Ransomware Protection Strategies for Small Business

I was chatting with a lawyer yesterday about cybersecurity and he mentioned that he has heard that law offices in our county have been hit with ransomware in the last few months. Law offices are a ripe target for ransomware because the confidentiality and integrity of their records are vital. Lose their records, lose their business. The same applies to many other small businesses.

What is ransomware? Ransomware is malicious software used by a criminal to deny the rightful owner of a computer system access to vital system resources and demand payment to restore the resources. Usually, ransomware encrypts data and demands Bitcoin or other untraceable cybercurrency payment for decrypting the data.

What should these offices and other small business do to protect themselves from ransomware? I suggest a two-pronged approach: prevention and damage control.

Prevention

Take steps to avoid a ransomware assault in the first place. The practices below are basic cyber hygiene for everyone that will lessen the chances of all forms of cybercrime.

  • Use a good anti-virus scanning utility. Keep it up-to-date and scan regularly.

    Wondering which utility? Windows Defender, the default Windows 10 anti-virus is a good choice. It’s already installed, doesn’t get in the way, and does a competent job. Are 3rd party tools better? The anti-virus business is highly competitive. Which utility is best changes rapidly. I use Windows Defender myself because it is convenient, and Microsoft has invested in keeping Defender among the best, which is good enough for me. Whatever you do, use an anti-virus utility and keep it up to date.

  • Use only supported operating systems and applications and subscribe to automatic updates. New vulnerabilities show up every day. Accept the manufacturer’s help in patching up the holes as the appear.

    If you don’t trust your vendor’s updates, get rid of their software. If you don’t, you put your business at risk. The only exception to this rule is when you have special software that is frequently broken by security patches. At that point, you are strapped and dependent on the maintainer of your special software. Avoid this situation if you can.

  • Be cautious of links in web pages, emails, and messages. If a link looks dodgy, skip it. Be doubly cautious about attachments to emails and messages. If you are not sure where something came from, don’t open it. If there is a question, call the sender and confirm that it is legit. Links and attachments are the most common entry points for ransomware.

Damage control

If you are diligent in following these three practices, a criminal will have a hard time entering your computer system and might pass it by for easier prey, but you have no guarantee. Let your guard down an instant and you are vulnerable. A smart criminal who is intent on assaulting your system is likely to eventually succeed no matter what you do. However, if you plan ahead, the game is not over when you get a ransom note. Your backups are critical in recovering from a ransomware assault and a lot of other computer system mishaps.

  • Backup your system regularly. I favor reputable cloud backup services because they tend to be automated and trouble free. The most likely time for ransomware to hit is the day someone forgot to run backups, or the janitor switched off the external backup drive by mistake.
  • Test your backup system regularly. All backup systems are complex mechanisms that sometimes fail. Your only assurance that they are working is a recent successful test. I always assume that a backup system that has not been tested recently does not work. I have seen disasters in the aftermath of backup systems that were assumed to be working but were not.
  • Protect your backups. Smart ransomware attempts to mash your backups. Put up barriers to protect them. Check the documentation on your system or talk to your IT technician on how to do it effectively.
  • Have a plan. A rock-solid backup system is the foundation for recovery but consider what you will do the instant a ransom note pops up. I suggest immediately ceasing all activity, detaching from all external networks, and running a virus scan. Then contact an experienced technician for help. Do not shut the system down or restart if you can avoid it. Some recovery methods depend on recovering data from memory that disappears on shutdown or reboot.

Call law enforcement

Local law enforcement may not be able to help because the criminal is likely to be in a different state or country. Keep them informed anyway. Unreported crimes encourage law breakers. Some states have cyber crime task forces with real muscles that work with the FBI and the Department of Homeland Security to shut these operations down. If local law enforcement can’t help, report the crime to the FBI’s Internet Crime Complaint Center. (IC3) If cyber crimes are not reported, funds will not be allocated to fight cyber crime and laws will not be written or changed to reflect the injuries done by these criminals.

