As your IT partner, we make routine improvements to the way we manage IT security. During this process we examine each threat and determine the best method of protection. The security landscape is always changing, and we consistently make security enhancements and upgrades behind the scenes without you needing to worry about them. The purpose of this information is to make you aware of a security threat that requires a different approach.
Ransomware is a type of malware that encrypts the files on your computer, making them inaccessible without the decryption key. It forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems or get their data back. Well-known families include CryptoLocker, CryptoWall and Locky. Ransom demands vary, ranging from hundreds to thousands of dollars.
Users may encounter this threat in a variety of ways. Ransomware can be downloaded by unwitting users visiting malicious or compromised websites. It can also arrive as a payload, either dropped or downloaded by other malware. The most common method of infection is an attachment in a spam or phishing email.
Once on the system, ransomware does one of two things: (1) it locks the computer screen, or (2) it encrypts files of predetermined types with a key that only the attacker holds. In the first case, the ransomware shows a full-screen image or notification that prevents the victim from using the system and displays instructions on how to pay the ransom. The second and far more common type locks files such as documents, spreadsheets and other important data.
At this point your files are encrypted and unavailable to you. Which files are hit depends on the file types the variant targets. The most common targets are pictures, documents, spreadsheets, Adobe PDF files and text files. The most destructive variants also attack database files.
The malware encrypts files on the computer it originally infected and on every network share that computer can reach, which in practice means anything the logged-on user is able to write to. The most common entry point is a workstation. A workstation is almost always connected to other computers or to a server, and this is how the damage spreads from one machine to the shared data.
Ransomware variants will encrypt your local files, including everything on the desktop, in the documents folders and anywhere else on the computer. Once the malware reaches other network resources, such as a server, all of your files and proprietary business data are at risk.
If this happens to your business you have two choices.
Without proper protection and a proactive approach to security, you will most likely encounter ransomware at some point. The best response once you are hit is to restore from a backup. If the encrypted files are covered by your backup and the backup has been verified to work, you should be able to recover. Keep in mind that a backup copy the infected computer can write to is itself at risk, since the malware encrypts every share it can reach; the recovery point must be one the workstation cannot modify. Keep in mind too that most users store data on their desktop, and the desktop is one location that is frequently not included in the backup. You should set a policy requiring users to store data on the server.
Important company data should not be kept on a personal computer.
If your backup is not current or is missing important data, you are faced with paying the ransom. Paying only works if you can get the payment to the criminal group behind the malware and receive a working decryption key in return. The payment process is neither quick nor cheap. We know this from experience.
Ransomware is one of the first kinds of malware to turn an infection itself into a reliable profit for the attacker. Earlier malware such as rootkits, bots, worms, browser hijackers and macro viruses was more often built for disruption or notoriety than for extracting payment directly from the victim.
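The advisory's warning that desktop and other local files are often outside the backup can be turned into a concrete check. The following PowerShell script is an added example written for this page, not part of the original advisory: it walks every user profile on a workstation and reports how many of the commonly targeted file types sit in Desktop, Documents and Downloads, which are exactly the locations a server-side backup does not cover. The profile root, the list of extensions and the folder names are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original advisory.
# Assumptions (adjust for your environment):
#   - user profiles live under $ProfileRoot (default C:\Users)
#   - $Extensions are the file types the advisory names as the usual targets
#   - the folders in $LocalFolders are not covered by the server backup
param(
    [string]   $ProfileRoot = 'C:\Users',
    [string[]] $Extensions  = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.txt',
                                '.jpg', '.png', '.mdb', '.accdb')
)

$LocalFolders = 'Desktop', 'Documents', 'Downloads'

# Collect every targeted-type file found in the local folders of each profile.
$atRisk = foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($folder in $LocalFolders) {
        $path = Join-Path $profile.FullName $folder
        if (-not (Test-Path -LiteralPath $path)) { continue }

        Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                [pscustomobject]@{
                    User   = $profile.Name
                    Folder = $folder
                    Path   = $_.FullName
                    SizeMB = [math]::Round($_.Length / 1MB, 2)
                }
            }
    }
}

if (-not $atRisk) {
    Write-Host "No targeted file types found outside the backed-up locations under $ProfileRoot."
    return
}

# One summary row per user: file count and total size that would be lost
# if this workstation were encrypted and only the server were restored.
$atRisk |
    Group-Object User |
    ForEach-Object {
        [pscustomobject]@{
            User   = $_.Name
            Files  = $_.Count
            SizeMB = [math]::Round(($_.Group | Measure-Object SizeMB -Sum).Sum, 2)
        }
    } |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize

# The per-file detail is still in $atRisk if you want to hand each user a list:
#   $atRisk | Where-Object User -eq 'jsmith' | Select-Object Folder, Path, SizeMB
```

Run it from an elevated prompt so that every profile is readable. The summary tells you how much data a single encrypted workstation would cost you today, which is the number to put beside the monthly price of folder redirection or a workstation backup when you make the case in the next section.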
Ransomware is now a service.
If you have not heard of SaaS, it is the acronym for "software as a service": instead of buying software outright, you pay a subscription to use it, as with Office 365. Criminal groups have adopted the same model under the name Ransomware as a Service, renting the malware and its payment infrastructure to affiliates. The malware changes constantly, and new variants appear on the internet at least several times a quarter. Signature-based antivirus often fails to detect it because the file that first lands on the computer carries no recognisable encryption routine; it lies dormant until it calls home to the attacker's server and downloads the encryption key, and only then starts encrypting.
There are methods to help prevent these infections, but the common antivirus product alone is not enough. Stopping ransomware needs a layered approach. Adequate protection includes several items as listed below:
Nothing in cyber security is foolproof, but by using the methods above and being proactive about how you approach security, you can protect your systems from data loss.
Once the malware is on one system, its effect spreads across the network through the shares that system can reach. Because many machines may touch the same share, it can be hard to tell which computer started the infection. Once the starting point is found, the cleaning process begins. Removal can range from simple to complicated and usually requires a restart of the system. The variants are always changing and require different approaches. Once the malware is removed, we are faced with the task of restoring data.
If you have an image backup that is current and has been tested on a recurring basis, we can restore the files. As you can imagine, however, this is a time-consuming process. We have to remove the encrypted files and every trace of the malware, then restore back to the last recovery point and copy the data into place. Recovery time depends on the amount of data, but typically a minimum of 3 hours of network downtime is required.
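Finding the starting point is faster than the paragraph above suggests if you use what the malware leaves behind. A file created over the network inherits the owner of the account that wrote it, so the ransom notes and encrypted copies on the server carry the infected user's account, and their creation times show when the encryption began. The following PowerShell script is an added example written for this page, not part of the original advisory or of any vendor's tooling: it scans a share for ransom notes, groups them by NTFS owner and reports the earliest note per account. The share path and the note names are assumptions; set them to the variant you are actually facing.

```powershell
# Added example, not from the original advisory.
# Assumptions (adjust for your incident):
#   - the affected share is reachable at $Share with read access
#   - the variant drops ransom notes whose names match $NotePatterns
#     (the names below are placeholders, not from any specific family)
param(
    [string]   $Share        = '\\FILESERVER\Company',
    [string[]] $NotePatterns = @('HELP_DECRYPT.txt', '_HELP_instructions.html', '*.encrypted')
)

# Ransom notes are new files, so their NTFS owner is the account that created
# them: the account logged on to the infected workstation.
$notes = Get-ChildItem -Path $Share -Recurse -File -Force -Include $NotePatterns -ErrorAction SilentlyContinue

if (-not $notes) {
    Write-Host "No files matching $($NotePatterns -join ', ') found under $Share."
    return
}

$report = foreach ($note in $notes) {
    [pscustomobject]@{
        Owner   = (Get-Acl -LiteralPath $note.FullName).Owner
        Created = $note.CreationTime
        Path    = $note.FullName
    }
}

# One row per account: how many notes it wrote and when the first appeared.
# The account with the earliest note is where the infection started; its
# first note's folder tells you which share the malware hit first.
$report |
    Group-Object Owner |
    ForEach-Object {
        $first = $_.Group | Sort-Object Created | Select-Object -First 1
        [pscustomobject]@{
            Owner     = $_.Name
            Notes     = $_.Count
            FirstNote = $first.Created
            FirstPath = $first.Path
        }
    } |
    Sort-Object FirstNote |
    Format-Table -AutoSize
```

Two caveats. If the infected user is a local administrator, Windows records the owner as BUILTIN\Administrators rather than the user, so the owner column will not name the account; in that case take the FirstNote timestamp to the file server's Security log (event 5145, which needs file share auditing enabled and records the client address) or to the domain controller's logon events (event 4624, which includes the source address) to get the workstation. And disconnect the workstation you identify before cleaning anything else, because as long as it is on the network the count in the Notes column keeps growing.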
The recovery process is not a quick one and can also leave lasting effects of the infection.
No single product will stop ransomware. User awareness and understanding help, but you must use several methods together. The common antivirus product alone is not enough; stopping ransomware needs a layered approach, and adequate protection includes several items as listed below, each of which we recommend:
The cost of these items adds up to more ongoing monthly fees, and they are not necessarily things that will help grow your business. Conversely, the cost of these items could save what is most important to your business: your proprietary company data.
You don’t have to be a security nut to realize the need for this. If you don’t think this is important enough for your business, this is a mistake.
If you want to say “I can’t afford to increase monthly costs”, ask yourself if you can afford to lose company data.
Security and antivirus have always been a point of discussion, mostly because of the annoyance of dealing with a slow computer and the recovery time after an infection.
Ransomware, however, is the first kind of malware to hold your data hostage. There is no recovery without a backup or paying the ransom.
In widely reported remarks from October 2015, an FBI official advised that victims often have little choice but to pay the ransom, because there is no easy way to recover without a backup.
In an earlier alert posted by the FBI in January 2015, the Bureau cites further evidence that ransomware is a global security threat.
Without prevention and protection, this will happen to you. It is only a matter of time.
Ransomware demands your money to recover your data.
Downtime of your systems causes problems.
Ransomware spreads to more than just one computer.
Ransomware attacks your network and all of your files.
How can you be so certain that the files that become encrypted will be included in a backup?
If you are fortunate and all of the important files on each system that the malware infects are on a backup and are recoverable, how much downtime will this cause?
How much downtime could your business sustain?
We recently had two businesses come to us because they were not prepared and were hit with ransomware. They wanted an IT firm to help them recover. We helped both of them, but between the downtime, the support costs to recover data and remove the infection, and the payment to the criminal group, the overall cost in each case ranged from $8,000 to $15,000.