Ransomware, in its simplest form, is a type of malicious software that demands the user or users of an infected device pay a ransom, which can be in any currency or in a number of other forms of payment. A good analogy would be a hostage situation, and I’m sure we are all aware how nasty they can sometimes turn out to be.
One of the most common versions of ransomware, that most of us have heard of, is CryptoLocker. Now can any of you guess what the ‘Crypto’ part of this nasty piece of code means? You guessed it, it’s short for Cryptography, which is the foundation on which encryption algorithms are built.
CryptoLocker is a piece of ransomware that users can receive in a number of different ways. The most common is as an attachment to an email that, at first glance, looks to be from a legitimate sender. The attachments are usually .zip files, as this prevents a lot of spam filtering solutions from seeing what is hidden inside, and this is usually where the ransomware is stored.
Once the attachment is extracted, there is normally what looks like a simple office document. If the user opens the document, the ransomware will be loaded onto their device.
The first thing the ransomware does is have a private key generated on the infector’s server; the ransomware on the device is then told to use this key to randomly generate more keys for it to do its work.
Its work is not very harmful at all in one sense: it does not actually do much, and it won’t harm your device’s operating system or how it functions. What it does is look on all local drives on the device for every file type it has been configured to look for. It then encrypts each matching file with the keys generated from the infector’s server.
Whilst this is going on most users won’t notice anything until it’s too late. The ransomware often has enough time to encrypt all of the users’ files on their device, resulting in nothing opening as it should and notifications of corrupt files. Ransomware can also encrypt files on shared drives, resulting in other users having trouble opening files.
In most cases, once the ransomware has finished encrypting files, it opens a window on the infected device stating that all the files on the device have been encrypted. Often it will then tell the user that they have 24 to 48 hours to pay the ransom, or the private key used to encrypt all of their files will be deleted from the attacker’s server.
So just picture the scenario: nobody can access the files they need to do their work, IT are frantically looking for the device that started the encryption off, and the whole business comes to a standstill. All of this, just because the designer of the ransomware wants 2 bitcoins from you to decrypt all of your files.
See, encryption really can be used against us and very efficiently!
Recovering from ransomware
You’ll need to recover from this disaster and get your users back up and running. The approach you take will depend on how you want to deal with the ransomware’s demands. You could pay the ransom, or start recovery from your last backup; either way, you should try to find the original device affected and take another look at your security systems. There are lots of valid actions that need to take place in a very short time frame.
If you have been in this situation, but never found out why this happened or your current IT services provider didn’t give you an explanation, then feel free to get in touch with Acora. We can get to the root cause of the issue and suggest improvements that can be made in order to stop this from happening in the future.
The main thing to do is find the culprit device and remove it from your network ASAP, and then start the recovery process.
Personally, I would never pay the ransom, as this only encourages them to develop better and more efficient code that can repeat this process on millions of devices worldwide. Even if they’re only demanding bitcoins, I still wouldn’t recommend paying the ransom. The process to get bitcoins is dangerous and involves entering the dark corners of the internet, which introduces more risk to your business.
The safest and most reliable solution is to ensure that your backups and security systems are up to date and conform to your business’s RTOs and RPOs. Again, if this is something you’re unsure of and require advice on how to plan for, please get in touch.
If your backups are working, you should be able to restore them once you have removed or cleaned the culprit device from your network, and your business can carry on as normal.
However, as mentioned in my previous blog, backups do not always work and in some cases take a long time to administer, which, in situations like the above, can put your business in a very difficult position.
Acora can consult with you to design an adequate backup solution which can then be implemented and configured as per the agreed design. If you have a managed service from Acora, then we will monitor and maintain the entire backup process for you. We can implement two products, of which we’re certified partners, which help alleviate the risks highlighted by this type of event. The two products we use are AlienVault Unified Security Management (USM) and LAN Desk.
AlienVault USM is a bundle of 5 AlienVault products in 1 appliance, whether that be a physical appliance, a virtual machine or a cloud-hosted version of the USM. The 5 products assist in the following areas:
- asset discovery – this discovers all devices on your network with its advanced scans before anything nasty does
- behavioural monitoring – this monitors activity on your devices and looks for suspicious patterns to identify potential security breaches
- vulnerability assessment – this scans each device it is aware of with a list of known vulnerabilities to help you identify the weaknesses in your network
- SIEM – this is where you configure all of your devices to send their logs and events, so the USM can identify issues with devices if/when they are being attacked or exploited
- intrusion detection – this identifies malicious traffic on the network and alerts you to how the attack is being actioned, so you can stop it and deal with the issue at hand
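As an added example (not Acora’s code and not a feature of any product mentioned here), this is the kind of correlation a SIEM could run over file-share audit logs to pick out the culprit device that started the encryption off: one host changing many distinct files within a short burst. The log format, hostnames, paths, the appended `.encrypted` extension and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed: burst window examined per host
MIN_FILES = 5                   # assumed: distinct files changed before alerting

# Constructed sample audit lines: "<ISO time> <host> <action> <path>".
SAMPLE_LOG = """\
2016-03-01T09:00:01 PC-ALICE WRITE /shares/finance/budget.xlsx
2016-03-01T09:00:40 PC-BOB WRITE /shares/hr/policy.docx
2016-03-01T09:02:00 PC-CAROL WRITE /shares/finance/budget.xlsx
2016-03-01T09:02:00 PC-CAROL RENAME /shares/finance/budget.xlsx.encrypted
2016-03-01T09:02:01 PC-CAROL WRITE /shares/sales/leads.xlsx
2016-03-01T09:02:01 PC-CAROL RENAME /shares/sales/leads.xlsx.encrypted
2016-03-01T09:02:02 PC-CAROL WRITE /shares/hr/policy.docx
2016-03-01T09:02:02 PC-CAROL RENAME /shares/hr/policy.docx.encrypted
2016-03-01T09:02:03 PC-CAROL WRITE /shares/sales/DECRYPT_INSTRUCTIONS.txt
2016-03-01T09:05:00 PC-BOB WRITE /shares/hr/handbook.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|RENAME|DELETE|READ) (\S+)$")
CHANGE_ACTIONS = {"WRITE", "RENAME", "DELETE"}  # reads are not encryption evidence

def parse_log(text):
    """Group change events by host as (time, action, path); skip malformed lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, action, path = m.groups()
        if action in CHANGE_ACTIONS:
            events[host].append((datetime.fromisoformat(ts), action, path))
    return events

def find_culprits(text, window=WINDOW, min_files=MIN_FILES):
    """Return {host: (distinct files in worst burst, dominant extension)}."""
    alerts = {}
    for host, evs in parse_log(text).items():
        evs.sort()  # sliding window over time-ordered events
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            files = {p for _, _, p in evs[start:end + 1]}
            if len(files) >= min_files:
                # The dominant extension is supporting evidence, not the trigger.
                ext = Counter(p.rsplit(".", 1)[-1].lower() for p in files).most_common(1)[0][0]
                if host not in alerts or len(files) > alerts[host][0]:
                    alerts[host] = (len(files), ext)
    return alerts
```

Running `find_culprits(SAMPLE_LOG)` flags only PC-CAROL, which is the host to isolate from the network before restoring the share from backup.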
LAN Desk offers similar functions to AlienVault USM; however, it focuses more on the management of all devices in your network, without the security features AlienVault offers. The areas that LAN Desk covers are as follows:
- asset discovery & inventory
- asset management
- MDM management
- software licensing management
- operating system provisioning (both Windows & Mac)
- driver management
- software deployment
- alerting & monitoring
- enterprise Apple management
- remote control
- power management
- in-depth reporting (customisable)
Both of these products fit perfectly together to help manage your network and help keep it secure.
In conclusion, to ensure you’re defended against ransomware…
- Make sure you have backups, in any form, that conform to your RTOs and RPOs.
- Ensure that your protection systems, e.g. anti-virus, are always up to date.
- Ensure that your operating systems are as up-to-date as they can be.
- Educate your users in what to look out for and give them simple rules to follow. Tell them if they’re not sure about an email or an attachment, not to open it! Call the sender to confirm legitimacy if they’re unsure.
- Most importantly, seek advice from peers. We’re happy to help and assist you in protecting your business.