We in the IT community have been witnessing an alarming pattern in internet attacks. It’s called ransomware and can ruin your day. Find out what it is, why it’s important and what you should be doing to protect yourself and your business.
What is ransomware?
Until the last couple of years, viruses and malware did little more than steal data, disrupt services, cause computers and networks to crash or run very slowly. Other than stealing your information, there wasn’t a whole lot of money in malware creation except for computer repair places, IT companies and anti-malware companies who had the fun job of re-mediating them.
Now the attackers have found a way to make money…lots of money, from you. It’s called ransomware and the profits must be obscene because we are seeing a huge increase in occurrences. Once activated on your computer, ransomware will encrypt or lock all the data it can find that the user who opened the attack has access to. This can be Word, Excel and other files. It can be your music and pictures. It can be located on your hard drive or on a network drive. Once encrypted, the user is given a very helpful popup that explains how to pay for and receive the “decryption key.” They usually want bitcoin because it’s untraceable and they usually don’t give you much time to pay.
How much is the ransom?
The ransoms usually start around 1-5 bitcoin. As of the writing of this article bitcoin are going for $420 per bitcoin. I have seen ransoms go for as little as $100 to as high as $137,000. What they do with the money I can only speculate. I would not be surprise to learn that it goes to terrorist and other criminal organizations to fund their activities.
How does it work?
To understand how it works I like to use an example of a lock box. Let’s say I have a box that I keep special documents and pictures in. I have an engineer devise a special lock for this box. For reasons of my own, there are two keys that work with this box. One key can lock the box but it can’t unlock the box. The second key can unlock the box but it can’t lock it. So if I want to send the box with its contents to someone and I don’t want anyone else to be able to open it. I make sure I give the “unlock key” to the recipient and I lock the box with my “lock key.”
In the world of computers and data, we use keys all the time. Instead of a little metal key with cuts in it, we use a unique long string of letters and numbers. I can take the “lock key” and use it with an algorithm to scramble data in such a way that in order to unscramble it, I need the “unlock key.”
Ransomware works this way. They deploy the “lock key” to your computer via a web site, email attachment, etc. and encrypt all your data with it. Then, they offer to sell you the “unlock key.” If the key were only a few characters long, it would not take long for us to figure it out using software and get you your data back. However, they use very long keys that would take a powerful desktop computer centuries to unscramble.
Who is targeted by these attacks?
These attacks are not targeted. The attackers simply put an attack deployment together and send it out. They then sit back and watch their bank accounts grow. We have seen this type of attack affect home users and businesses of various sizes. Others who have been attacked include:
- Hospitals (http://arstechnica.com/security/2016/02/la-hospital-latest-victim-of-targeted-crypto-ransomware-attack/)
- Radio stations (http://fox17online.com/2015/01/19/plainwell-radio-station-loses-music-library-in-ransomware-attack/)
- Web sites (http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/)
- Police stations (http://www.darkreading.com/attacks-breaches/police-pay-off-ransomware-operators-again/d/d-id/1319918)
- Municipalities and law firms (http://www.marketwired.com/press-release/mdl-technology-responds-to-ransomware-attacks-on-government-agencies-law-firms-2018979.htm)
Just to name a few, and the number is growing exponentially.
Who is doing this?
The best answer I can give is “global internet attackers.” We don’t know for sure but they can be anywhere on the globe and are very good at covering their tracks. I suppose if law enforcement wanted to spend the time and money to try to track a couple of these attackers down they may find a few but would it really be worth it? Attackers are growing in numbers across the globe.
Now just about anyone who is willing to take the risk can deploy one of these attacks. However, if caught, you will probably face serious jail time.
How can you protect yourself and your business?
With the growing number of attacks we all need to start taking this more seriously since your only option to get data back may be to simply pay the ransom. I am still astonished at how often we see a ransomware attack take a business down and within hours of cleaning up the mess (assuming we are able to clean it up), management simply shrugs it off and goes back to business as usual. We always inform our clients of some things that can be done, some of which come at no cost that would mitigate the possibility of an attack or the impact of a successful attack. We recommend every business should, at the minimum:
- Raise your security posture. If you have a business with just an inexpensive internet router connecting your office to the internet, you should know that, for a small investment, you can have an appliance that will monitor and filter internet traffic going to and from the internet. These devices have proven to be very good at stripping these types of attacks from ever getting into your network. Also, if you are protecting your network with those free antivirus programs, look into a real security solution.
- Invest in email security. More and more so, businesses are routing clients’ emails through a security server that, not only blocks annoying spam, but can also prevent emails with viruses in them from ever reaching your inboxes.
- Have several different backups you can rely on to at least get most of your data back. One backup is not enough. You should have at least two backup solutions including an offsite backup. Backups should be monitored and tested regularly. We have seen too many occurrences of data loss only to realize that backups had not been running for some time and no one was aware.
- Have written plans. Most businesses have absolutely no plans or policies regarding their IT and data. Every business that depends on computers and data should have at a minimum:
- An Acceptable Use Policy – A written policy that all employees read and sign outlining what is acceptable use of the company’s computers, network and internet connection. Most people just assume if nobody says anything, there are no rules. With no rules, they may be on various sites that could contain ransomware and other malicious attacks. I have seen business owners destroy their own website by getting viruses off gambling sites they visited on their office computers, then logging in to their online transaction portal to check on daily sales. The contracted virus, uploaded itself to the website and took it down for several days. Thousands of dollars in sales were lost not to mention the cleanup and remediation costs.
- A Business Continuity Plan-This should be a bit more comprehensive. Its purpose is to outline how your business will continue to operate in the event of some sort of disaster or outage. It takes a number of likely scenarios into account and outlines the “what do we do if…” response to each one of them. Anything you can think of should be thought out, discussed and planned for BEFORE the event occurs. “What do we do if…”
- the building burns down
- data disappears
- the servers crash
- the internet goes down
- there is a natural disaster
- A Disaster Recovery Plan – Often a part of the business continuity plan. This is the actual procedure your company and IT staff will follow to get your business back to “business as usual” as quickly as possible. Often includes replacing hardware, and restoring programs and data. Assisting users with getting set up remotely in the event the office is no longer available. It would not be a bad idea to include your IT personnel in these conversations or let them write portions of the plans since IT training often includes these types of procedures.
- A Succession Plan – What happens if the owner or manager gets run over by a bus? Who takes over until we can get back on our feet? People don’t want to consider this until it happens, leaving them with no idea what to do when it does.
As you can see, these are not terribly complicated things. They are simple enough that we tend to just put them off indefinitely. With these types of attacks sharply on the rise, don’t put it off any longer.