Ransomware – What It Is and How to Stop Yourself Becoming A Victim
Bob Sampson, Head of IT at Bray Solutions, shares his advice on ransomware.
“I recently hosted a series of open-door events where clients on any of our serviced office sites could discuss IT security concerns. I was surprised when I realised how few people had ever heard of ransomware, considering last week’s NHS cyber-attack. However, regardless of its publicity, there is still a lot of uncertainty as to what happened, how it happened, and how we can prevent it.
While the NHS is the most high-profile victim in the UK, it is by no means the only one.
Globally, it affects many other small and large corporations. Is it true that no one is safe? In this blog, we look at what happened in detail.
Ransomware is part of a family of viruses known as cryptoware. The malicious payload of these viruses specifically targets critical files on your machine and encrypts them: usually Word documents, Excel spreadsheets, photos or Sage financial databases, amongst others. The virus indexes your hard drive, and any files with the right extension (.doc, .xls, .jpg, etc.) will get encrypted.
Think of a ransomware virus like a burglar in your home. One that finds nothing of worth to him, but items of value to you. So, instead of stealing your family photos, he locks them in a box and leaves a nice note asking for money in exchange for the key.
Viruses – more and more sophisticated as time goes on
As the people writing them move from the typical geeky teenager to complex criminal organisations, the complexity of the viruses is evolving too. It is not unusual for a virus to infect a machine early on but stay dormant, logging key bits of data and sending them out to an external source (data such as passwords, account details, sensitive company documents, etc.).
Then, all PCs (hosts) infected with the virus begin to rapidly, and in synchronisation, encrypt all identified targeted files whilst displaying a message to send an amount of money in the form of Bitcoins (web-based virtual currency) to an address. In return, you’ll receive the code to unlock your files.
The cost of an attack like this comes from two sources.
Either you pay the ransom, which will list you as a potential future target; or you turn off your network, recover core data from backups and rebuild the system, machine by machine. Either way, the financial cost to an organisation often runs to many thousands, whether from the ransom or from the impact on the business. Look at your organisation. If you turned off the PCs for just one day, what impact would it have? How many users couldn’t work? What about damage to your reputation with your clients?
So that is the ransomware virus
It is a huge nightmare for any system. We have backups; however, I know first-hand the disruptive effect an attack like this has. Even with complete backups and the recovery of our entire platform in 5 hours, it was tough managing a workable alternate system in the meantime.
How did it get in? The attack made use of a known vulnerability in Windows. After software manufacturers release new software, they tend to update it regularly as security holes come to light. Microsoft releases patches every month for many different programs; because its software is so widely used, new problems come to its attention all the time.
In the case of the NHS, and others that have been affected recently, the problem most likely comes down to not updating servers and PCs with these patches once released. This highlighted an underlying problem for the NHS, one I’m sure they were very much aware of.
A large portion still ran on Windows XP
This is an operating system whose support ended over three years ago. For three years, those devices missed security updates and vulnerability patches, and ran with unfixed bugs.
How to stop it happening to you? Firstly, understand that there is no guaranteed way to prevent an infection of this kind. What you can do is put in place measures to identify viruses, isolate unusual processes and mitigate threats with decent network policies.
The first rule of malware is:
Talk about malware. Educate your users. They are the biggest threat to your network if left unchecked, but also your greatest ally if you get them on board with network security. Make them understand the ramifications of an attack (lost revenue to the company, possible redundancies as a result). It needs a team effort and I work hard with my users to keep the messages front and centre.
The manufacturers release patches and updates for a reason, so put them on
Bigger organisations need to vet patches and see if they impact any existing systems; if they test OK, get them on the machines. If a patch fixes a security flaw, then all the time you’re not patched, you’re more open to attack.
Invest in security
Too many companies see IT as a cost, rather than an asset. You’d train your staff and invest in them as they invest in the company, right? Well, the same applies to IT and your security. Get a good firewall. A £20 firewall from PC World won’t serve as well as a £200 dedicated firewall device, which in turn is less configurable and less capable than a £2000 device. Boundary security stops the burglar even getting into your house in the first place. The same goes for anti-virus. It’s a small price to pay given the costs if you get hit.
Invest in email scanning and filtering
Email is such a massive threat vector and one of the most common routes into a company for malicious software. Scan for viruses, scan for junk email, scan for dodgy attachments, scan for links in an email that go somewhere other than where they say they do. If you let an infected email, or one with links to viral sites, land on someone’s computer, you’re relying purely on their recognition of the threat. At 4 pm on a Friday afternoon, would you trust that person to notice, and to not open a viral attachment?
Force users to connect to a VPN
If you use Remote Desktop/RDP/Citrix (or anything else that gives you a window on a machine inside your office), force your users to connect to a VPN. If you expose a Windows login to the outside world, this is like having your card in the ATM with anyone able to try as many attempts at your PIN as they like. Sooner or later, they’ll guess the right password. Make users connect over a VPN, a secure link into the office, then run Remote Desktop or whatever over the VPN. It’s a much more secure way of doing it.
Use complex passwords
It’s not rock3t sci3nc3. It can be complex but still memorable. ‘correct horse battery staple’ was a famous example of a much harder to guess, but easy to remember, password. Although a dictionary-word attack would get it sooner than if each word were slightly misspelt (‘crorect hosre batteyr elpats’ would be harder to crack).
Have an IT usage policy
Emailing explicit content around the office, regardless of its inappropriateness, is asking for trouble. Accessing these sites is the IT equivalent of giving your bank details over the phone before asking any questions. A good, comprehensive policy sets the guidelines for what company equipment can be used for and so restricts this potential threat. It can also cover using USB drives that are not owned by the organisation. Found one in the car park? Leaving an infected USB drive in an area outside an office is a known ploy. Drive over it!
For most companies, a lot of the above might seem beyond their financial reach. However, balance it against the impact of an hour, or a day, or a week without the IT. I’ve seen a company send 40 people home for a few days when their out-of-warranty server blew its motherboard. 40 workers, no data, no work (they were completely reliant on the IT) for three days, which would probably have paid the extended warranty cost a few times over.
If enough people get the flu vaccination, the virus struggles to spread easily
Another reason to invest is herd immunity. By making it hard for network viruses to spread, you’re not only protecting yourself, but also protecting the companies you do business with, maybe even your clients.
The prospect of a ransomware attack is one that terrifies most IT professionals. Understanding what the threat is, like many things, is better than ignorance. Once understood, it’s easier to justify a budget for protection for the users, for the network, and, therefore, for the company itself. If there is a good thing to come out of the recent attacks, it’s highlighting the vulnerabilities of so many companies and making employees at all levels give thought to their actions on the web.”
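The synchronised mass-encryption behaviour described above (many files with targeted extensions rewritten within seconds on one host) can be turned into a simple detection heuristic. This is an added example, not code from the original post or from Bray Solutions; the events, host names, window and threshold are all constructed.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# File types the post names as typical ransomware targets.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".jpg"}

# Constructed sample file-modification events: (timestamp_seconds, host, path).
# pc-01 shows normal editing; pc-02 rewrites many targeted files within seconds.
SAMPLE_EVENTS = [
    (0, "pc-01", r"C:\Users\alice\report.docx"),
    (30, "pc-01", r"C:\Users\alice\budget.xlsx"),
    (1000, "pc-02", r"C:\share\q1.xls"),
    (1001, "pc-02", r"C:\share\q2.xls"),
    (1002, "pc-02", r"C:\share\holiday.jpg"),
    (1003, "pc-02", r"C:\share\notes.doc"),
    (1003, "pc-02", r"C:\share\notes.doc"),   # same file again: not a new target
    (1004, "pc-02", r"C:\share\team.jpg"),
    (1005, "pc-02", r"C:\share\plan.docx"),
    (1006, "pc-02", r"C:\share\readme.txt"),  # not a targeted extension
]

def find_encryption_bursts(events, window=60, threshold=5):
    """Return {host: first_alert_time} for hosts that modify at least
    `threshold` distinct targeted files within any `window` seconds."""
    recent = defaultdict(deque)  # host -> (timestamp, path) inside the window
    alerts = {}
    for ts, host, path in sorted(events):
        if PureWindowsPath(path).suffix.lower() not in TARGET_EXTS:
            continue
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window:          # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and host not in alerts:
            alerts[host] = ts                 # first moment the burst is visible
    return alerts
```

In practice the events would come from file-server audit logs or an endpoint agent, and an alert would isolate the host rather than just record a time.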
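One of the email-filtering checks the post calls for is spotting links that go somewhere other than where they say they do. The following is an added example, not code from the original post or from Bray Solutions: it parses an HTML email body and flags anchors whose visible text looks like an address but whose href points at a different host. The sample message and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body: the first link shows one address but
# points at another host; the other two links are honest.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. View it at
<a href="http://login-update.example.net/inv">https://portal.example.com/invoice</a>
or read our <a href="https://www.example.com/help">help pages</a>, or
<a href="https://docs.example.com/x">docs.example.com</a>.</p>
"""

def _host(text):
    """Lower-cased host of a URL or bare hostname, or None if the text
    does not look like an address at all (e.g. ordinary link text)."""
    text = text.strip()
    if not text or " " in text:
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host and "." in host else None

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_deceptive_links(html):
    """Return [(visible_text, real_href)] where the anchor text looks like an
    address but the href goes to a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text.strip(), href) for href, text in parser.links
            if _host(text) and _host(href) and _host(text) != _host(href)]
```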