- What is ransomware?
- Should I pay to unlock files locked with ransomware?
- How to pay the ransom and recover files?
- Should computers be wiped after a ransomware infection?
- How does ransomware get in?
- How does ransomware spread?
- How to prevent ransomware in small business IT systems and email accounts
- What is the best way to respond to a ransomware infection?
Ransomware is here to stay. Ransomware protection for small business is a top priority, because small businesses are targeted in automated ransomware attacks. Bad actors know that many SMBs do not take adequate precautions and lack the IT staff to stay on top of IT and network management.
Ransomware prevention is key, because the cost of recovery is too high.
This post is a guide to ransomware protection and prevention with some important notes about the problem with prevention tips. Key actions to take include:
- Take regular backups (using the 3-2-2 rule).
- Test backup restores regularly.
- Reduce the chance of ransomware being delivered.
- Prevent ransomware from executing if it is delivered.
- Assume a breach and have a Disaster Recovery Plan in place.
The solutions must be holistic, baked into your IT systems design, and layered together without gaps. Piecemeal tools will not suffice. With so many variants of ransomware and so many exploit types, only a small gap is needed to get in. Smart, comprehensive solutions are required.
As small business IT services providers in Toronto, our team helps SMBs with these IT security issues daily, and we want to help you too. In this post we will cover everything you need to know about ransomware infections and preventing ransomware from interrupting your business.
What is ransomware?
Ransomware is a type of malware that locks, encrypts, and prevents one from accessing IT systems, files, or emails unless a ransom is paid to the cyber attacker who infected the systems with ransomware.
The idea behind ransomware attacks is that in exchange for the ransom fee, the cyber attacker provides a decryption key to unlock files and restore business operations. As you read this article you will learn that is not always the case.
Cyber attackers use ransomware and many other exploit kits to extort money from business owners. Ransomware infections may also be paired with countdown timers and threats to release the user’s data to the public or dark web unless the ransom is paid.
Should I pay to unlock files locked with ransomware?
There are arguments on both sides as to whether one should pay the ransom. On one hand, your business and livelihood may be at stake; on the other, you are indirectly enabling cyber terrorism by giving in to their demands and justifying their activities. This is a decision you must make on your own. Our advice is not to pay a ransom if you can help it.
If you decide to pay for a ransomware decryption, know that paying a ransom is an involved process. It is not as easy as transferring funds. It requires a cryptocurrency wallet account to be set up, then funded, then used to pay the ransom. The ransom itself may be remarkably high and a financial burden.
Once paid, a decryption key may be provided to unlock and restore access to files. However, in 12-17% of reported ransomware infections where the ransom was paid on time, no decryption key was provided.
With no guarantee of unlocking files, industry reports tracked a trend of more business owners refusing to pay ransoms at all. Seemingly in response to that rise in payment refusals, delivery of decryption keys after payment appeared to increase.
It is difficult for analysts to report these trends with absolute certainty, as an unknown percentage of ransomware infections go unreported. However, it seems as though a war between cyber criminals and business owners is in play. When cyber attackers noticed the drop in ransom payments, it hurt their bottom line. They responded by delivering decryption keys more reliably, which, in theory, would increase the number of ransoms paid.
You may never have thought of ransomware as a business model, but that is just what cyber crime is; an effective, highly automated, and lucrative business model. Criminals make money and continually improve their delivery methods. Business owners lose money, time, data, security, reputation, and peace of mind.
The most effective way to combat these issues is to implement ransomware prevention strategies. They are many, varied, and effective for small business. We will talk more about prevention later. First, what to do if you have a ransomware infection.
How to pay ransom and unlock files?
You may want professional IT support to respond to a ransomware attack. The general steps you will need to take include:
- If not paying the ransom, wipe all IT systems and use your Disaster Recovery Plan.
- If paying the ransom:
  - Purchase a cryptocurrency wallet.
  - Purchase Bitcoin from a Canadian operator such as Coinbase, CoinMama or Gemini.
  - Transfer it to your wallet.
  - Follow the ransom instructions to send the payment.
  - Receive the decryption key.
  - Follow the decryption instructions.
- Run deep antivirus and antimalware scans on all systems, or preferably wipe all systems and restore your now-decrypted files.
- Plan to implement stronger cyber security solutions to prevent ransomware infections from happening again.
Again, these steps are a general outline, and your systems and infection strain will vary. You may wish to hire professional IT support services to help you through this process.
Should computers be wiped after a ransomware infection?
It is important to know that because these infections are so sophisticated and evasive, IT administrators often take a “scorched earth” approach to remedy ransomware infections: a total wipe and reload of all systems. You can never be certain that ransomware has been fully removed, so the safest course of action is to start over from scratch. Wiping and reloading a single computer can take 3-4 hours in a best-case scenario. If all computers and a server need to be wiped and reloaded, things will take a lot longer.
As you would imagine, this is very time consuming and disruptive to business operations. Systems can be down for days or weeks, and some data may not be fully restorable. In addition, operations will be impaired, and staff will not have full access or functionality. The 2019 Scalar study of Canadian SMBs found that the average downtime after a cyber threat spanned 19 days and cost $120,000 in associated costs.
One thing is clear; since ransomware is growing and evolving, it is time for every business to prioritize proper cyber security solutions.
- 78% of ransomware attacks targeted small business.
- The Scalar study in Canada reveals that 100% of SMBs surveyed faced a cyber threat and 58% were breached.
- Ransomware threats in Q1 alone grew 700% more than all threats in 2019.
- Estimates predict one ransomware attack will occur every 11 seconds.
How does ransomware get in?
Ransomware can get into computer systems in many ways. Four of the most common initial access points for ransomware are:
- Drive-by compromise – websites that push infections out through code, extension installations, pop-ups, etc.
- External remote services such as Remote Desktop Protocol (RDP) – RDP ports are often poorly secured, unmanaged, and easy for low-skill attackers to breach.
- Spear-phishing attachments in emails.
- Exploiting unpatched software in the common programs business teams use.
The diagram below shows a vast array of vectors ransomware can use to infect computers. It is important to have layered IT security systems in place.
How does ransomware spread?
According to threat research by Group-IB, once a ransomware executable has access to a company account or computer, the most common methods of execution are:
- User execution – clicking a link, opening an infected attachment.
- PowerShell – scripts and commands that run in the background without any user intervention required.
To gain more access and evade detection, ransomware can:
- Exploit your IT systems to escalate its own privileges, permissions, and access.
- Disable your security tools to avoid detection and alerts.
- Run brute-force attacks to gain more credentials for more access to your systems.
- Scan networks, network shares, admin shares and Remote Desktop Protocol to move laterally across your systems.
- Modify group policies to hide within service accounts and increase the privileges of those accounts.
- Provide itself redundant access, so that if one entry is detected, a backdoor re-entry point exists.
There are many more tactics ransomware uses to spread. These are just some of the most documented.
Now that we understand what ransomware is, how ransomware spreads, and how serious an infection can be, we can understand why prevention is key.
How to prevent ransomware in small business IT systems and email accounts
Due to the sophistication and effectiveness of cunning cyber criminals, prevention is a top priority. You need professional IT management services working for you.
The problem with ransomware prevention tips:
Many articles offer tips to prevent ransomware without addressing what research shows: that users ignore cyber security training or make mistakes that compromise cyber security. As a result, many of the free tips offered are not used, and therefore not helpful. For example:
TIP: Only open attachments from trusted senders.
PROBLEM: A sender's name can be easily spoofed.
TIP: Check that the sender’s email address is correct.
PROBLEM: A sender's email address can be easily spoofed.
TIP: Inspect all links before clicking, use a URL expander for shortened links, OR manually type in all links.
PROBLEM: Staff may not check. In addition, fake online ads from seemingly reputable retailers, banks and companies contain redirects to fake websites built to phish users or inject malware.
TIP: Patch all computers and software as soon as prompted.
PROBLEM: Users do not patch. Reports show four in ten businesses were compromised due to unpatched systems, and the Canadian government urged all organizations to implement patching policies and adopt two-factor authentication.
Manual prevention can work, if applied. Automated prevention is a better option. Many of the tips offered below rely on automation, machine learning, your staff and skilled IT partners working together.
If you are skeptical about investing in subscriptions for cyber security tools, compare what you can do alone and manually, to what automated tools from industry leaders can do for you.
Giants like Microsoft, BitDefender & Huntress invest billions in research. Every cyber threat logged on their paying customers’ computers is added to their massive database. Their AI compiles all the data, learns from it, amalgamates metadata and pushes it back out to security tools & IT managers so that all paying clients gain protection from it. This means their tools catch more threats, even sophisticated threats that can rewrite their own code to evade detection.
Ransomware Protection strategies should include:
Guarding Information Flow
Assess, understand, and protect all paths for information flow in and out of your business, including emails, how documents are shared, what data is shared from one software to another etc. Each point is a breach risk and requires appropriate planning for protection.
Staff training & Acceptable Use Policies
Train staff on how to spot phishing, how to scrutinize suspicious emails, how to avoid risky websites and to always exit them without clicking on popups. Have staff sign off on Acceptable Use Policies so that everyone is on the same page about cyber hygiene and prevention.
Automated Computer Patching
Automation for small business should include automated endpoint management and patching of all vulnerable software as soon as a patch is released, because staff members are known to ignore and delay these important software updates. Patching closes gaps that allow threats to get in. MSPs offer basic computer management plans that provide excellent antivirus software and automated patching of all computers, and that is a good start for businesses with small budgets that do not have in-house IT staff. As soon as you can, grow into more fully fleshed-out managed IT services.
Centrally Managed Computers
Centrally managed computers can be locked down in various ways, including restricting internet usage to one browser, restricting browser extension installations, software installations and more. All these layers of security help close gaps that threats can use to get in.
Removing Administrator Rights from Computers
Every new computer ships with its first user account holding full permissions, including permission to install software. This also allows ransomware and malware to be installed when a bad link is clicked. Best practice is to remove administrator rights from computers before assigning them to staff, thereby greatly reducing accidental and bad-click malware installations. Only IT staff or outsourced IT providers should have administrative rights.
Segregate Data or Networks
High value data should be stored separately from high traffic data. This will look different depending on your physical or virtual network, your organization size, and the type of data you hold. Speak to your IT consultant to plan.
Ensure your Remote Desktop Protocol (RDP) is behind your firewall. Since RDP relies heavily on secure passwords, ensure that you have a company-wide password policy enforced. Use multi-factor authentication to reduce risk further. Monitor RDP and maintain logs. Any remote access to your systems should only be granted with a clear business justification and with best practices in place.
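The brute-force behaviour described under "How does ransomware spread?" and the advice above to monitor RDP and maintain logs can be turned into a concrete check. The script below is an added example, not code from the original post or from the IT provider: it reads simplified Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP) in a constructed comma-separated form and flags a source address that fails repeatedly in a short window, escalating if that address then logs on successfully. The threshold, window and log format are assumptions for illustration.

```python
"""Flag RDP brute-force attempts in Windows Security event data.

Added example. Event fields are simplified from the real 4625/4624
events; the CSV form and sample values below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2024-03-01T09:00:01,4625,10,administrator,203.0.113.7
2024-03-01T09:00:03,4625,10,admin,203.0.113.7
2024-03-01T09:00:05,4625,10,jsmith,203.0.113.7
2024-03-01T09:00:06,4625,10,backup,203.0.113.7
2024-03-01T09:00:08,4625,10,scanner,203.0.113.7
2024-03-01T09:00:20,4624,10,jsmith,203.0.113.7
2024-03-01T09:05:00,4625,10,jsmith,192.0.2.15
2024-03-01T09:30:00,4624,10,jsmith,192.0.2.15
2024-03-01T09:31:00,4625,2,jsmith,-
"""

THRESHOLD = 5                    # failed RDP logons from one source ...
WINDOW = timedelta(seconds=60)   # ... within this window trigger an alert


def parse_events(text):
    """Parse the constructed CSV lines into (ts, event_id, logon_type, account, src)."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), account, src))
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return (source_ip, alert_kind, detail) tuples in chronological order."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already alerted on
    alerts = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:        # only RemoteInteractive (RDP) logons
            continue
        if event_id == 4625:
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop stale failures
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "brute-force",
                               f"{len(recent)} failed RDP logons in {window.seconds}s"))
        elif event_id == 4624 and src in flagged:
            # A success from a source that was just guessing is the worst case.
            alerts.append((src, "success-after-brute-force",
                           f"account {account} logged on"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:<26} {src:<15} {detail}")
```

The single failure from 192.0.2.15 stays below the threshold and is not alerted, which is the point of the window: one typo is not a brute-force attempt.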
Building your IT systems from the ground up, with best practices baked in, will help to reduce the risk of ransomware infections, and make your company more resilient in the face of any cyber threat.
Application Whitelisting
Application whitelisting is the practice of specifying exactly which applications or executable files are permitted to be present and active on a computer system.
Ransomware Detection strategies should include:
Network Firewalls and Intrusion Detection Systems
Automated inspection and filtering of known threats at the network level.
Detection Based Antivirus / Antimalware Software
A homogeneous set of tools on every device across the company is required. Any one device without adequate tools can be an entry point. Special note about work-from-home computers: make sure they are secured and managed, or choose an adequate remote work solution.
Anti-Phishing Tools such as Transformation Techniques
Tools that inspect and modify URLs or files before delivering them to your inbox to mitigate potential attacks (e.g., Microsoft Office 365 Defender, Fortinet FortiMail, etc.).
Endpoint Detection & Remediation
Automated quarantine of any device infected by a threat that was able to bypass phishing detection tools and firewalls. EDR can detect payloads with delayed triggers or other persistent footholds that antivirus alone cannot detect.
Disaster Recovery strategies should include:
Regular Data Backup & Restore Testing
Take data backups daily or every few weeks. Test data backups to ensure recovery is possible. Never leave your data backup connected to your network, or it may be compromised in an attack. Always have offsite and redundant data backup, especially for server backup. Your IT company can help you with your Disaster Recovery Solutions.
Golden Images for fast operating system recovery
Data such as files is only one part of a disaster recovery plan. You must also be prepared for a total computer system wipe and re-installation. Depending on your business and the software requirements of each station, this can take 1-3 hours or more per computer. Staff are unable to work during this process. Golden images or virtual machines used in a Windows Virtual Desktop environment are fully restorable in just a few minutes. Be sure to speak with a small business IT consultant to assess your downtime tolerance and build your IT systems accordingly.
Know in advance if you plan to pay a ransom or not. Have a conversation with your legal professional and know your legal obligations.
This is not an exhaustive list, nor is it tailored to your business, your current IT systems, or any IT security improvements you may need in order to prevent ransomware and cyber threats from interrupting your business. Speak to your IT consultant to create a strong cyber security position for your business.
What is the best way to respond to a ransomware infection?
If you are facing a worst-case scenario, and are infected with ransomware, here are steps to take:
- Determine & Disconnect – Determine which devices are infected and isolate them from the rest of your network immediately.
- Unplug – If you are unable to remove devices from the network (waiting on IT support), unplug and shut down all infected devices to prevent the further spread of ransomware.
- Contact your IT provider immediately so they can begin to mitigate further data loss, triage, and plan for data recovery, beginning with the most critical systems.
- Wipe and reload all operating systems and restore data.
- Change all login credentials.
- Implement your response plan along with legal and IT consultants.
- Contact law enforcement – Report the crime.
- Review the incident to understand how infection occurred and how to improve security moving forward.
- Discuss the incident with your team to further educate all staff on cyber security and risk.
Cyber Security is no longer optional.
Cyber criminals continue to evolve. The technology landscape changes moment to moment and in just a few short years, what was good enough becomes obsolete.
Schedule your free consultation to have your IT security reviewed and improved.
Ready to make some changes?
Speak to our Toronto IT Consultants for options & an estimate.