On the 16th November 2016 The Daily Telegraph reported that UK organisations had been subjected to an estimated 7 million ransomware attacks in the last year. This was based upon a report from the Federation of Small Business (FSB).
The Guardian on the 3rd August 2016 carried news of a survey of 500 companies. 54% of these in the UK said they had been targeted by a ransomware attack. Overall around one third said they had lost revenue as a result of a ransomware attack.
The police in the UK say that 1 in 4 small businesses have been subjected to fraud, estimating losses to these companies of £18.9bn.
As a professional outsourced IT organisation, we deal with many ransomware attacks, and in this article we give you our advice on how to prevent and deal with such attacks. One word of warning though: there is no simple or easy answer to the ransomware question. Various US Federal Agencies, the entire global anti-virus industry and our own National Crime Agency are on the case, but the war against ransomware is far from over.
What is Ransomware?
Ransomware is software that infects your IT system. Typically, a virus will prevent users accessing their system or their data by locking files. The “lock” tends to use cryptography which is impossible to reverse without a software “key”. The basic idea is that companies need to pay a ransom in real money (US Dollars) or cyber money (Bitcoin) in order to recover access to their files. In some cases, even if the ransom is paid, the files are not unlocked, leading to a double hit on the victim.
In the olden days, viruses were thought of as a sort of cyber vandalism and an inconvenience. Now money is the motivator.
How is ransomware injected into the IT system?
There are many ways that ransomware can infect an IT system; the most common is an infected e-mail attachment. A fairly common approach is to spoof (or fake) an e-mail from someone you may know, or to use an attractive message, for example “Credit Note Attached”. Once you open the attachment there is no immediate sign of the attack, but the virus has been released into your IT system and will, over time, infect and lock your files.
How easy is it to get rid of ransomware?
The fact of the matter is that it is phenomenally difficult to get rid of ransomware. Ransomware uses a fairly high-level two-key encryption system to ensure that it is virtually impossible to decrypt files once affected.
Typical Names for Ransomware
There are various nefarious organisations creating ransomware – some of the more common names used are CryptoLocker, Locky, Crysis, CryptoWall but there are many more.
A typical ransomware message:
Ransomware Prevention & Defence
There is no sure-fire way to defend against ransomware, but these simple steps are helpful in preventing and recovering from ransomware and are, in our opinion, the best way to mitigate losses and company down-time.
Step 1 – Back Up Belts and Braces
Review your back up strategy to make sure that it is working and effective. One of the key attributes of ransomware is that it locks your files and folders. If you are in a position to quickly restore these then you are less threatened, and a good IT company can clean and restore your system. For example, we monitor our customers' back up at least every working day to ensure that it has run and is effective. We also strongly recommend the use of online back-up, perhaps as well as a traditional tape, drive or disc. Sometimes the virus can be spread to the removable drive or tape, rendering your back up useless too. Hence the recommendation for an online system.
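One way to automate the daily check described above, as an added example rather than the tooling this article's authors use: it confirms that the newest backup dates from the last working day and that the archive is readable. It assumes backups are written as `.zip` archives into one directory and that working days are Monday to Friday; the function names and the sample archive are constructed for illustration.

```python
import datetime as dt
import os
import zipfile
from pathlib import Path


def expected_backup_date(today: dt.date) -> dt.date:
    """Latest working day (Mon-Fri) strictly before `today`."""
    day = today - dt.timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day -= dt.timedelta(days=1)
    return day


def check_backup(backup_dir: Path, now: dt.datetime) -> list[str]:
    """Return the problems found; an empty list means the newest backup is healthy."""
    archives = sorted(backup_dir.glob("*.zip"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return ["no backup archives found"]
    newest, problems = archives[-1], []
    # "Has run": the newest archive must date from the last working day or later.
    taken = dt.datetime.fromtimestamp(newest.stat().st_mtime).date()
    if taken < expected_backup_date(now.date()):
        problems.append(f"{newest.name}: stale, last backup taken {taken}")
    # "Is effective": the archive must open, hold files, and pass its CRC checks.
    try:
        with zipfile.ZipFile(newest) as zf:
            if not zf.namelist():
                problems.append(f"{newest.name}: archive is empty")
            elif (bad := zf.testzip()) is not None:
                problems.append(f"{newest.name}: corrupt member {bad}")
    except zipfile.BadZipFile:
        problems.append(f"{newest.name}: not a readable archive")
    return problems


def make_sample_backup(path: Path, taken: dt.datetime) -> None:
    """Constructed sample data: a one-file archive with its mtime set to `taken`."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("accounts/ledger.csv", "date,amount\n2016-11-18,120.00\n")
    os.utime(path, (taken.timestamp(), taken.timestamp()))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_backup(Path(tmp) / "friday.zip", dt.datetime(2016, 11, 18, 20, 0))
        # Monday morning: Friday's backup is current. Tuesday: Monday's run was missed.
        print(check_backup(Path(tmp), dt.datetime(2016, 11, 21, 8, 0)))
        print(check_backup(Path(tmp), dt.datetime(2016, 11, 22, 8, 0)))
```

A passing CRC check shows the archive is intact, not that a full restore succeeds, so a periodic test restore is still needed.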
Step 2 – User Education
Make sure that your team are aware of the ransomware threat. Ask them to read this article.
Ask them to be very circumspect before opening attachments to mails from unknown sources, and mail from known sources that doesn’t look quite right. Make sure users are aware that seemingly attractive offers are there to tempt them.
Pay attention to the software updates from Microsoft and Anti-Virus providers; make sure updates are applied and run.
If they do open an attachment that they suspect after the event, then the best thing to do is to disconnect the PC from the network and switch it off. In general, the first thing that most of these programs do is try to find a network server and encrypt the files on it; disconnecting from the network will stop that process. We can then take the hard disk out of the PC and perform an offline disinfection to ensure the system is clean. But time is critical at this point. Arresting the spread is paramount to removing the issue.
Step 3 – IT Protection
We are very particular about the IT protection that our clients use. No defence system is flawless but the correct measures will greatly reduce your exposure. We use a suite of products that we have found to be superior to competitors in the case of an infection.
This may appear like an age-old story but it isn’t. Not all Antivirus systems are equal. In our experience and in our testing, some are much better than others. Having the right AV system is the first step in building your protection. Your Anti-Virus needs to be reviewed and, if not appropriate, swapped for a modern system that has been developed with ransomware in mind. Our opinion is that many well-known AV systems have simply not kept pace with the times, so we now recommend only one system.
We strongly recommend that all mail is scanned before it reaches your system; there are a number of cost-effective ways to do this.
Again, most organisations have a firewall of some sort but many are the wrong type or configured to an incorrect default. These need to be thoroughly reviewed to tighten up on security.
Step 4 – Report
Many ransomware attacks go unreported. This means that the seriousness of the issue is not fully recognised and hampers the police investigations into the fraudsters. We strongly recommend that all cyber-attack and ransomware demands are reported to www.actionfraud.police.uk.
Taking these steps is a positive way to help to address the threat of ransomware. If you need advice or a plan as to how to deal with these and other virus infections, contact us to discuss your situation and arrange a site visit.