Ransomware: One Of The Biggest IT Security Threats Facing SMBs

16 November 2015

Ransomware is one of the biggest threats facing Small-Medium Business (SMB) networks

Ransomware is a type of malicious software (malware) which damages your digital files, databases, pictures, software and operating systems. It is one of the biggest threats currently facing businesses of all sizes in terms of IT and network security, because it is able to evade detection by most anti-virus software.

Ransomware viruses include CryptoLocker and CryptoWall variants.

Ransomware gets its name from the way it damages your files

1/ Once on a single PC on your network, the virus immediately generates a unique code based on the configuration of that computer. It then sends this code to an internet server run by the attacker (the virus author).

2/ The virus then uses this unique 256-bit code to start encrypting (or locking-up) all files stored on your computer. It targets files stored locally on your hard disk such as documents, pictures, databases, music, projects, etc. It then starts looking for network drives and network shares and targets the same files in those locations.

3/ The encrypting process takes some time, depending on how many files and how much data are stored on your PC and on the network. During the encrypting process your computer functions as normal, so the user is unaware of what is occurring in the background. The encrypting process can take many hours.
Note: If your backups are physically connected to the PC, such as an external hard drive, your backups are also encrypted at this point.

4/ When the encrypting process is complete, the virus deletes all your normal files and data, of which it has just made encrypted copies. This leaves you with strange-looking encrypted files (it changes the file names) which do not open when clicked on.

5/ The virus then plants an unencrypted text file in common locations (Documents, Desktop) which gives instructions. The instructions tell you your files have been encrypted and that you are required to pay a ransom to get your data back. If you fail to pay the ransom by the specified deadline, the special code generated in step 1 (which is needed to decrypt/unlock your files) will be deleted forever, and you are warned you will never get your files back.

6/ Instructions are given on how to pay the ransom, which usually involves an online untraceable currency.

The encryption is 256-bit, bank grade, which means cracking (brute-forcing) the encryption is not a practical option.

The user is then left with no way to work because all their data is locked up. This means lost productivity and network downtime for the business while it tries to recover from the attack.
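The behaviour described in steps 2 to 5 (a burst of renames that change file extensions, spreading from the local disk to network shares, then a ransom note dropped in Desktop or Documents) is what a behavioural file-activity monitor can key on. The following Python detector is an added example, not code from the original page; the log format, the rename threshold, the one-minute window and the note-name pattern are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity log (not from the page): "<time> <host> <action> <path>[ -> <newpath>]".
SAMPLE_LOG = r"""
2015-11-16T09:00:01 PC-07 RENAME C:\Users\jo\Documents\budget.xlsx -> C:\Users\jo\Documents\budget.xlsx.locked
2015-11-16T09:00:02 PC-07 RENAME C:\Users\jo\Pictures\xmas.jpg -> C:\Users\jo\Pictures\xmas.jpg.locked
2015-11-16T09:00:02 PC-07 RENAME C:\Users\jo\Music\song.mp3 -> C:\Users\jo\Music\song.mp3.locked
2015-11-16T09:00:03 PC-07 RENAME \\FILESRV\Shared\clients.mdb -> \\FILESRV\Shared\clients.mdb.locked
2015-11-16T09:00:04 PC-07 RENAME \\FILESRV\Shared\quote.docx -> \\FILESRV\Shared\quote.docx.locked
2015-11-16T09:00:05 PC-07 CREATE C:\Users\jo\Desktop\HOW_TO_RECOVER_FILES.txt
2015-11-16T09:30:00 PC-02 RENAME C:\Users\al\Documents\draft.docx -> C:\Users\al\Documents\final.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE|MODIFY) (.+?)(?: -> (.+))?$")
NOTE_RE = re.compile(r"(decrypt|recover|restore|how_to|help)", re.I)  # assumed note-name heuristic
RENAME_BURST = 5                 # assumed: this many extension-changing renames inside WINDOW
WINDOW = timedelta(seconds=60)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, action, src, dst = m.groups()
    return datetime.fromisoformat(ts), host, action, src, dst

def ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyse(log_text):
    """Return {host: evidence} for hosts showing ransomware-like file activity."""
    events = sorted((e for e in map(parse, log_text.strip().splitlines()) if e), key=lambda e: e[0])
    per_host = defaultdict(lambda: {"renames": [], "shares": 0, "notes": []})
    for ts, host, action, src, dst in events:
        st = per_host[host]
        if action == "RENAME" and dst and ext(src) != ext(dst):   # step 4: file names change
            st["renames"].append(ts)
            if src.startswith("\\\\"):                           # step 2: reached a network share
                st["shares"] += 1
        elif action == "CREATE" and ext(src) in ("txt", "html") and NOTE_RE.search(src.rsplit("\\", 1)[-1]):
            st["notes"].append(src)                              # step 5: ransom note dropped
    findings = {}
    for host, st in per_host.items():
        times, peak, start = st["renames"], 0, 0
        for end in range(len(times)):                            # sliding window over rename times
            while times[end] - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= RENAME_BURST or (st["notes"] and peak > 0):
            findings[host] = {"peak_renames": peak, "share_renames": st["shares"], "ransom_notes": st["notes"]}
    return findings
```

A real deployment would feed this from file-server audit logs or an endpoint agent and isolate the flagged host from the network shares it is writing to.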

Why paying the ransom is never a good idea

Your options after infection include:
1/ Wiping and re-installing the infected PC and restoring your files from off-line backups (you may lose some data)
2/ Paying the ransom

Paying the ransom is the worst possible outcome because:
1/ There is no guarantee you’ll actually get your data back
#The internet server where your decryption key is stored could have been shut down by the authorities or by the attackers, meaning there is no way to get your data back.
#The virus 'program' may not work properly which means the decryption process might fail.
#Your Anti-Virus software could interfere with the decryption process and keep shutting the process down.
#The virus may not actually have any process for decrypting the files at all.
2/ The ransom payment can be expensive. From our research the ransom payment can be from a few hundred to tens of thousands of dollars.
3/ Even if you pay the ransom and the decryption process appears to have worked, there is no guarantee that: (a) your files haven’t been modified or altered, (b) your operating system is clean of the virus, (c) it won’t start encrypting your files all over again, and (d) your files haven’t been exposed on the internet in some way.

Why Anti-Virus software won’t protect you from this threat

Anti-virus software works by looking for known or suspicious patterns in programs running on your PC. If it detects such a pattern it stops the program from running.

Ransomware viruses are able to evade this detection because:
1/ The virus is constantly re-written (daily or hourly) by the virus author, which changes its structure enough to evade detection. Remember this is a very profitable virus for the attacker, so they can allocate a lot of resources towards making it effective.
2/ The virus doesn’t act like traditional viruses when it starts running on your PC. Encrypting files is not typical virus behaviour and it’s difficult to detect.
3/ The attacker’s internet servers constantly change their domain address, which makes blocking addresses difficult.

How to protect your business and devices

So it’s clear the options after you’re infected are bleak, to say the least.
If you’re infected: wipe all infected PCs and reinstall everything from scratch, then restore your data from an off-line backup. It might be best to engage a professional to ensure you’ve actually erased all traces of this virus before connecting your off-line backup.
Note: an off-line backup is a backup which is not physically connected to the PC or network.

By far the best method with this virus is prevention. To protect your network you need multiple layers of security; anti-virus software cannot be relied upon to protect you from this threat. The layers of security include patching applications and operating systems, applying security policies to all network devices, network/device hardening, and user education.

User education

One of the most important aspects of prevention is user education, because the virus usually gets onto your network via a user. For example:
1/ The user clicks a link in a scam/fake email such as those which appear to be from the Tax Office or the Post Office
2/ The user opens an email attachment such as a document which looks like a PDF or Word document (but is actually a virus)

If your network or devices are missing software patches, the virus can also get onto your systems simply by browsing the web. This is why user education combined with IT security measures is the best mix to help prevent this virus.

It’s not just Windows

While Windows certainly sees its share of ransomware viruses due to its popularity in the SMB space, there are variants of ransomware which specifically target Mac OS and Android devices and work in much the same way. So security for these devices is just as important.

The future for Ransomware

It is clear that ransomware has been very lucrative for the viruses’ authors. Symantec reported that in 2014 ransomware attacks increased 113% on the previous year. This year the number of attacks on Australian businesses has increased significantly. With the ‘success’ of these Next Generation viruses, the SMB sector can expect to see more threats like this in 2016. SMBs should look to engage a professional to help them secure their networks and devices; it could be the best investment they make.

How we can help protect you

We have our own internally developed 114 point security checklist which helps us secure our customers’ networks from these types of Next Generation threats.
We also publish bi-monthly user education looking at real-world examples of current scam/virus/phishing emails to help our customers’ staff identify these threats.
Let us know if you’d like any more information about IT security.
