Ransomware – How to beat it
Got the feeling you're being watched?
That is probably because you are being watched. Well, your website is anyway.
We have teamed up with a forensic data analyst to bring you the following insights into the mind of a cybercriminal. Please share your comments and experiences at the bottom of this page and we’ll be sure to answer them.
The cybercriminal is selecting targets all the time
Cybercriminals constantly scan public data sources for targets they can extort. The Companies House website is a gift to them because it publishes a company's filed accounts, its registered office address and the correspondence addresses of its directors. This data helps the cybercriminal put together their customer demographic (AKA Hit List).
One drawback of this method is that a Companies House record does not usually show the company's website, and the website is what gives the cybercriminal a way into your network. Linking a company record to its website is easy to do by hand, but the cybercriminal wants to automate everything.
Instead, they crawl websites and scrape the company name wherever it is displayed (footer, about page, privacy policy). From there, they match the name against the Companies House register to identify profitable targets, i.e. YOU.
The cybercriminal is watching your website and measuring how valuable it is. If you hit their threshold, you go onto the Hit List and wait your turn to be targeted.
A popular website is taken as a sign that the company behind it is making money, and website traffic estimates are easy to get for free or by signing up to an SEO tool such as Ahrefs or SEMrush.
You're making money, great! With that comes the usual expenditure: extra staff, systems and maybe a new office. Don't forget to beef up your IT security at the same time, and decide now how you would respond to a ransomware attack rather than when the demand is already on the screen. Did I just say ransom? Yes, I did. IT security is the item that is almost always overlooked. You've never been a victim of a cyber attack, so why spend more money on it, right? The reason is that you have never been identified as a target before.
Getting serious about Ransomware
There are hundreds of successful attacks daily in which critical data is compromised, encrypted and a ransom demanded (and often paid). We highlight some of the biggest attacks each month: see who has been shut down by ransomware in the last month.
Everyone has the basic tools to prevent a ransomware attack from progressing from an email infected with malware, right through to a ransom demand being displayed on the screen.
With some preventative measures, you can also recover from a successful ransomware attack.
Cybercrime is simple business
Cybercrime is very easy to commit from anywhere in the world. It really is the perfect business for the mobile worker who has access to the internet and email. To be successful though, it does require some thought and a methodical approach in the same way as any other job. Although the crime is a simple ‘numbers game’, we shouldn’t make light of the people behind it because they are slick and dedicated to what they do.
What is a Ransomware attack?
Ransomware is a type of malware that is normally distributed via phishing emails. Unsuspecting users run malware from an email attachment, or are redirected to a website where the malware is downloaded and executed. A PC can also be infected simply by visiting a website that exploits an unpatched browser or plugin (a drive-by download).
When executed, the malware encrypts the files it can reach: the user's local disks and every network share the user's account can write to. A ransom demand, usually payable in bitcoin, is then shown on the screen in exchange for the decryption key.
Without a backup there is no practical way to recover the data other than buying the key from the criminal; the encryption itself is normally done properly and cannot be broken. There is also no way to get your money back afterwards.
Worst of all, you might pay the ransom and still not have your files unlocked.
The simplest attack consists of the cybercriminal sending malware to an unsuspecting recipient via email. The attachment is opened and, hey presto, the malware encrypts all the data the recipient can access. It really is that easy!
Then you have to decide whether you want to make the payment.
Mass-mailed ransomware is a different exercise from a methodical penetration attack that probes internet-connected devices for open, insecure ports. Someone preparing a ransomware campaign needs to know who they want to target, how to reach them, what the expected response will be and how to repeat the process efficiently.
If you have a backup, you can restore your data and ignore the ransom
The cybercriminal’s plan
Step 1 (identify the target)
The cybercriminal makes a list of organisations that can pay a ransom and that will have little choice but to pay to get their data back. They specifically target those who MUST have their data: police, medical, MOD, education, and any company that is reliant on its data.
Our research shows the most consistently attacked groups are schools and local government. While the police and big companies are often affected too, it is typically the organisations with the least funding that get hit. Taking on big companies is hard work because they have the staff and technology to prevent and defeat attacks, and they will almost certainly have many copies of their data should an attack succeed. Such attacks are unlikely to result in a big PAYDAY.
The police aren't usually a popular target, for obvious reasons. However, as we reported in March 2019, the Police Federation was successfully attacked. The police won't have the resources to investigate an attack on YOUR company, but will find enough to investigate their own mishaps.
The most likely reason schools are targeted is that they are liable for losing personal data, and so feel they must pay a ransom. Schools must open every email they receive, and they never have enough funding for the technical staff and systems required to prevent attacks. This makes them an easier target: if humans are opening emails all day long, it is only a matter of time before one lets malware into the network.
Large companies will have the required defences in place, such as web filtering to stop users visiting risky websites, scanning of all inbound email with three or more anti-virus engines, and on-network systems that detect when a malware attack may be taking place. They are still targets, just not the obvious choice.
Step 2 (when to start and stop the attack)
Knowing when to start the attack is also very important to the cybercriminal. Schools are targeted more frequently around busier times such as the exams periods. Sending malware during the summer holidays to a school is probably a waste of time for the criminal because no one will open it.
We also see a spike in attacks on betting companies around important sporting events. With the majority of their revenue earned around the FA Cup final and the Grand National, you can see the sense in attacking them at those times.
Step 3 (Pay Day)
By now, the malware has run on your network and encrypted all of your data. You have a popup message on screen requesting payment in bitcoin. If you are wondering why bitcoin, it is because payments cannot be reversed and the criminal can receive them from anywhere without a bank account in their own name. The transactions themselves sit on a public ledger, so they are not untraceable, but tracing a wallet back to a person is slow and rarely done for a single victim.
Hopefully, at this point, you can go to your backup and restore your data. If you use us for your backup, our system will allow you to restore everything with ease.
If you are using our FileSync cloud backup, sync and share service, there is a convenient restore button that recovers all your data back to the last good snapshot prior to the ransomware attack. Whatever service you use, a snapshot only helps if the ransomware could not reach it: versions must be kept on the service side and must not be deletable by the account the malware ran under.
If you don't have a backup, you're faced with the dilemma of losing your data forever or paying a ransom and possibly still losing your data.
Easy steps to prevent ransomware landing on your network
Look at it this way; you can’t stop someone walking past your home or car with the intent of breaking a window and taking what isn’t theirs. The reassurance that you will get your stolen goods back afterwards, is little consolation. Somewhere in the middle, between the intent and the theft, you need a strategy to prevent that criminal intention from going any further. The same is true with cybercrime.
Ransomware can largely be prevented, but as with everything in life there is some effort involved. The most effective ways to prevent ransomware attacks are:
1. Ban raw email and use an electronic helpdesk
Instead of standard email – which is cumbersome, lets unsolicited mail straight into your systems and has no built-in management – try an electronic helpdesk. Your customers can still email you without changing how they work. The difference is that every message sent to your company is now screened and managed before a member of staff sees it. Even the most basic systems let you block individual email addresses and remote networks, and many let you block entire countries.
There are many helpdesk systems available online which are free to use for light usage. Larger systems can be hosted online or on-premise. We use WHMCS as part of our service plan, which allows us to have as many support staff as we like for less than £30 a month. Configured correctly, these systems strip unwanted attachments and links to malware before anyone can click on them.
You can also deploy an anti-virus service that scans all email at the gateway and blocks unwanted attachments. Staff can still view lower-risk files such as images and PDFs, while file types that routinely carry malware are blocked: executables (.exe, .scr), scripts (.js, .vbs, .ps1), macro-enabled Office documents (.docm, .xlsm) and archives such as .zip that hide them. Check what is inside an archive rather than trusting its name, and treat a password-protected archive as unscannable: it cannot be checked, so it should not be delivered.
With an electronic helpdesk, every email still arrives at your organisation and is visible to everyone in the team. You can see when an email has gone unanswered for a set period, who has replied to each message, and what they said.
Larger organisations that don't deal with the public block free email accounts such as Gmail or Yahoo because their customers won't use those accounts. The cybercriminal prefers a free account (or someone else's compromised account) to a domain of their own, because registering a domain leaves a payment trail that could identify them.
Blocking email from free webmail accounts will stop a large share of opportunistic malware in one action, although it will not stop mail sent from a compromised legitimate account or from a lookalike domain.
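The attachment screening described above, written out as an added example (this is not code from the page, from WHMCS or from any gateway product): it parses a raw email with the Python standard library, walks each attachment, flags blocked extensions including double extensions such as invoice.pdf.exe, compares the file's leading bytes with its name, and looks inside zip archives, refusing password-protected members it cannot scan. The blocklist, the magic-byte table and the sample message are assumptions chosen for illustration.

```python
"""Screen inbound email attachments the way a helpdesk or gateway filter would.

Added example, not code from the page or from WHMCS: it parses a raw RFC 822
message with the standard library, walks every attachment and returns the
reasons (if any) each one should be blocked. The extension list, the magic
bytes and the sample message are assumptions chosen for illustration.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that commodity malware droppers commonly use (assumed blocklist).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
    "wsf", "hta", "lnk", "iso", "img", "msi", "jar", "docm", "xlsm", "pptm",
}
MAX_NESTING = 2  # zips inside zips beyond this depth are refused unopened

# Leading bytes that identify a type regardless of what the file is called.
MAGIC = {b"MZ": "exe", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def extensions_of(name):
    """All extensions in a name, so 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    return name.lower().split(".")[1:]


def sniff(data):
    """Type guessed from the first bytes, or None when unrecognised."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return None


def check_attachment(name, data, depth=0):
    """Reasons to block this attachment; an empty list means allow it."""
    reasons = []
    exts = extensions_of(name)
    kind = sniff(data)
    # Match every extension, not just the last one, to catch double extensions.
    if BLOCKED_EXTENSIONS & set(exts):
        reasons.append(f"{name}: blocked extension")
    # A file called .pdf whose bytes start with a PE header is mislabelled.
    if kind == "exe" and "exe" not in exts:
        reasons.append(f"{name}: executable content with non-executable name")
    if kind == "zip" or (exts and exts[-1] == "zip"):
        reasons.extend(check_zip(name, data, depth))
    return reasons


def check_zip(name, data, depth):
    """Inspect archive members; encrypted members cannot be scanned, so refuse."""
    if depth >= MAX_NESTING:
        return [f"{name}: archive nested too deeply"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 set => member is password protected
                    reasons.append(f"{name}: encrypted member {info.filename}")
                    continue
                reasons.extend(check_attachment(info.filename, zf.read(info), depth + 1))
    except zipfile.BadZipFile:
        reasons.append(f"{name}: corrupt or fake zip")
    return reasons


def screen_message(raw):
    """Map attachment name -> reasons, for the attachments that must be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons = check_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            verdicts[name] = reasons
    return verdicts


def build_sample_message():
    """Constructed sample: a harmless PDF plus a zip hiding 'invoice.pdf.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 fake PE header for the example")
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "info@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 harmless statement", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in screen_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

Run it and only invoice.zip is reported, because the PDF's bytes match its name while the zip member carries a blocked extension. The same checks apply to a helpdesk import or a gateway hook; the point is that the decision is made on content and on every extension in the name, never on the trailing extension alone.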
2. Be aware of when heightened attacks will occur
Following on from the betting analogy above, IT admins can use historical data from their firewalls, web filters and antivirus systems to build up a profile of when attacks are most frequent. Are Monday mornings extra busy for your company? If so, are dodgy emails with harmful content more likely to be opened when staff are at their busiest?
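As an added illustration of building that profile (not code from the page), the script below parses a handful of constructed log lines in an assumed "timestamp verdict details" shape, counts blocked-malware events by weekday and hour, and tallies the sender domains. The log format, field names and the sample data are assumptions; the regular expressions are the only parts you would need to change for a real gateway export.

```python
"""Build a when-do-attacks-arrive profile from blocked-malware log lines.

Added example, not from the page: it parses constructed sample lines in an
assumed "<ISO timestamp> <BLOCKED|ALLOWED> <details>" shape, counts BLOCKED
events by weekday and hour, and tallies the sender domains seen. Change
LINE_RE and FROM_RE to match what your gateway, web filter or AV console
actually exports.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not real data); 2019-03-04 and 2019-03-11 are Mondays.
SAMPLE_LOG = """\
2019-03-04T09:02:11 BLOCKED attachment=invoice.zip from=x@gmail.com
2019-03-04T09:05:47 BLOCKED attachment=order.docm from=y@yahoo.com
2019-03-04T09:17:30 BLOCKED url=http://example.invalid/dl from=z@gmail.com
2019-03-04T14:40:02 BLOCKED attachment=scan.js from=q@outlook.com
2019-03-05T09:10:00 BLOCKED attachment=remit.exe from=w@gmail.com
2019-03-05T11:03:45 ALLOWED attachment=brochure.pdf from=sales@example.co.uk
2019-03-11T09:01:09 BLOCKED attachment=invoice.zip from=k@gmail.com
2019-03-11T09:22:38 BLOCKED attachment=payroll.xlsm from=m@gmail.com
2019-03-12T16:55:00 BLOCKED attachment=cv.scr from=n@yahoo.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(BLOCKED|ALLOWED)\s+(.*)$")
FROM_RE = re.compile(r"from=[^@\s]+@(\S+)")
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_events(text):
    """Yield (timestamp, verdict, details) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def blocked_by_window(text):
    """Counter keyed by (weekday, hour) over BLOCKED events only."""
    return Counter((DAYS[ts.weekday()], ts.hour)
                   for ts, verdict, _ in parse_events(text) if verdict == "BLOCKED")


def busiest_windows(text, top=3):
    """The top N (weekday, hour) windows with their block counts, busiest first."""
    return blocked_by_window(text).most_common(top)


def blocked_sender_domains(text):
    """Counter of sender domains on BLOCKED events; free webmail stands out."""
    counts = Counter()
    for _, verdict, details in parse_events(text):
        m = FROM_RE.search(details)
        if verdict == "BLOCKED" and m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    for (day, hour), n in busiest_windows(SAMPLE_LOG):
        print(f"{day} {hour:02d}:00-{hour:02d}:59  {n} blocked")
    print(blocked_sender_domains(SAMPLE_LOG).most_common())
```

On the sample data the Monday 09:00 window dominates, which is exactly the kind of result that tells you when to brief staff, tighten attachment rules or schedule extra checks.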
3. Manage user permissions correctly
Ransomware can only encrypt data that the compromised account has permission to change. Commodity ransomware runs with the rights of the user who opened it; it can try to elevate those rights through an unpatched vulnerability, but if the account has minimal access to the local PC and to network shares, and the PC is patched, the damage is limited to what that account could write to anyway.
It is very rare that a user needs full admin rights to their PC. These rights can be controlled centrally through Group Policy by the IT admin. Rights can be granted and revoked when required, but should never be left unchecked. Start with minimal PC and network rights and increase as required, and review share permissions as well as local ones: a standard user with write access to a department share can still encrypt the whole share.
Department heads very often have an 'entitled' right to full access to their PC and network data when in practice they don't need it. Department heads are also among the most targeted, because they have been in their jobs a long time and their email addresses are better known than a new starter's.
4. Web filtering
There are many web filtering applications and services on the market which prevent a user from visiting an unauthorised website and unknowingly downloading malware. Not only do they protect your network, they can also increase productivity by restricting which non work-related websites can be viewed and when. Some require you to install software on your network; others simply require you to point your DNS or route your internet traffic through their service. This can be done in minutes and hands over the responsibility of securing your web browsing traffic to experts.
5. Protect your email
If you are using sales@ and info@, so are the cybercriminals. Use different non-generic email addresses and add a contact form to your website instead of publishing your email.
Also, be careful where you enter your email address online. If you sign up for free offers, your email address will probably be sold on.
6. Small companies still have a fight
As a small company or sole trader, you have the consolation of knowing that you are likely to fall under the radar of a cybercriminal picking targets by hand. Mass-mailed malware is indiscriminate, though, so you still need to secure yourself, and it is still easy to do.
Simple works best
Always have an up-to-date antivirus and firewall on each PC and laptop.
This helps block viruses coming in via email, webmail and removable media, and most products also block access to dodgy websites where malware is lurking. If you have more than one device in your company, set up central reporting so that you know when a virus or attack has been blocked and when the security software needs updating. Most products have this feature built in. Keep Windows and your applications patched as well: drive-by downloads rely on unpatched software.
Never open emails you are suspicious of and never visit dodgy websites.
Recover from ransomware
Full backups are your best weapon against a successful ransomware attack
Regardless of what happens to your data, if you have regular full backups that the attacker could not reach, you can recover from any incident. Test the restore regularly; a backup you have never restored from is a hope, not a plan.
Your full backup doesn't have to be stored on expensive media or on an online storage system. It simply needs to be somewhere which suits your availability and security requirements and which is not writable from your live network: a drive that is left plugged in, or a share the users can write to, will be encrypted along with everything else. Your budget and bandwidth will also dictate how many copies of your data you keep and where they are stored.
You will need to keep enough full copies to be able to go back to a backup taken before the ransomware attack happened. Ransomware can sit in a network for days before it is triggered, so keep more than one generation.
Incremental backups can recover you from a ransomware attack, but only if the base backup and every increment in the chain survive intact. A full backup that is not linked to your live data or to other backup sets is the simplest to verify and the only method we recommend.
Ransomware attacks reinforce the need for reliable backups.
We have been involved with online cloud backup since 1999 and have provided our service to almost every sector in the UK and other countries.
Back in the 1990s, when we worked with networks and tape drives for backup, it was very common to see an entire organisation's data stored on a server with one hard disk, or at best mirrored to a second disk in RAID 1. We frequently saw servers fail with a total loss of data, so everyone kept a backup.
In the last 15 years, hardware failures of this type have become less frequent, and some IT admins have become less concerned about their backups as a result.
In the last 5 years or so we have seen a complete renewal of the need for a solid backup because of ransomware.
If your data is stored in the cloud, it can still be destroyed in a ransomware attack: a sync client faithfully uploads the encrypted versions of your files, and an account that can delete files in the cloud can delete them there too. Cloud storage is only a backup if it keeps earlier versions that the compromised account cannot remove.
At the most basic level you can copy your server drives to removable storage with a simple command such as "xcopy d:\storage\*.* x:\backup-device-storage\20190304 /s /v /c /e /i". Use a fresh dated folder each time (the /i switch tells xcopy the destination is a directory), leave out /d, which copies only files newer than the existing copy and so turns a full backup into an incremental one, and unplug the drive afterwards so the next infection cannot overwrite it.
This isn't the way most organisations would do it, but it highlights how easy it is to beat cybercriminals.
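As an added example of the full-backup approach recommended in this section (not the page's own tooling and not FileSync), the script below takes a dated full copy of a folder with a SHA-256 manifest, then shows how to pick the last clean snapshot after an attack: a canary document that should never change is checked against its known-good hash, and the newest snapshot whose canary and manifest verify is restored. The folder layout, the canary scheme and the simulated ransomware run are assumptions; the demo works entirely inside a temporary directory.

```python
"""Dated full backups with a hash manifest, plus picking the last clean one.

Added example, not the page's own tooling: it copies a source tree into a new
dated snapshot directory, records a SHA-256 manifest, and uses a canary file
(a document that should never change) to decide which snapshot predates a
ransomware run. Paths, the canary scheme and the simulated attack are assumed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CANARY = "0000-do-not-edit.txt"  # assumed canary document kept in the live tree


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def full_backup(source, store, label=None):
    """Copy the whole source tree into store/<label> and write manifest.json."""
    source, store = Path(source), Path(store)
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = store / label
    shutil.copytree(source, dest)  # refuses to overwrite an existing snapshot
    manifest = {str(p.relative_to(dest)): sha256_file(p)
                for p in dest.rglob("*") if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return dest


def verify_snapshot(snapshot):
    """True when every manifest entry is present with the recorded hash."""
    snapshot = Path(snapshot)
    manifest = json.loads((snapshot / "manifest.json").read_text())
    return all((snapshot / rel).is_file() and sha256_file(snapshot / rel) == digest
               for rel, digest in manifest.items())


def last_clean_snapshot(store, canary_digest):
    """Newest verified snapshot whose canary still has its known-good hash."""
    for snap in sorted(Path(store).iterdir(), reverse=True):
        manifest = json.loads((snap / "manifest.json").read_text())
        if manifest.get(CANARY) == canary_digest and verify_snapshot(snap):
            return snap
    return None


def restore(snapshot, target):
    """Copy the snapshot's files (manifest excluded) into the target folder."""
    snapshot, target = Path(snapshot), Path(target)
    for rel in json.loads((snapshot / "manifest.json").read_text()):
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, target / rel)
    return target


def demo():
    """Constructed scenario: clean backup, ransomware run, dirty backup, recovery."""
    root = Path(tempfile.mkdtemp())
    src, store, recovered = root / "live", root / "backups", root / "recovered"
    for d in (src, store, recovered):
        d.mkdir()
    (src / CANARY).write_text("canary: this file never changes\n")
    (src / "accounts.csv").write_text("customer,balance\nacme,120.00\n")
    canary_digest = sha256_file(src / CANARY)  # recorded when the canary is created

    full_backup(src, store, "20190301T020000Z")  # clean snapshot
    for p in list(src.iterdir()):                # simulated ransomware run
        p.write_bytes(os.urandom(64))
        p.rename(p.with_name(p.name + ".locked"))
    full_backup(src, store, "20190302T020000Z")  # snapshot of encrypted data

    clean = last_clean_snapshot(store, canary_digest)
    restore(clean, recovered)
    return clean.name, (recovered / "accounts.csv").read_text()


if __name__ == "__main__":
    name, content = demo()
    print("restored from", name)
    print(content, end="")
```

The second snapshot is skipped because the canary has been renamed and rewritten, so its manifest no longer carries the known-good hash; the first snapshot verifies and is restored. In a real deployment the store would be on media that is unplugged or on a service the user account cannot write to, which is the property that makes the snapshot trustworthy in the first place.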
If you use our cloud-to-cloud backup service, you can backup anything anywhere.
Contact us to start a discussion or post your comments below if you have something to add to the community.