Ransomware – Support your favourite cyber criminal
If you learn one thing about IT this year let it be this!
What would you do if all your data was deleted today, and not just the data on your PC but across your network and all your backups too?
According to an industry study by The Diffusion Group, 60% of companies that lose their data close down within six months of the disaster and a staggering 72% of businesses that suffer major data loss disappear within 24 months.
You could easily find yourself in this situation simply by opening an email attachment!
Ransomware is a type of malicious software that restricts access to the computer it infects and demands a ransom to be paid for the restriction to be removed.
This is not a new phenomenon, having been around in different guises for a few years; however, when a new version or delivery method appears the effects are immediately apparent from the calls we receive.
The latest version, Cryptowall (and its variants), is mainly delivered by email as an attachment. The most common has the subject “My Resume” with a .zip file attached. If the file is opened nothing obvious happens and the user normally carries on working. In the background the program has been launched.
The virus will then attempt to encrypt all common file types, making them impossible to open. It will encrypt all files on the local computer, then attempt to spread across your network to other PCs, servers and backups. It can also spread to offsite backups.
Once it can find no more files to encrypt it displays a pop-up similar to the one below.
This informs you what has happened and that you are to pay a ransom (amounts differ from a few hundred pounds to thousands) to receive an unlock code; the payment is untraceable.
There is normally a countdown on the pop-up (very 1970s) and if you do not pay your data is permanently locked.
There is much dispute as to whether paying the ransom does allow you to unlock your files, with stories of more money being demanded.
This infection is not fussy as to who it infects: we are aware of at least one police force and a retired lady with a six-year-old PC.
What can you do? You could pay, but there is no guarantee this will work; after all, the people who infected you are not known for their customer service. Seriously, you must ensure you have a proper backup of all critical data, preferably on a son, father and grandfather rotation. This allows you to delete all encrypted data and restore from your last backup.
This is assuming you have not allowed the infection to spread to your backups!
If you have insufficient backups, or they are infected and paying does not work, that’s it! No data; you may well find yourself back at the start of this article.
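The son/father/grandfather rotation recommended above, worked through as an added example (not the author’s or Genmar’s own scheme): the tiering rule, the retention periods and the sample dates are all assumptions constructed for this illustration. It shows why the rotation matters: when encryption starts, you need a retained backup taken before that day, and the tiers are what keep older restore points around.

```python
from datetime import date, timedelta

# Assumed GFS policy, constructed for this example (not the article's own scheme):
# the first backup of each month is the "grandfather", every Sunday the "father",
# and every other daily backup a "son". Retention per tier, in days.
RETENTION_DAYS = {"son": 7, "father": 35, "grandfather": 365}


def gfs_tier(day: date) -> str:
    """Classify the backup taken on `day` into its GFS tier."""
    if day.day == 1:
        return "grandfather"
    if day.weekday() == 6:  # Sunday
        return "father"
    return "son"


def backups_to_keep(backup_dates, today: date):
    """Return the (date, tier) pairs still inside their tier's retention window."""
    kept = []
    for d in sorted(backup_dates):
        tier = gfs_tier(d)
        if (today - d).days <= RETENTION_DAYS[tier]:
            kept.append((d, tier))
    return kept


def restore_candidates(backup_dates, first_encrypted: date, today: date):
    """Retained backups taken strictly before the day encryption began, newest first.
    Anything on or after that date may already contain encrypted files."""
    kept = backups_to_keep(backup_dates, today)
    return [(d, t) for d, t in reversed(kept) if d < first_encrypted]


def sample_backup_dates():
    """Constructed sample: one backup per day from 1 Jan to 15 Mar 2015."""
    start, end = date(2015, 1, 1), date(2015, 3, 15)
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


if __name__ == "__main__":
    today = date(2015, 3, 15)
    kept = backups_to_keep(sample_backup_dates(), today)
    print(f"{len(kept)} of {len(sample_backup_dates())} daily backups retained")
    # Encryption assumed (constructed) to have started on 13 Mar: restore from 12 Mar.
    print("restore from:", restore_candidates(sample_backup_dates(), date(2015, 3, 13), today)[0])
```

With only a single rolling daily backup there would be no candidate at all once the encrypted files had been copied over it; the father and grandfather tiers are what give you a clean restore point to fall back to.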
What can you do to prevent this?
Discuss with your IT department or support company what backup routines you have in place and, if they are insufficient, change them immediately. If unsure, call a reputable IT company.
Discuss blocking certain attachment types at source on all emails; a good reason to use Exchange email.
Ensure all staff are aware they should not open any attachment they are unsure of. Just because the email came from a known email address does not mean it is safe; many of these viruses come from spoofed email addresses so that you will trust them. Email policies are highly recommended for many reasons and every company should have one in place.
Make it clear to staff that IF they do open anything suspicious they must inform IT support immediately. Just last week one of our customers opened one and it infected 16,000 files in 20 minutes! Leaving it overnight or over the weekend will result in all your data and backups being encrypted.
Unfortunately even the best antivirus programs will not pick this up, so please do not rely on them. Antivirus software is rather like getting your jabs before you travel to an out-of-the-way place: if you then jump off the plane and drink out of a puddle, the likelihood of you becoming ill is very high despite getting the jabs!
Garry Moore (Managing Director)
Genmar (UK) Limited