Believed to first have been identified in 2013, there’s a new kind of malicious threat floating around the web that continues to pose a risk to business data: ransomware.

Ransomware is a type of malicious application that uses common attack vectors (phishing attacks, untrusted website downloads, and just general user trickery) to run on a user’s desktop or server. Once installed, the software locks the user out of the computer while it encrypts everything it can get its hands on in the background.

Anything the infected computer has access to is a target – the local hard drive, connected USB sticks and external hard drives, and most scarily, network connected storage locations – i.e. your server shares – including mapped folders, database connections, and server configuration data.

During this process, the software presents a screen instructing users how to pay an anonymous source for a decryption key (which may or may not work). The links provided are almost always to a BitCoin converter, which turns your hard earned US dollars into anonymous, untraceable BitCoin transactions. And what is a good attack without a timer to really lay the pressure on? Most ransomware attacks only allow you to purchase a decryption key within a matter of days.

CryptoLocker and other popular ransomware software presents the user with instructions on how to obtain a decryption key which may or may not work.

CryptoLocker and other popular ransomware software presents the user with instructions on how to obtain a decryption key which may or may not work.

According to Wikipedia: “CryptoLocker was isolated in late-May 2014 via Operation Tovar—which took down the Gameover ZeuS botnet that had been used to distribute the malware. During the operation, a security firm involved in the process obtained the database of private keys used by CryptoLocker, which was in turn used to build an online tool for recovering the keys and files without paying the ransom. It is believed that the operators of CryptoLocker successfully extorted a total of around $3 million from victims of the trojan.”

While the first known variation was taken down and decryption tools were generated, many businesses could not retrieve their data in time and suffered some pretty horrendous losses. Since that time, other, new variations have come to light, one targeting popular Network Attached Storage devices made by Synology called Synolocker. Luckily, in our experience testing the malware, many Synology and other NAS devices have very low-power processing systems and the actual encryption process never fully completed before the incident could be responded to – many times with very little damage at all. Don’t let that reassure you, though.

Now, ransomware makers are creating ever refined targets, not just vulnerable Windows machines. Different demographics and their commonly used files are being targeted (read: gamers and their savegames) according to Security Weekly. Many business security analysts expect that 2015 and future years will see even stronger vulnerability, user, and system targeting. Whenever there is a common vulnerability available, attacker will continue to exploit it.

Similarly, as long as users continue to leave their systems vulnerable and their data unprotected, resulting in purchases of their BitCoin ransoms, attacks will continue – they make good business sense for criminals.

So what can your business do to protect against ransomware of all types?

Everything you’ve ever heard about good business security, of course, applies. For this specific type of attack there are some more advanced ideas to keep in mind, though.

  • Make sure your business has strong, secure, and regular backups of all critical business systems.
  • Perform regular, complete, and monitored updates of all Windows desktops, laptops, and servers
  • Harden the security of your Network Attached Storage devices (if you only ran the setup wizard before putting it on the network, you’re likely at risk)
  • Don’t give users administrative rights to desktops and/or servers – control local administrator policies through a centralized GPO that prevents unauthorized changes to the local admin user list
  • Keep antivirus and antimalware software updated and implement centralized policies that provide monitoring and alerting across the entire organization
  • Configure Volume Shadow Copies on server and other critical file repositories to help quickly restore changed or deleted files
  • Consider running backups of critical user computers or for users that may not be as up to date with standard user policies (there’s always that one person that stores mission critical data on their desktop)
  • Configure advanced antivirus software rules to prevent running applications from within user folders
  • Configure email systems to filter out common phishing files extensions like .EXE
  • Perform regular user security training (at least once a year) including safe internet use, email security, phishing email identification training, and general security practices in shared network environments

If one of your users is unsure if they have been affected turn off and unplug the infected computer immediately. Any damage caused by the encryption process can be immediately stopped by powering the infected system off and it also provides your IT specialist a greater chance at recovering data safely.

If you or someone you know thinks they might not have a tight grasp on what to do to secure their business, get in touch with Hermetic and we’ll take care of everything they need – from hardening the network, to responding to incidents immediately, to working through the disaster recovery and data restoration process.