Posted on

Steps To Respond To a Ransomware Attack


Cybersecurity is an important topic for any business now. In the last 12 months, 32% of businesses experienced some sort of cyber attack or data breach. That means that every third business had to deal with a cyber-attack, according to the Cyber Security Breaches Survey 2019 by the UK Department for Digital, Culture, Media, and Sport. It goes without saying that every business should prepare for a ransomware attack and other types of cyber-attacks.

Keeping your assets secure against cyber threats requires much more than installing firewalls and anti-virus software. Today’s cyber threats are sophisticated and use every possible loophole in your security settings to gain access. While there are different types of attacks, ransomware is one of the most malicious attacks businesses have to deal with.

What’s a Ransomware Attack? 

Ransomware is a type of attack where malicious software (malware) takes over a computer or whole systems and denies any type of access until you pay a ransom. The ransom demand usually requires payment in cryptocurrency like Bitcoin, as it’s impossible to trace it. 

It is one of the most dangerous types of attacks, as it can stop a business dead in its tracks. In case the ransom is not paid, all data will be deleted from the system. 

This is bad enough if it happens to an individual. Imagine this happening to your company – you will lose all business and operational data, and you’ll have to start all over again. Some businesses never recover.

Preparing for a Ransomware Attack

The bad news with ransomware attacks? It can happen to anyone, and once it does, there’s not much you can do. 

But you can prepare for it. Here’s how: 

Data backup should be your number one priority.

It can save you thousands, even millions, but it has to be done right, which means protecting your backup storage properly. Ransomware attacks are carefully executed, and attackers will often have access to your systems for months before they strike.

Why? Because they want to make sure they hijack everything, including any possible backups you might have. 

This is why you should keep backups in a separate location. It is best to have backups in the cloud but also to keep at least one backup offline – completely disconnected from any network – as even cloud backups can sometimes be affected.

Make sure IT keeps all systems and software up to date.

Although updates are often a hassle, they exist for a reason. Most updates are released to take care of security vulnerabilities. When software and operating systems are not updated, you are basically inviting hackers to access your systems. Your IT department should ensure every device is up to date. 

Start implementing user restrictions.

Not all of your employees need access to all your data. Ask your IT provider to implement user restrictions so that your employees have access only to data they need. In case they need more, they can request special and temporary access that is revoked as soon as they don’t need it anymore. This way, in case their accounts are compromised, the breach will be limited. 

Invest in monitoring software. 

You can get powerful software solutions that monitor your entire environment for suspicious activity. This goes beyond regular antivirus monitoring – it can track what users are doing and what data they are accessing, and alert you when something is out of the ordinary.

Don’t forget about employee training.

No matter what type of security software and solutions you utilise, if your employees are not aware of cybersecurity best practices, you are always just one bad click away from a ransomware attack. Make sure your employees know how to spot suspicious emails, and that they should never click the links in such emails or download their attachments.

Work on your BYOD policies.

Many businesses, especially small- and medium-sized ones, often allow employees to bring their own devices (BYOD) to work. Without a good policy in place, however, this becomes a security issue. 

If an employee brings an infected device and connects it to the same network, you’re looking at a possible spread of infection – and ransomware – to all other devices and the whole system. Because of this, any device connecting to your system should be up to date, have antivirus software, and be cleared by the IT department regularly. This goes for smartphones too.

First Steps After a Ransomware Attack 

1. Take a photo of the note

This will help IT determine what type of ransomware you’re dealing with.

2. Determine the extent of the attack 

Your IT provider should be able to determine whether the ransomware has infected a single device, or if the infection is spreading through your network.

3. Isolate infected devices and disable sharing

All infected devices should be removed from the network to stop the spread. Any type of sharing that’s active should be shut off immediately. 

4. Notify employees

Send an email to all employees so that they can report whether their devices are working. Those who can work can continue, but those affected can help in other areas while IT deals with the issue. 

5. Let IT remove ransomware from infected devices 

IT should completely wipe the devices that were infected. Sometimes a local backup on the device can solve the issue, but often even that will be unavailable.

6. Restore data from backups

Once you reinstall the operating systems, your IT can restore data on affected devices from a cloud or offline backup.

To Pay or Not to Pay? 

If you’re not prepared and have no backups, you might be tempted to pay. Take this year’s ransomware attack on the City of Baltimore’s government. Their systems were infected by ransomware that stopped numerous important systems: ATMs, airports, even hospitals. 

The attackers demanded that the city pay about $76,000 in Bitcoin. The city refused to pay, only to realise that many of their systems weren’t backed up. They lost huge amounts of data, and the attack ended up costing them $18 million.

It seems that in the case of Baltimore, it would have been much better if they simply paid the ransom. Well, not really. 

Why? 

You’re dealing with criminals. Even if the city had paid the ransom, there’s no guarantee that they would have regained access. And if they had, they would have become a prime target for future attacks, since they had already shown they would pay. This is why it’s so important to prepare – it will minimise damages.

Conclusion

Everyone’s at risk of a ransomware attack. Preventing it is next to impossible, but preparing for it is more than possible. Your IT provider should back up your data regularly, and you should make sure your employees know how to spot phishing attempts. When you prepare for a ransomware attack properly, you can minimise its impact and save yourself from monetary and reputational damage.


The Different Tactics Hackers Use to Gain Access to Your Computer

We’d all like to think that hackers spend weeks on end planning their every move before attacking a business, but the truth is nowhere near as exciting. Although this can happen to a big target, for most people it’s a lot more mundane: they get ‘accidentally’ caught in the net as hackers looking to make a quick buck send out malware or ransomware en masse, hoping someone will fall into the trap.

That doesn’t mean the effects aren’t any less devastating!

So, to make sure you can protect yourself, let’s look at the different tactics hackers use to try to steal your business’ data.

1. Relying on Human Error

We’re sorry to say that, in our experience, a lack of education in businesses and human error by employees account for a large portion of breaches. Examples include employees accessing internal systems from unsafe locations, using personal (infected) devices on the network, or clicking malicious links in an email. Hackers cast their net far and wide, and the likelihood is that someone will click something and open the door. And that’s all they need.

Hackers also prey on the lack of oversight business owners have over their employees. According to Keeper Security’s State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report from 2017, 59% of small businesses have no insight into the types of passwords their employees use. This means that although the company is liable for a breach, it is not enforcing, or even aware of, the security standards of the passwords in use.

2. Phishing

Phishing is one of the most common tactics hackers use. It usually takes the form of an email spoofed to look like it comes from another sender, such as your bank or ISP. It will urge you to act immediately or you might lose your account, lose money, or face penalties. Phishing or social engineering was behind 48% of the attacks on companies last year.


3. Public/Free Wi-Fi

Public computers and Wi-Fi networks are notorious for being plagued with malicious software that “sniffs” for data packets while you are using them. You risk losing your account data as soon as you type in your password. 

4. Phone Calls

Surprisingly, these still work and remain one of the tactics hackers use! Hackers have been known to ring you claiming to be your bank or an organisation you’re affiliated with and ask you to confirm details over the phone: banking PINs or passwords, for example, or family details such as your mother’s maiden name, to get the answers to your ‘security questions’ or take a stab at your password. If a phone call feels suspicious, never hand over your data; simply tell them now isn’t a good time and hang up.

5. Weak Passwords

Lazy, generic and consequently weak passwords are the easiest way for hackers to get access to your accounts. Many small business owners admitted that, while they still have password strength policies, 68% do not enforce them. A generic or commonly used password like 12345, makes it easy for hackers to gain access to your email or computer.


6. An Out-of-Date OS

While nobody likes how long OS updates take, they exist for a reason: to address flaws within the code that can potentially be exploited. Without regular updates, you enable easy access to hackers who are aware of the weak points.

7. Infected Attachments

It’s not just the links in an email you should be wary of. Attachments masked to look like images or documents often carry viruses, malware, or spyware, such as a keylogger that installs on your device and records your every keystroke to capture your passwords.

8. Dodgy Devices

Be wary of devices handed out to you as “freebies”. In many cases, hackers load malware or keystroke loggers onto them so that, as soon as they are plugged into a computer, they infect it.

9. Pineapples – Spoofed Wi-Fi Points

A Wi-Fi pineapple is a fake Wi-Fi access point set up purely to steal your data while masquerading as public Wi-Fi. From the hacker’s point of view, they have multiple programs running to capture your traffic; to the unsuspecting user, they just connect as usual and, voila, the hacker has instant access to their data.

10. Unsuspecting Accessories

Your new smart lock, phone-controlled thermostat, network-connected camera, card reader or any other online accessory all have access to your network. If they aren’t protected correctly, hackers can use them as easy points of entry to your network and get to your data that way!

Unfortunately, we’ve only just scratched the surface of the tactics hackers use to access your data and your files, and this is why we are firm advocates of using file protection as part of your cyber security strategy. That way, hackers can’t read the data in your files once you’ve been breached, which protects the data stored within them.

To get automatic file and email encryption for small businesses using Microsoft’s Azure Information Protection, click the image below to get half off our course on udemy:


Data Breaches Aren’t Just Your Users’ Fault (Infographic)

As IT guys, it’s very easy to blame users for data breaches, but it’s not always just their fault.

Sure, they need to update their passwords, stop handing out information and stop clicking on suspicious email links. But the buck stops with you as their IT professional. We thought these statistics from IS Decisions’ research into IT security managers in both the UK and US were very enlightening.

They show that compromised credentials are one of the main causes of data breaches, and we must remember our users are human! It’s up to us to help limit the risk by:

  • Forcing users to change their password frequently – even if they hate us for it
  • Making sure policy dictates a different password for each program or part of the system
  • Giving regular training on phishing and the data security issues that affect them – and not assuming they will know something is off when they see it
  • Being approachable so that any issues are quickly reported

Doing these small things can make a big difference in data security and protection, minimising the risk of a breach due to compromised credentials. The infographic and its statistics, with some interesting results, follow:
Infographic: Security Breaches from Compromised User Logins


Making sure You’re Protected From RANSOMWARE Attacks

All Disaster Recovery plans include ways of dealing with fires, floods or earthquakes, but they do not mention RANSOMWARE attacks. Why is that, and what should you do if you want to be protected?

This article includes:
1. Defining RANSOMWARE as a disaster
2. How to avoid getting infected by RANSOMWARE programs
3. How to deal with an infection after it has happened
4. Structure of backup and fast replication systems
5. Conclusion

It may come as a real surprise to most of us that many major organizations and companies have high-quality DR/BCP plans that do not include preparedness for RANSOMWARE attacks.
Disaster recovery planning usually gives a sufficient response to events caused by natural disasters (such as massive floods, fires, etc.) or even to events caused by human error or malicious actions. At the same time, the possible damage from RANSOMWARE attacks is frequently left by the wayside, with IT departments not assuming full responsibility for the consequences of such events.
Is a RANSOMWARE attack a disaster event? In my professional opinion, it is, and very much so! The definition of a disaster event in the IT environment should be driven by the event’s business impact and by the level of downtime the organization experiences because of it.
I am convinced that RANSOMWARE attacks should be defined as disaster events that can frequently cause a total shutdown of the organization; therefore there is a need to plan for this kind of attack as for any other significant disaster.
RANSOMWARE attacks have already caused widespread damage to various organizations, such as major hospitals, causing financial damage as well as endangering human lives. This proves once again that RANSOMWARE attacks should be classified as disaster-level events and dealt with accordingly.
Having concluded that dealing with RANSOMWARE attacks should be part of your Disaster Recovery (DR/BC) Plan, we need to know how to prepare for it.

How to prevent being infected by RANSOMWARE

This is a theme for an entire separate essay, but these are the main steps every organization should undertake on this issue:
1. Raising personnel’s awareness of the dangers of such an infection
2. Reducing the number of Admin authorizations to the absolute minimum, and making sure that those authorizations are given only to the employees who really need them
3. Control over software inside the office – you need to work on a strict WHITELISTING basis, so that only pre-authorized applications can run on your company’s IT network (mapping all the software inside the company may take time, but it is worth it)
4. Blocking execution of applications from sensitive locations such as APPDATA
5. Blocking all scripts throughout the organization except the whitelisted ones
6. Using anti-virus software with features that provide protection against RANSOMWARE; anti-virus programs without those features cannot be considered worthy of the name

Nowadays there are more steps to be taken, of course; I will describe them at length in a separate, forthcoming article.

How to deal with RANSOMWARE infection

This chapter is the most relevant to the issue, as it is only a matter of time until your organization is hit by a RANSOMWARE attack. IT professionals have to be fully ready for the “day after” that follows such an event. The process of dealing with a RANSOMWARE attack should be part and parcel of your DR planning.
In my professional opinion, the best way to deal effectively with such an event is to ensure fast restoration of your data and servers, together with an immediate forensic investigation that will help to locate the way your organization got infected in the first place.
The decision on whether to initiate restoration of a file, a folder/directory, a server or a whole server cluster has to be taken according to the level of infection and its influence on the company’s operations. There is a need for a clear Rule Book that defines when to step up from restoring a single file to restoring the whole server. In such situations there is usually not enough time to deliberate on the possible consequences for the company; the best way is to operate according to a clearly delineated Rule Book compiled from calculations and projections made well before the emergency occurs.
My professional experience has exposed me to multiple cases in which organizations lose precious hours or even days trying to figure out in real time “what to do” instead of “doing it”.
This is when the proven methodology of the Disaster Recovery Plan should kick in and save the besieged organization, with employees and managers working according to pre-approved, clearly defined and pre-tested process stages. All employees should know their roles in the process well, what to do and when – this will result in the company quickly returning to routine full-capacity operation.
Below you can find a concise template of a Disaster Recovery process for organizations dealing with RANSOMWARE attacks:

  1. RANSOMWARE identification – the identification can come from a server monitoring system, or from HELPDESK staff who get complaints from users about files or folders that “do not open/do not work”
  2. Absorbing the information about the infection and performing the initial analysis of the event – which files are affected, in which department, in which directories; this will help to identify the computer that was the source of the infection
  3. Isolating or detaching the affected sector of the company’s IT network so that further infection is prevented
  4. Making the crucial decision of whether to restore only certain files/directories or the whole server/server cluster – this decision should be taken by the appropriate manager according to the chosen indicators, as projected in the DR plan
    a. Usually the trigger indicators are defined as follows:
      i. If the infection is found in one separate department/unit and only a few files are infected there – only those files, or the folders containing them, may be restored
      ii. If there are indications that the server itself (its system files or databases) has been infected – then the whole server needs to be restored
    b. Every manager and employee of the affected department should understand clearly what their role is in the process, as defined by the DR plan
      i. All team members should undergo training and simulations for the DR process
  5. If full server replication is initiated – good back-up and recovery tools, such as VEEAM, can ensure very fast Instant Recovery capability, especially when it is possible to define a SNAPSHOT back-up procedure with hourly recurrence, so that you never lose more than the latest hour’s work
  6. You will be able to bring the affected server back to operational status while still accessing the infected version in a SANDBOX mode, so that you can extract some of the freshest data from it manually
  7. After the restoration process is complete – you need to evaluate the situation, making sure that:
    a. There are no more affected files
    b. The source of infection has been identified and isolated
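As an added example that is not part of the original article, the following Python script shows what the “server monitoring system” of step 1 and the initial analysis of step 2 could look like: it reads file-server audit events, flags a host/user that changes the extension of many files within a short window, and reports the directories touched together with the likely source machine. The pipe-delimited event format, the sample events, the thresholds and the ransom-note filename pattern are all constructed assumptions for the demo, not any product’s log format.

```python
"""Heuristic ransomware-activity detector for file-server audit events.
Added example, not from the original article; the event format, sample events,
thresholds and ransom-note filename pattern are all constructed for the demo."""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta
import posixpath
import re

# Constructed sample log: a normal session (alice), then one host renaming many
# files to a single new extension and dropping a note in every folder (bob).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z|WS-017|alice|WRITE|/finance/q1/budget.xlsx|
2024-03-04T09:12:40Z|WS-017|alice|RENAME|/finance/q1/draft.docx|/finance/q1/final.docx
2024-03-04T09:30:00Z|WS-042|bob|RENAME|/finance/q1/budget.xlsx|/finance/q1/budget.xlsx.locked
2024-03-04T09:30:01Z|WS-042|bob|RENAME|/finance/q1/final.docx|/finance/q1/final.docx.locked
2024-03-04T09:30:01Z|WS-042|bob|WRITE|/finance/q1/README_TO_DECRYPT.txt|
2024-03-04T09:30:02Z|WS-042|bob|RENAME|/finance/q2/forecast.xlsx|/finance/q2/forecast.xlsx.locked
2024-03-04T09:30:02Z|WS-042|bob|RENAME|/finance/q2/notes.txt|/finance/q2/notes.txt.locked
2024-03-04T09:30:03Z|WS-042|bob|WRITE|/finance/q2/README_TO_DECRYPT.txt|
2024-03-04T09:30:04Z|WS-042|bob|RENAME|/hr/contracts/a.pdf|/hr/contracts/a.pdf.locked
2024-03-04T09:30:05Z|WS-042|bob|RENAME|/hr/contracts/b.pdf|/hr/contracts/b.pdf.locked
"""

# Filenames that look like a ransom note (heuristic; tune for your environment).
NOTE_RE = re.compile(r"(readme|decrypt|restore|recover|how_to).*\.(txt|html|hta)$", re.I)
# One audit record: 'ts|host|user|op|path|new_path' (new_path empty unless RENAME).
Event = namedtuple("Event", "ts host user op path new_path")


def parse_log(text):
    """Parse the constructed pipe-delimited format into Event tuples."""
    events = []
    for line in text.splitlines():
        ts, host, user, op, path, new_path = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, user, op, path, new_path))
    return events


def _ext(path):
    return posixpath.splitext(path)[1].lower()


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Flag each host/user pair that changes the extension of >= `threshold` files
    within `window`; the alert lists the directories touched (scope of the damage)
    and the host/user behind it (the likely source machine)."""
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev.host, ev.user)].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        renames = [e for e in evs
                   if e.op == "RENAME" and _ext(e.new_path) != _ext(e.path)]
        start, burst = 0, False
        for i, ev in enumerate(renames):
            while ev.ts - renames[start].ts > window:   # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue        # normal activity, e.g. a user renaming a single file
        notes = [e.path for e in evs
                 if e.op == "WRITE" and NOTE_RE.search(posixpath.basename(e.path))]
        alerts.append({"host": host, "user": user, "first_seen": renames[0].ts,
                       "new_extension": Counter(_ext(e.new_path) for e in renames).most_common(1)[0][0],
                       "renamed": len(renames), "ransom_notes": notes,
                       "affected_dirs": sorted({posixpath.dirname(e.new_path) for e in renames})})
    return alerts
```

Calling `detect(parse_log(SAMPLE_LOG))` yields one alert for WS-042/bob covering /finance/q1, /finance/q2 and /hr/contracts, while alice’s single rename stays below the threshold.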


Structure of Back-up and Restoration System

As could be seen in the preceding chapter, protecting yourself from RANSOMWARE attacks rests mostly on thorough back-up and fast, effective restoration.
Every organization has to make sure that it has the following:

  1. Full back-up at hourly, daily, weekly, monthly and annual levels
  2. Offline/Offsite back-up capability – Offsite back-up should include historical versions of your data; a separate back-up file created during each back-up session can be considered an Offline back-up. It can be done at several sites; my recommendation is to use Cloud services, which are perfect for the purpose
    a. No, there is no need to return to the era of back-up tapes
    b. It is also possible to ensure that there is no overlap of authorizations, so that the back-up system can read data from a Production system, but not vice versa (so that RANSOMWARE would not be able to infect your back-up system)
    c. Nowadays we have numerous solutions for Offline/Offsite back-up; I would certainly recommend utilizing Cloud solutions such as AWS and Azure
  3. The organization should implement a high-quality Backup and Replication solution such as VEEAM – experience shows that this product can save IT networks from destruction or massive damage
    a. It allows for fast and efficient back-up
    b. It provides for back-up through separate PROXY servers – this increases the back-up speed and also adds to the level of system segregation
    c. Back-up at the Virtual Machine/Host level greatly reduces the possibility of severe malware infection
    d. VEEAM uses an Always-On approach, which is so essential in the current threat environment
    e. It is very important to keep VEEAM back-up copies at an Offsite location; there is no real DR without that
  4. There is a need to invest in a separate solution for Offline file back-up (below the threshold of server/server cluster) which backs up the files with Unlimited Version History – there are solutions like CrashPlan that, while not enabling fast recovery, do allow an unlimited number of versions to be saved
  5. You will need to enable Volume Shadow Copy; in most cases it ensures quick recovery of affected files (otherwise RANSOMWARE infects those as well)
  6. You need to make sure that the back-up structure is designed and implemented correctly for data integrity
    a. Back-up of SQL systems should be done at the highest possible resolution (every 15 minutes) at the data level, and hourly at the VM level – this way you will be protected even in cases of deep and widespread infection
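An added example, not from the original article or from any backup product, of the hourly/daily/weekly/monthly/annual levels in point 1 expressed as a grandfather-father-son retention rule in Python: for each level the newest backup in each of the most recent periods is kept, and a backup survives if any level keeps it. The retention counts and the ten days of hourly backup timestamps are constructed for the demo.

```python
"""Grandfather-father-son retention for hourly/daily/weekly/monthly/annual backups.
Added example, not from the original article or any backup product; retention
counts and the sample backup timestamps are constructed for the demo."""
from datetime import datetime, timedelta

# Distinct periods of history to keep per level (assumed values; derive yours
# from the RPO/RTO targets in the DR plan).
RETENTION = {"hourly": 24, "daily": 7, "weekly": 4, "monthly": 12, "annual": 3}

# Bucket key per level: two backups with the same key fall in the same period.
BUCKET = {
    "hourly": lambda t: (t.year, t.month, t.day, t.hour),
    "daily": lambda t: t.date(),
    "weekly": lambda t: tuple(t.isocalendar()[:2]),   # (ISO year, ISO week)
    "monthly": lambda t: (t.year, t.month),
    "annual": lambda t: t.year,
}


def select_backups(timestamps, retention=RETENTION):
    """Return the set of backups to keep. For every level the newest backup in
    each of the most recent `n` periods is kept; a backup survives if any level
    keeps it, and everything else is eligible for deletion."""
    keep = set()
    for level, n in retention.items():
        key, seen = BUCKET[level], []
        for t in sorted(timestamps, reverse=True):   # newest first
            k = key(t)
            if k in seen:
                continue        # an older backup of a period already covered
            seen.append(k)
            keep.add(t)         # the newest backup of this period
            if len(seen) >= n:
                break
    return keep


def prune_plan(timestamps, retention=RETENTION):
    """Split backups into (keep, delete) lists, each sorted oldest first."""
    keep = select_backups(timestamps, retention)
    return sorted(keep), sorted(t for t in timestamps if t not in keep)


def demo_plan():
    """Constructed sample: ten days of hourly backups starting 2024-03-01 00:00."""
    sample = [datetime(2024, 3, 1) + timedelta(hours=i) for i in range(24 * 10)]
    return prune_plan(sample)


if __name__ == "__main__":
    kept, deletable = demo_plan()
    print(f"keep {len(kept)} backups (oldest {kept[0]}), delete {len(deletable)}")
```

On the sample, the 24 hourly copies of the last day, the 23:00 copy of each of the previous six days and the week-9 copy from 2024-03-03 survive (31 backups); the other 209 hourly copies can be deleted.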

If your systems still run in a physical, non-virtual environment – this is the time to change that and advance to virtualization, because when your systems operate as VMs there are so many more possibilities for fast, assured back-up and Restoration!
Most organizations nowadays have no justification for not working with a virtual system; usually the reason for not advancing is the difficulty and complexity of replacing Legacy systems, which are especially susceptible to RANSOMWARE attacks and other major malfunctions.

Conclusions:

1. RANSOMWARE attacks should become an integral part of your DR plan
2. Your team has to be trained and ready to deal with those attacks
3. The foundation for an effective and fast response to such attacks is a fast back-up and restoration system
4. It is much easier to protect a fully virtual environment – do not hesitate to start the process of moving from physical to virtual environment

Prepared by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)
