The IT Threat of our Time
WHERE DID RANSOMWARE
In the beginning, there were viruses, which were easily addressed with a robust antivirus solution. These included many brands you are familiar with today, such as Symantec and Norton, and they were very effective at identifying a virus and quarantining it so it did not propagate to other computers or files.
From there, viruses evolved into adware and malware. You are familiar with this type of attack even if you may not think you are: an example would be a pop-up ad stating that your computer has been infected and needs to run a scan – just click here. However, as is typically the case, technology and time caught up with this kind of malware, and even though it still exists, it is not nearly the threat it once was.
These types of viruses and malware infections were typically created by someone seeing how much havoc they could cause and were not designed to generate revenue or hold people hostage in exchange for their data.
Fast forward to today and we have new viruses in the form of ransomware, which came to pass once hackers and criminal enterprises figured out how to monetize a virus.
WHAT IS A RANSOMWARE ATTACK?
Ransomware attacks typically arrive via a phishing attack in the form of a link or attachment accompanied by an enticing email from a known vendor, company or individual. These attacks can appear very conversational, as if between coworkers, such as “can you do me a favor” or “I need you to transfer funds in the amount of…”
However, for the purposes of simplification, we are going to focus our attention on ransomware that comes via a phishing attack that includes an attachment or link, as this is the type of attack most people are familiar with.
SINGLE WORKSTATION/USER IMPACTED ▶▶
In this scenario, a user receives an email from what appears to be a trusted source, typically including the logos, signature lines and other traits associated with the sender. When the user receives it, they assume it is from the individual it claims to be from, so they click on the link or attachment. This is when the ransomware attack begins.
Once the ransomware is launched on the user’s PC, a process of forced file encryption begins. This is when your entire file structure and all the data contained within it is locked behind strong encryption. The encryption key that unlocks this information is then held in a secret cloud location of the hackers’ choosing.
Even under perfect conditions, it would take years to brute-force this key; however, most of these attacks give you 48 hours or less to remit payment before the attackers delete the encryption key and your data is lost forever. Payment is typically demanded in Bitcoin – an untraceable cyber currency – and setting up an account can take time if one does not already exist.
In this scenario, only a single workstation is affected, but let us discuss an even worse scenario – your entire network being encrypted.
MULTIPLE WORKSTATIONS/USERS IMPACTED ▶▶
This happens when the affected user is in a domain environment, meaning all workstations are connected to a server for file sharing and centralized management. In this configuration, once the ransomware has fully encrypted the individual’s workstation, it moves on to all the shared files and devices the user has access to.
If the compromised user happens to be the owner of the business or someone in management with access to all files, the ransomware will encrypt everything they have access to, resulting – in most cases – in the entire network being encrypted and putting you completely out of business until the data is recovered.
Keep in mind that hosting your servers elsewhere does not protect against this, since the ransomware will encrypt everything your computer has access to – regardless of where it is housed.
Therefore, it is important to create a plan which we’ll discuss in part two of our series on ransomware.
WHAT TO INCLUDE IN A BCDR PLAN?
The best defense against ransomware is a good offense, meaning you should be proactive in your approach to addressing these types of attacks and the methods used to conduct them.
There are certain core elements every plan should have. Let us spend a little time exploring each as well as why they are important to include.
CYBERSECURITY AWARENESS TRAINING ▶▶
First and foremost, you need some sort of ongoing cybersecurity awareness training for your employees, as employee mistakes are how most ransomware attacks begin. This typically consists of training on what to look for when surfing online and when checking email, and should provide examples of the different variations of emails one might receive.
PATCH MANAGEMENT ▶▶
Patch management should be performed by an outside IT provider or via an automated process. Patches are essential because most of the time they are released to close a specific vulnerability that could be used to compromise your network.
POLICIES AND PROCEDURES ▶▶
You also want to create and implement comprehensive security procedures for general access and file handling; however, one of the easiest things you can do is implement a policy that requires users to create a complex password and to change it on a scheduled interval – typically once a quarter for highly regulated industries and at least twice a year for those not subject to compliance from an outside governing body.
A complex password typically contains letters, numbers and symbols and is at least 16 characters long. An easy way to create one is to use a movie line, song lyric or positive affirmation, including all letters, spaces and punctuation. This produces a password that is complex while remaining easy for the user to remember.
ANTIVIRUS SOLUTION ▶▶
You should also have a robust antivirus, anti-malware, anti-spyware solution deployed on all desktops and servers. We recommend having this solution monitored, maintained and managed by an outsourced IT security provider such as ThrottleNet.
RANSOMWARE DETECTION ▶▶
To protect your network and isolate any potential attack, we recommend a solution that monitors the files in your My Documents folder for encryption, since that is a solid indicator of an attack. Such a solution should be able to identify the encryption and send an alert notifying a designated contact that an attack is taking place. It should also quarantine the affected workstation while still allowing your outside provider access for resolution and remediation of the issue.
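One way a monitoring tool of the kind described above could decide that files are being encrypted, as an added illustration and not ThrottleNet's product or code from this page: it compares two snapshots of a Documents folder and flags files whose contents turned into high-entropy data and were renamed or rose sharply in entropy, alerting only when several files flip at once. The folder contents, the `.locked` extension and the thresholds are constructed assumptions.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_original(name: str, before: dict):
    """Map a current file name back to its pre-change name, allowing for an
    appended extension such as budget.xlsx -> budget.xlsx.locked."""
    if name in before:
        return name
    return next((orig for orig in before if name.startswith(orig + ".")), None)

def suspicious_changes(before: dict, after: dict, high=7.0, jump=2.0):
    """Files whose contents became high-entropy and were renamed or rose sharply."""
    flagged = []
    for name, data in after.items():
        orig = find_original(name, before)
        if orig is None:
            continue  # brand-new file; this heuristic only judges rewritten ones
        ent_before, ent_after = shannon_entropy(before[orig]), shannon_entropy(data)
        if ent_after >= high and (name != orig or ent_after - ent_before >= jump):
            flagged.append((orig, name, round(ent_after, 2)))
    return flagged

def should_alert(before: dict, after: dict, min_files=3):
    """Require several files to flip in one interval: one high-entropy file is
    probably a user zipping a folder; a burst of them is a strong ransomware signal."""
    flagged = suspicious_changes(before, after)
    return len(flagged) >= min_files, flagged

# Constructed snapshots of a Documents folder (name -> bytes); the second one
# simulates three files being rewritten and renamed by an encryption process.
BEFORE = {
    "budget.xlsx": b"Q1 budget: rent 1200, payroll 48000, software 900\n" * 20,
    "memo.docx": b"Please review the attached proposal before Friday.\n" * 20,
    "notes.txt": b"call vendor, renew license, update inventory\n" * 20,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x10\x20\x30" * 40,
}
CIPHERTEXT = bytes((i * 7) % 256 for i in range(1024))  # uniform bytes standing in for encrypted output
AFTER = {
    "budget.xlsx.locked": CIPHERTEXT,
    "memo.docx.locked": CIPHERTEXT,
    "logo.png.locked": CIPHERTEXT,
    "notes.txt": BEFORE["notes.txt"],  # not touched yet
}
```

A real deployment would feed `should_alert` from a filesystem watcher and hand the alert to the quarantine step; `should_alert(BEFORE, AFTER)` on the constructed data returns an alert with three flagged files.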
MOCK PHISHING ATTACKS ▶▶
To ensure your users receive ongoing training, we recommend a third-party mock phishing solution to identify those users who require more education, along with training videos for the areas where your users need assistance.
An enterprise-grade firewall with active threat monitoring should also be installed, as it protects against external attacks and can provide additional security features depending on the model and the available security solutions.
IMAGE BASED CLOUD BACKUP SOLUTION ▶▶
Finally, you should have an image-based backup with versioning and cloud replication. You want an image-based backup because it takes a snapshot of the entire operating system along with every patch and update applied since the system was built – sometimes years’ worth of patching and updates – resulting in a much quicker recovery time.
Versioning is necessary in case the most recent backup is itself encrypted. If that is the case, you simply go back to a version taken before the attack and restore from that point in time – as if nothing had happened.
WHAT TO DO IF YOU ARE A VICTIM OF A RANSOMWARE ATTACK.
If you are the victim of a ransomware attack, there are certain actions you can take. Keep in mind, these actions should be performed in the order discussed as this will increase your chances of success.
DISCONNECT YOUR MACHINE FROM THE NETWORK ▶▶
Start by disconnecting your machine from your network and from any other devices it may be connected to, including external drives. You do not want the ransomware to spread to other devices on your local network or to file-syncing services such as Dropbox or OneDrive.
TAKE A PICTURE OF THE RANSOM NOTE ▶▶
Use a smartphone or a camera to take a photograph of the ransom note presented on your screen. If you can take a screenshot, do so as well. You will want to file a police report later, after you go through all these steps.
DETERMINE IF YOU WILL PAY THE RANSOM ▶▶
Since ransomware attacks are typically accompanied by a ransom request, you should determine whether you are willing to pay. If you are not willing to pay and would rather resolve the issue internally, locate antivirus or anti-malware software capable of cleaning the ransomware infection from the machine. Again, only do so if you are determined not to pay the ransom; otherwise, wait until you have recovered your files with the decryption key. Keep in mind that removing the ransomware will not decrypt your files, and it may kill your chances of getting the files back if you later decide to pay the ransom. It will, however, let you carry out the following steps without the risk that the ransomware encrypts new files or tries to thwart the recovery process.
See if you can recover from your deleted files folder. Many forms of ransomware copy your files, encrypt the copies and then delete the originals. Fortunately, you can often recover deleted files easily assuming you have the tools and knowledge required to do so.
IDENTIFY THE STRAIN OF RANSOMWARE ▶▶
If the ransomware does not provide its name, try the ID Ransomware online tool. It lets you upload encrypted files and tells you whether the encryption can be reversed; in most cases, however, it cannot. Next, see if decryption tools are available: if you already know the name of the ransomware strain, check the list of decryption tools on the No More Ransom website and see if there is a matching decryptor.
RESTORE YOUR FILES ▶▶
If you have a solid, image-based backup solution in place and the ransomware has been fully removed, you can restore your files; however, make sure the backup files were not encrypted too before doing so. This alone illustrates the importance of a backup solution that includes versioning and offsite storage. If you are just backing up over an existing backup nightly without any versioning, you could overwrite a good backup with the encrypted data.
To confirm you have a good, uncompromised backup, connect the backup drive to another machine or log in to your online backup service. This will allow you to check on the status of the files. You also want to make sure you have the installation media or license keys for all third-party applications.
If the backups are good, you will want to fully wipe the drive, do a clean installation of the operating system and then restore the files from the backup.
You could also just restore the files from the backup drive without wiping and reinstalling the OS. This might seem like less trouble, but it is not a good idea — you might leave some trace of the ransomware on the machine, even after performing a full antivirus scan.
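The versioning point above (go back to a version taken before the attack, and confirm a backup is clean before restoring from it), as an added example rather than ThrottleNet's backup product or code from this page: it walks a history of backup snapshots from oldest to newest and returns the last snapshot taken before the first one that shows ransomware symptoms, so a single overwritten backup that already carries a ransom note yields nothing to restore. Snapshot dates, file contents and the ransom-note name fragments are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

NOTE_MARKERS = ("decrypt", "ransom", "restore_files")  # fragments common in ransom-note file names

@dataclass
class Version:
    taken_at: str  # ISO date the snapshot was taken (constructed values below)
    files: dict    # file name -> file bytes

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def has_ransom_note(v: Version) -> bool:
    return any(m in name.lower() for name in v.files for m in NOTE_MARKERS)

def looks_encrypted(prev: Version, cur: Version, max_changed=0.5) -> bool:
    """A snapshot is suspect if a ransom-note-like file appeared or more than
    max_changed of the previous snapshot's files changed or vanished at once."""
    if has_ransom_note(cur) and not has_ransom_note(prev):
        return True
    changed = sum(1 for name, data in prev.files.items()
                  if name not in cur.files or digest(cur.files[name]) != digest(data))
    return changed / max(len(prev.files), 1) > max_changed

def last_clean_version(versions):
    """Return the newest snapshot taken before the first suspect one, or None
    when even the oldest retained snapshot already carries a ransom note."""
    ordered = sorted(versions, key=lambda v: v.taken_at)
    if not ordered or has_ransom_note(ordered[0]):
        return None
    clean = ordered[0]  # assumption: the oldest retained snapshot predates the attack
    for prev, cur in zip(ordered, ordered[1:]):
        if looks_encrypted(prev, cur):
            break
        clean = cur
    return clean

# Constructed history: normal edits, then the attack, then one more backup
# taken after the attack (which is all a no-versioning scheme would keep).
DOCS = {"budget.xlsx": b"Q1 numbers", "memo.docx": b"draft memo", "notes.txt": b"todo"}
V1 = Version("2024-03-01", dict(DOCS))
V2 = Version("2024-03-02", {**DOCS, "memo.docx": b"final memo"})
LOCKED = {f"{name}.locked": bytes(range(256)) for name in DOCS}
V3 = Version("2024-03-03", {**LOCKED, "HOW_TO_DECRYPT.txt": b"pay to restore"})
V4 = Version("2024-03-04", dict(V3.files))
```

With the full history, `last_clean_version([V1, V2, V3, V4])` selects the 2024-03-02 snapshot; with only the post-attack copy, `last_clean_version([V4])` returns None.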
WHY NOT LET AN EXPERT HANDLE IT?
Outsourced IT security providers have had exposure to a variety of attacks and have developed specific solutions to address them, taking the guesswork out of your hands and putting it in the hands of a team of outsourced IT professionals.
For example, ThrottleNet’s outsourced IT management and security solutions have saved our clients over $2.6 million in ransoms over the last two years alone, and that number continues to grow.
You should also consider outsourced IT management and security services even if you have an internal IT person, simply to provide supplemental support and to perform network monitoring and maintenance so your IT person can focus on resolving actual end-user issues.
It also makes sense to have an outsourced organization perform an annual assessment of your network to identify any risks that may have gone without notice in the past.
LET'S GET STARTED
We’ll even perform a risk analysis at no cost or obligation. Reach out to schedule yours today by submitting the form below, calling us at 866-826-5666 or visiting throttlenet.com.