Ransomware is becoming more frequent; don’t let it catch you off guard. Our publication, Understanding Your Network: Ransomware, explains what this malware is and how best to defend your network against it.
What is Ransomware?
Ransomware is malware that holds the victim’s data for ransom, either by locking the desktop so the computer cannot be used or by encrypting the user’s files so they cannot be read. The malware then displays a ransom note, which may pretend to come from federal or local law enforcement.
The ransom note may even claim that the computer was used to view illegal websites, videos, or images, and will try to frighten the victim into paying by threatening to take them to court.
As we quickly approach 2016, researchers at Fox IT have successfully identified the “Big 3” Ransomware families, whose members have generated huge income in 2015:
What are the Basic traits of Ransomware?
Although each ransomware variant is unique, they work in similar ways, and the following traits are common across families.
Most ransomware places payment instruction files in every directory whose files it is going to encrypt. These files are usually a text file, an image, and/or a URL shortcut. The malware may also open a popup window notifying the user that their files are being held for ransom and demanding payment.
As a side effect, ransomware will also encrypt files on drives that are mapped to network shares from the infected computer. This can affect an entire business that relies on network shares for its data: the damage spreads from one computer to the server and on to every other computer that accesses that server. Having a proper backup solution in place may be the only way to protect your data.
When encrypted files turn up on a network share, the instruction files on that share point to the source: they were created by the infected user’s account, so checking the owner (creator) of those files tells you which user was initially infected and therefore which computer to disconnect. The goal is to disconnect the infected computer from the network as quickly as possible to prevent any further damage.
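One way to carry out that triage on a Windows file share, as an added example that is not part of the original post: list the ransom-note files on the share, read each file’s NTFS owner, and sort by creation time so that the account that dropped the earliest note (and therefore the workstation to isolate first) stands out. The UNC path and the note name patterns are placeholders; adjust them to the share and the ransomware family you are dealing with.

```powershell
# Added example, not code from the original post.
# Assumptions: the share is reachable at \\fileserver\data (placeholder UNC path),
# ransom notes match the constructed name patterns below, and NTFS ownership on the
# share reflects the domain account that created each file (the default behaviour).
param(
    [string]$SharePath = '\\fileserver\data',
    [string[]]$NotePatterns = @('*DECRYPT*', '*HOW_TO*', '*RECOVER*', '*README*', '*HELP*')
)

# Collect every file on the share whose name looks like a ransom note, with its owner and creation time.
$notes = Get-ChildItem -Path $SharePath -Recurse -File -Include $NotePatterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Owner   = (Get-Acl -Path $_.FullName).Owner   # DOMAIN\user whose account created the note
            Created = $_.CreationTimeUtc
        }
    }

if (-not $notes) {
    Write-Host "No ransom notes found under $SharePath"
    return
}

# Summarise per owner: how many notes, and when that account's earliest note appeared.
$notes | Group-Object -Property Owner | ForEach-Object {
    [pscustomobject]@{
        Owner        = $_.Name
        NoteCount    = $_.Count
        FirstSeenUtc = ($_.Group | Sort-Object -Property Created | Select-Object -First 1).Created
    }
} | Sort-Object -Property FirstSeenUtc | Format-Table -AutoSize

# The owner of the very first note is the user (and the computer) to disconnect first.
$first = $notes | Sort-Object -Property Created | Select-Object -First 1
Write-Host "Earliest note : $($first.Path)"
Write-Host "Created (UTC) : $($first.Created) by $($first.Owner)"
Write-Host "Disconnect that user's computer from the network, then review the other owners listed above."
```

Owners that appear later in the list are usually the same user re-triggering the malware on other folders, but any second account with its own early notes should be treated as a separate infected machine.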
So where did the Ransomware come from?
One way ransomware gets installed is through websites. These may be malicious websites set up by criminals for the sole purpose of infecting visitors, or legitimate websites that criminals have compromised through infected advertisements or links and then used to spread malware.
Another way ransomware can get onto your computer is by opening attachments in spam or malicious emails. These emails may carry what look like ordinary files, but once you open them your computer is at risk of being infected with malware. You may not even see it happening.
Ransomware on Mobile Devices
Ransomware for mobile devices is becoming more common and can now lock your smartphone or tablet or even encrypt the files stored on it. Criminals have learned that we are more dependent on our phones and tablets than ever before; in some cases they are used more often than our computers, which explains the rise in “mobile malware”.
Follow these tips to stay protected from ransomware.
- Make sure you have a quality antivirus program installed across your network, and that it is updated on a regular basis. This also means installing a reputable security app on your phones and tablets.
- Keep the operating system and all software on your computers & servers up-to-date by installing the latest security patches and updates.
- Consider adding a mail-filtering service that not only protects your email from SPAM, but also adds manageability and virus protection. Some services, such as MailWatch from CMS, will continue to spool your email when your connectivity is down, protecting you from lost emails.
- Avoid downloading software or mobile apps not necessary to your work and only download from trusted sources.
- Most importantly, back up! Have a data backup solution in place that protects the critical data on your network, so that if anything does happen you have an untainted copy to retrieve and restore from. And don’t forget to back up your mobile devices to a reliable cloud service that you can retrieve from and restore.
Those Pesky Bugs
Just about every office or workplace environment has experienced virus issues at some point. Sometimes it’s a mild one, and sometimes it causes complete desktop or network devastation resulting in hours, days or weeks of downtime and limited productivity.
So What’s the Answer?
I’ve been in the technology business for almost 20 years and some things never change. There are several things the industry has been battling for what seems like forever, and it doesn’t seem to get any better. Viruses are one of them. Others are printer repair and network backup solutions, but that’s another blog post. The truth is that there is no definitive answer for completely eliminating viruses.
As a technology company, CMS IP Technologies deals with viruses every day, and we spend far too much time removing them from infected PCs and network servers. We sometimes have to change or create policies to protect and educate our customers, as well as to limit our exposure to time-consuming tasks that we don’t always get to bill for. For instance, it may literally take 10 man-hours (yes! and sometimes more) to clean an infected PC. At a conservative average of $100 per hour, that’s $1000 to clean a virus from a PC. There aren’t many customers who will pay that without complaining and asking for relief of some sort. Then there are the viruses that we clean, or think we clean, only for them to pop back up a day or so later, and we start over again while the customer feels they shouldn’t have to pay because we should have “fixed it right the first time”. It’s really a no-win situation.
So at CMS IP Technologies, the approach we take is to educate our customers. It’s a multi-level approach using technology best practices along with policy and usage control of company-owned technology. CMS has a proactive service offering that we call NetWatch, and compliance is a big part of what we teach and insist upon.
There has to be a sufficient level of network protection from the outside world, such as a firewall from a reputable manufacturer like Cisco or SonicWall. This is your border and it should not be taken lightly. Your firewall should be properly configured by a trusted, experienced engineer who understands firewall and security best practices. Buying a Netgear router from Best Buy and just plugging it into your network is not a solid solution; you’re simply asking for trouble.
There are many things to consider here. If you’re a bank or credit union, you may be required to have an intrusion detection and prevention solution in place. If you’re a medical facility, HIPAA requirements will need to be taken into consideration. These are things an experienced network engineer should be familiar with.
Once your firewall is in place and your border secured, a stable antivirus solution should be implemented. CMS in Beaumont, Texas uses and recommends Viper. We have found it to be an effective, lightweight solution that has minimal impact on the workstation’s OS environment yet offers quality protection. Your antivirus solution should be configured to download and apply automatic updates daily and to run a virus scan on all network devices at least once a week. Scans should run after work hours, and a policy should be in place that all PCs stay on during the scheduled time.
Some proactive service providers, such as CMS, offer this as part of network monitoring. In our case the cost to the customer is the same as or less than it would be if they purchased Viper, or any other solution such as Symantec, outright. The biggest differences are that we can actively monitor virus activity and are better prepared if we see that a network device may become, or has the potential to become, compromised. Another benefit is that our customers don’t have to worry about their annual subscription running out; all of that is taken care of by the service provider.
Policies & Procedures:
Last on the list is policy and procedure control. This is probably the most important step a company can take to minimize its exposure to lost productivity from viruses. Every user in the company should have a copy of the company’s policy for use of company technology, and that document should be very clear about usage policies. Things such as accepted internet usage, personal software usage, and personal email usage should be addressed. This is critical! Some users simply don’t realize the impact that visiting certain non-business websites can have on the network that everyone uses. Some users assume they can’t get a virus because the company has protection. That’s obviously not true, so you have to educate them and also put policies in place to protect them and the company.
CMS NetWatch clients get a printed Accepted Usage Policy to add to their company employee handbook; it educates employees and outlines the accepted usage policies for the company’s technology. We require that all employees of that company sign it and we keep a copy on file; otherwise we will not cover viruses as part of the proactive services agreement.
So, protection from viruses takes serious consideration. In summary, there are three basics that should be covered: firewall border control, antivirus, and company policies outlining proper use of company-owned technology. There are several other things that can tighten the screws even more, but that’s another blog post. If you have questions about the information I discussed in this blog, visit the CMS website at www.cmsiptech.com.