Are you absolutely certain that you have done everything necessary to protect your company’s confidential data from security threats?
Certainly, in the IT world we are more aware of the inherent dangers of surfing the web, downloading files or inadvertently putting information at risk through an innocuous-looking download, but even with this understanding, many companies choose to believe they are adequately covered. Current estimates indicate that antivirus captures 3% of the threats out there. Social engineering hacks and other such exploits have made it relatively easy for attackers to gain access to your system through any firewall, any IDS/IPS and any antivirus/anti-malware product.
If you have the time, watch David Kennedy’s amazing video of how this type of exploit can occur. It gets very technical, but stick with it because around 23 minutes in he states, “Getting a shell [access to a system] is easy nowadays…it is what you do with it.”
So what is ransomware, and why is it more deadly than ordinary virus, malware and worm infections? Because of the reason behind the attack. The damage is not just a malicious way to get back at businesses and society; it is a way of making money. Because of the profit motive, more and more threats are appearing. With the speed of modern computers, once a threat takes hold, the damage is done quickly, leaving little time to switch off and stop the progression. Anything that is attached, from a single hard drive to a shared directory on the file server, will be scanned and infected.
A few weeks ago, one of our clients was hit with a ransomware attack, and it wasn’t pretty. This particular attack came from an email, which was launched by one person. The ransomware encrypted the shared directory on the file server and 200,000+ files were held ransom.
Luckily, we had drilled home the importance of backup, and we were able to help. Bear in mind that this is still no simple task. In this instance, the only option was to restore from backup.
The good news is that a recent survey confirms the increased awareness of ransomware and how companies are choosing to react. When ransomware attacks, the defense profile is identical to that for a standard virus attack:
- Determining where the infection is coming from
- Taking steps to stop it from continuing
- Defining what has been damaged
- Remediating the damage, either by restoring from backup or (in some cases) attempting decryption yourself
- Making sure it does not happen again
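The first three steps of that profile (where did it come from, what has been damaged) are usually worked out by walking the affected share. The script below is an added example, not code from the original article: it takes constructed file records (path, owning account, last-write time, content) standing in for a directory walk, flags files that carry a ransomware-style extension or whose content has near-maximal Shannon entropy (plain documents sit far below 8 bits per byte), separates out the ransom notes, and then groups the hits by the account that wrote them. The account with the earliest damaged write is the first workstation and mailbox to look at. The extension list, the note-name hints and the 7.5 bits-per-byte cut-off are illustrative assumptions, not a complete signature set.

```python
"""Scope ransomware damage on a file share and locate the originating account.
Added example (not from the article); sample records are constructed inline."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Extensions that ransomware families commonly append (illustrative, not exhaustive).
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt", ".enc")
# Substrings seen in ransom-note filenames (illustrative assumption).
NOTE_NAME_HINTS = ("readme", "decrypt", "how_to", "restore")
# Bits per byte above which content is treated as encrypted/compressed (assumed cut-off).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (maximum 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify(record: dict) -> str:
    """Label one file record as 'note', 'encrypted' or 'clean'."""
    name = record["path"].rsplit("/", 1)[-1].lower()
    if name.endswith(".txt") and any(h in name for h in NOTE_NAME_HINTS):
        return "note"
    if name.endswith(SUSPECT_EXTENSIONS):
        return "encrypted"
    # Files encrypted in place keep their name; high entropy still gives them away.
    if shannon_entropy(record["data"]) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "clean"


def triage(records) -> dict:
    """Scope the damage and point at the account whose writes started it."""
    by_owner = defaultdict(list)   # owner -> damaged paths
    first_write = {}               # owner -> earliest mtime of damaged data
    notes = []
    for rec in records:
        verdict = classify(rec)
        if verdict == "note":
            notes.append(rec["path"])
        elif verdict == "encrypted":
            owner = rec["owner"]
            by_owner[owner].append(rec["path"])
            if owner not in first_write or rec["mtime"] < first_write[owner]:
                first_write[owner] = rec["mtime"]
    # The account with the earliest damaged write is where to look first:
    # its workstation/session is the most likely launch point.
    origin = min(first_write, key=first_write.get) if first_write else None
    return {
        "damaged_files": sorted(p for paths in by_owner.values() for p in paths),
        "by_owner": {o: sorted(paths) for o, paths in by_owner.items()},
        "ransom_notes": sorted(notes),
        "likely_origin_account": origin,
        "first_seen": first_write.get(origin),
    }


def build_sample_share() -> list:
    """Constructed records standing in for a directory walk of a file share."""
    encrypted = bytes(range(256)) * 4            # uniform bytes: entropy 8.0
    text = b"Quarterly figures and commentary for the board, constructed sample.\n" * 8
    t = lambda h, m: datetime(2016, 3, 14, h, m)  # constructed timestamps
    return [
        {"path": "/share/hr/handbook.pdf", "owner": "akumar", "mtime": t(9, 15), "data": text},
        {"path": "/share/finance/budget.xlsx.locked", "owner": "jsmith", "mtime": t(10, 2), "data": encrypted},
        {"path": "/share/finance/forecast.docx", "owner": "jsmith", "mtime": t(10, 3), "data": encrypted},
        {"path": "/share/hr/README_DECRYPT.txt", "owner": "jsmith", "mtime": t(10, 5), "data": text},
        {"path": "/share/eng/notes.txt", "owner": "bchen", "mtime": t(10, 20), "data": encrypted},
    ]


if __name__ == "__main__":
    report = triage(build_sample_share())
    print(f"{len(report['damaged_files'])} damaged files; ransom notes: {report['ransom_notes']}")
    print(f"Earliest damaged write by {report['likely_origin_account']} at {report['first_seen']}")
    for owner, paths in report["by_owner"].items():
        print(f"  {owner}: {len(paths)} file(s)")
```

On a real share the records would come from a directory walk that reads the owner and modification time from the filesystem; the entropy check matters because some families encrypt in place without renaming, so an extension list alone understates the damage. The damaged-file list is exactly what the restore step needs, and the per-owner grouping tells you which account to disable and which machine to isolate before the restore starts.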
Ransomware is insidious. It can creep out of extremely safe-looking attachments. It can sneak in from code embedded in website advertisements. It can be delivered by a social engineering attack, where the attacker calls up an employee of a company and tricks them into clicking on a “company” web page, which begins the attack.
You can no longer assume that the user was doing something untoward to start the encryption. Think about it. It is bad enough when a single C: drive is infected. The device can be wiped and restored, and the user is without his system while the infection is cleared. But what happens when it is a network share, corporate drive or SQL database? The company can be crippled.
With our client, we went about correcting the problem, which took several days and many man-hours to complete. Truth be told, if they had been aware that they could pay a $500 ransom and get the information back through a decryption key, I think they would have been sorely tempted. Bear in mind that 900 users were affected.
The US Government says it does not negotiate with terrorists, but these are not terrorists; they are kidnappers. There is a dilemma when you are dealing with information. Paying a relatively small ransom seems far easier than wasting man-hours and paying charges to restore from backup. There is a certain relief in the knowledge that all is not lost and all can be regained, but in essence this is still about paying a ransom. Those in the IT department know that restoring from backup can certainly be done, but that it is not a simple task. How strange that many companies prepared to pay the ransom end up grateful for the encryption key!
Make certain your backups, virus and malware protection are always up to date, and run regular tests. To be consistently safe, backups should be continuous, not just nightly. Companies like Code42 or Druva offer real-time backup for just about everything. Another lesson often learned the hard way is that antivirus software is only as good as the threats it knows. New viruses, malware and ransomware are popping up regularly with no simple solution other than a backup restore. And, most importantly, educate your users! Never trust anyone. If someone says they are from HR, call them back.
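"Run regular tests" is the part most shops skip, and a backup you have never restored from is an assumption, not a backup. The drill below is an added example, not code from the article or from any backup vendor: it records a SHA-256 manifest of a share at backup time, compares the live share against that manifest after a simulated incident (which shows the scope of the damage as modified, missing and unexpected files), then restores from the copy and verifies that the restored tree matches the manifest exactly. Everything runs inside a temporary directory on constructed sample files; the paths, file names and the in-place copy standing in for the backup job are assumptions for the demo.

```python
"""Backup restore drill: hash manifest at backup time, verify after restore.
Added example (not from the article); sample data is constructed in a temp dir."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large documents do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, tree: Path) -> dict:
    """Compare a tree against the manifest captured when the backup was taken."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    current = build_manifest(tree)
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)          # file gone since the backup
        elif current[rel] != expected:
            report["modified"].append(rel)         # content changed (e.g. encrypted)
        else:
            report["ok"].append(rel)
    # Files present now but absent at backup time: ransom notes land here.
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def restore_drill() -> dict:
    """End-to-end drill on constructed sample data; returns both verification reports."""
    work = Path(tempfile.mkdtemp(prefix="restore_drill_"))
    try:
        live = work / "share"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "budget.xlsx").write_bytes(b"Q1 budget, constructed sample\n")
        (live / "policy.docx").write_bytes(b"Leave policy, constructed sample\n")
        manifest = build_manifest(live)            # captured when the backup job ran

        backup = work / "backup"
        shutil.copytree(live, backup)               # stand-in for the real backup target

        # Simulated incident: one file overwritten with high-entropy bytes, one note dropped.
        (live / "policy.docx").write_bytes(bytes(range(256)) * 4)
        (live / "README_DECRYPT.txt").write_bytes(b"constructed ransom note\n")

        damage = verify_restore(manifest, live)     # step 3: define what was damaged
        shutil.rmtree(live)
        shutil.copytree(backup, live)               # step 4: restore from backup
        after = verify_restore(manifest, live)      # prove the restored tree is whole
        return {"damage": damage, "after_restore": after}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = restore_drill()
    print("damage:", result["damage"])
    print("after restore:", result["after_restore"])
```

In production the manifest is written alongside each backup set and kept somewhere the ransomware cannot reach (offline or on an immutable store), because a manifest that is encrypted along with the data proves nothing. Scheduling `verify_restore` against a scratch restore of last night's set is the cheapest way to find out that the backup is broken before you need it.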
So what is the message? Be as vigilant as you can, educate your users, and put a plan in place to help them look out for possible threats or suspect files. In short, if you don’t know who sent it, don’t know who you are talking to, or don’t know what the message on your computer means, don’t proceed further.
What is your strategy if ransomware hits your company tomorrow?