Thursday, April 23, 2015

Kidnapping Your Data

Ransomware attacks at several of our customers over the past several weeks – including two in the past five days alone – speak to the urgency with which you should understand this threat and take action.

Ransomware, of which CryptoLocker and CryptoWall are the best-known examples, is malware that encrypts your data and then demands money to free it. So far, we've had some luck in mitigating the data loss for some customers that have been hit. Good backup practices in those cases saved the day.

First response is essential

I can't stress this enough: Call us immediately – but don't wait for us to arrive before starting the first steps outlined below.

The key first step is to right-click the ransom note (usually a text file in the same directories as the encrypted files), select Properties, and look at who owns that text file: the owner of the note is the user account that is infected.

Next, get any machine(s) off whatever network that file owner might have been using around the date/time the note was created. Turn it off. Don't turn it back on until the operating system has been reloaded.

We'll want to look at every ransom note text file on the drive to make sure you don't have more than one infected machine. Do not delete those ransom note files: They're not infected, and they'll tell us how far the malware got before it stopped. They also hold important information should your worst-case recovery option – paying the hackers – become the only option.
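As an added example (not code from the original post or from CTG), the following Python script does at scale what the steps above describe by hand: it walks a share, finds every ransom-note file, records who owns each note and when it was written, and groups the results by owner so you can see which account (and therefore which machine) was writing notes and over what time window. The filename patterns in NOTE_PATTERNS and the sample share the script builds for a stand-alone run are constructed assumptions; owner lookup here uses POSIX file ownership, whereas on a Windows file server you would read the NTFS owner (for example with PowerShell's Get-Acl) instead.

```python
"""
Ransom-note triage helper (added example, not part of the original post).

Finds ransom-note files under a directory tree, records each note's owner
and write time, and summarizes them per owner so the responder can tell
how many accounts were writing notes and during what time window.

Assumptions (not from the post):
  * NOTE_PATTERNS is an illustrative list of filename patterns; real
    families use many names, so extend it for the case at hand.
  * Ownership is read with POSIX st_uid/pwd; on a Windows file server
    you would read the NTFS owner instead (this script does not).
  * Notes are written once, so st_mtime is used as the creation time.
"""
import fnmatch
import os
import tempfile
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

try:
    import pwd  # POSIX only; absent on Windows
except ImportError:  # pragma: no cover
    pwd = None

# Illustrative patterns (assumption), matched case-insensitively.
NOTE_PATTERNS = ["DECRYPT_INSTRUCTION*", "HELP_DECRYPT*", "HELP_YOUR_FILES*"]


@dataclass
class Note:
    path: str
    owner: str
    created: float  # epoch seconds


def is_ransom_note(name):
    """True if a filename matches one of the note patterns (case-insensitive)."""
    upper = name.upper()
    return any(fnmatch.fnmatchcase(upper, p) for p in NOTE_PATTERNS)


def owner_of(path):
    """Return the owning account name, falling back to the numeric uid."""
    st = os.stat(path)
    if pwd is not None:
        try:
            return pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            pass
    return str(st.st_uid)


def find_notes(root):
    """Walk the tree and collect a Note for every matching file."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_ransom_note(name):
                full = os.path.join(dirpath, name)
                notes.append(Note(full, owner_of(full), os.stat(full).st_mtime))
    return notes


def summarize(notes):
    """Group notes by owner: count, first/last write time, directories touched."""
    by_owner = defaultdict(list)
    for n in notes:
        by_owner[n.owner].append(n)
    summary = {}
    for owner, group in by_owner.items():
        times = sorted(n.created for n in group)
        summary[owner] = {
            "count": len(group),
            "first": times[0],
            "last": times[-1],
            "directories": sorted({os.path.dirname(n.path) for n in group}),
        }
    return summary


def build_demo_tree():
    """Create a constructed sample share (not real data) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="ransom_triage_demo_")
    t0 = 1429800000  # arbitrary constructed epoch time
    layout = {
        "finance/HELP_DECRYPT.txt": t0,
        "finance/HELP_DECRYPT.html": t0 + 5,
        "finance/budget.xlsx": t0 - 86400,        # ordinary file, not a note
        "hr/DECRYPT_INSTRUCTION.txt": t0 + 600,   # same owner, ten minutes later
        "hr/policy.docx": t0 - 86400,
    }
    for rel, mtime in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.utime(full, (mtime, mtime))
    return root


def report(summary):
    """Print one line per owner plus the directories where notes were found."""
    for owner, s in sorted(summary.items()):
        first = datetime.fromtimestamp(s["first"], tz=timezone.utc)
        last = datetime.fromtimestamp(s["last"], tz=timezone.utc)
        print(f"owner={owner} notes={s['count']} "
              f"window={first:%Y-%m-%d %H:%M}..{last:%H:%M} UTC")
        for d in s["directories"]:
            print(f"    {d}")


if __name__ == "__main__":
    report(summarize(find_notes(build_demo_tree())))
```

Run it against the root of a file share instead of the demo tree; an owner whose notes span several directories and a short time window is the account to pull off the network first, and a second owner in the output means a second infected machine.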

Now that you’ve (hopefully) mitigated the problem’s spread, start lining up your recovery options.

1. Do you have a good recent backup? A good backup solution can reduce the amount of data lost to hours, or, at worst, days. Days might not be a big deal depending on the volume of changes to a file. The proposal you wrote a year ago? Not a biggie. Your accounting database? Probably a biggie.

2. Pay the ransom. Unfortunately, you might have to balance the ransom cost with the value of that hijacked data. At least you won't have ABC News doing a story on you, like a certain sheriff's department in that link above. The good news is that these efforts are specifically intended to generate revenue. In an odd bout of honor among thieves, they’ll want to unlock your files after payment because, if they don’t, then no one will pay.

Why? Why? Why?!! (or should that be How?? How?? How??!!)

The first thing we hear is "How did this happen? I have anti-virus running!" That doesn't really matter. In fact, we've seen in one case that anti-virus programs were blocking less than 20 percent of malware.

The latest efforts have gotten even more sophisticated. Where once you had to actually do something – such as click on a link or ad, go somewhere potentially suspect, or download software – now you just need to visit your favorite well-known website (think big trusted organizations with ads on their sites). This has gotten pervasive enough to get its own name: malvertising. Yes, those flashy (pun intended) ads that pop up and try to get your attention are the vector for this exploit. I'll skip repeating what other news stories or blogs say, and we can go on to some good suggestions to avoid this issue.

How to avoid ransomware

While you might be tempted to move to a remote cabin in Montana or disconnect the Internet entirely, you do have other viable options. But they come with some trade-offs, such as Web pages not rendering how they're intended or having to occasionally let scripts run on a site that requires it. Get hit once and lose critical data, and those trade-offs become more tolerable.

1. Choose your browser wisely. I rarely use Internet Explorer unless a vendor's site is still locked into some proprietary Microsoft Web technology. Consider switching to Firefox or Chrome. Most of the security analysts I know and listen to use Firefox as their primary browser.

2. Add some extensions (add-ons) to your browser. Add and enable Flash and script blockers, which will stop ads and scripts from running automatically and potentially delivering the malware to your machine. For Firefox, I have FlashBlock and NoScript running. Each gives me the option to enable Flash or scripts on a case-by-case basis, but nothing runs automatically. For Chrome I use FlashControl and ScriptSafe.

3. Stop clicking on shortened URLs. Those things can take you anywhere, and you won't know until it's too late. I know that kitten pic that someone tweeted about is incredibly tempting. Don't do it. At least not on a company PC.

4. Keep your applications and operating systems up to date. When security patches and updates are released, make sure you are installing them routinely.

5. User awareness is paramount. You can't take adequate precautions without being aware of the dangers. Given the ever-changing threat landscape of the Internet, make awareness a recurring theme. Over the next few months, we'll be putting together a regularly published newsletter that you can forward to your employees.

6. Good backups are the answer. That statement probably stands on its own. Whether it's some outsider encrypting your data or a disk drive failing, you want to be able to get that data back.

The bad guys are getting more creative, and your traditional firewalls and anti-virus are no longer enough to hold off the horde. CTG is ready to come in and consult on ways to better protect your data from thieves, vandals and kidnappers.

Jeff Garell is co-founder of CTG.
