26 Mar How to Prevent Ransomware and Guard Your Data
Ransomware attacks are a severe epidemic affecting businesses of all sizes. Protecting your company is more critical than ever before as the number of ransomware attacks continues to rise. A report from Cybersecurity Ventures projects that on average there will be a ransomware attack on a business every 14 seconds by the end this year.
What does this mean for small to mid-sized businesses in Oklahoma? To protect your organization from cyber threats, you need to make cybersecurity a top priority. Teach your team about this damaging category of malware and the harm it can do to your business.
To help you confront the growing threat of ransomware, we’ve taken a closer glimpse at how it works and recent ransomware variations. We’ve also gathered helpful tips on how to protect your business.
Types of Ransomware
Ransomware is vindictive software that encrypts files, locks network computers, and retains control until the user pays real money. Attacks may occur anywhere in the world–even in unsuspecting Oklahoma communities. Ransomware appears in two configurations — by locking your screen with an image to prevent you from accessing your PC or by encrypting your data so they can’t be opened without a unique passkey.
Here are several key entry points that most ransomware hackers utilize:
Email-borne contagion – Although some variants have been known to attack via drive-by download advertisements, malicious websites, or network file sharing, ransomware usually attacks through spoofed ransomware emails, where the user is duped into opening an attachment. It often arrives in compressed zip files with enticingly ordinary names. The zip file contains an executable file, which downloads onto the target machine.
Covert interaction – Once downloaded, the malware establishes communication with a command-and-control server. For example, CryptoLocker, which started the modern ransomware craze, relies on a domain generation algorithm and hops between new servers routinely to avoid identification.
Hi-tech encryption – Once the server connection is established, CryptoLocker generates a pair of encryption keys — one public, one private — using the huge RSA-2048 bit encryption algorithm and military-grade 256-bit AES encryption.
Bitcoin ransom – After encryption is concluded, the cybercriminals usually demand Bitcoin or some form of payment for the key to un-encrypt infected files. Ransomware works quickly and quietly in the background before it unveils itself to people asking for ransom.
Short deadline – A pop-up window usually informs the victim that important files have been encrypted and sets a time limit for payment before the private encryption key is destroyed and the files are lost forever.
Ransomware Examples and Recent Variations
Ransomware has grown enormously since CryptoLocker first made a name for itself in 2013. With new strains of ransomware appearing every day, it can be difficult to keep track of what the latest threat is. Here are a few current examples of threats that have been seen in the news:
Cerber installs itself on the victim company’s PC and is activated by enabling macros. After encrypting team members’ files and adding the “.CERBER” extension to them, it asks people to pay the ransom in Bitcoin, and if the ransom goes unpaid for more than a week, the ransom is doubled.
3. WannaCrypt & WannaCry
WannaCry ransomware exploits a Windows vulnerability called EternalBlue to spread quickly. A new variant of WannaCry compelled Taiwan Semiconductor Manufacturing Company (TSMC) to briefly shut down several of its chip-fabrication plants in August 2018.
Originally thought to be a strain of Petya — Two years ago, NotPetya wreaked havoc worldwide. Although it claims to be ransomware, this variant was changed so that it is unable to actually revert its own encryption, meaning you will not get your data back, even if you pay the ransom.
How to Regain Data After a Ransomware Attack
What do you need to do as a business owner if ransomware strikes your business? You should take the following three steps immediately after an infection is discovered. If you work with a managed IT services provider, like Dobson, you should contact them right away so they can help you execute these steps effectively.
Disconnect from the network and stop backing data up immediately
Disconnect the infected machine from the network immediately after the infection is discovered. Not only do some ransomware variants encrypt shared files on the network, but you’re also stopping the malicious software from overwriting clean backups with infected files. You should check and see if any other machines have been affected as well.
Remove ransomware and clean devices of malicious software
If you have a good restore, remove all traces of the ransomware using antivirus software or an appropriate malware remover before proceeding. Don’t test or try to recover data until the ransomware is completely gone. It’s important to note that by removing the ransomware you are effectively forfeiting your ability to unlock files by paying the ransom. This shouldn’t be a dilemma if you have backed up your data to a separate offsite location and don’t intend to pay the ransom.
As an added precaution before you restore files, conduct a test run in Safe Mode on the network to see if there are any additional infected files.
Restore from the most recent uninfected backup
Provided that you maintain consistent backups, locate a clean version of the files, and restore to your most recent backup set. Unfortunately, if you haven’t followed best practices for backup, you won’t have an alternative. You’ll either need to pay the ransom or accept that all of your data is gone.
Ransomware Protection and Procedures
Tip #1: Educate teams on security best practices
Education is still the best way to help your business avoid infection by ransomware download — or any other form of malware. Make your employees aware of popular social engineering methods and tactics so they don’t fall victim to phishing emails or spoofed messages. It’s particularly useful to share examples of these kinds of emails and the types of attachments that are often associated with social engineering attempts. A local outsourced IT provider like Dobson is well equipped to deliver this sort of training to employees in Oklahoma City or anywhere in the state.