Consider cyber insurance

Cybercrime is not that different from conventional theft and damage. I understand that cyber business insurance is becoming more common. I am not familiar with the costs involved or the efficacy of the policies, but your business insurance agent is likely to be able to help. Nonetheless, remember that avoiding or controlling damage is less disruptive to business than insurance compensation and insurance seldom makes up the whole cost of an assault.

A final note

Ransomware and other forms of cyber crime are real threats. In 2016, over 1.3 billion dollars in losses were reported to the FBI. Those who take steps to protect their business will suffer less and may completely avoid becoming victims.

 

Ransomware– You Don’t Have To Pay!

Monday, 3/28/16, what appears to be a ransomware attack forced a hospital in Maryland and Washington D.C. to shut down their network. Ransomware attacks on hospitals have been increasing. Attacks on individuals are also on the rise.

Ransomware is the most direct route from a victim’s wallet to a hacker’s pocket. The hacker infects a computer, tablet, or phone with malware that makes a threat and demands a ransom. Extortion. Pure, simple, and lucrative. Ransomware has extorted hundreds of millions of dollars from innocent victims during the last few years. Despite some notable busts, the number of assaults has increased each year for several years.

The Course of an Assault

An assault follows a predictable course. The initial infection comes from executing an attachment from a malicious phony email, or clicking a web site that is a drive-by infector. Then comes the threat and demand—the choke and puke, as it is called. The victim is ordered to pay, usually in bitcoins.

Threats

Sometimes the threat is idle. The victim might click on a dodgy site that promises salacious celebrity photos. Shortly thereafter a realistic image pops up that looks like it came from the FBI, the county prosecutor, or whoever. The pop up accuses the victim of downloading something illegal. Send money and the charges will be dropped. Another variant pops a message saying that the victim’s computer is infected with a deadly virus. Buy this expensive software to clean it up or suffer the consequences. In most cases, threats like these are entirely bogus. A good anti-virus scan will probably take care of the infection.

File Encryption Threats

There is another type of ransomware that is a more serious threat. These infections disable the victim’s computer by encrypting the victim’s files. The encryption is strong and nearly impossible to decrypt without the key, which the hackers will gladly supply, for a ransom, usually between three hundred and eight hundred dollars for an individual. Businesses are hit for larger ransoms.

These criminals are ruthless and heartless. Lately, hospitals have become a favored target, no doubt because the threat to patients ups the urgency. A hospital in the Los Angeles area recently paid out $17,000 to get their files back. Around a dozen other hospitals have been hit.

Solutions

This threat is so effective, on at least one occasion, the FBI recommended paying the ransom, but you don’t have to fall victim to these file encryption attacks.

First, follow basic cyber hygiene. Don’t open email attachments unless you are absolutely certain the email is from a trusted source. Don’t visit dodgy web sites. Use an anti-virus and run scans regularly. Keep your system and anti-virus up to date. These steps will protect you from infection in most cases.

If your defenses don’t protect you, a good backup will still keep your data safe. What makes a good backup? It must be kept current, either by frequent runs or continuous backup. Most ransomware will encrypt any drive that is accessible to the infected computer, so your backup must not be connected directly. The easiest way to do this is with a reputable cloud backup service, not a cloud storage service. Cloud storage services, such as Dropbox or OneDrive, will not provide a full restore. They can help, but a regular backup is more likely to completely restore your system.

Using backups, Methodist Hospital in Kentucky was able to recover from a ransomware attack that put the hospital into an internal state of emergency for four days. They did not pay the demanded ransom.

In a Pig’s Eye

If you have a reliable backup, when the ransom demand appears, raise your right hand in a fist and shout out “in a pig’s eye,” completely reinstall your OS to get rid of the malware, restore your data files from your backup, and return to normal. You might not need to completely reinstall, but reinstalling is a sure way to remove all malware. You will have to update and patch the system. That will probably be automatic, but you should check.