Ransomware

As your IT partner, we make routine improvements to the way we manage IT security challenges. During this process we examine each threat and determine the best method of protection. The security landscape is always changing, and we consistently make security enhancements and upgrades behind the scenes without needing much from you. The purpose of this information is to make you aware of a security threat that requires a different approach.

Ransomware is a type of malware that encrypts your files so they cannot be opened without the decryption key, which only the attacker holds. It then demands that the victim pay a ransom through certain online payment methods to regain access to the system or get the data back. Well-known families include CryptoLocker, CryptoWall and Locky. Ransom demands vary, ranging from hundreds to thousands of dollars.

Users encounter this threat in a variety of ways. Ransomware can be downloaded by unwitting users visiting malicious or compromised websites, or it can arrive as a payload dropped or downloaded by other malware already on the machine. The most common method of infection is an attachment in spam email.

Once on the system, ransomware either (1) locks the computer screen or (2) encrypts files of predetermined types with a key the victim does not have. In the first case the ransomware shows a full-screen image or notification that prevents the victim from using the system and displays instructions for paying the ransom. The second, and far more common, type encrypts files such as documents, spreadsheets and other important data while leaving the system itself usable.

At this point your files are encrypted and unavailable to you. Which files depends on the types the variant targets; the most common are pictures, documents, spreadsheets, PDF files and text files. The most destructive variants also attack database files.

The malware is coded to attack the computer it first infected and every network share reachable from it. Most variants do not need to copy themselves to other machines: the infected workstation simply encrypts every share its logged-in user can write to, so the damage reaches exactly as far as that user's permissions. The most common entry point is a workstation, which is almost always connected to other computers or a server, and that is how the damage reaches the rest of the network.

Ransomware variants encrypt your local files: the desktop, the Documents folder and anything else stored on the computer. Once the malware reaches other network resources, like a server, all of your files and important proprietary business data are at risk.

If this happens to your business you have two choices.

  1. Restore from backup
  2. Pay the ransom

Without proper protection and a proactive approach to security, you will most likely encounter ransomware sooner or later. The best response once you are hit is to restore from backup. If the encrypted files are included in your backup and the backup is working as expected, you should be able to recover. Keep in mind that many users store data on their desktop, which is often not included in the backup. You should set and enforce a policy that users store data on the server.

Important company data should not be kept on a personal computer.

If your backup is not current or is missing important data, you are left with paying the ransom. Paying only helps if the criminal network that built the malware actually delivers a working decryptor once it has your money, which is never guaranteed. The payment process is neither quick nor cheap. We know from experience.

Ransomware is one of the first kinds of malware that takes its profit directly from the victim. Earlier categories such as rootkits, bots, worms, browser hijackers and macro viruses were more often built for disruption or notoriety than for extracting a payment from the infected user.

Ransomware is now a service.

If you have not heard of SaaS, it is the acronym for “software as a service”: a common example is Netflix, where you pay a subscription to use the software. Criminal networks have adopted the same model, called Ransomware as a Service, in which the people who write the malware rent it to the people who spread it. The malware is ever changing, with a new variant appearing at least twice per quarter. Fresh variants are repacked so often that signature-based anti-virus frequently has no signature for them yet, and many samples stay quiet after installation until they call home to a command-and-control server and fetch or register the encryption key, so the damage starts only after that exchange.

There are methods to help prevent these infections, but ordinary anti-virus alone is not enough. Stopping ransomware needs a tiered approach. Adequate protection includes the items listed below:

  1. Anti-Malware – A good business-grade anti-malware product looks not only at traffic coming into your computer but also at outgoing traffic, which is how it catches the call home described above. Another key feature is analysing file changes against which files should be changing: a process that rewrites hundreds of documents in a minute is behaving like ransomware whatever it is called. We also need web control in the anti-virus to block non-business website traffic.
  2. UTM Features for your firewall – UTM stands for Unified Threat Management. A good UTM product sits at the edge of your network and acts as a traffic cop, only allowing in internet traffic that has been authorized. It helps prevent unwanted internet traffic by blocking both inbound and outbound requests.
  3. Email Spam Filter – Spam is one of the worst problems on the internet. Anyone can send you an email and, once your address is on an internet list, you will be flooded with these messages. The most common way ransomware spreads is a phishing attack carried by an email attachment. Anyone who uses email on your network should have it scrubbed by an enterprise spam filter so that spam never reaches the user's inbox.
  4. Windows and 3rd Party Updates – We all get the annoying pop-ups for updates and find it irritating to do them all the time. However, without these updates you are at risk from malware that exploits known holes. Windows updates are easily scheduled and most times you just need to restart the computer. Third-party updates such as Flash, Java and Adobe Reader are more difficult to complete. ACI can manage these updates behind the scenes by forcing them through.
  5. Application Execution Policies – Typically this malware starts by executing code delivered from an email or a web page, and the executable first lands in a temp folder inside the user profile (the Temp and AppData folders). We have set up a policy on all of our contract clients that prevents programs from running out of those folders. This can be frustrating because it also stops legitimate downloads from running there, but it is a necessary step to keep malware from starting; properly installed software lives in Program Files, where a standard user cannot write.
  6. Image Backup – The first five steps help prevent the malware from attacking the system, but there is no way to stop this malware forever. The only real 100% protection is a good, solid, tested backup. We recommend an image backup that captures the entire server and not just files; restoring a file or the whole server from an image-based backup is faster and easier. Anywhere you store data should have a backup. The backup target must not be a share that user accounts can write to, or the ransomware will encrypt the backups along with everything else. All files should be kept on the server and all email on an email server, not stored locally. If you follow this approach, your workstation data should never be at risk.
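To make item 1's "file changes versus which files should be changing" concrete, here is an added example written for this page; it is not code from any anti-malware product. It scores a constructed stream of file write events the way a behavioural detector would: a document renamed to an unknown extension, a known file type that has lost its header bytes, and near-random new content each count as evidence, but an alert is raised only when one process produces many such writes in a short window, so a single user renaming a file is not flagged. The WriteEvent layout, the process names, the paths and the thresholds are assumptions; a real agent would receive these events from a file-system filter driver or an audit log.

```python
"""Behavioural ransomware detection over file write events.

Added example for this page, not code from any anti-malware product.
The WriteEvent layout, process names, paths and thresholds are assumptions
chosen for illustration; the sample events are constructed.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass

# File types whose first bytes are predictable.  A file that keeps its
# extension but loses this signature was overwritten with foreign content.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
# The kinds of files the page says ransomware targets.
DOCUMENT_EXTS = set(MAGIC) | {".txt", ".csv", ".rtf"}


@dataclass
class WriteEvent:
    ts: float       # seconds since monitoring started
    process: str    # image name of the writing process
    path: str       # path after the write (a rename-and-rewrite is one event)
    head: bytes     # first bytes of the new content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def split_exts(path: str):
    """'q1.xlsx.locked' -> ('.xlsx', '.locked'); 'q1.xlsx' -> ('.xlsx', '.xlsx')."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return "", ""
    last = "." + parts[-1]
    prev = "." + parts[-2] if len(parts) >= 3 else last
    return prev, last


def suspicious_reasons(ev: WriteEvent) -> list:
    """Why this single write looks like encryption; empty list if it does not."""
    reasons = []
    prev, last = split_exts(ev.path)
    if prev in DOCUMENT_EXTS and last not in DOCUMENT_EXTS:
        reasons.append(f"document renamed to unknown extension {last}")
    magic = MAGIC.get(last)
    if magic is not None and not ev.head.startswith(magic):
        reasons.append(f"{last} file no longer starts with its signature")
    # Entropy alone is a weak signal: .docx, .png and .jpg are compressed and
    # legitimately look random, so it only counts alongside another reason.
    if reasons and shannon_entropy(ev.head) > 7.2:
        reasons.append("new content is near-random (likely ciphertext)")
    return reasons


def detect(events, window=60.0, threshold=10):
    """Map process -> (total suspicious writes, reasons for the first one) for
    every process with >= threshold suspicious writes inside `window` seconds."""
    per_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = suspicious_reasons(ev)
        if reasons:
            per_proc[ev.process].append((ev.ts, reasons))
    flagged = {}
    for proc, hits in per_proc.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[proc] = (len(hits), hits[0][1])
                break
    return flagged


def sample_events():
    """Constructed activity: two benign saves, one benign rename, one burst."""
    rng = random.Random(7)                       # deterministic fake ciphertext
    noise = lambda n=4096: bytes(rng.getrandbits(8) for _ in range(n))
    share = r"\\fileserver\finance"
    events = [
        WriteEvent(0.0, "WINWORD.EXE", share + r"\budget.docx",
                   b"PK\x03\x04" + b"[Content_Types].xml" * 20),
        WriteEvent(5.0, "AcroRd32.exe", share + r"\invoice.pdf",
                   b"%PDF-1.7\n%obj\n" * 20),
        WriteEvent(7.0, "explorer.exe", share + r"\notes.txt.bak",
                   b"meeting notes, to be rewritten\n" * 20),
    ]
    # Hypothetical dropper: 15 documents rewritten in under 30 seconds, half
    # renamed with a new suffix, half encrypted in place keeping the name.
    for i in range(15):
        name = rf"\q{i}.xlsx.locked" if i % 2 == 0 else rf"\report{i}.docx"
        events.append(WriteEvent(10.0 + 2 * i, "update_x7.exe", share + name, noise()))
    return events


if __name__ == "__main__":
    for proc, (count, why) in detect(sample_events()).items():
        print(f"ALERT {proc}: {count} suspicious writes; first: {'; '.join(why)}")
```

The entropy check is deliberately subordinate to the other two signals: Office documents are ZIP archives and images are already compressed, so their content looks random even when healthy, and an entropy-only rule would alert on every legitimate save. The rate threshold is what separates ransomware from a user tidying up file names.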

Nothing in cyber security is foolproof, but by using the methods above and being pro-active on how you approach security, you can help save your system from data loss.

Once this malware is on one system, its damage spreads across the network. Because every machine that can reach a share sees the same ruined files, it can be hard to tell which computer started the infection; on a file server, the owner recorded on the encrypted files or ransom notes usually points at the account, and therefore the workstation, where it began. Once the starting point is found, the cleaning process begins. Removal ranges from simple to complicated and usually requires a restart of the system. Variants change constantly and require different approaches. Once the malware is removed, we are faced with the task of restoring data.
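To show how the starting point can be found from the file server's side, here is an added example, not the page's own tooling, that triages constructed file-server audit lines: it keeps only writes, creations and renames of ransom notes or of files carrying an encryption suffix, and reports the earliest account and host as the origin together with every other host involved. The log line format, host and user names, and the note and suffix patterns are assumptions to adapt to your environment. If audit logging is not enabled, the NTFS owner stamped on the ransom notes and encrypted files gives the same answer, because those files were written under the infected user's credentials.

```python
"""Find the workstation that started a share-wide encryption run.

Added example for this page, not the page's own tooling.  The audit-log
line format, host and user names, and the note/suffix patterns are
constructed assumptions; adapt the regexes to what your file server emits.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed file-server audit lines: time, then key=value fields.
SAMPLE_LOG = r"""
2016-03-02T09:10:02Z host=WS-SALES-07 user=aperez op=WRITE path=\\fs01\finance\budget.xlsx
2016-03-02T09:14:07Z host=WS-ACCT-03 user=jsmith op=RENAME path=\\fs01\finance\q1.xlsx.locked
2016-03-02T09:14:08Z host=WS-ACCT-03 user=jsmith op=CREATE path=\\fs01\finance\HELP_DECRYPT.txt
2016-03-02T09:30:41Z host=WS-SALES-07 user=aperez op=READ path=\\fs01\finance\HELP_DECRYPT.txt
2016-03-02T09:52:13Z host=WS-HR-02 user=bkhan op=RENAME path=\\fs01\hr\reviews.docx.locked
2016-03-02T09:52:13Z host=WS-HR-02 user=bkhan op=RENAME path=\\fs01\hr\salaries.xlsx.locked
2016-03-02T09:52:14Z host=WS-HR-02 user=bkhan op=CREATE path=\\fs01\hr\HELP_DECRYPT.txt
""".strip().splitlines()

LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                  r"op=(?P<op>\S+) path=(?P<path>.+)$")
# Starter patterns for ransom-note names and encrypted-file suffixes
# (assumed; extend with whatever the variant you are facing drops).
NOTE_NAME = re.compile(r"(?i)^(help_decrypt|decrypt_instruction|recover_instruction|how_to_decrypt)")
ENCRYPTED_SUFFIX = re.compile(r"(?i)\.(locked|encrypted|crypted|locky)$")
# Only creating, writing or renaming counts.  Victims read the ransom note
# from every desk, and those reads must not be mistaken for the source.
WRITE_OPS = {"WRITE", "CREATE", "RENAME"}


def parse(lines):
    """Yield one dict per well-formed line; skip anything the regex rejects."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def is_ransomware_artifact(path: str) -> bool:
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(NOTE_NAME.search(name) or ENCRYPTED_SUFFIX.search(name))


def find_origin(lines):
    """Return (earliest artifact-writing event or None, Counter of (host, user)).

    Encryption on a share is performed by the infected workstation under the
    logged-in user's credentials, so the first account to write a note or an
    encrypted-named file is where the infection started.  The counts show every
    other host involved; the busiest host is not necessarily the first.
    """
    hits = [ev for ev in parse(lines)
            if ev["op"] in WRITE_OPS and is_ransomware_artifact(ev["path"])]
    hits.sort(key=lambda ev: ev["ts"])
    counts = Counter((ev["host"], ev["user"]) for ev in hits)
    return (hits[0] if hits else None), counts


if __name__ == "__main__":
    first, counts = find_origin(SAMPLE_LOG)
    if first:
        print(f"patient zero: {first['host']} ({first['user']}) at {first['ts']:%H:%M:%S}")
    for (host, user), n in counts.most_common():
        print(f"  {host:<12} {user:<8} {n} artifact writes")
```

In the constructed log the HR workstation wrote the most artifacts, but the accounting workstation wrote the first one forty minutes earlier; that is the machine to pull off the network and image first, and the HR machine is a second infection to handle next.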

If you have an image backup that is current and has been tested on a recurring basis, we can restore the files. As you can imagine, though, this is a time-consuming process. We have to remove all traces of the infection and the encrypted files, restore back to the last clean recovery point, and then copy the data into place. Recovery time depends on data size, but typically a minimum of 3 hours of network downtime is required.

The recovery process is not a quick one and can also leave lasting effects of the infection.

One single product will not stop ransomware. User awareness and understanding help, but ordinary anti-virus is not enough and you must layer several methods. The six items described above are the tiered protection we recommend: business-grade anti-malware, UTM features on the firewall, an enterprise email spam filter, Windows and third-party updates, application execution policies, and image backup.

The cost of these items adds up to higher ongoing monthly fees, and it is not necessarily spending that will help grow your business. On the other hand, that spending could save what is most important to your business: your proprietary company data.

You don’t have to be a security nut to realize the need for this. If you don’t think this is important enough for your business, this is a mistake.

If you want to say “I can’t afford to increase monthly costs”, ask yourself if you can afford to lose company data.

Security and anti-virus have always been a point of discussion, mostly because of the annoyance of dealing with a slow computer and the recovery time.

However, ransomware is the first to hold your data hostage. There is no recovery without a backup or paying the ransom.

In an article from October 2015, an FBI agent was quoted as advising victims to pay the ransom, since there is often no easy way to recover otherwise.

In another article posted by the FBI in January 2015, the Bureau cites further evidence of this being a global security threat.

Without prevention and protection, this will happen to you. It is only a matter of time.

Ransomware demands your money to recover your data.
Downtime of your systems cause problems.
Ransomware spreads to more than just one computer.
Ransomware attacks your network and all of your files.

How can you be so certain that the files that become encrypted will be included in a backup?

If you are fortunate and all of the important files on each system that the malware infects are on a backup and are recoverable, how much downtime will this cause?

How much downtime could your business sustain?

We recently had two businesses come to us because they were not prepared and were hit with ransomware. They wanted an IT firm to help them recover. We helped both of them but between the downtime, support costs to recover data, removing the infection, and payment to the hacker network, both instances ranged from $8,000-$15,000 in overall costs.




Reference Material:

http://www.trendmicro.com/vinfo/us/security/definition/Ransomware
http://www.businessinsider.com/fbi-recommends-paying-ransom-for-infected-computer-2015-10
https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise
http://www.digitaltrends.com/computing/what-is-ransomware-and-should-you-be-worried-about-it/
http://www.bleepingcomputer.com/virus-removal/threat/ransomware/