Please take note of an old concept that is a very current threat to your business.
Ransomware from your perspective
- Sannie in reception will receive an email from someone she may or may not know.
- Because Sannie is such a trusting person, she'll open the attachment to that email - which will be disguised as an invoice, scanned document, fax, contract, bank statement or some other seemingly important business document.
- Within the next hour, ALL your business data on her machine and on all connected servers will be encrypted - typically your files will end up with a .VVS extension or something similar.
- Next to each file you'll find a text file and a web page telling you that your data has been encrypted with an RSA public and private key. Should you care to follow the provided links, you will end up on a website asking for USD$500 in bitcoin ransom within 2 weeks to decrypt your data. Whether you pay depends on whether your business will close its doors without the data. If you pay, you may or may not receive the key, or you may simply get another demand for more money.
What really happened
- Sannie opened a Trojan which downloaded the ransomware, which then executed and encrypted every single data file her computer had access to.
- Unfortunately the Trojan is a simple application (usually a text-file type script) and is therefore easily modified to fool your anti-virus software.
This is not theory. This happened to one of our business customers on Wednesday this week at 4:30PM in the city, and today we have a second-hand report from yet another business that is not a customer of ours.
Every single day new viruses are born that no anti-virus (AV) knows anything about until one has destroyed someone's data; only then are all the AVs updated to check for it. Do not be lulled into a false sense of security! An AV will protect you from 99.9% of threats, but never, ever against 100%.
Your risk mitigation options and defences are
Train your employees NOT to open any attachments they were not expecting, and even then to open only very specific types of attachments. The same goes for clicking links, and it applies in both their business and personal lives and environments. Do not assume an email is safe because it came from someone you know - the very next thing most of these ransomwares do is email themselves out from your Outlook to everyone you know. So all Sannie's friends will receive an email from Sannie and think it is safe?
If you have proper backups you can walk away from this event with a bruised ego, a nice story to tell around the braai and maybe the loss of a few minutes' worth of work. That is exactly what we did for our customer, who also happens to be a backup service customer: we simply restored all his data, overwriting the encrypted versions with the original versions. Since we keep months' worth of snapshots, it really only becomes a question of finding the newest possible backup to restore - and of whether the backups were done properly in the first place.
It is obviously important to have the best AV you can afford, and even several different AVs at different weak points - for example one on your computer, a different one on the server in the office, another on the mail server, etc. The Trojan will then need to beat not one but several different AVs. But as said, no AV will, should or can ever guarantee you 100% safety - if one does, start looking for a new AV, as your current one is being insincere. Your best options remain training and backups for the 0.01% of viruses, while using AVs merely to fight off the other 99.9%. It only takes one successful virus to ruin your day, your year, your business and maybe even your life.
You haven't been infected yet, but you have a suspicious file or email?
Good on you for not executing the file! You can:
- Upload it to VirusTotal (a Google subsidiary)
- Or email it as an attachment to firstname.lastname@example.org and put SCAN in the subject line of your email
In both cases the file will be inspected by more than 50 different anti-malware suites and the results returned to you, so you can judge the safety of the file or email yourself.
What are your immediate remedial steps
Luckily ransomware is also its own worst enemy: it immediately encrypts ALL files, which means everyone notices it immediately. The machine on which it first executed (Sannie's machine in my example) will also have encrypted all the private documents in her own user space on that computer (like My Documents), while the remaining uninfected computers will simply see that their "server drives" (to which Sannie had access) have been encrypted; nothing on their own local drives will be affected.
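As an added illustration, not part of the original post, the following Python heuristic compares a listing of a shared drive before and after an incident and flags the pattern just described: most files renamed to one new extension such as .vvs, with a note text file and web page appearing next to them. The file paths are constructed for the example and the 50% threshold is an assumption, not a standard.

```python
"""Heuristic for the mass-encryption pattern described above: compare a
listing of a shared drive before and after, flag one new extension taking
over most files plus a note text file and web page beside them.
Paths are constructed for the example; the 50% threshold is an assumption."""
import os
from collections import Counter

RANSOM_NOTE_EXTS = {".txt", ".html", ".htm"}  # note formats the post describes

def _ext(path):
    return os.path.splitext(path)[1].lower()

def new_extensions(before, after):
    """Count extensions present in 'after' that never occurred in 'before'."""
    known = {_ext(p) for p in before}
    return Counter(_ext(p) for p in after if _ext(p) not in known)

def assess_share(before, after, threshold=0.5):
    """Return (suspicious, dominant_new_ext, ratio, dirs_with_ransom_notes);
    ratio = files carrying the dominant new extension / files before."""
    fresh = new_extensions(before, after)
    if not fresh:
        return False, None, 0.0, []
    ext, count = fresh.most_common(1)[0]
    ratio = count / max(len(before), 1)
    # Directories holding encrypted files that also gained a new .txt/.html
    # file alongside them, i.e. the ransom note dropped next to each file.
    old = set(before)
    enc_dirs = {os.path.dirname(p) for p in after if _ext(p) == ext}
    note_dirs = sorted(d for d in enc_dirs if any(
        os.path.dirname(p) == d and _ext(p) in RANSOM_NOTE_EXTS and p not in old
        for p in after))
    return ratio >= threshold, ext, ratio, note_dirs

# Constructed listings of the S: share before and after the infection.
BEFORE = ["S:/Finance/invoice_2041.xlsx", "S:/Finance/budget.docx",
          "S:/Finance/notes.txt", "S:/HR/contracts/acme.pdf",
          "S:/HR/contracts/beta.pdf", "S:/Marketing/logo.png"]
AFTER = ["S:/Finance/invoice_2041.xlsx.vvs", "S:/Finance/budget.docx.vvs",
         "S:/Finance/notes.txt.vvs", "S:/Finance/HOW_TO_DECRYPT.txt",
         "S:/Finance/HOW_TO_DECRYPT.html", "S:/HR/contracts/acme.pdf.vvs",
         "S:/HR/contracts/beta.pdf.vvs", "S:/HR/contracts/HOW_TO_DECRYPT.txt",
         "S:/HR/contracts/HOW_TO_DECRYPT.html", "S:/Marketing/logo.png"]

if __name__ == "__main__":
    print(assess_share(BEFORE, AFTER))
```

A normal day's work (a few new files of familiar types) produces no new extension and is not flagged, which is what keeps the check quiet until a share is actually being encrypted.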
So, your immediate steps are
1. Go through the office fast and find the guilty machine. Then unplug its network and power cables, even if you have to yank them from the walls (they cost R10 each, which is nothing compared to your data). The longer you wait, the more files get encrypted.
2. Call IT ASAP to sort it out and limit the damage, for this may not be the end of it. As said, the hackers could already be busy on your LAN with other operations and/or the Trojan could still be emailing itself out, thereby propagating the problem to all your customers and suppliers.
3. Never pay the ransom. It is ransom after all, and the idea is to see how much you can be fleeced for. There are reports of people paying $50,000 and still not getting the key to decrypt their data. The $500 is therefore just the beginning.
And please, do not fire Sannie if this happens to you. More than likely she'll be one of your best employees, always eager to get going with the next thing, everyone trusting her and she them. She didn't ruin your life, the ransomware guys did. Everyone being human and inquisitive by nature, it could just as easily have been you to click the attachment. If anything remains of your business, it will be exactly people like Sannie who will help you rebuild everything.