15 Jun 2016

Ransomware is rising [again] and is sadly becoming a booming business for the “bad guys”. I will spare you the definition; there are plenty of good articles out there explaining what it is. What I want to focus on here is prevention.

But first, let me talk about one of my customers and why I decided to write this article (even though it seems so obvious). The person in question handles accounting and receives all accounting-related emails. He got an email stating he had an unpaid invoice. He didn’t know the sender (strike 1), but it could still have been “real”. The email had an attachment instead of inline text, so he had to open that attachment (strike 2). The attachment was actually an encrypted zip, but “luckily” the password was provided, so he entered the password (strike 3). At which point the program encrypted his entire PC. Unfortunately, that PC contained the entire accounting for the company, with the backups on an attached external hard drive (which also got encrypted…). I don’t need to tell you what happened next (they paid), but I will tell you what did not happen next (they did not implement a layered security approach and a versioned [offline] backup solution).

Protecting yourself from ransomware is not that different from protecting yourself from any other malware: layered protection.

  1. User education: they need to understand that it is the wild, wild west out there. Some users will still click, but the fewer who click, the less you need to rely on your other layers.
  2. Up-to-date endpoint protection on all devices (it is useless if it is not up to date; make sure you get, and read, regular reports confirming that your endpoint protection clients are running and updating).
  3. A backup solution that keeps versions of your data somewhere else, not permanently writable from the protected PC (if you keep only one copy, the encrypted copy will overwrite your backup, and a backup drive that stays attached gets encrypted together with the PC, as happened above).
  4. A firewall that actually inspects network traffic crossing the Internet boundary, inbound and outbound, for malware (it also needs to be up to date, and good reports help you be proactive: why is that PC connecting to Russia every night when no one is in the office?).
  5. Malware inspection on “your” email servers for both inbound and outbound emails (outbound scanning reduces the chance of spreading an infection to your customers and partners).
  6. Additional protection: block encrypted zip files at the firewall and on the mail server. A scanner cannot look inside a password-protected archive, which is exactly why attackers use them and put the password in the message body. If you need encrypted zips for your business, keep the file in an online drive like Box or OneDrive and send a link to the file.
  7. Additional protection: if you receive a suspicious email and you really, really, really need to open it (an old-fashioned phone call to the sender or the sending company is a much safer option), wait a couple of days so your endpoint protection has a chance to catch up with a zero-day sample, and open it on a PC that is disconnected from the network and can be wiped clean afterwards (but really, don’t open that email/document/program/attachment, ever).
  8. If it happens to you, or you suspect a device may be infected: reinstall the OS entirely and restore your data from a backup version taken before the infection. Don’t run an anti-malware scanner (or three) and hope they caught everything.
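As an added example, not code from the original post, here is a mail-gateway check in Python for step 6: it rejects password-protected zip attachments and, because an archive that cannot be parsed cannot be inspected by anything downstream either, rejects malformed ones as well. Everything in it is constructed for illustration: the sample message, its addresses and attachment names, and the zip fixture, which is hand-built with `struct` so the encryption flag can be set (the standard library cannot write encrypted archives, and only the header flag is set, not real ZipCrypto). Deciding by magic bytes rather than by the declared Content-Type is this example's own choice.

```python
import email
import email.policy
import io
import struct
import zipfile
import zlib
from email.message import EmailMessage

ZIP_ENCRYPTED_FLAG = 0x0001      # bit 0 of the ZIP general-purpose bit flag
ZIP_LOCAL_MAGIC = b"PK\x03\x04"  # local file header signature


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Hand-built single-entry ZIP (stored, uncompressed), used here only as
    a constructed fixture. With encrypted=True only the header flag is set;
    the payload is not really ZipCrypto-encrypted, which is all a
    header-level gateway check keys on."""
    flags = ZIP_ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    fname = name.encode("ascii")
    # local file header: sig, version needed, flags, method, time, date,
    # crc, compressed size, uncompressed size, name length, extra length
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(fname), 0)
    local += fname + payload
    # central directory header: sig, version made by, version needed, flags,
    # method, time, date, crc, sizes, name/extra/comment lengths, disk no.,
    # internal and external attributes, offset of the local header (0)
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          0, 0, 0, crc, len(payload), len(payload),
                          len(fname), 0, 0, 0, 0, 0, 0)
    central += fname
    # end of central directory: sig, disk numbers, entry counts (this disk
    # and total), central directory size and offset, comment length
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local), 0)
    return local + central + eocd


def attachment_verdicts(raw_message: bytes) -> list[tuple[str, str]]:
    """Gateway check: one (filename, verdict) pair per attachment, where the
    verdict is 'allow', 'block-encrypted-zip' or 'block-unreadable-zip'."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_content()
        if isinstance(data, str):                # text/* attachments
            data = data.encode(part.get_content_charset() or "utf-8")
        # Decide by magic bytes, not by the declared MIME type or extension:
        # a zip sent as application/octet-stream is still a zip.
        if not data.startswith(ZIP_LOCAL_MAGIC):
            verdicts.append((name, "allow"))
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                encrypted = [i.filename for i in zf.infolist()
                             if i.flag_bits & ZIP_ENCRYPTED_FLAG]
        except zipfile.BadZipFile:
            # Looks like a zip but cannot be parsed: nothing downstream can
            # inspect it either, so fail closed rather than wave it through.
            verdicts.append((name, "block-unreadable-zip"))
            continue
        verdicts.append((name, "block-encrypted-zip" if encrypted else "allow"))
    return verdicts


def constructed_message() -> bytes:
    """Constructed sample mail (addresses, subject and attachments invented):
    a plain zip, a 'password-protected' zip declared as octet-stream, a
    truncated zip, and a harmless text note."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "accounting@example.com"
    msg["Subject"] = "Unpaid invoice 4711"
    msg.set_content("Please find the invoice attached. Archive password: 1234")
    msg.add_attachment(build_zip("invoice.txt", b"plain invoice", False),
                       maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(build_zip("invoice.exe", b"MZ not really", True),
                       maintype="application", subtype="octet-stream",
                       filename="invoice_protected.zip")
    msg.add_attachment(build_zip("x", b"y", False)[:40],
                       maintype="application", subtype="zip",
                       filename="broken.zip")
    msg.add_attachment("Just a note.", filename="note.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, verdict in attachment_verdicts(constructed_message()):
        print(f"{filename:24} {verdict}")
```

The verdict worth noticing is the second attachment: it was declared as application/octet-stream, so a filter keyed on the Content-Type header alone would have let it through; the magic bytes and the flag in the central directory are what give it away. The same `flag_bits` check works on every entry of a multi-file archive, so an attacker cannot hide one protected executable among plain files.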

Steps 1 to 6 should be a given for all organizations, large or small (if they are not, get someone to help you).

Steps 1 to 3 are also really easy to do at home and should be the basis of safe computing there.

Ping me if you have any questions and be safe!

Loïc