Ransomware has seen a dramatic increase, and some analysts are calling 2016 “The Year of Ransomware.” Ransomware is a particularly nasty kind of malware that encrypts the contents of your hard drive (and usually any network shares it can reach) and then demands payment if you want to regain access to your data. The ransom is almost always demanded in Bitcoin, which is difficult to trace.
We were warned of a significant rise in ransomware when the FBI issued an alert advising that businesses in general, and financial operations in particular, should be extra vigilant. The alert also suggested that smaller companies and individuals would be particularly vulnerable to this type of attack, since attackers may see them as more willing to pay a ransom to get their data back because of inadequate backups and weak disaster recovery planning.
But for ransomware to work, it has to get into your systems, and one of the most common ways a computer or network gets infected is through a phishing email message. For example, you might receive a message that appears to be from a company you deal with. The message claims to contain an invoice, but if you click on the links in the message or open the attachments on an inadequately protected system, a malware payload such as ransomware is launched. Phishing is now the “go to” method for cyber criminals to deploy malware, particularly against healthcare organizations: a number of hospitals have declared internal emergencies over the past two months because of ransomware attacks.
Another sneaky technique often found in these phishing attempts is the use of spoofed sender addresses, so that the message appears to come from staff within your organization. That is how, in January, aircraft parts manufacturer FACC AG lost $54 million, and how, in February, a Snapchat employee emailed company payroll records to a hacker. So what does ransomware look like?
A Real Life Example of Ransomware
Here’s an example of an email message containing ransomware that I recently received, apparently from a company we’d done business with. The screenshot shows my inbox with multiple messages from the Fiverr service about jobs I’d commissioned and, among the valid messages, one (highlighted) that appears to be an invoice. My first reaction when I received this was “I thought we paid for that?” Then I remembered that all of our invoices from this company were paid by credit card. The header looked odd, as did the invoice number, so right then I knew the message was bogus.
I compared it with other emails I’d received from Fiverr and, as you can see below, it’s not formatted convincingly. (Note that we use Outlook for our email, and because it has link and macro protection I wasn’t concerned about opening the message and getting infected with malware.)
As you can see, the formatting and language aren’t at all professional. But if this had been sent to a naive employee who was unfamiliar with the company that apparently sent the invoice, who hadn’t been trained to look out for suspicious messages, and who had an inadequately secured PC, we could have had a serious problem, because the payload in this message was indeed ransomware. (We make sure our employees are trained as soon as they join us and that our PCs are as “hardened” as possible.) We’ve got solid defenses, but what can you do to stay safe, and what are your options if you do contract a case of ransomware?
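The cues described above (a sender that only looks like a known vendor or colleague, a reply address routed somewhere else, an odd header, an attachment that is really an executable or archive) can be checked mechanically before a message ever reaches a naive employee. The script below is an added example written for this page, not code from the article or from Azstec; it uses only the Python standard library and runs on three constructed sample messages. The domain names, the vendor list, the staff name and the extension list are illustrative assumptions standing in for an organization’s real lists.

```python
"""Header and attachment triage for a suspected phishing message.

Added example, not code from the original article: it uses only the Python
standard library and runs on three constructed sample messages.  It reports the
cues the article describes -- a sender that merely *looks* like a known vendor
or colleague, Reply-To/Return-Path routed elsewhere, and a risky attachment.
INTERNAL_DOMAIN, TRUSTED_SENDER_DOMAINS and KNOWN_STAFF are illustrative
assumptions standing in for an organisation's real lists.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                 # assumption: our own mail domain
TRUSTED_SENDER_DOMAINS = {"fiverr.com"}         # assumption: vendors we expect mail from
KNOWN_STAFF = {"bill jones"}                    # assumption: names attackers might borrow
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".zip", ".rar", ".docm", ".xlsm"}

# Constructed sample 1: a fake vendor invoice carrying a zip, like the one in the article.
FAKE_INVOICE = b"""From: "Fiverr Billing" <billing@fiverr-invoices.net>
Reply-To: <collect@mail-drop.example.net>
Return-Path: <bounce@mail-drop.example.net>
To: ap@example.com
Subject: Invoice #00123 past due
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice. Payment is overdue.
--b1
Content-Type: application/zip; name="invoice_00123.zip"
Content-Disposition: attachment; filename="invoice_00123.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample 2: "Bill from accounting" asking HR to change his direct deposit.
FAKE_COLLEAGUE = b"""From: "Bill Jones" <bill.jones@example-mail.net>
To: hr@example.com
Subject: Update my direct deposit
Content-Type: text/plain; charset="us-ascii"

Can you switch my direct deposit to the account below before Friday?
"""

# Constructed sample 3: a genuine-looking vendor message that should pass.
GENUINE = b"""From: "Fiverr" <billing@fiverr.com>
To: ap@example.com
Subject: Your order is complete
Content-Type: text/plain; charset="us-ascii"

Your order has been delivered. No action is needed.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no cue fired."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    display_name, from_addr = parseaddr(from_header)
    from_domain = domain_of(from_header)
    findings = []

    # 1. Display name borrows a vendor or company name, but the address lives elsewhere.
    for trusted in sorted(TRUSTED_SENDER_DOMAINS | {INTERNAL_DOMAIN}):
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_domain != trusted:
            findings.append(
                f"display name '{display_name}' imitates {trusted} but address is {from_addr}")

    # 2. Display name is a known colleague, but the mail did not come from our domain.
    if display_name.lower() in KNOWN_STAFF and from_domain != INTERNAL_DOMAIN:
        findings.append(f"'{display_name}' is a staff name but address is {from_addr}")

    # 3. Replies or bounces are routed to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")

    # 4. Attachment types that can carry an executable payload.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has risky type {ext}")
    return findings


if __name__ == "__main__":
    for label, sample in (("fake invoice", FAKE_INVOICE),
                          ("fake colleague", FAKE_COLLEAGUE),
                          ("genuine", GENUINE)):
        print(label, triage(sample) or "no findings")
```

The fake invoice trips four checks (imitated vendor name, Reply-To and Return-Path on a third domain, and a zip attachment), the “Bill from accounting” message trips only the staff-name check, and the genuine vendor message trips none. None of these checks open the attachment; they are a cheap first filter, not a substitute for scanning and user training.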
1. No Private Webmail
In a cybersecurity presentation in Houston last November, Andy Sawyer, Director of Security at Locke Lord, an international law firm, said that last year the firm had been getting two or more successful ransomware attacks in-house every week. After they eliminated the use of staff personal webmail on their networks, the ransomware attacks virtually stopped. If you’re responsible for your organization’s security, you should consider blocking employees’ use of personal webmail from company computers: mail read through a personal webmail account bypasses the filtering and attachment scanning applied to your corporate mail. If employees need to access their private email at work, they can use their smartphones.
2. Security Awareness Training
Simply being aware of cybersecurity issues makes a huge difference in staff behavior, and specific training in identifying and avoiding phishing attempts is a must. Because the methods hackers and malware creators use to trick users constantly change, it’s important to keep your users up-to-date. After all, everyone knows their friend isn’t really stranded in Montenegro waiting for a wire transfer, but what if “Bill” from accounting sends you a request to update his direct deposit details? Many untrained people won’t question the origin of a well-crafted phishing email, especially one carrying a seemingly normal request. While malware infections can result from the actions of hackers attacking your network from outside, by far the most common way they occur is through this kind of “social engineering,” and ongoing security training of all staff is the best defense.
3. Keep Your Defenses Up-to-Date
Hopefully your company already has software and hardware defenses in place at the edge of your network as well as on every computer in your network. But are these defenses kept up-to-date? It’s crucially important for these systems to be kept current; otherwise there will be security holes that a hacker might exploit, and it only takes one successful attempt to cripple your network. If that attempt involves ransomware and you’re not prepared, it’s conceivable that you could go out of business! An important aspect of these defenses is not allowing employees to bypass or shut off automatic updates. Azstec has published additional resources about these issues that are available for free (see the resources section below for links).
4. Have Good Backups
In the event of a successful ransomware attack, you have three choices. The first is to pay the ransom, which is usually a bad idea because there’s a good chance you won’t get your data back anyway. Even if you do get your data back, the time required to resolve the problem will be significant, and some or all of your business will be on hold for the duration while you negotiate, acquire Bitcoin, wait for responses, and so on.
The second choice is simply to erase all of the ransomed data and start over. That may be practical for the contents of a single PC, but it’s going to be a big problem if the affected system is a network server. The third choice is to roll back your systems to the last “clean” backup. Whether you erase and start over or restore from a backup, you’ll still have to reconstruct whatever data isn’t in that backup, and whichever choice you make, the cleanup required to ensure that you haven’t got a hidden malware infection waiting to strike again is going to be expensive and time-consuming.
The Bottom Line
Staff training and hardware and software defenses will go a long way toward keeping your organization safe from malware in general and ransomware in particular. But mistakes happen and defenses sometimes get breached. The reality of dealing with a successful ransomware attack is that you need a comprehensive, effective backup strategy if you want to minimize business downtime. That strategy has to keep at least one copy offline or otherwise out of reach of an infected machine, because ransomware routinely encrypts any backup drive or network share it can write to. It also has to include a verification process to ensure that if you have to restore your systems, the restore will actually work (you’d be surprised at how many organizations fail to do this, with predictably disastrous results).
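The verification step deserves to be more than a checkbox. The script below is an added example written for this page, not Azstec’s tooling or anything from the article: using only the Python standard library, it archives a directory, records a SHA-256 manifest of every file at backup time, restores the archive into a scratch directory and diffs the result against that manifest. Its second run shows why the manifest you compare against must come from a known-clean state: a backup job that runs after ransomware has replaced a file archives the damage without complaint, and only the comparison with the last clean manifest reveals it. All paths and file contents are constructed for the demo.

```python
"""Backup, then prove the restore works.

Added example, not the article's own tooling: standard library only.  It archives
a directory and records a SHA-256 manifest at backup time, then restores the
archive into a scratch directory and diffs the result against that manifest.
The demo's second run shows why the manifest must come from a known-clean
state: a backup job that runs after ransomware has replaced a file archives the
damage without complaint, and only the comparison against the last clean
manifest exposes it.  All paths and file contents are constructed for the demo.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def hash_tree(root):
    """Map every file under root (relative path, POSIX separators) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def make_backup(src_dir, archive_path, manifest_path):
    """Write a .tar.gz of src_dir plus a JSON manifest of what it contained."""
    manifest = hash_tree(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for name in sorted(os.listdir(src_dir)):
            tar.add(os.path.join(src_dir, name), arcname=name)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(archive_path, manifest_path):
    """Restore into a scratch directory and compare with the manifest.

    Returns a sorted list of problems; an empty list means the restore reproduces
    exactly the files recorded at backup time.
    """
    with open(manifest_path) as f:
        expected = json.load(f)
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                if hasattr(tarfile, "data_filter"):      # Python 3.12+ and backports
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        actual = hash_tree(scratch)
    problems = []
    for path, digest in expected.items():
        if path not in actual:
            problems.append(f"missing after restore: {path}")
        elif actual[path] != digest:
            problems.append(f"content changed: {path}")
    problems.extend(f"unexpected file in backup: {p}" for p in actual if p not in expected)
    return sorted(problems)


def demo():
    """Back up a constructed file share, verify it, then repeat after a simulated infection."""
    with tempfile.TemporaryDirectory() as work:
        share = os.path.join(work, "fileserver")
        os.makedirs(os.path.join(share, "finance"))
        with open(os.path.join(share, "finance", "payroll.xlsx"), "wb") as f:
            f.write(b"constructed spreadsheet contents")
        with open(os.path.join(share, "notes.txt"), "w") as f:
            f.write("constructed notes\n")

        clean_archive = os.path.join(work, "clean.tar.gz")
        clean_manifest = os.path.join(work, "clean.json")
        make_backup(share, clean_archive, clean_manifest)
        clean_result = verify_backup(clean_archive, clean_manifest)

        # Simulate ransomware: the spreadsheet is replaced by an encrypted copy.
        os.remove(os.path.join(share, "finance", "payroll.xlsx"))
        with open(os.path.join(share, "finance", "payroll.xlsx.locked"), "wb") as f:
            f.write(os.urandom(64))
        # The next scheduled backup archives the damage and its own manifest agrees...
        later_archive = os.path.join(work, "later.tar.gz")
        make_backup(share, later_archive, os.path.join(work, "later.json"))
        # ...so the check that matters is against the last known-clean manifest.
        infected_result = verify_backup(later_archive, clean_manifest)
    return clean_result, infected_result


if __name__ == "__main__":
    for label, result in zip(("clean backup", "backup taken after infection"), demo()):
        print(f"{label}: {result or 'restore verified'}")
```

In production the manifest would be stored with the offline copy and the restore test run on a schedule, on a machine other than the one being backed up; the point of the demo is that “the job ran without errors” tells you nothing about whether what it saved is the data you will need.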
This article is not intended to give you all of the answers to the very real and growing danger of ransomware, but to make you more informed about the issues and point you to additional resources. We’ve published several guides to help you, including our “Azstec Cybersecurity Handbook” and our “Answers to Your Cybersecurity Questions” e-book, both of which are available with a free 2 month trial of docNCRYPT™, our document and email security software that’s ridiculously simple to use.
Just follow the link to our website, click on the green button and finish the checkout process, and we’ll email you a copy of both guides as well as your free license key for docNCRYPT (no personal information is required, just your email address). Our Cybersecurity Webinar, which covers the big picture of business cybersecurity, is also free and available on demand. We’ve received lots of compliments from those who have watched it, and I highly recommend you take the time to view it.
David Griffith used to have a normal life, but he’s now living and breathing cybersecurity as the CEO of Azstec LLC, the creators of docNCRYPT, the incredibly simple document and email security solution for everyone. If you have any comments or questions, email David at dgriffith [at] azstec.com, or follow the Azstec Blog, or Azstec on Twitter or LinkedIn.