The GCS Blog

How to Get Rid of Ransomware

Posted by Joe Gleinser on Mar 21, 2016 9:23:47 AM

The biggest security threat of 2016.

Imagine catching up on email tomorrow morning. You read an email from someone you don’t recognize, but the message references an attachment about a past due invoice. Click.

Moments later, after attempting to review the attachment, the screen displays a message stating that the data across the entire company has been encrypted. You (and employees across the company) are locked out until you pay their ransom. A time limit is given, and you are notified that non-payment will result in never being able to access these files.

While it may sound far-fetched that this could all occur in a matter of minutes, businesses across the country have faced similar attacks.

In fact, today’s advanced viruses have crippled organizations and cost businesses thousands of dollars.


What is Ransomware?

Ransomware is a virus more damaging and costly to businesses than those previously seen. The virus, believed to be introduced in 2013, targets users running the Windows and Mac operating systems and spreads through infected email attachments from seemingly legitimate email addresses.

While there are many forms of ransomware, common adaptations include Cryptolocker and CryptoWall. These and other variants attack businesses of all sizes that have financial or customer data worth encrypting.

The ultimate goal of each variation is to gain access to a single user’s computer. The virus then exploits this access to encrypt files on your network such that you will never be able to open them without paying a ransom. It is a modern day hostage situation.

The attack effectively locks all employees out of their most critical files. The employee receives instructions on how they must pay a fee to decrypt (unlock) and recover their sensitive information.

How do I get Ransomware?

The most common method ransomware reaches employees is through an email-based attack. Known as phishing, the attack will begin with an email that appears to be from an official or legitimate source.

Each email contains a link or infected attachment, which gives the attacker access to the employee’s computer and the organization’s connected systems.

Employees often report receiving a message on their screen that they have no way to dismiss. Messages typically state that the organization’s data and files have been encrypted and that they must pay a fine (often in Bitcoin, not US Dollars) within a specific timeframe. These messages will often conclude that if the organization does not pay the fine, the encrypted files will be either deleted or shared publicly.

Email is not the only way you can be infected. Sophisticated attackers can hack websites and infect you simply by visiting a website. With increasing frequency, ads appearing on websites you visit daily may infect your system.

Should I Pay the Ransom?

Our short answer is that you should only pay the ransom if it is the last resort.

The typical ransom for most businesses to restore their data is around $500. Not only can this be expensive for some organizations, but there is no guarantee that the attack will be resolved upon payment. This payment must be made in Bitcoin, which causes additional complications. Buying the bitcoin is not easy, and first attempts can take 3 to 4 days. This is usually longer than the criminals allow, which can leave your files encrypted forever.

Some businesses have found that, during the attack, cybercriminals reportedly left themselves ways to regain access afterwards. After successfully paying the ransom, many are quickly targeted a second time, as they have proven to be willing to pay ransoms.

Businesses without a solid backup system in place are often left with few options. Without having the ability to recover at least a significant portion of their files, organizations not prepared for disasters or unplanned events are left to take chances and hope for the best.

Preventing an Infection

While ransomware can be controlled, the best option for most businesses is to take control of their security before an attack.

While most organizations now have a traditional antivirus product, many of these applications are only able to take action after an attack has already started. As a result, antivirus is not enough to stop advanced attacks.

Specifically, Cisco’s OpenDNS completed an informal study in July 2014 on the blind spots in the average organization’s security program.

They found that most attacks happen outside the scope of traditional antivirus. In fact, over 91% of malware uses DNS in attacks, yet 68% of organizations did not monitor or filter DNS.

Have the Right Tools

Fortunately, prevention at this level is easier than ever for small and mid-sized organizations.

Cloud-delivered network security services like OpenDNS are a powerful, yet uncomplicated way to stop malware and phishing attacks before they reach employees. Effectively creating a “moat” around the organization, this next-generation security tool adds a deep layer of enterprise-grade protection to ensure businesses stay safe.
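As an added illustration of the DNS-layer filtering this section describes (example code written for this post, not OpenDNS or GCS software), the script below applies a blocklist and a simple lookalike-domain heuristic to DNS query logs. The log format, the blocklist entries, the domains and the client IP addresses are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample DNS query log: "<timestamp> <client IP> <queried name> <record type>".
# The format is an assumption; real resolver logs differ by product.
SAMPLE_LOG = """\
2016-03-21T09:23:47 10.0.0.12 mail.example.com A
2016-03-21T09:23:51 10.0.0.12 invoice-portal-update.biz A
2016-03-21T09:23:52 10.0.0.12 x7k2pqz9vmw.ru A
2016-03-21T09:24:01 10.0.0.33 www.example.org A
2016-03-21T09:24:05 10.0.0.12 gate.payment-check.top A
"""

# Constructed blocklist standing in for the threat intelligence a DNS filtering service applies.
BLOCKLIST = {"invoice-portal-update.biz", "payment-check.top"}
VOWELS = set("aeiou")


def parent_domains(qname):
    """Yield the name and each of its parents, e.g. a.b.c -> a.b.c, b.c, c."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def is_blocked(qname):
    """A name is blocked if it or any parent domain is on the blocklist."""
    return any(d in BLOCKLIST for d in parent_domains(qname))


def looks_generated(qname):
    """Flag names whose labels resemble machine-generated (DGA-style) hostnames:
    long labels with almost no vowels, or several embedded digits."""
    for label in qname.lower().rstrip(".").split(".")[:-1]:  # skip the TLD itself
        letters = [c for c in label if c.isalpha()]
        digits = sum(c.isdigit() for c in label)
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
        if len(label) >= 8 and (vowel_ratio < 0.2 or digits >= 3):
            return True
    return False


def evaluate_log(text):
    """Return {client: {"blocked": [...], "suspicious": [...]}} for each client that queried
    a blocked or suspicious-looking name. Blocked names are not double-counted as suspicious."""
    findings = defaultdict(lambda: {"blocked": [], "suspicious": []})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = fields
        if is_blocked(qname):
            findings[client]["blocked"].append(qname)
        elif looks_generated(qname):
            findings[client]["suspicious"].append(qname)
    return dict(findings)
```

Run against the sample log, the workstation 10.0.0.12 is the only client with findings: two blocklisted lookups and one generated-looking name, which is the kind of signal the passage says 68% of organizations were not collecting.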

Communicate Effectively

Equally important, all organizations must consider educating employees on how to identify a phishing attack. This includes IT leadership creating effective documentation and communicating it across the organization.

Employees that are able to recognize threats are more likely to avoid phishing attacks which put the business at risk.

Have a Reliable Backup

Finally, while not preventing a ransomware attack directly, having a tested, regular backup allows an organization to better respond to attacks. Cryptolocker infections can last hours or days, and businesses still need access to their critical and sensitive data.

Reliable backup helps your organization recover more quickly during or after an attack. By restoring your systems to an earlier snapshot, data loss is minimized and the organization has more options for how to react to the threat.

Put simply, ransomware is used by criminals who cannot be trusted. Many organizations, including those that have paid the ransom, were not able to fully recover their data.


Summary

According to Dell’s recent security report, they found “breaches in 2015 succeeded not because the victims lacked security altogether, but because thieves found and exploited a small hole in their security program”.

Ransomware is a significant threat for small and midmarket organizations. Don’t assume that your business is covered by traditional antivirus software. If you want to keep your business secure, use a network-level approach to mitigate threats before they reach your employees.

To learn more about why antivirus is simply not enough to stop advanced malware like Cryptolocker, download our free solutions brief “Why Firewalls and Antivirus are Not Enough” today.


Topics: Security, crypto, opendns