It has been in a busy week in ransomware and information technology security levels, and many companies have already been targeted, and unfortunately affected. As we’ve all read on CNN Money and other news sources, Ransomware is a malicious code or a computer virus that denies users access to their own data, encrypting it and holding it until the user pays a ransom. Users can choose between restoring a backup of their ransomed data, try to decrypt it, accept losing the data or paying the ransom. In this blog post, Daniel Ruiz, Point of Rental Software’s Customer Support IT Liaison, covers why we should care and how to take preventative measure.
Symptoms of Infection
It is rather easy to determine if you are a victim of ransomware. The symptoms can vary. You may not be able to open files or use programs like normal. You may get pop-ups with errors indicating corrupt files or unrecognized file extensions. You will see a pop-up of some sort with detailed instructions on how to decrypt your files by paying for it. The method of payment will most likely require Bitcoin (BTC).
How Did This Happen?
Ransomware is introduced via three common vectors – email, drive-by-downloads and users downloading free software. Everyone can probably see how email can be a vehicle for ransomware. If you are like the rest of us, you may receive email spam and even have spam filters that don’t always zap the bad stuff. The key is not clicking any links or opening any files in emails sent by users you don’t know. Drive-by-downloads happen when visiting compromised websites or using outdated/unpatched web browsers. Downloading free software is risky business especially if you don’t know the publisher. Many times users download free software tools that actually work but don’t realize the bad guys added the ransomware inside it until it’s too late.
I’m Hit, Now What?
It’s never a good thing when someone is a victim of ransomware. If you find yourself on the wrong side of the tracks, you should immediately disconnect the infected computer from the network. That is, unplugging its Ethernet cable or disconnecting from any wireless networks. Ransomware is a virus and often times malicious human beings with vast coding experience created it, so expect it can propagate your network to infect other computers, files and folders. Next, you will want to determine the damage. What are the encrypted files? How critical are they? How quickly do you need them recovered? Then you want to know which strain of ransomware you have. There could be a decrypt tool available. Your next action depends on scope of infection and include restoring backed up data, attempting to decrypt the files, lose the data or pay the ransom. Part of me wants to never pay the ransom but it is an option and as weird as trusting a criminal may sound, ransomware is a lucrative crime and variants of the CryptoLocker ransomware have been known to make millions from paid ransoms and have actually decrypted the files when paid. A criminal with integrity, now that’s an oxymoron if I ever heard one.
It’s important to understand that ransomware is introduced by users. Software is no longer a safety net to catch all intrusions, at least not anymore. Good security awareness can go a long way. Not opening emails from unknown senders, keeping your antivirus and other software patched and taking caution when downloading files and programs can go a long way in keeping you on the right side of the tracks.
Backups are only critical when you need them, and you need them when you need them. Checking backups and maintaining them can be drag, but you have to ask yourself “what happens if I can never recover my most critical data?” and “how long would it take me to recover?” Having a reliable daily backup routine and a recovery plan is a requirement for critical data and businesses should implement one if they haven’t already.
If companies allow their users to remote access company resources such as a server or the entire office network, then two factor authentication or “whitelists” should be implemented. This requires the remote user to authenticate in another form rather than a username & password which can be compromised. For example, if a remote user connects a virtual private network (VPN) connection by typing their username & password, before they are granted access they are sent a message to their phone in which they must also grant access. The same can be true with only allowing a particular computer remote access. The specific computer is “whitelisted”. In both cases the remote user authenticates using something they know, username & password, and by something they physically have, a phone or computer. This should be monitored and maintained regularly.
You can find more information regarding ransomware at www.bleepingcomputer.com and www.knowbe4.com. For paid services such as web security and endpoint security services, we recommend Harland Technology. Details about their services can be found at https://www.harlandts.com/public/SecurityManager.aspx.