Kidnappers Have All Your Business Data. Now What?

The worst disasters always start with the most innocuous of beginnings. A raging wildfire starts from a tiny spark. A hurricane begins with a few clouds on the horizon. A system-wide, data-erasing viral ransomware infection begins with a simple popup message.

Like the one you get when your anti-virus has quarantined something or when Windows needs you to restart because of updates: the one you hardly read before clicking it closed. But this message is different. It’s part of a malicious virus called ransomware, which is designed by cybercriminals to hold your documents hostage until you pay up.

Enterprise-level organizations were rarely bothered because of their multiple layers of protection and the policies they have in place to protect themselves from exactly these kinds of threats.

Consumers tended to ignore it because they didn’t have documents they depended on or because they didn’t want to pay the ransom.

This left a sweet spot of victims: small to medium businesses (SMB) who didn’t have enough protection, who had employees unaware of the threat, and who could “afford” to pay a relatively small ransom to get their vital data back.

Download our free Asset Protection Checklist to find the gaps in your external and internal data security.

Trend Micro researchers reported this summer that the vast majority of clicks on malicious emails were coming from SMBs. In other words, their employees are falling for “phishing” emails and infecting their company network with one or more variations of ransomware.

[Image: example of a ransomware popup message]

It’s Digital Kidnapping

It’s also extortion and theft. Hackers create a virus that encrypts or otherwise restricts access to files on your computer. They send you a message with instructions on how to pay to get the key to decode your files. There’s a deadline, an email address, and a way to pay up to get your own stuff back.

These sadistic “capitalists” want to make it as easy as possible for you to pay the ransom. Bitcoin is a favored payment method since it’s untraceable currency, but they also use MoneyPak, PayPal My Cash Card, or other anonymous forms of payment. The ransom amounts vary from a few hundred dollars to thousands of dollars, depending on the boldness of the hacker and what they think they can get.

How it Works

Ransomware is a type of malware: software designed to damage or disable computers. Viruses, worms, Trojan horses, and spyware are all forms of malware.

Ransomware is specifically designed to encrypt your files, which can then be recovered only with the unlock code the hacker holds.

Cryptolocker was the first, but it’s spawned dozens of variations including Cryptowall, CryptoJoker, and the FBI Ransomware, which pretends to be software from the FBI accusing you of violating copyright laws. You have the “opportunity” to pay the fine immediately to avoid further punishment.

UPDATE: We discovered an instance of Locky several weeks ago and it’s now rapidly spreading. We wrote several tips on preventing this ransomware variation from infecting your network.

The FBI variant works well because so many people have made copies of music files or downloaded movies from Torrent sites. Their guilty conscience makes them pay up without questioning the source.

The ransomware is a virus that comes embedded in another piece of software and needs someone to run that program before it can spread. Users get infected by opening email attachments, downloading software from the Internet, or visiting less-than-savory sites. The “naughtier” the site, the more likely you are to get something bad attacking your computer.

Anti-virus is one layer of protection, but, like the antibodies in your body, it has to encounter something bad before it can build a defense. The best anti-virus in the world, the best defense software, will still lag behind the hackers, and that lag, coupled with a lack of awareness and insufficient paranoia, is where the “opportunity” for hackers attacking small businesses lies.

Everything Was Gone

On December 14th, our front line took a call from a client that sounded relatively normal. The accountant was unable to log in to QuickBooks.

Then another person in the office got a text document pop up in the middle of her screen. “Haha, boys and girls,” it said. “If you want your files back, you’ve got to pay up.”

That was not normal. We suspected ransomware right away. Dan Kirk, our Systems Engineer, worked on the ticket to confirm it was ransomware and to determine the extent of the damage. After just a few minutes, he called in David Xiong, VP of Technology.

“It was the worst I had ever seen. It was bad,” says David. “You’ll see ransomware that locks up a set of files, or maybe one box, but this had taken everything. All their computers, the servers, and even the Backup and Disaster Recovery appliance. Everything that was on site and connected to the network.”

Even their OneDrive, Microsoft’s cloud file storage, was encrypted, because the ransomware will seek out and lock up any files on a mapped drive (i.e., anything reachable under a drive letter such as C: or N:).
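The behaviour described above, many files across several mapped drives rewritten in minutes with a ransom note dropped alongside them, is exactly the pattern a defender can watch for in file-change audit logs. The following detector is an added example, not code from the article or from the MSP it describes; the event format, the sample events, and the thresholds (60-second window, 25 files, two drives, ransom-note name hints) are all assumptions chosen for illustration.

```python
"""Flag ransomware-like bursts in a file-change audit log (added example).

Scans a constructed list of file-change events for the pattern the article
describes: many files across mapped drives rewritten in a short window,
usually gaining a new extension, with a ransom note created next to them.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    host: str
    path: str      # Windows path, e.g. N:\Shared\q3.xlsx (assumed log format)
    action: str    # "write", "rename", "create" or "delete"


# Assumed thresholds for illustration; tune them to your own baseline.
WINDOW = timedelta(seconds=60)
MIN_FILES_IN_WINDOW = 25
MIN_DRIVES = 2
RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "how_to", "restore")


def drive_letter(path: str) -> str:
    """Return 'N:' for 'N:\\...' and '' for paths without a drive letter."""
    return path[:2].upper() if len(path) > 1 and path[1] == ":" else ""


def looks_like_ransom_note(path: str) -> bool:
    """Heuristic: a small text/HTML file whose name promises recovery."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith((".txt", ".html", ".hta")) and any(h in name for h in RANSOM_NOTE_HINTS)


def detect_bursts(events):
    """Return one finding per host whose activity exceeds the thresholds.

    A finding is raised when, inside one sliding window, a host rewrites at
    least MIN_FILES_IN_WINDOW distinct files and either touches MIN_DRIVES
    drive letters or creates something that looks like a ransom note.
    """
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.when):
        by_host[e.host].append(e)

    findings = []
    for host, evs in by_host.items():
        best, best_key, start = None, (0, 0), 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > WINDOW:
                start += 1
            window = evs[start:end + 1]
            touched = {e.path for e in window if e.action in ("write", "rename")}
            if len(touched) < MIN_FILES_IN_WINDOW:
                continue
            drives = {drive_letter(p) for p in touched} - {""}
            notes = [e.path for e in window if e.action == "create" and looks_like_ransom_note(e.path)]
            if len(drives) < MIN_DRIVES and not notes:
                continue
            exts = Counter(p.rsplit(".", 1)[-1].lower() for p in touched if "." in p)
            key = (len(touched), len(notes))
            if key > best_key:   # keep the strongest window per host
                best_key = key
                best = {"host": host, "files": len(touched), "drives": drives,
                        "dominant_ext": exts.most_common(1)[0][0] if exts else "",
                        "notes": notes}
        if best:
            findings.append(best)
    return findings


def sample_events():
    """Constructed sample log, not real telemetry."""
    t0 = datetime(2015, 12, 14, 8, 0, 0)
    events = []
    # A user saving a handful of documents over ten minutes: benign.
    for i in range(10):
        events.append(FileEvent(t0 + timedelta(minutes=i), "WS-01",
                                f"C:\\Users\\amy\\doc{i}.docx", "write"))
    # A file server renaming files on two mapped drives within 40 seconds,
    # then dropping a ransom note: the pattern the article describes.
    for i in range(40):
        drive = "C:" if i % 2 == 0 else "N:"
        events.append(FileEvent(t0 + timedelta(seconds=i), "FS-01",
                                f"{drive}\\Shared\\file{i}.xlsx.locked", "rename"))
    events.append(FileEvent(t0 + timedelta(seconds=41), "FS-01",
                            "N:\\Shared\\_HOW_TO_RECOVER_FILES.txt", "create"))
    return events


if __name__ == "__main__":
    for f in detect_bursts(sample_events()):
        print(f"{f['host']}: {f['files']} files on {sorted(f['drives'])}, "
              f"ext .{f['dominant_ext']}, notes {f['notes']}")
```

The sliding window is what separates a busy accountant from an infection: the benign workstation never has 25 distinct files rewritten inside a minute, while the file server trips both the drive-count and the ransom-note checks. In a real deployment the events would come from file-server auditing or an EDR agent, and the finding would feed an alert that isolates the host before the backups are reached.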

Fortunately …

We had an advanced backup of all their data so good luck wasn’t really at play. We subscribe to the 3-2-1 backup strategy: have at least three copies of your data, two of which are local, but on different types of devices, and at least one copy off site.
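One way to audit a client's backup inventory against the 3-2-1 rule just described, as an added example that is not the article's or the MSP's own tooling: the inventory format is an assumption, and the fourth check (at least one copy that an infected workstation cannot write to) is not part of the classic rule but encodes the lesson of the story above, where the on-site BDR appliance on the network was encrypted while the offsite copy survived.

```python
"""Check a backup inventory against the 3-2-1 rule (added example).

The BackupCopy fields and the 'reachable_from_network' attribute are
assumed for illustration; they are not taken from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str                # "local" or "offsite"
    medium: str                  # e.g. "server_disk", "bdr_appliance", "usb", "cloud", "tape"
    reachable_from_network: bool  # could a compromised workstation write to it?


def check_321(copies):
    """Return (ok, problems): ok is True only when every rule holds.

    Rules, in the article's words: at least three copies, two of them local
    on different types of devices, and at least one off site. The extra
    isolation rule is derived from the incident the article describes.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; need at least 3")

    local_media = {c.medium for c in copies if c.location == "local"}
    if len(local_media) < 2:
        problems.append(f"local copies on {len(local_media)} device type(s); need 2 different types")

    if not any(c.location == "offsite" for c in copies):
        problems.append("no offsite copy")

    if all(c.reachable_from_network for c in copies):
        problems.append("every copy is reachable from the network; ransomware could encrypt them all")

    return (not problems, problems)


# Constructed inventories, not real client data.
RESILIENT_CLIENT = [
    BackupCopy("primary file server", "local", "server_disk", True),
    BackupCopy("on-site BDR appliance", "local", "bdr_appliance", True),
    BackupCopy("offsite cloud backup", "offsite", "cloud", False),
]

FRAGILE_CLIENT = [
    BackupCopy("primary file server", "local", "server_disk", True),
    BackupCopy("USB drive left plugged in", "local", "usb", True),
]


if __name__ == "__main__":
    for label, inventory in (("resilient", RESILIENT_CLIENT), ("fragile", FRAGILE_CLIENT)):
        ok, problems = check_321(inventory)
        print(label, "OK" if ok else "FAIL", problems)
```

The resilient inventory mirrors the client in the story: the first two copies were lost to the infection, and the check passes only because the third copy sits off site and out of the malware's reach. The fragile inventory is the common SMB setup the article warns about, and the output names each missing leg so the conversation with the client can be specific.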

Some of our clients wouldn’t have been so “lucky.” It’s an investment of several hundred to several thousand dollars to properly back up an entire company. Many have chosen to not make the investment.

In this case, even though the ransomware infection had all weekend to make its way through every one of their drives, including their BDR appliance, the offsite backup was still safe. We were able to restore almost all of their files from that backup.

The only thing that was lost? About a year’s worth of email archives from the client’s POP3 account. The downside to POP3, and why we recommend every serious business get on Hosted Exchange, is that POP3 doesn’t keep copies of the messages on the server, which means their emails weren’t part of the backup protocol. With Hosted Exchange, messages, contacts, and calendar items are all backed up as part of the regular protocol.

How to Stop Ransomware

Start by understanding that the biggest risk comes from inside your organization: your employees are most likely going to be the source of a ransomware or other malware infection because of the sites they visit and the email attachments they open.

Use the Asset Protection Checklist to evaluate your current level of protection. If you’re a client, J. Colin Petersen, our President & CEO, will be reaching out to you to advise you on additional layers of defense that you need to have in place.

If you’re not a client, have a serious discussion with your in-house I.T. or your current I.T. provider about the protocols they have in place to protect your business. Follow up with us for a second opinion, or if you don’t like what you hear.

As for us, we’ll be insisting that all our clients begin subscribing to proper backups. The threat is simply too great to do anything less.