Ransomware is a relatively new but rapidly growing threat that can affect any business, in any industry, of any size. It doesn’t require complicated coding, and as far as viruses go, creating ransomware is about as accessible as deciding to start a pickpocket scheme. Unfortunately for businesses, that also means defending against it is a relentless battle that requires constant supervision.
Most ransomware creators do not know their victims or the size of the companies they are about to infect. Generally, the targets are random. Ransomware creators often obtain hacked e-mail distribution lists and send an advertisement for free-something, save-something, or see-someone-famous so that the reader will impulsively click a link to a website that automatically installs and distributes the virus. The malicious links can spread just as easily via social media. When one person clicks a bad link, the virus can be programmed to immediately gain access to all of the victim’s social media contacts. It can then send direct messages, framed as a personal endorsement, asking every contact to click that same link (perpetuating the life of the virus as long as at least one person is willing to click).
Does Everyone Else Know What to Do Except Me?
How a responsible business owner is supposed to respond when affected by ransomware is still not common knowledge. Very rarely is a specific company the target, and the attack often blindsides victims into panic mode. The typical response for those without a plan is almost always a series of desperate attempts to recover data, finger-pointing over blame, and then googling how to buy cryptocurrency (to pay the ransom). In hindsight, most companies wish they had had a plan, or had at least started a conversation on the topic. If this is you, you are not alone.
This past year alone, our support department has documented more than 75 cases that mention ransomware in the problem description. Some companies were left dead in the water because the ransomware had corrupted every database and local backup that ran their daily business. As companies encounter this sort of behavior more frequently, they are conditioned to believe that ransomware is just a “cost of doing business.” Let me remind you: it is not, and there are ways to protect you and your data.
As we modernize our processes and find ways to use technology in construction, new challenges and threats will force us to protect ourselves. Just as we have hired Construction Technologists to increase our understanding of our business through technology, we must also encourage our internal infrastructure teams to create adaptable procedures to prevent attacks, and to have a recovery plan if and when an attack is encountered.
Here are some points to help along the way to securing your network from ransomware:
Create a Culture of Awareness That Actively Protects You from Ransomware
- User Education and Awareness – Providing education to anyone who may be connected to your network (by phone, computer, or any wi-fi enabled device) is one of the most effective ways to manage your security. If all users are made aware of the threats to both business and personal information, your risk goes down. Users should also be reminded regularly of the company’s etiquette for online behavior involving links in e-mails, software downloaded from third-party websites, and use of thumb drives. These are all potential avenues of malware delivery, and bad habits in the office can lead to bad habits and intrusions at home.
- Web Content Filtering – Setting up web content filtering blocks browsing not only to websites unrelated to business operations but also to locations on the internet that are potentially malicious.
- Anti-Malware Protection – Anti-malware protection is a crucial step in preventing ransomware from infecting systems. Make sure every system is protected with anti-virus and anti-malware software that is configured to scan regularly. Creating layers of security, like the layers of an onion, helps catch something that one protection missed.
- Redundant Backups – Important data should be backed up in multiple locations. If files get corrupted, deleted, or encrypted on the file server, you may need to pull backups located on the server. If the server is lost in a power outage, it might be necessary to pull backups from a RAID server that is external to the compromised system. Ransomware can only infect what it is connected to, so having an isolated backup every night will minimize the loss of data.
- Off-Site or Cloud Backups – An off-site backup solution or cloud backup is a newer method for recovery. It is possible to set this up as a temporary solution until you can restore your server, which can keep users working with little interruption.
Indicators that you might be under a Ransomware Attack:
- Applications produce multiple errors, or will not launch.
- There are missing files in commonly used folders.
- There are files with a strange extension, e.g. “.crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky”, or a 6-7 character extension consisting of random characters.
- There may be accompanying note files such as “HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt, RECOVERY_KEY.txt, HELP_RESTORE_FILES.txt, HELP_RECOVER_FILES.txt, HELP_TO_SAVE_FILES.txt, DecryptAllFiles.txt, DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT”.
- Some users may see an actual message displayed on screen, sometimes without being prompted and sometimes when trying to open a file or launch an application, explaining that system files have been encrypted and giving instructions on how to contact the attacker and pay to unlock the data.
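The extension and note-file indicators above can be checked automatically. The following script is an added example, not part of the original post: it walks a folder and flags files whose names match the listed ransom notes, the listed extensions, or the “random 6-7 character extension” pattern, and the `COMMON_EXTENSIONS` allowlist is an assumption you should extend for your own file types.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post, lower-cased so matching is case-insensitive.
KNOWN_EXTENSIONS = {
    ".crjoker", ".enciphered", ".lechiffre", ".keybtc@inbox_com", ".0x0",
    ".bleep", ".1999", ".vault", ".ha3", ".toxcrypt", ".magic", ".supercrypt",
    ".ctbl", ".ctb2", ".locky",
}
KNOWN_NOTES = {
    "help_decrypt.txt", "help_your_files.txt", "help_to_decrypt_your_files.txt",
    "recovery_key.txt", "help_restore_files.txt", "help_recover_files.txt",
    "help_to_save_files.txt", "decryptallfiles.txt", "decrypt_instructions.txt",
    "instrucciones_descifrado.txt",
}
# Assumed allowlist: legitimate 6-7 character extensions that must not be
# reported as "random". Tune this for the file types your business uses.
COMMON_EXTENSIONS = {".config", ".backup", ".sqlite", ".torrent", ".numbers"}
# The post's "6-7 length extension consisting of random characters".
RANDOM_EXT = re.compile(r"^\.[a-z0-9]{6,7}$", re.IGNORECASE)

def classify(name):
    """Return why a file name is suspicious, or None if it looks normal."""
    lower = name.lower()
    if lower in KNOWN_NOTES:
        return "ransom-note"
    ext = Path(lower).suffix          # last extension only, e.g. ".locky"
    if ext in KNOWN_EXTENSIONS:
        return "known-extension"
    if ext not in COMMON_EXTENSIONS and RANDOM_EXT.match(ext):
        return "random-extension"
    return None

def scan(root):
    """Walk root recursively and return {full_path: reason} for flagged files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            reason = classify(f)
            if reason:
                hits[os.path.join(dirpath, f)] = reason
    return hits

def demo():
    """Scan a constructed sample tree; returns sorted (file name, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ["invoice.pdf", "budget.xlsx.locky", "HELP_DECRYPT.TXT", "photo.jpg.a9x3kq"]:
            Path(tmp, name).write_text("constructed sample content")
        return sorted((os.path.basename(p), r) for p, r in scan(tmp).items())
```

Run `scan()` against a file share from a clean machine; a sudden burst of hits in one folder is a strong signal to start the quarantine steps described later in this post.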
It is important to have a plan in place for what to do after a ransomware attack. We recommend formalizing a process with specific steps involving the right people and their contact information. There is no guarantee that if you pay a ransom the attacker will release your data back to you. They could also turn around and resell the information, or simply lock the data again later to collect a second ransom after you have paid. Authorities have been known to discourage paying the ransom for those reasons. Another issue with paying ransoms is that it encourages and rewards attackers for this bad behavior.
Cryptocurrency is an internet-based medium of exchange used to complete financial transactions that are not regulated by any central authority. Its value, very loosely translated, is based on what the next person is willing to pay for it. Many ransomware payments demand cryptocurrency because it is not tied to any set of laws and is not backed or insured by anyone. Unfortunately for the ransomers, a payment can be tied back to a wallet, which can be linked to a person; while it is not as anonymous as asking for a bag full of cash, it is the closest thing to it in a digital world.
Here are a few tips to consider to get the business back up and running in a timely manner:
- Quarantine any affected system from the company’s internal network and the internet. Do not load any files from the affected system back onto a virus-free system until they have been fully vetted and confirmed to be malware-free by IT staff.
- Evaluate the extent of the files that have been encrypted. For each file type, check available backups to see if the data can be recovered.
- One way to view a ransomware attack is to treat your situation like a power surge that has fried your entire system. In that case, your local hard drives would be physically damaged and, in most cases, unrecoverable. Consider the data that is encrypted by the ransomware as lost. If all business-critical data is backed up properly, it will just be a matter of restoring systems to a viable restore point. This situation can happen to any system for non-malicious reasons, and it is an eventuality companies should be prepared for as well.
- If you are able to catch the virus quickly and identify the scope of the damage, you may be able to quarantine and remove all encrypted files. At that point, you can begin to restore the affected files to a pre-attack state. If this is the method you adopt, be sure your antivirus is enabled and scanning files and activity regularly, as remnants of the ransomware may still be hiding.
- Reporting the attack early in the process is vital for two reasons: 1) more information about the specific ransomware might be available from the authorities, which can save you time and possibly help locate where the ransomware is hiding; 2) ensuring that authorities have all pertinent information about new threats affecting businesses can help others.
If you or someone you know is being attacked by Ransomware, an FBI report can be filed at this address: https://www.ic3.gov/default.aspx
For help with restoring your HCSS software from uninfected backups, HCSS support is here to help, and we will do everything we can to offer our time and expertise. If you have questions, feel free to contact support or comment below.