In recent weeks we have seen a major increase in Ransomware (Cryptolocker), a type of malware designed to make you pay the bad guys in a way that has never been done before. The increase in infections lines up with some new variants of the Cryptolocker Ransomware called Locky and Samas and has caused enough of a problem that the US Department of Homeland Security (US-CERT) has issued a warning about the situation. See https://www.us-cert.gov/ncas/alerts/TA16-091A for reference.
So what is all the fuss about? Traditional malware, as you may know, either stopped your computer from working correctly or forced advertisements upon you, which was also designed to make the bad guys money. What is different about Ransomware is that it encrypts your data with a key that only the criminals know, leaving your data locked up where you cannot access it. In this scenario you have only two options for getting the data back: pay the criminals to get access to the encryption key, or restore your data from backup. In other words, it holds your data to ransom.
When this happens in a business environment, depending on what permissions are in place, this Ransomware can very quickly lock up your entire shared file structure across the network, meaning the problem suddenly goes from one user, to all users. The latest versions of this Ransomware hunt out and lock up more files than before, meaning things like Word and Excel documents, database files, payroll systems and even the backups you make of your data can be locked up. The infections themselves are developing at a very fast pace and learning how to scan the network and find files you did not even think people had access to.
When you are put into this situation a few common questions are asked.
- How did this happen?
- How can we get our data back without paying?
- How can we stop this happening again?
How did this happen?
It’s a great question and the first reaction is to look for blame. In most cases, but not all, it comes down to a user clicking on a link or opening an attachment that contains the virus. The bad guys are constantly trying to find ways to create fake emails that manage to get around spam filters, and when you consider that they are making tens of millions of dollars out of these systems you can understand why they are continually trying to evolve their method of delivery. And while it is commonly delivered via email, not all infections start off from a bad email. Legitimate websites can become infected if they do not keep their back-end systems up to date and may end up being a delivery point for these types of infections for users who think they are visiting and downloading items from their favorite websites. Websites can also be used to look for vulnerabilities in the web browsers or computers of users visiting them, so a user can become infected just by visiting an infected site without downloading anything at all. These are not as common as the email method, but it is something users need to be aware of and, as always, they should be extremely careful in what they are doing on their computer.
How can we get our data back without paying?
Clearly no one wants to pay the bad guys for ripping them off, so the obvious thing is to want another option. Because of the method they are using to encrypt your files, there is no way to ‘reverse’ the encryption. That means the only option for recovering the information is to restore it from your backups. Remember above where we mentioned the virus can infect your backups? Correct – That is a scary thought. This is why ensuring your business backup system is prepared for scenarios like this is so important. Remember when your IT provider (hopefully) was pressing why backups are so critical, why they need to be on a device that is secure and why you MUST have an off-site backup solution in place? It’s not because they were trying to sell you something that would help against a giant asteroid hitting the earth, Deep Impact style, it is because they have seen these types of scenarios. Off-site backups serve many different purposes such as fire, flood, system-wide failure, etc., but also cover scenarios where your on-site backup can become compromised. This is a perfect example of where an innocent user could click on the wrong thing and accidentally wipe out your business files along with your backups if the system was not set up correctly.
How can we stop this happening again?
Glad you asked. Most people do ask this question and normally show a lot of interest in it while they are offline, but once things go back to normal and their day fills up with normal meeting requests and phone calls they forget the most important thing. Something needs to be done to better protect yourself against this in the future. While you can never guarantee you will never fall victim to these types of ever developing viruses, you can put some simple things in place which will better protect your staff, your data and your business from these outages.
Layers of Internet Security. We can’t tell users enough that the more layers of security protecting them the better. Anti-Virus is not enough anymore and should really act as a last line of defense. Why take the risk of the anti-virus on your staff’s computers being the only thing stopping them from taking down the company network? Some very simple things can be put in place, such as web filtering and network protection, that can assist in stopping the infection from ever making it through to your anti-virus. Web filtering, for example, adds a layer that monitors what web sites your users are visiting and stops them from visiting infected sites, or the ‘bad links’ in those emails that sneak through your SPAM filter. Network protection adds a layer of security to the traffic passing through your firewall, so should that infection happen, or a computer be brought in to your network that is infected, any internet-based traffic is scanned and if it is malicious it is blocked (such as the infected computer calling home to get the encryption keys before it starts eating the files on your network). These and more layers of security can be implemented with a Next-Gen firewall.
Keeping your systems up to date. You have heard it before, but using old operating systems such as Windows XP and not keeping your systems’ security patches up to date are serious risks. Windows XP ran out of support two years ago and has not had a security update since. This means using it to browse the internet is just like playing Russian Roulette. It’s only a matter of time. We often take on new clients and perform a review of their updating only to find the built-in updating mechanism was stuck, so no machines on the network were being updated, with machines sometimes being years out of date and running very old web browser versions. This is not only a security issue, but can cause problems for your users when trying to do the latest things online. Patching is important and something that you need to ensure your IT vendor is managing on your network.
Permissions. Although having everyone in your business have access to every folder on the network is easier to deal with, it’s not the best approach. We have seen this put in place and then 300,000 files locked up in a Ransomware infection in a matter of minutes. These infections often highlight just how many permissions a particular user has, which can be a real issue. The same rules apply regarding local administrator permissions for your staff on their computers. We understand you may want your staff to be able to install software from time to time, but that also means your staff can install viruses from time to time. Remember the office computer is a tool for business. You wouldn’t allow a staff member to modify their company car, so why let them modify their company computer? The fewer permissions the better, and if that means an onsite manager needs a password to make changes to a computer or you contact your IT provider’s helpdesk with a change request, at least you can rest easy knowing you are taking the best approach to security.
User Awareness. This is probably the most important item to address. The Internet will lie to you. There will be a website with an advertisement on it that promises a free iPhone. That Nigerian Prince is not really going to make you a million dollars overnight. The bank doesn’t really need you to confirm your account details and the State Debt Recovery Office doesn’t email pictures of you being caught at the speed camera. These scams have been around since the early 1990s, however they used to send you something in the mail. Now it’s via email, or through an advertisement on a website, or whatever the next easiest way to draw you in happens to be. It is very important that your users are aware of what they click on and if they are not sure, don’t click it. If they are trying to do something not so work related, then do it on their own time, on their own computers, off the company network.
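As an added example (not code from the original post), the following PowerShell audit shows how you can check a Windows file server for the “everyone has write access to every folder” condition described above: it lists, for each non-administrative SMB share, any NTFS grant of Write, Modify or Full Control to a broad group, and then lists who sits in the local Administrators group. The set of “broad” groups and the share filter are assumptions you should adjust for your own domain.

```powershell
# Added audit example (not the original post's code). Run on the file server
# itself with the SmbShare module (Windows Server 2012+ / Windows 8+).
# Groups treated as "broad" is an assumption; add your own all-staff groups.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

# Any ACE containing one of these rights lets the holder overwrite files,
# which is all ransomware running as that user needs to encrypt them.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Modify -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-BroadWriteGrants {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Strip the DOMAIN\ or BUILTIN\ prefix so 'BUILTIN\Users' matches 'Users'.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($BroadPrincipals -contains $name -and
            (([int]$ace.FileSystemRights -band $WriteRights) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Skip hidden/administrative shares (C$, ADMIN$) and IPC$, which has no path.
$findings = Get-SmbShare |
    Where-Object { $_.Path -and $_.Name -notmatch '\$$' } |
    ForEach-Object { Get-BroadWriteGrants -Path $_.Path }

if ($findings) {
    "Shares where a broad group can write (review against least privilege):"
    $findings | Format-Table -AutoSize
} else {
    "No broad-group write grants found on the root of any share."
}

# Local admin rights are the second half of the post's point: every member
# listed here can install software, and therefore malware, on this machine.
"Members of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

The check only inspects the root folder of each share; run Get-BroadWriteGrants against subfolders as well if your permissions are set deeper in the tree.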
If you would like any more information on anything in this blog post, please feel free to contact us on 1300 138 761 or email us at firstname.lastname@example.org