“To Pay or Not to Pay” – Ransomware on the Rise

What should you do if you become a victim of ransomware such as CryptoLocker, Locky or Jigsaw? Do you pay the criminal who infected your system? Would you pay by prepaid card or by bitcoin? Do you even know how to use bitcoin?

There are alternatives to paying the extortion fee.

You have probably read or seen on the news about the California hospital system that paid a ransom to regain access to its data. But did you know that a Baltimore-area hospital, a Houston benefits firm, at least two Massachusetts police departments and a Chicago-area police department have all paid ransoms for access to their files? It is not only large organizations that fall victim to ransomware. Many smaller organizations, public and private, have had their systems compromised by one variant or another.

Many of these organizations were forced to pay because they had no backups of their data. With sound network security and backup procedures in place, they could have built a new virtual machine or even a new physical server and restored the data to its original location, provided the attackers did not wait a period of time before notifying the victim of the infection, which can leave the backups taken in that window holding encrypted files as well. Instead they ended up paying ransoms of between $400 and $18,000, most commonly in bitcoin. As part of that process a company is forced to a) learn what bitcoin is; b) acquire bitcoin; c) understand what a bitcoin wallet is; d) figure out how to transfer bitcoin from its wallet to another user; and e) trust that the person holding its data hostage will actually hand over a key that unlocks the data and will not come back asking for more money.

You don't have to be the one who pays the ransom. There are options for trying to unlock the data on your own. Software tools exist, some commercial, some not, though a free decryptor only exists for a family whose keys have been recovered or whose encryption was implemented badly; identify the variant first, from the ransom note and the extension added to the encrypted files, before you go looking for one. Here are links to a few free decryption tools.

So, what's the best option? Avoid the whole 'to pay or not to pay' conundrum by properly protecting your network assets and backing up your company's data. Network security and backups are not optional; they are critical to the survival of your business. Even if you never fall victim to ransomware, what would you do in a disaster (read flood, fire or tornado)? Could your business survive a complete data loss that no ransom could replace? Most could not.

At a minimum, backing up critical data to an external hard drive or a small storage array is easy and inexpensive. That way you at least have a copy of your critical data somewhere other than the server where it lives. One caveat: ransomware encrypts every drive and network share the infected machine can write to, so a backup drive that stays permanently mounted is just another victim. Rotate the drive out, or make the backup target unwritable from the servers it protects, so that at least one copy is out of reach.

Small businesses may have only one to five servers. That is fairly easy to back up to a small redundant NAS array, something like a Western Digital My Cloud for Business, a Drobo or a Netgear ReadyNAS. There are also many inexpensive roll-your-own solutions where you buy the chassis and add quality hard drives for a DIY NAS or SAN.

But what should you back up, and how much storage do you need? The basics are a full weekly backup that is kept for a month, complemented by daily differential backups that are rotated every week, plus an annual full backup that is kept for a year (unless it's financial data, which you pretty much keep forever). A differential contains everything that changed since the last full, so it grows through the week and a restore needs only two sets: if your server is compromised, restore last week's full and then the most recent daily differential taken before the infection started. Take care not to restore files in their encrypted state, which means establishing when the encryption actually began (the oldest modification time on an encrypted file), not when the ransom note appeared, and treating every backup taken after that point as suspect. Do the math to determine the amount of storage you need: the retained fulls plus a week of growing differentials.
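The capacity math and the restore choice for this scheme, as an added example that is not part of the original post. It assumes the full runs on Sunday and the differentials Monday to Saturday, uses a constructed backup catalogue for a fictional small business, and takes the ransomware extension list (`.locky` here) as something the operator fills in from the infected host; none of those details come from the post.

```python
"""Planner for the weekly-full / daily-differential rotation described above.

Added example, not code from the original post. The schedule, the sample
catalogue and the encrypted-file suffix are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Retention from the scheme: weekly fulls kept a month, one week of daily
# differentials, plus one annual full kept a year.
WEEKLY_FULLS_KEPT = 4
DIFFS_PER_WEEK = 6          # Mon..Sat; Sunday is the full (assumed schedule)
ANNUAL_FULLS_KEPT = 1


@dataclass(frozen=True)
class BackupSet:
    kind: str                   # "full" or "diff"
    taken: datetime             # when the backup job finished
    files: dict                 # path -> mtime of the copy held in this set


def storage_needed_gb(full_gb, daily_change_gb):
    """Steady-state capacity for the scheme.

    A differential holds everything changed since the last full, so the k-th
    one after a full is roughly k * daily_change_gb; it keeps growing until the
    next full resets it, and the week's worth is the sum 1+2+...+6 days."""
    fulls = (WEEKLY_FULLS_KEPT + ANNUAL_FULLS_KEPT) * full_gb
    diffs = sum(k * daily_change_gb for k in range(1, DIFFS_PER_WEEK + 1))
    return fulls + diffs


def restore_plan(catalog, first_encrypted, encrypted_suffixes=()):
    """Choose what to restore once the earliest encryption time is known.

    first_encrypted is the oldest mtime among files found encrypted on the
    infected host, which may be days before the ransom note appeared. Every
    set taken after it is suspect. Returns (full, diff, files, skipped):
    files maps each path to the set it is restored from, skipped lists paths
    dropped because they look like encrypted copies."""
    clean_fulls = [b for b in catalog if b.kind == "full" and b.taken < first_encrypted]
    if not clean_fulls:
        raise ValueError("no full backup predates the encryption; all retained sets are suspect")
    full = max(clean_fulls, key=lambda b: b.taken)
    # A differential already contains every change since its full, so only the
    # newest clean one after that full is needed, not each day's.
    clean_diffs = [b for b in catalog if b.kind == "diff" and full.taken < b.taken < first_encrypted]
    diff = max(clean_diffs, key=lambda b: b.taken) if clean_diffs else None

    files = dict.fromkeys(full.files, full)
    if diff is not None:
        files.update(dict.fromkeys(diff.files, diff))   # newer copies win
    # Belt and braces: even in a "clean" set, refuse anything carrying the
    # ransomware's extension or written at/after the encryption started.
    skipped = sorted(p for p, src in files.items()
                     if p.endswith(tuple(encrypted_suffixes))
                     or src.files[p] >= first_encrypted)
    for p in skipped:
        del files[p]
    return full, diff, files, skipped


def ts(day, hour=0, minute=0):
    """Timestamp helper for the constructed March 2016 catalogue."""
    return datetime(2016, 3, day, hour, minute)


# Constructed sample catalogue: Sunday 6 March full, nightly differentials.
# Encryption began Wednesday 9 March around 14:00; the Wednesday and Thursday
# jobs faithfully backed up the encrypted copies and the ransom note, and the
# note was only noticed on Friday.
ENCRYPTED = {"finance/ledger.xlsx.locky": ts(9, 14, 5),
             "hr/roster.docx.locky": ts(9, 14, 6),
             "README_RANSOM.txt": ts(9, 14, 7)}          # constructed note name
SAMPLE_CATALOG = [
    BackupSet("full", ts(6, 1), {"finance/ledger.xlsx": ts(4, 17), "hr/roster.docx": ts(2, 9)}),
    BackupSet("diff", ts(7, 23), {"finance/ledger.xlsx": ts(7, 10)}),
    BackupSet("diff", ts(8, 23), {"finance/ledger.xlsx": ts(7, 10), "hr/roster.docx": ts(8, 9, 30)}),
    BackupSet("diff", ts(9, 23), ENCRYPTED),
    BackupSet("diff", ts(10, 23), ENCRYPTED),
]
FIRST_ENCRYPTED = ts(9, 14)     # oldest mtime found on an encrypted file


if __name__ == "__main__":
    print(f"capacity for 500 GB changing 20 GB/day: {storage_needed_gb(500, 20):.0f} GB")
    full, diff, files, skipped = restore_plan(SAMPLE_CATALOG, FIRST_ENCRYPTED, {".locky"})
    print(f"restore full {full.taken:%a %H:%M} then differential {diff.taken:%a %H:%M}")
    for path, src in sorted(files.items()):
        print(f"  {path:24} <- {src.kind} {src.taken:%a %H:%M}")
    print("skipped:", skipped)
```

Run as-is it picks the Sunday full and the Tuesday differential and ignores the Wednesday and Thursday sets even though they are the newest. Feed it `first_encrypted` earlier than the oldest retained full and it raises instead of guessing, which is exactly the situation the post warns about: attackers who wait long enough that the rotation has already overwritten the last clean copy.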

For those larger (but still small by enterprise standards) businesses with 10 to 25 servers, which in today's world should be virtual machines, there are options for backing up the virtual machines themselves. That also makes it easier to develop a comprehensive business continuity plan using something like VMware SRM or Veeam as a backup and migration platform. Mid-size to enterprise organizations should already have the backup process worked out and be using at a minimum an SRM/Veeam-type solution, or possibly a SaaS service, to create off-site backups that can be restored easily.

After restoring data, scan ALL systems to find where the infection came from (a phishing email, a missing server patch, a compromised USB stick, and so on). Restoring the data without closing that door invites a repeat. Your IT department or consultant should be able to point you to the right tools to make sure the problem is gone.

To make sure the problem does not recur, you need the right security systems and processes in place.

Email – make sure you are scanning all inbound and outbound email and attachments; if you use a SaaS service for email, confirm that it scans your traffic in both directions.

Servers & Desktops – implement a proper patch management strategy; Flash and Java are notorious for security holes and are common ransomware entry points.

General Network Traffic – scan all network traffic for malware, and use content filtering to enforce policies. Malvertising protection – filter ads out at the gateway, since infected ad networks are a common delivery route; your users will thank you for not having to see annoying ads. There are commercial and open-source solutions for all of these tasks.

What about you: are you protected against ransomware? Have you been a victim, or do you know someone who has?

-- this post originally appeared on LinkedIn --