Ransomware targeting businesses

Not every business has an I.T. specialist on staff. This leaves many businesses vulnerable to ransomware attacks.


The Edmonton Police Service has noticed an increase in calls for service related to Cryptolocker ransomware. This form of malware encrypts the computer's files and leaves only a ransom note from the attacker demanding a sum of Bitcoin in exchange for the key needed to decrypt them; without that key the files cannot be recovered. In recent EPS investigations, the attacker gained access to Windows systems through Remote Desktop Protocol (RDP), either by exploiting vulnerabilities in unpatched Windows systems or, more commonly, by brute forcing the password.


If you or your IT staff use RDP to remotely access your computer system, please enable two-factor authentication, firewall RDP so that only specific IP addresses can reach it, or, preferably, disable RDP completely. If you leave RDP exposed, attackers will continually run brute force attacks against your systems, and once they gain access they will encrypt your systems and leave you with few options. With the latest ransomware variants there is no known way to decrypt your files yourself.
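The brute forcing described above shows up in the Windows Security log as a stream of failed logons (event ID 4625) from the same source addresses. The following PowerShell script is an added example, not part of the EPS advisory, that counts those failures per source IP over a chosen window and flags sources that look like a password-guessing campaign. The 24-hour window and the threshold of 20 failures are assumed starting points; the field positions used for a 4625 event are the standard ones for that event.

```powershell
# Added example (not from the EPS advisory): summarise failed logons
# (Security event 4625) per source IP and flag likely RDP brute force.
# Run in an elevated PowerShell on the machine that accepts RDP.
param(
    [int]$Hours = 24,      # assumed window
    [int]$Threshold = 20   # assumed cut-off; tune for your environment
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Field positions in a 4625 event: 5 = TargetUserName, 10 = LogonType, 19 = IpAddress
$failures = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $p[5].Value
        LogonType = [int]$p[10].Value
        SourceIp  = $p[19].Value
    }
}

# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, a failed RDP pre-authentication is logged as type 3 (Network), so
# keep both. Drop local and unknown sources.
$rdpFailures = $failures | Where-Object {
    $_.LogonType -in 3, 10 -and $_.SourceIp -notin '-', '127.0.0.1', '::1'
}

$report = $rdpFailures |
    Group-Object SourceIp |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp   = $_.Name
            Failures   = $_.Count
            Usernames  = ($_.Group.User | Sort-Object -Unique) -join ','
            FirstSeen  = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Suspicious = $_.Count -ge $Threshold
        }
    } |
    Sort-Object Failures -Descending

$report | Format-Table -AutoSize

if ($report | Where-Object Suspicious) {
    Write-Warning "Sources with $Threshold or more failed logons in the last $Hours h: likely RDP brute force."
}
```

A long list of distinct usernames from one address (administrator, admin, user, backup, and so on) is the typical signature of a password-guessing tool rather than a user who has forgotten a password. If the script reports such a source, treat the host as under attack and apply the hardening steps below even if no ransomware has run yet.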


Your only options for recovering your files would be:

  1. Paying the ransom (which can be $10,000 CAD or more). This option does not guarantee that your files will be returned.

  2. Restoring from a backup, if one is available.


The EPS has found that most infections occur on a Friday and therefore are not noticed until the start of business on Monday. The following is a list of things to do to protect your systems and data:


  • Close any "port forwarding" on your router that goes directly to a server or workstation. Ports and services that are reachable from the Internet put your system at risk of attack. Even changing RDP from its default port (3389) does not secure your system; scanners find the service on whatever port it is listening on.

  • Disable RDP if you do not have two-factor authentication or another layer of security in front of it.

  • Backup, backup, backup your data! This can be done with a spare hard drive or a cloud-based system. Ensure this backup is not directly connected to, or accessible from, your primary machines, because the ransomware will encrypt both your computer system and any backup it can reach!
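The RDP advice above (restrict to specific addresses, add another layer of security, or disable it entirely) can be applied on a Windows host with the built-in firewall and registry settings. The following PowerShell script is an added example and not part of the EPS advisory. It reports whether RDP is on and reachable from anywhere, and then either disables it or locks it down to an allow-list. The addresses in $AllowedAddresses, the firewall rule name and the lockout values are placeholders you must replace; the script does not provide two-factor authentication, which needs a VPN or remote desktop gateway product in front of RDP.

```powershell
# Added example (not from the EPS advisory): audit and harden RDP exposure
# on a Windows host. Run as Administrator from the console (not over RDP,
# since the script may cut your own connection).
param(
    # Placeholder documentation addresses: replace with the only networks
    # that should ever reach RDP.
    [string[]]$AllowedAddresses = @('203.0.113.10', '198.51.100.0/24'),
    # The advisory's preferred option: turn RDP off entirely.
    [switch]$DisableRdp
)

$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey   = "$tsKey\WinStations\RDP-Tcp"
$ruleName = 'RDP allow-list (advisory)'   # assumed rule name

# 1. Report the current state: is RDP on, and is it reachable from anywhere?
$rdpOff   = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1
$rdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue)
$openToWorld = @($rdpRules | Where-Object {
    ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
})
"RDP disabled in registry : $rdpOff"
"Inbound RDP rules active : $($rdpRules.Count)"
"RDP rules open to Any    : $($openToWorld.Count)"

if ($DisableRdp) {
    # Turn the listener off and close the built-in firewall rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
    'RDP disabled.'
    return
}

# 2. Require Network Level Authentication so a client must authenticate
#    before a desktop session is created.
Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1

# 3. Replace the built-in "from anywhere" rules with a single allow-list
#    rule. -Profile Any covers Domain/Private/Public so a mislabelled
#    network profile does not re-expose the port. TCP only: RDP's UDP
#    transport falls back to TCP when UDP is blocked.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled False
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedAddresses -Profile Any -Action Allow | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $AllowedAddresses -Enabled True
}

# 4. Slow down password guessing from any address that is allowed through
#    (assumed values: 10 failures locks the account for 30 minutes).
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null

'RDP restricted to: ' + ($AllowedAddresses -join ', ')
```

Run it once with no arguments to see the report and apply the allow-list, or with -DisableRdp to follow the advisory's preferred option. The firewall rule only helps if the router is not forwarding port 3389 straight to the machine from the Internet, so pair it with the port-forwarding step above.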


If your systems are compromised please do the following:

  1. Disconnect it from the network (unplug the network cable or turn off Wi-Fi).

  2. Do NOT reboot or shut down your system; we can retrieve information from memory about what is going on, and a reboot or shutdown will destroy that information.

  3. Call the EPS at our non-emergency line 780-423-4567.