What is Ransomware?
Ransomware is not new and the first cases of CryptoLocker started back in 2013 and most attacks tends to come for outwith the UK. Ransomware has now become so fruitful that many cyber criminals are now running it as a business! To the extent of selling lists of infected and vulnerable PC’s and Servers to other cyber criminals. These people are so organised, some have their own research and development labs.
It has been said that 2016 is the year of Ransomware – and it is only going to get worse!
There are many different types of Ransomware but the most popular are: CryptoLocker, TorrentLocker, CryptoWall, CBT Locker, TeslaCrypt and Locky
How are you getting infected?
Ransomware uses unbreakable encryption such as AES, RSA and Curve ECC. It attacks high value files and it creates a network connection from your network back to the command and control (C & C) server at the attacker HQ, using software, for example, Tor (which is free software that enables anonymous communications). Ransomware works by encrypting your data with a public key, you then get a ransom demand and the only way to release your data is for the attacker to provide you with the private key. This of course, will cost you, and this is where the hackers are clever, they demand a payment of around £300.00 to be paid in Bitcoins, which are near untraceable. The fee is not enough to cause financial damage but enough to make to make it viable to them. Once paid, the hacker will release a private key to decrypt the file. Some hackers are infecting multiple files and offering you one free key to show you that your payment will release the infected files.
What are the delivery methods?
There are two main delivery methods:
- Spam Email Campaigns, using CBT Locker and TorrentLocker. This requires user interaction and can affect patched systems.
- Exploit Kits, these are embedded into legitimate Websites that you may visit. Using CryptoWall and TelsaCrypt they do not require any user intervention and attack mostly vulnerable installed software that has not been patched.
These attacks are becoming more sophisticated and some are even voice enabled and your PC will talk to you. They are well written in perfect English and look real and authentic.
How do you ensure you never have to pay?
- You need to protect your IT systems
- Keep your software up to date. Ensure all of your systems have the latest patches.
- Use virus protection/threat management systems
- Educate users on security protocols, avoid clicking untrusted emails and attachments and look at any unknown file extensions
On the IT side of thing you can take extra precautions:
- Install a good Firewall that has Unified Threat Management.
- Ensure your firewall is blocking Tor and I2P
- Restrict network ports to block ransomware that need to call home to encrypt keys on their C & C Server.
- Disable active-x content in Microsoft Office
- You also need to block binaries from running from popular ransomware installed paths (e.g. %temp% or %appdata%)
You have now taken all reasonable precautions but you are still vulnerable if one gets through. What else can you do?
Backups are now crucial to protect you against ransomware
Backup rules
- All data must be stored in a different locations i.e. on-site and in the cloud or a second site
- Preferably on two different types of media i.e. disk and cloud of disk and tape
- Three copies of data should be kept in an ideal world
Backup best practices to ensure you don’t have to pay.
- Backup all data and systems on all servers
- Replication and Continuous Data Protection is great for low RTO/RPO (Recovery Time Objectives/Recovery Point Objectives) but will also backup the malware alongside your data
- Create archives that are physically isolated from your production systems. This means you can use the archive to go back in time for a clean restore.
- Create bare metal images of all servers, so you can restore to a stable state
- Your DR system should be able to spin up new VMs whilst you recover your productions systems in the event of attack.
- Prepare Now – don’t wait, they cyber criminals wont.
Cloud backup can help you, a hybrid approach is an excellent approach.
- Local backup for fast recovery
- Backup to the cloud offsite
- Archive old data
- Fully automated, no time consuming manual IT intervention
- Can be isolated in the event of an attack
Features you should adopt against Ransomware
- Instant recovery – this is the ability to spin up new servers from backup in minutes while you repair the infected files.
- You need to protect all systems: Windows, Windows Servers and Apple Mac’s etc.
- Ensure your backups are Linux based and not Windows – you don’t want your backup system getting infected!
How can Unleashed help you?
In the first instance, you have to ensure that your security is of a level to protect your business. The Government has recently launched the Cyber Essentials Scheme to raise awareness of cyber-crime. This is an excellent starting point and will help you. Unleashed have qualified Cyber Essentials Consultants.
Business Continuity should be a top priority of every business, if you can’t work, you unprofitable and unable to pay your staff. Ransomware, is an irritant, it is not going to put you out of business, but it can cost you time and money. Data loss is different, if you lose critical data, through virus’s or other methods then you could go out of business.
Unleashed, have spent many years researching and finding the best data management and backup solutions on the market, to suit every budget and business need. Unleashed, believe the most efficient and cost effective backup is a hybrid approach. This means you store data on-site for quick recovery and then send a copy to the cloud. In the event of a ransomware attack or hardware failure you can spin up new servers on-site with access to the local data. If you have a total failure, you can spin servers and data up in the cloud. This means little or no downtime and the ability to react to any ransomware attack quickly and efficiently, without the need to pay.
For more details or free on-site health check, give us a call today on 0333 240 0565 or email unleashyourit@weareunleashed.com