I look after our Data Protection Portfolio from a pre-sales technical side. Every day I talk to existing and potential customers about server and data backup and recovery. During my conversations, I often ask them if they’ve lost any data or if they’ve had any server failures. Over the past year, I’ve heard many stories of a CryptoLocker or Ransomware virus causing data loss.
In this blog, I’ll explain what a CryptoLocker or Ransomware virus is, how you get hit by it, and I will give you five steps that can help you reduce the data loss and pain of this kind of attack.
A CryptoLocker or Ransomware attack is a computer program that searches for documents and spreadsheets (in fact any files) that you may have access to and encrypts them so you can’t open them. The only way to open them is to pay some money and receive a key that removes the lock, or to delete the files and restore them from a backup.
Here’s an example of how it works:
Jane works in the finance department of a corporate company in Sydney. She has a standard Windows PC, and when she logs on in the morning, Windows automatically connects some shared drives as part of her login script. In this case Jane has a Home drive (h:) where she stores her own files, a Group drive (g:) which is shared with everyone in her company, and a Finance drive (f:) which she shares with other people in her department.
A couple of days ago Jane ordered something over the internet and she’s expecting a parcel to be delivered any time now. She receives an email from Australia Post saying a package has been shipped; it includes a link to find out when the package will be delivered. Jane clicks on the link, then downloads and runs the attachment, thinking it’s a standard PDF document.
Unbeknown to Jane, the email wasn’t from Australia Post. It is a fake email, and the link she clicked on is a CryptoLocker program. It is now running on her PC, accessing her mapped drives (h:, g: and f:) and very quickly locking all the files Jane has access to. It locks everyone’s access: the files can no longer be opened by anyone.
The only way to unlock the files is to pay some money and receive a passkey or delete all the files and restore them from a backup.
The above scenario with Jane is common. I’ve also heard of one case where the company fired the employee who clicked on the link; I thought this was a little harsh, as it’s easily done.
Don’t let your files be hit as well. Here are five steps (including some products) that can help minimize the threat and impact of this virus:
Step 1 – Stop the emails before they get to your inboxes – Install an email security solution.
These devices and similar solutions from other vendors scan all emails as they flow into your organization. They are automatically updated with new ‘signatures’ as new viruses and exploits are discovered; if an email contains a virus, it is automatically deleted or moved to a junk folder.
Step 2 – Restrict administrative or general privileges.
If the employee who accidentally clicks on the CryptoLocker link doesn’t have access to some files, then those files can’t be locked. Make sure your users only have access to the files they need to do their job. Products like Enterprise Reporter will audit your file systems and give you valuable insight into who has access to what.
Step 3 – Continuously assess permissions
There’s always change in an organization: people leave, new people start, people change their roles. Maybe someone is temporarily given more access and it’s never taken away. Over time access permissions change and they need to be monitored. Use a product like Change Auditor to monitor the changes and verify your users only have access to the files they actually need.
Step 4 – Monitor suspicious behaviour and monitor and manage endpoints
If your best efforts are thwarted and ransomware still gets into your environment, keep it from spreading unnoticed: be sure to set alerts and monitor your file activity. If a large number of files are changing quickly, that’s an early warning that you may have a problem.
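As an added example (not from the original post or any of the products it mentions), here is a simple version of that file-activity alert: a sliding-window count of write-type events per user over constructed audit lines, which fires once Jane's burst across the mapped H:, G: and F: drives crosses the threshold. The log format, the 60-second window and the threshold of 20 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # look-back window per user (assumed)
THRESHOLD = 20                   # write-type events in the window that raise an alert (assumed)
WRITE_ACTIONS = {"MODIFY", "RENAME", "DELETE"}

def parse_line(line):
    """Parse one constructed audit line: '<ISO timestamp> <user> <action> <path>'."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, time, count, drives) the first time a user's write rate exceeds threshold."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, drive letter) for recent writes
    alerts, alerted = [], set()
    for ts, user, action, path in sorted(parse_line(l) for l in lines):
        if action not in WRITE_ACTIONS:
            continue                      # reads are normal activity and are not counted
        q = recent[user]
        q.append((ts, path[0].upper()))   # drive letter is the first character of the path
        while q and ts - q[0][0] > window:
            q.popleft()                   # drop events that fell out of the window
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)             # one alert per user, at the moment the threshold is crossed
            alerts.append((user, ts.isoformat(), len(q), sorted({d for _, d in q})))
    return alerts

def build_sample_log():
    """Constructed sample: a little normal activity, then 30 writes by jane in 15 seconds."""
    base = datetime(2016, 3, 1, 9, 0, 0)
    lines = [
        f"{base.isoformat()} jane READ H:\\jane\\budget.xlsx",
        f"{(base + timedelta(minutes=1)).isoformat()} jane MODIFY H:\\jane\\budget.xlsx",
        f"{(base + timedelta(minutes=2)).isoformat()} bob MODIFY G:\\shared\\minutes.docx",
        f"{(base + timedelta(minutes=3)).isoformat()} bob MODIFY G:\\shared\\agenda.docx",
    ]
    burst_start = base + timedelta(minutes=5)
    for i in range(30):                   # burst spread across the three mapped drives
        drive = "HGF"[i % 3]
        ts = burst_start + timedelta(milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} jane MODIFY {drive}:\\dept\\file{i}.docx")
    return lines

if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print("ALERT: user=%s at %s, %d writes in window, drives=%s" % alert)
```

Jane's single edit at 09:01 falls out of the window before the burst, so only the burst itself triggers the alert; Bob's two edits never come close to the threshold.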
Step 5 - Backup backup backup !!
The last step – but the most important one. Make sure you have a good backup and, importantly, that you can restore your files. Test this process regularly; there’s no point running a backup if the restore doesn’t work. If you get hit by a ransomware program and you end up paying the fee to receive the key, you have no idea if it’s really gone or if it will simply start up again some time in the future. Most customers I’ve come across who have been hit have relied on their backup for recovery. Rapid Recovery is a corporate backup and recovery solution. It is designed to back up in small incremental segments during the day, meaning that if you do need to restore, you don’t lose the changes you’ve made during the working day. It also has some technologies that allow very quick recovery of large servers.
That’s our five steps – all of these points are good practice anyway in standard IT environments. I hope this helps you out. If you need any further information, please do not hesitate to reach out to me by email: Danny German.