Security best practices to share with your staff:
- Don’t open emails from weird or unfamiliar email addresses
- Don’t disable or deactivate antivirus or anti-malware apps
- Don’t download software from torrent sites — direct downloads are desirable
- If you receive an email from a well-known contact that includes an unexpected attachment or link, verify offline that the person actually sent you this message
Tip #2: Continually update operating systems, antivirus and anti-malware software
Most security companies are constantly working on updates to capture and stop ransomware before it infects your files. If you use antivirus or anti-malware services, be sure you are running the most modern versions of these products and do regular updates. Reach out to managed IT service provider, if available, to learn more about how they’re protecting against ransomware to see if there is any extra protection available.
Tip #3: Disable macros in Office documents
Many new ransomware strains fool employees into running macros on Microsoft Office. Macros automate frequently used jobs and hold an arguably serious security risk. If malicious macros are introduced, it starts with one file and quickly spreads.
Tip #4 Set up a cloud-generation firewall
Cybercriminals are releasing new malware variants into the wild at an increasingly rapid pace. A cloud-generation firewall can combat several threats, and some can even detect zero-day threats before they infiltrate the system. Zero-day exploits are expected to increase from one per week to one per day by 2021, so the menace is growing.
Firewalls proactively defend against ransomware instead of just reacting to an attack. “Network security is akin to a home alarm system, whereas BDR is like a homeowner’s insurance policy that comes into play if something is stolen or damaged,” says Brian Babineau, senior VP, and general manager of Barracuda MSP. Thinking of it that way will help you understand the importance of both approaches. Network security, like a cloud-generation firewall, goes hand-in-hand with a comprehensive BDR plan when protecting your business from the most recent ransomware threats.
Tip #5: Back up your data frequently and consistently
Offsite backup is a critical component to a ransomware recovery strategy and should be an integral part of your disaster recovery plan.
Why offsite? Because ransomware infections have been known to infect localized drives and network shares that are mapped as a drive letter on the infected PC. That means if you’re using only a local backup solution, there’s little chance of recovery without paying the ransom because your backups will most likely get encrypted as well.
- Keep manifold versions of your protected files
Certain cloud backup offerings provide the advantage of sophisticated version histories, which is a critical component to successful restores after a ransomware infection. If you only backup a single version of your files, it’s possible that your software has backed up an infected file.
By saving as many revisions as feasible, you have an improved chance of restoring to a pristine version of the data.
- Keep several days’ worth of files
Depending on how frequently you perform backups, it’s possible to store multiple versions of a single file, all of which were backed up the same day. But it’s essential to also back up several days’ — or even weeks’ — worth of files to ensure maximum protection. By retaining clean backups over days, weeks, or months, you give yourself additional safe restore points, raising the likelihood of a successful restore.
- Routinely test your restores
Your backups are only as good as the restore. Test your restores on a frequent basis to make sure your data is being backed up properly.
The FBI wants businesses to take ransomware seriously. “Because of the global reach of cybercrime, no single organization, agency, or country can defend against it,” the organization explained in a recent statement about the growing threat of ransomware.
As a small or mid-sized business in Oklahoma, it is impossible to stop the ransomware epidemic. However, taking the right proactive and reactive measures can help you mitigate the likelihood of an attack for your business. No business, large or small, is immune to ransomware attacks, but you can set your network up for success by following best practices and using the right tools to defend against it.
- Ransomware Damage Report 2017 Edition, Cybersecurityventures.com, Retrieved February 2018.
- What is ransomware?, Microsoft, retrieved September 2016.
- Cryptolocker 2.0 – new version, or copycat?, We Live Security, December 2013.
- CryptoLocker Ransomware Information Guide and FAQ, Bleeping Computer, October 2013.
- Malware Protection Center, Microsoft, Image retrieved February 2018.
- Here Comes Locky, A Brand New Ransomware Threat, Dark Reading, February 2016.
- Locky now using Embedded RSA Key instead of contacting Command & Control Servers, Bleeping Computer, September 6, 2016.
- Combatting the ransomware Blitzkrieg, ICIT, April 2016.
- Cerber Ransomware Has a New Family Member – Cerber3 Has Been Spotted, Virus Guide, August 31, 2016.
- The Ransomware Meltdown Experts Warned About Is Here, Wired, May 12, 2017
- Petya Ransomware Skips the Files and Encrypts Your Hard Drive Instead, BleepingComputer.com, March 25, 2016
- The NotPetya Ransomware May Actually Be A Devastating Cyberweapon, Forbes, June 30, 2017
- Ransomware 2017 Report, Cybersecurity Insiders, Access February 2018.
- Enable or disable macros in Office documents, Microsoft, Retrieved September, 2016.
- Zero Day Report, Cybersecurity Venutres, Accessed February 2018.
- 3 Ways to Supercharge Your BDR Offering, Business Solutions Magazine, September 2016.
- 2016 Vulnerability Review, Flexera Software, March 16, 2016
- 2017 State of Cybersecurity in Small & Medium-sized Businesses, Ponemon Institute, September 2017.
- Cyber Crime, FBI, Retrieved September 2016.