The latest threat to SMBs
In the past few years, we’ve started getting more and more calls about ransomware in our support center. It’s a horrible way to start your day and sadly it is difficult to prevent because one of your network’s users (unknowingly) often causes the issue.
What is Ransomware?
Ransomware is a new way hackers have developed to make life miserable. Attacking both personal and business computer users, ransomware takes existing important files and encrypts them using a unique key. The hacker then offers a ransom for the key in exchange for payment. Without this key, it is almost impossible to decrypt your files.
Prevention by practicing safe computing habits.
System and network users need to be educated on best practices:
DO NOT open unknown, unexpected or suspicious attachments.
DO NOT go past the warning screen about a potentially bad website in your browser.
DO NOT allow your system to run unknown software, macros or updates that pop up out of the blue.
Administrators can also take steps to minimize risks by:
Preventing users without a need from executing Word and Excel Macros via group policy.
Preventing users from having full administrative access to workstations and files. Isolating network shared files to only the files each user specifically needs.
Using read-only access for files needing to be viewed, i.e. reports and marketing materials.
Should I pay the ransom?
No. Paying the ransom feeds the hacker’s success and also makes you a future target for more sophisticated attacks.
NOTE: When you visit the ransom demand website from the hacker’s note, you start a timer. Generally, demands are made in the $500-$1000 range and begin escalating each subsequent hack. In cases of larger intrusions, the ransom may be much higher. Generally this ransom is requested to be paid in Bitcoin.
Not only are good backups the best way to solve this problem, but you have to have the right backup plan in place.
The right kind of backup and retention plan will typically include the following:
Real-time Protection (won’t protect from ransomware alone).
Dropbox or other file sync service. Daily On-site (won’t protect from ransomware alone).
Daily Off-site – retain for 90 days.
Weekly Off-site – retain for 52 weeks.
Monthly Off-site – Retain for 5 years.
With a proper backup and retention plan in place, you will be able to recover from most ransomware attacks. Although recovery is possible, depending on the amount of data you have, this could take quite some time to be in a fully operational position again.
How to Fix
The recovery process can vary based on your specific needs, but the best solution will be similar to the following:
Image your current system state.
This method takes a snapshot of where you are, in case the recovery fails, and you need to start over with the process.
Clean the malware
Use a variety of anti-virus and anti-malware applications to scan the system. Typical programs include:
Stinger by MacAfee
VIPRE Rescue by ThreatTrack
Malware-Bytes anti Malware
Restore your files from backups
View your backups and restore the latest non-infected files.
Typically, when you see ransom messages, it is already too late, and the damage is done. Make absolutely sure you have good backups of your files starting TODAY!
Having a layered approach to security is important. The first line of defense in that layer has to be the end user, the one that’s likely to click the link in the email. User training is the most important and preventative step in guarding your files against ransomware. If you are a small business in need of assistance in preventing ransomware, contact CORETECH today for more information.