You may have heard about the recent ransomware attacks; for those who have not, or who want to learn more, read on. The latest iteration of the ransomware cryptoworm is the “wannacry” ransomware, and a lot of people have been affected by it. Businesses, individual residential users, and even some government agencies have fallen victim to the attack(s).
What is ransomware exactly? Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. While this can be reversed by someone knowledgeable enough, some iterations of the malicious software, such as “wannacry”, will encrypt your files. It will even search for backup systems or other computers on the network of the originating infected computer and also encrypt the files on them.
At the time of writing this article, there is no way to decrypt the data unless you pay the ransom and receive the decryption key from the attackers. There have been numerous instances where victims have paid the ransom and have not received the key. There is also the possibility that if you do not pay the ransom within 3 days, the attackers may increase the amount of the ransom and/or tell you that if you do not pay they’ll distribute your data to other hackers as a scare tactic.
U.S. government agencies, like the Department of Homeland Security (DHS) and the FBI, say not to pay the ransom. It’s hard to fathom the idea of having all your pictures, bank info, tax information and other life-altering data lost and not recoverable. So, you could choose to pay the ransom like many do, but it’s not guaranteed that you’ll get your data back. You’ll just be contributing to the millions of dollars the attackers receive from other victims. Even if you do have backups and don’t pay the ransom, that doesn’t mean your business won’t take any hits. You could still suffer thousands of dollars in lost revenue from disinfecting the computer(s), restoring backups, investigating how you were infected and so forth. This could take days or weeks while your business comes to a complete halt, not to mention the hit to your business reputation and image.
To minimize the possibility of being infected and falling victim to the attack, you can do the following things.
- Update and Protect.
You should be applying Windows updates as soon as they’re available, whether you’re a home or office user. For businesses, if you’re using a WSUS server, you should test your updates/patches and push them to your production environment as soon as you can. You should also have reputable anti-virus software running on all your computers and servers. Of course, make sure the antivirus software is regularly updated. Updates and antivirus software don’t protect you 100% from these types of attacks, or from viruses in general, but they certainly help.
- Backups.
You should be performing daily backups of your critical and valuable data. The backups should be stored on a USB hard drive, or a backup server of some kind. If you’re using a USB device, unplug it when you’re not using it to perform backups, so that ransomware that reaches the computer cannot also encrypt the backup. This will at least allow you to have a copy of your important data and not have to pay the ransom.
- E-mails and Links.
Opening suspicious e-mails and URL links is the biggest contributor to getting infected. This will always be a problem. We humans will always get tricked somehow, and we generally don’t even realize it. Phishing e-mails are getting more and more clever and harder to spot. Taking a few moments to review an e-mail or a link can generally save you. You’ll get the occasional e-mail that’s blatantly obvious: no, we don’t know anyone who wants to send us millions of dollars and only needs our account information to send us the money. Some e-mails may come through disguised as a Facebook notification and want you to click a link to confirm your account. If you take a moment to inspect the link, most often you’ll notice that it looks suspicious. Facebook has a URL of https://www.facebook.com. If you see a link that shows http://account.someotherdomain.facebook.com, this is clearly not a legitimate Facebook link. If you’re worried about your Facebook account and want to check that there is nothing actually wrong with it, go to the website yourself and don’t click the link from the e-mail. This also applies to e-mails that look like they’re coming from a bank: go to the website the normal way you do instead of using a link within an e-mail. Companies should run regular anti-phishing campaigns and training sessions that help users identify fake e-mails or malicious links.
- Isolate.
If you have been infected, you should remove that device from the network immediately. Disconnect from the wireless network or pull the ethernet cable from the computer or server. If caught early enough, this may help isolate the infection and prevent it from spreading further and creating more havoc within your infrastructure.
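As an added example that is not part of the original article, the following Python script automates the link inspection described under “E-mails and Links”: it pulls every link out of an e-mail’s HTML body, compares the registered domain of each link against a small allowlist of services the user actually has accounts with, and reports plain http, raw IP hosts, a trusted brand name hiding inside some other domain, and link text that shows one address while the href goes to another. The sample message, the allowlist and all hostnames are constructed for illustration; the domain extraction is deliberately naive (last two labels only) and a real checker would use the Public Suffix List.

```python
"""Inspect links in an e-mail before clicking them (added example, not from the article)."""
from __future__ import annotations

import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: services the user has accounts with (constructed allowlist).
TRUSTED_DOMAINS = {"facebook.com", "examplebank.com"}

# Constructed sample: a fake "confirm your account" notification.
SAMPLE_EMAIL = """\
From: "Facebook" <notify@facebook-security-alerts.example>
To: user@example.org
Subject: Please confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be locked. Confirm now:</p>
<a href="http://www.facebook.com.account-verify.example/confirm">https://www.facebook.com/confirm</a>
<p>Or visit <a href="https://www.facebook.com/">Facebook</a></p>
</body></html>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'login.facebook.com' -> 'facebook.com'.
    Naive on purpose: multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the reasons a URL looks suspicious; an empty list means no findings."""
    findings: list[str] = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"not https ({parsed.scheme or 'no scheme'})")
    if not host:
        findings.append("no hostname")
        return findings
    domain = registrable_domain(host)
    if domain not in trusted:
        findings.append(f"registered domain is {domain!r}, not a trusted service")
        # A trusted brand name used as a subdomain or path on someone else's domain.
        for brand in trusted:
            name = brand.split(".")[0]
            if name in host or name in parsed.path.lower():
                findings.append(f"mentions {name!r} but is hosted on {domain!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address instead of a hostname")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_email(raw: str) -> dict[str, list[str]]:
    """Map every link in the message's HTML body to its list of findings."""
    msg = message_from_string(raw)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(html)
    report: dict[str, list[str]] = {}
    for href, text in collector.links:
        findings = inspect_url(href)
        # Link text that looks like a URL but points somewhere else.
        if text.startswith("http"):
            shown = registrable_domain(urlparse(text).hostname or "")
            actual = registrable_domain(urlparse(href).hostname or "")
            if shown != actual:
                findings.append(f"displayed {shown!r} but goes to {actual!r}")
        report[href] = findings
    return report


if __name__ == "__main__":
    for link, reasons in inspect_email(SAMPLE_EMAIL).items():
        print(link, "->", "OK" if not reasons else "; ".join(reasons))
```

Run it as-is to see the constructed message scored: the first link is flagged on four counts (plain http, an untrusted registered domain, the Facebook name placed under another domain, and link text that does not match the href), while the second, a genuine https://www.facebook.com/ link, produces no findings. The same scheme and domain checks are what a person should do by eye before clicking a link that claims to come from a bank or social network.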
If you’d like to learn more about ransomware you can go to https://en.wikipedia.org/wiki/Ransomware