app. Purchase a licensed copy if you need to. Use it to remove CryptoLocker/ CryptoWall from your PC. Use that app to remove all of the malicious files that belong to the ransomware and complete the CryptoWall/ CryptoLocker removal.
  • Salvage your Data
    If this works, get your data off your computer and store it on a known clean drive. Then, refer back to the section above where I tell you how to rebuild your PC from scratch.

    Rebuild your PC from scratch. If you don’t get everything – and that’s possible, even with a good malware removal tool – you don’t want to be on a PC that’s had ransomware on it. Rebuild your PC and then put your data back on it.

If that doesn’t work, or if your version of CryptoWall/ CryptoLocker prevents you from booting to Safe Mode with Networking, then you can try something else. However, if this doesn’t work, your options become limited.

  1. Boot into Safe Mode with Command Prompt
    In Windows 7/ XP/ Vista, restart or turn on your PC and tap F8 multiple times until you see the Advanced Boot Options window. Use the up and down arrows to move down to Safe Mode with Command Prompt and press Enter.

    In Windows 8/ 10, at the Windows login screen, press and hold the Shift key and then click Restart. On the resulting screen select Troubleshoot – Advanced Options – Startup Settings, and then Restart. When your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings Window.
  2. Restore your System Files and Settings with System Restore
    Once the Command Prompt window is available, you should be logged into your computer and the Command Prompt window should be sitting at C:\Windows\system32.

    Type – cd restore – and press the Enter key.

    Type – rstrui.exe – and press the Enter key.

    When System Restore comes up, click the Next button and then select a restore point that is PRIOR to you getting infected with CryptoWall/ CryptoLocker. After that, click the Next button again.

    A warning dialog will display, notifying you that System Restore can’t be interrupted. Click the Yes button and let System Restore run and complete.

  3. Remove the Virus Files
    After System Restore completes, you can reboot your PC. After that, you can download Spy Hunter or other spyware/ malware removal app. Use it to get rid of the malware files
  4. Attempt to Salvage your Data
    You need to understand that using a mitigation method does NOT remove any encryption from your data. It just removes the malware. If your data is encrypted, you can try to use Windows’ Previous Versions feature to restore any files that may have been encrypted.

    To do that, find the file in question and right click it. Choose Properties from the context menu that appears. When the Properties dialog appears, look for the Previous Versions tab and look for a restore point for your file. Choose a date before you got infected, and follow the process.

    However, you need to understand that this method is ONLY effective after System Restore completes and the ransomware is removed. Ransomware often deletes Shadow Volume Copies, and this method may fail to work.
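As an added example (not part of the original post), this PowerShell script checks, before you start System Restore or Previous Versions, whether any restore points and shadow copies survive and which of them predate the infection; $InfectionDate is an assumed parameter you set to when the ransom screen first appeared, and the script must run from an elevated prompt.

```powershell
# Added example, not from the original post. Lists surviving System Restore
# points and Volume Shadow Copies and flags those dated before the infection,
# since both System Restore and Previous Versions depend on them and ransomware
# frequently deletes shadow copies. Run from an elevated Windows PowerShell.
# $InfectionDate is an assumed value; set it to when the ransom screen appeared.
param([datetime]$InfectionDate = (Get-Date).AddDays(-7))

function Get-RestorePointSummary {
    param([datetime]$Before)
    # Get-ComputerRestorePoint ships with Windows PowerShell (Vista and later).
    foreach ($rp in @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)) {
        # CreationTime is a DMTF timestamp string; convert it to a DateTime.
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($rp.CreationTime)
        New-Object PSObject -Property @{
            Sequence     = $rp.SequenceNumber
            Description  = $rp.Description
            Created      = $created
            PreInfection = ($created -lt $Before)
        }
    }
}

function Get-ShadowCopySummary {
    param([datetime]$Before)
    # Win32_ShadowCopy is what the Previous Versions tab reads from; an empty
    # list means that path is gone (the post's warning about deleted copies).
    foreach ($sc in @(Get-WmiObject Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($sc.InstallDate)
        New-Object PSObject -Property @{
            Volume       = $sc.VolumeName
            Created      = $created
            PreInfection = ($created -lt $Before)
        }
    }
}

$points  = @(Get-RestorePointSummary -Before $InfectionDate)
$shadows = @(Get-ShadowCopySummary  -Before $InfectionDate)
$usablePoints  = @($points  | Where-Object { $_.PreInfection })
$usableShadows = @($shadows | Where-Object { $_.PreInfection })

"Infection date assumed: $InfectionDate"
"System Restore points: $($points.Count) total, $($usablePoints.Count) dated before infection"
$points | Sort-Object Created | Format-Table Sequence, Created, PreInfection, Description -AutoSize

"Shadow copies: $($shadows.Count) total, $($usableShadows.Count) dated before infection"
$shadows | Sort-Object Created | Format-Table Volume, Created, PreInfection -AutoSize

if ($usablePoints.Count -eq 0) {
    "No restore point predates the infection: System Restore cannot roll back past it."
}
if ($usableShadows.Count -eq 0) {
    "No pre-infection shadow copy remains: Previous Versions will have nothing to offer; rely on an offline backup."
}
```

Only restore points and shadow copies flagged PreInfection are worth selecting in the System Restore or Previous Versions dialogs; a later one would simply restore the encrypted state.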

Call it Quits and Restart from Scratch
Ransomware is a very SERIOUS piece of malware. If you get it and you end up with your data encrypted, depending on how adventurous or wealthy you are, you can try one of the methods that I’ve listed above, or you can cut your losses and call it a day.

In other words, you can simply resign yourself to the fact that your data is gone and you can rebuild your PC, again, using one of the rebuild methods I noted, above.

Depending on how much you trust the drive you’ve got, you may want to just go and buy a new hard drive for your computer, put it in, and then rebuild your PC from scratch, again, using one of the rebuild methods I noted, above.

There are a few advantages to this. While it consigns your files to a permanent rubbish bin, it’s likely a much safer way to go, especially if you catch it early in the encryption process.

Conclusion
Ransomware is a huge problem in many countries around the world, especially in the United States. Malware is EVERYWHERE on the internet, and you can get it from visiting dubious websites and even through ads that display in a browser window. You can get malware from email, from infected files and just about anywhere else on the internet.

While you’re clean, the best thing for you to do is to make a backup of all of your data. You can use a backup program, or a cloud data service like Dropbox, Google Drive, OneDrive and the like. You can also use online backup programs like Carbonite or Backblaze. Whatever you do, though, make a backup of your data.

If you do find that you get infected with ransomware, again, you have very limited options. You can:

  1. Pay the Ransom
  2. Restore from a Non-Infected Backup
  3. Use an Appropriate Mitigation Method
  4. Call it Quits and Restart from Scratch

There’s a price to each of these, either in cold hard cash, or in time. Unfortunately, despite any of these methods, you’re likely going to experience some data loss, unless you have a recent, uninfected backup. So the rule here, as always should be to back up early and often.

But again, if you do get infected, the best thing to do as quickly as you can, is to get off the internet, remove the malware, rebuild your system and then restore your data. How you pull this together is up to you, but it isn’t easy, and it can often create other problems that you didn’t initially anticipate.

Related Posts:

Free your PC from ransomware with Anvi Rescue Disk

Rebuilding your PC after a malware infection is a total pain in the butt. It’s time-consuming, troublesome and occasionally problematic. Ransomware has been making the rounds worldwide, and short of forking over the required cash, there’s little you can do to save your PC from a complete rebuild once infected. Ridding your system of this malware is difficult. It’s well written and in most cases activates even in Safe Mode. It’s for this reason that I really like Anvi Rescue Disk. It’s a must-have Windows utility.


Anvi Rescue Disk helps users remove ransomware infections. If your computer is locked up due to a ransomware infection, and won’t even boot into safe mode, then Anvi Rescue Disk may be able to save your computer. In many Eastern and Western European nations, users have seen law enforcement logos displayed on their screens with messages saying that their browsing habits have broken the law and they must now pay a fine in order to be able to continue using their PCs. While this type of malware is extremely difficult to get rid of, Anvisoft seems to have finally found a way to combat this problem.

Using the software is simple. You download, burn a CD/DVD, restart your PC using the burned CD/DVD, scan and clean. A simple restart after that, and your PC should be ransomware free. However, a word of caution – both the problem and the cure are very new and likely to undergo a lot of tweaking in the immediate future. If you get infected more than once, you will likely need to rerun the tool or may need to wait for an update.

download Anvi Rescue Disk
