Ransomware could really destroy your business – Make sure you are protected!

Ransomware –  Make sure your business is protected before it’s too late !

Local ICT companies that provide support services to local businesses are getting an increasing number of reports of systems being infected by what is known as Ransomware here in Malta. All over the world reports of businesses being heavily effected and indeed even going out of business because of this threat are being reported daily. In the US, the New York Times is treating this as a major issue. Many are labeling this threat a “Business Killer” because it can literally destroy your business. This type of Malware makes your files unusable and this includes your invoicing system and any other applications you may be using. Unless you have a backup of your data which is not also affected by this malware, you could potentially lose everything. It is extremely important that you have the correct protection and contingency measures in place. You need to be proactive as traditional antivirus solutions including corporate packages may simply not protect you against this threat.

The graph below shows the increase in the incidences reported to Mcafee recently. Mcafee is one of the leading anti virus solution publishers. There is no question that this type of virus is becoming a real problem. Read on to make sure your business is protected!

So what is ransom ware?
Ransom ware is a relatively new type of malware or virus. What it does is put you in a situation where you either pay a criminal (the creator of the virus) or you lose access to all your data. This includes MS Word Documents, MS Excel files, PDFs and many application software packages such as Sage Accounts and other popular products.  It encrypts or changes your data in such a way that there is no way of getting your files back except by paying the criminals who designed the virus. Once this happens you will be notified through a popup that appears on your screen similar to the one below. The criminals who are developing these new threats know that they can get caught easily if their money is delivered using traditional channels such as credit cards or Paypal so they request payment in Bitcoin which is a relatively new virtual (or internet) currency. These criminals choose to be paid in Bitcoin because they cannot be traced through it. In fact, this is the reason why Bitcoin is used for other illegal business such as trading in weapons and narcotics. The issue for us Maltese is that unlike in other countries it is not easy to find and purchase Bitcoins in Malta although it can be done.  In Italy for example, you simply look up people selling Bitcoin on Google and all you have to do is go down to the nearest public place with mobile in hand and your eWallet app installed, hand over your cash and the seller will send you the Bitcoins. They are after all simply numbers.

 
Figure 2 – Pop up screen that appears when you are infected (Could vary !)

So how do you get infected?
The most common method of infection is through email. At the moment a lot of emails are being sent under the guise of being from DHL or FEDEX because the creators of this malware are very aware that people are using eCommerce all the time and getting an email from these carriers is no surprise. This is not a rule as this malware is constantly evolving and the email could be disguised as anything. We have seen instances of this threat appearing as a response to a vacancy for example. Needless to say, companies looking for employees will be likely to open the attachment in this case. The sender could also be someone you know, so the advice “Don’t open attachments from people you don’t know” no longer applies.  
It has also been reported that this malware can also be spread through Remote Desktop Connections. To those of you who are not very tech savvy, this is a system which is used to connect to computers or servers remotely and usually used by branch offices or to work from home.
Another method that this malware spreads is through macros in Microsoft Word documents. Macros are small programs that provide extra functionality to Word docs and this malware will exploit this feature to deliver its payload. MS Word will warn you that a macro is a potential danger but if you get the document from a colleague, you are likely to ignore the warning.
Once you get infected, you will have no doubt of that this has happened. The malware will display a splash screen giving you instructions of how to pay the ransom and get your data back. There are many variants but most of the latest ones will ask you to pay half a Bitcoin if you do it in the first few days with the price going up if you wait longer.

What can you do to protect your data ?
The most obvious advice here is “Don’t open these email attachments!”. People who got infected will tell you that this  is easy to say but next to impossible to achieve in practice.
The key word here is backup ! You need to backup your data regularly and in such a way that Ransom Ware does not encrypt your backups as well!
Many of the regular antivirus solutions simply detect ransom ware when it is already too late. Most are good at removing the actual application but not before it deploys its payload. Furthermore, the malware will first finish encrypting your data and only display the ransom message when it is done. By this time it will be too late to do anything in any case.
The latest variants of this threat also attack popular backup systems such as Easus Backup. The first versions that appeared in the wild did not but the latest versions are becoming much more intelligent and are aware of measures that are taken to mitigate these threats. For example, the latest windows operating systems support “Previous Versions” which allow you to revert to versions of your data from dates in the past. The latest variants even erase these copies so that you cannot use this feature as a safety net.
The best solution is to use a backup system that backs up to a device that is not usually accessible through Windows. Windows Server Backup in the latest versions of Windows Server Operating Systems works just like this. You can dedicate an external USB drive for your backups and this drive is then not accessible through “My Computer”. This is a perfect solution and something which the criminal malware creators will have difficulty solving.  Unfortunately this type of backup is not something you can use on your personal computer but there are others that work the same way.  Another solution would be to connect your external drive while you are backing up and disconnecting it when you are done.
There are also a host of applications specifically designed to combat this malware. Most of these work very differently from traditional antivirus solutions. Most antivirus solutions look for a signature to detect a virus or a sequence of bytes through which it can be identified. Applications designed to combat this threat instead work using Heuristics which means they detect the process which actually performs the file encryption. Because they work in this way, regardless of what the malware creators do, if it involves encrypting your files they will discover it and stop it.  

Here are a couple of examples :
https://www.foolishit.com/cryptoprevent-malware-prevention/
Even the free edition will protect you enough for most purposes.

Or  http://www.surfright.nl/en/hitmanpro
Hitmanpro also have a free version which works in the same way.

Should you pay the criminals ?
The easy answer to this in NO! You are paying criminals and you have no guarantee that they will decrypt your files and give you your data back. You also cannot be sure that these criminals do not get arrested before they can keep their part of the deal or else skip the country because they have made enough money from poor souls like you!
On the other hand, if you don’t have any recent backups or if your backups have also been effected you need to ask yourself “Is my data worth €350?” If it is and many times it is worth much more than that, then paying is an option you should consider. Indeed it is like paying a thief who is robbing your house in the dead of night so that you don’t have to change your locks but in many cases this is the only option. There are many reports of users having paid the ransom and successfully got their data back.
Obviously paying the ransom will encourage more criminals to join in using this new method of extorting money from unsuspecting businesses but when it’s your data you simply might have no other option!

Written by Marcel Mizzi MSc BSc
GRTU Vice President (Finance & Admin)