Security

Ransomware damage can be minimized with these 11 actions

ransomware

Ransomware is a real threat to Australian small businesses.

Around the world, it has caused millions of dollars of damages. Companies that fall victim to their data being encrypted with ransomware and having to pay a ransom have really only two options: recovery from backups or pay the ransom, but paying a ransom does not necessarily get you all your files back.

Here are 11 points you can implement right now as a small business to help reduce your chances of getting infected and in the event that you do get infected, minimise the risk as much as possible. The information in this guide results from firsthand experiences we have had from dealing with ransomware.

 

Backup every day.
Every day that you don’t backup is an extra day you have to recreate work lost. While most small businesses can easily recover from 1 day of lost work, trying to recover from a month or 3 months is very hard and sometimes impossible. Apart from the time it takes to recreate the files lost there is also the current work demand happening to make it very hard to cope. The best way to ensure you have a daily back is to setup an automatic backup and then monitor it
regulary.

If you do local backups
If you are backing up to an external drive there is a high risk of the backed up data also getting encrypted. Just recently we were called out to a company that uses external USB drives for their backup. They got hit with the CryptoLocker malware which encrypted not only the computer the malware arrived on, but also the network shares and the backup drive that was attached to the server. This company did have another external backup drive, but they last swapped it 4 weeks ago. If only they swapped it the night before they could have restored that backup and avoid having to pay the ransom.

The takeaway here is if you backup to a local external drive make sure you have more than one drive and swap them daily. The more drives you have and the more regularly you swap them the more chance you have of a full recovery.

Use cloud backup
A client of ours recently fell victim to a ransomware. It encrypted all the documents on her drive and then started on the company share encrypting all the data stored on there too. Since we provide managed IT services to them we had their company share configured to sync to a cloud service for remote access and act as a backup. We simply wiped the encrypted share and re-synced it with the cloud copy. No data was lost and very little time was lost getting them back up and running. Best of all the extortionist never got a cent!

When looking at using the cloud for backup ensure you have fully researched the cloud vendor or your IT consultant has chosen a good cloud backup vendor that can provide you with a secure and reliable backup.

Test your backup
Whether you are backing up to an external drive or a cloud service it’s always a good idea to test your backup. Restore a few files every month or two and make sure you can open them. If your backup software has reported your backup has been successful it generally is. However restoring a file from backup and opening it gives you that level of assurance that it is working properly.

Educate your staff
Most malware requires user interaction to execute, especially if it is via email. It pays to regularly remind and re-educate your users. It only takes one click to open an infected email and your whole business can come to a screaming halt. Below are 3 quick tips you can show your staff today to help them recognise a potential malicious email.

  • If an email looks suspicious it is.
  • When asked to click on a link inside an email hover your mouse over it first. If the domain does not look familiar or is not the same as the email senders domain treat it as suspicious. Example: You get an email from Australia post and in it is a link to click to help you track the parcel. The Australia Post domain is auspost.com.au. If you hover over the link and get something like 23de.mlook.ru well that’s not Australia Post and so is likely a link to a malicious site.
  • Most companies don’t send out mass emails with attachments. Instead, they send notifications of bills or parcel tracking. To be safe go directly to the website yourself and don’t click on the link in the email.
  • If you get a zip file or a Word doc arriving in your inbox be very suspicious unless you were expecting the email from someone you know (even then it’s a risk).

Implement a mail filter
While mail filters don’t provide 100% protection against mail threats they certainly reduce your chances. We’ve recently compared two companies; one with and the other without any mail filter. The company without the mail filter received tens of malware-containing emails per day versus the company with the mail filter that hardly received any. Having no mail filter makes it more likely for your staff to click on an infected mail while they daydream. The best mail filters are those which filter mail before they arrive into your mailbox. We recommend cloud mail filtering services to our clients.

Use standard accounts
Most user accounts have full administrative access meaning they can perform any administrative task on the computer. These included installing programs and changing important system files. As a best practise make all your user accounts standard users (only allows them to execute programs, create and delete user data). Have one account that is the administrator account. That way when a virus executes on your computer it can only do as much damage as a limited user account can.

Take account of what is not backed up
It’s common for a user to save documents on their desktop or their documents folder instead of the location where files are backed up. If you backup your server, then all files must be stored on the file share. As an exercise go around to each computer and have a look at what files are being stored outside of the folders where backups get done. I bet you’ll be surprised at what you find. Any file that is not backed could be permanently lost if it gets hit by ransomware. Can you afford for that to happen?

Have a disaster recovery plan
Most small businesses would have no idea what to do in the event of an IT disaster in their business. Getting your data encrypted is surely a disaster if you have not prepared for it. The best way to prepare is to have a professional IT consultant access your current environment from the view of what-if. If the professional is learned in today’s technologies and threats he should be able to make worthwhile recommendations. Beware of the IT guy entrenched in his old ways of thinking. The landscape in our environment is forever changing what was a threat 2 years ago is not a threat today.

Invest in a UTM
Unified Treat Management is a device that sits at the border of your network. It’s configured to scan traffic for known threats coming into the network. A UTM device worth its weight in gold can detect known malicious traffic trying to enter via email or the web and block it. It’s another layer of defence to help you protect your business assets.

Run a malware scanner in addition to a virus scanner
Virus or security software is forever trying to catch up with threats out in the wild (internet). None of the virus protection software will always detect malicious software and block them. We have found they all have periods where they do well and then they miss stuff. The most recent ransomware we had to deal with had a well-known virus protection software on all the machines and it was up-to-date. The ransomware still slipped through without any alarms being raised. We recommend running a secondary malware scanner like Malwarebytes or HitMan Pro. These applications can run in conjunction with your current security products. As a rule don’t run two antivirus software on the same computer as this can cause system issues.

What do you do if you do get hit by ransomware?
Here are a number of things we recommend you do if you realise you have been the victim of a ransomware infection.

  • Disconnect the computer from the rest of the network. This will help reduce the chance of networked file shares getting infected too.
  • Disconnect your backup drives. If they have not been encrypted yet then you might be lucky enough to restore from them.
  • Don’t try to remove the ransomware. In some cases, it can cause more damage to your files and make it impossible to recover them.
  • Call a professional. If your data is important to you it’s better to call an IT professional that have dealt with this type of situation before. Make sure they have as they could do more damage than good.
  • Don’t pay the ransom just yet. You have some time so to work out your plan of action. Paying the ransom does not guarantee you your data back, but it could be your only hope. I can tell you this from experience. A lot can go wrong during the entire process and neither you nor the extortionist have control over it. Speak to a pro and calculate the risks then go from there.
  • Rebuild the computer that got infected. It should be wiped and started fresh.

We hope this guide has provided you with some good tips to help you protect yourself from ransomware and in the unlikely event, you do fall victim, you have an action plan.

Elscomm provides professional IT services to small businesses based in Sydney. We’re always up-to-date with the latest technologies, helping our client keep current and ahead of their competition.

Want to contact us? Tel: +61 2 8188 9777 or [email protected]

Did you enjoy reading this article and want more? Click here to get future articles from us