RansomWare Virus

21/03/16 Take Precautions - Protect your business from RansomWare - Updated August 2016

Ransomware - If this is the only news item from me that you read this year – please read this one!

What is a Ransomware Virus?
It is a virus that can enter your network from any of the PCs or servers connected to it and then encrypts your data, rendering it useless as you cannot open or read the contents. None of the major anti-virus companies seemingly have products that will prevent all of these at source; in fact, the first thing you will probably know about it is a message telling you that your data has been encrypted, giving you a ransom demand and how/when to pay it!

In many cases, companies are left with no choice but to pay a ransom to retrieve their data. Ransom values range from a few hundred pounds to a few thousand in the cases we know of. Quite simply, given the hassle that recovering their data can cause a business, it is quite often the easiest and cheapest route to actually pay up, but the worry then, of course, is four-fold…

  • Will they continue to demand more? 
  • Will they actually give me the unlock codes if I pay up? 
  • What stops this from happening again?
  • It is morally wrong to pay-up!

How can I prevent this?
According to recent studies, 70% of infections by this type of virus still happen by either opening an infected email attachment or clicking on a link in an email and downloading the virus that way. So, ensure that all staff are aware of the issue and warned not to open any attachments that are from unknown companies or look suspicious [not simply PDF files]. If in doubt, don’t open them. If it is an important attachment, someone will chase you about it by phone or a follow-up email.

Similarly, don’t click suspicious email links – links from unknown sources or those claiming to be from financial institutions. You are better off typing in the usual web address for a company and then surfing to the page you require – otherwise you could be on a duplicate, hoax site or downloading files without realising what they are.

Suspicious emails also include emails from known contacts that are sent in an unusual context – if an email address is hacked or hijacked, the emails you receive claiming to be from someone you know could well be from someone else entirely. So check whether the email is of the usual kind that you expect from that person; don’t just trust it blindly based on who appears to be sending it. If in doubt, it is a good idea to forward the email to an Apple device to open it [e.g. iPhone, Mac, etc.] as Ransomware does not affect the Apple OS.

Please keep your AV and operating system software up to date. Activate daily auto-updates of AV software and ensure that operating system patches and fixes [Windows and Office Updates] are installed. These are very important, as it is reckoned that about 20% of attacks use known loopholes in software that you use [browsers, operating systems, etc.], so if you keep up to date you will be better protected.

Finally, change PC and especially Server passwords regularly and make sure they are not obvious or too simple. Make them complex by containing numbers, letters, capitals and special characters. Most hacking is achieved by using standard passwords, such as Password1, etc.!


What if I get infected?

Once your data is encrypted, it is effectively “lost”. It is of no use to you unless you pay the ransom [and if the fee is less than £500, I would seriously consider paying it] as there is no way to get the data back to a readable format without the decryption key – there is no magic software to undo the encryption anywhere on the web!

How do you get back to normal after an attack?
The only way to ensure you can recover is via a precisely actioned data back-up plan.  Only by deleting the encrypted data and restoring clean data from a backup can you then start to use the data again. This will involve some down-time as the data is restored, so it is not entirely painless, but it is the only way to recover and far less painful than starting your data from scratch again!

In the most recent case, our customer thought that their EMIR data was being backed up by their IT Company and they were reassured that it was. They thought they were backing up the right files and folders, but they weren’t! This means they are now literally starting EMIR again from scratch with no data at all! They are not the first company to make this mistake and they won’t be the last!

So, what should you do now?

1. Check your backup procedure and make sure you can answer these questions:

  • Are you doing a back-up every day?
  • Are you backing up the right things?
  • Is your back-up system taking multiple copies of the same files or just overwriting one copy? 

Important: if you caught the virus yesterday and backed up last night, your back-up will be infected. Multiple back-ups allow you to go back to previous copies, so if the last copy is infected you can go back to the day or week before [depending on your strategy].

  • Is your back-up safely off-site?

This is better in case of any physical disaster on your premises, such as fire, theft, etc. but also, there is an inherent danger if you backup to another machine on the same network as the virus may move itself to any drives linked to the network. So local copies on LAN computers are no use in this case!

2. So, you have a back-up, how do you know it will restore the data you need?
Companies rarely test their back-up. So, please try to restore some files as soon as you can – check they are available and check they are readable. Test it. If you only test it when you need it, it may not work and it is then too late to avoid that sinking feeling!

As an example, see if you can retrieve the DAILY.DBF file from your most recently backed-up EMIR/BOSS data folder on your external device/storage. Restore this one file to somewhere on your C: drive – do not restore it to the live EMIR or BOSS folder. DAILY.DBF is a small but always-used file in EMIR and BOSS systems. Check the date on the restored file on your C: drive – check that it is the same date as the backup. If you are unsure then send the file on to us to check for you.

3. If you are unsure speak to us
Let me know if you have any issues and we will advise you which files to include/exclude in your back-up (free advice to Support and Maintenance customers).

If you don’t have a remote back-up solution in place, then we can take care of your back-up for you and monitor the whole backup process, ensuring your data is protected on our offsite, cloud-based servers.

If you would like clarification on any of the issues included in this news item, or further help, please call us. As customers using EMIR and BOSS, we want to ensure that your business continues to operate.

Regards, 

Gary Downes, Director

Solutions in I.T. Ltd