Beat ransomware – back up, don’t pay up

Ransomware is no longer an amateur pursuit, it’s serious business.

Ransomware is one of the fastest growing threats online, both for businesses and consumers, and sometimes both get caught up in the mix. A recent example that made headlines concerned "Mr Chow's" Chinese food chain, which had its corporate site hacked, resulting in prospective diners being served up a smorgasbord of malware, courtesy of the Neutrino exploit kit. Infected visitors were then served a bill of £573 (1.2 bitcoins) in order to retrieve their data.   

This is one example among many. In some industries ransomware attacks have doubled or even tripled, because the threat is evolving: security firm Webroot identified that over 98 per cent of infections were seen by only one target, making them harder for traditional anti-virus to detect. The polymorphic nature of the malware, which changes name, site, path, behaviour and vendor info to avoid detection, makes the traditional AV job more difficult. Unfortunately, software vendors are often slow to release updates or patches for vulnerable software, which exacerbates the problem. More sophisticated strains of malware are now available, such as the Nymaim Trojan and Locky, which have enabled criminals with little technical knowledge to begin ransomware attacks.

According to a recent investigation, 47 per cent of NHS trusts and 39 per cent of UK universities were attacked by ransomware in the past year. Separate research from Datto (Datto’s 2016 Global Ransomware Report) has found that 95 per cent of IT service providers worldwide have seen customers struck down by Cryptolocker attacks. The problem has reached epidemic proportions.

Serious business

The first important point about ransomware attacks is that they’re not new, and this fact in itself is highly significant. Cryptolocker made a big splash back in 2013, and the intervening period has seen the malware energetically refined. Early ransomware was in some cases imperfectly coded, so encryption keys could be recovered or intercepted, and in some cases the same private key was reused.

Unfortunately, the threats we face in 2016 have been refined beyond these simple errors. Criminals have also refined their ransom collection procedures to maximise conversion rates, even going as far as creating online tutorials to help victims set up Bitcoin wallets. This is no longer an amateur pursuit, it’s serious business. If there was any doubt, several cybercriminal outfits operate 7x24x365 help desks, just to make sure.

In tandem, the tolerance of SMEs for enforced downtime has become extremely small. Smaller businesses are particularly vulnerable, and are not only more likely to become infected in the first place, but also much more likely to pay up.

Best practice

So what can SMEs do to protect themselves? It’s a three-pronged approach of best practice: education; updates and patches; ensuring their Backup and Disaster Recovery strategy, tools and specialists are up to the job.   

Education might well prevent infection in the first place, as a large percentage of ransomware relies on clicking on infected email attachments or links to infected sites. However, while this may reduce your overall risk, criminals are increasingly sophisticated in their techniques, for example compromising legitimate sites. In some cases, employees are clicking on a link to their company website, which unbeknown to them has already been hacked.   

Ensuring that the business' desktop browsers, OS, applications and so on are kept up to date is the next best practice step - outdated software is an open door for attackers, as it may contain known vulnerabilities which are easily and (most importantly) cheaply exploited. As part of this step, ensure that you’re running reputable anti-virus and anti-malware software, and that it’s auto-downloading the latest signature files and scanning your machines regularly.

However, relying on traditional AV tools as your final line of defence is a flawed scheme, as criminals are dedicating serious time and effort to defeating them. Indeed, initiatives such as crimeware-as-a-service see hackers receive advice on setting up their own ransomware sting, and pocketing as much as 85 per cent of ransom payments.   

Finally, institute a robust backup and disaster recovery plan. In the case of a ransomware attack, you’ll be able to roll back to a non-encrypted version of your files, but making provision for this will also serve you well in the event of a localised incident like a fire, flood or hardware theft. Depending on the size and scale of your business there are a wide range of options here, but considering hybrid cloud systems is a particularly good plan for businesses with short Recovery Time Objectives, such as e-commerce stores. 

Win-win situation

Hybrid cloud backup and disaster recovery setups provide super-fast restore times from a local hardware component, which is itself backed up to the cloud regularly. In the event of a local incident, such as a flood, the backups are available in the cloud and can be remotely restored to another physical location. This arrangement provides both the benefits of the cloud (unaffected by even regional disasters) and of on-premises hardware (blisteringly fast restore times).

A real example of backup and disaster recovery beating ransomware was when Managed Services Provider CiT helped agricultural feed supplier Harbro beat the CryptoLocker virus. The virus entered Harbro’s system via email, in the form of a false invoice opened by an employee.

CryptoLocker would have wreaked havoc, but CiT detected the infection when they saw oversized backups on a backup and recovery device, SIRIS. CiT had the backups pre-scheduled on a regular basis, so the sudden change in size served as an alert. This also enabled CiT to track the CryptoLocker infection to the affected machine. Once identified, CiT performed instant virtualisation to their on-premises device through their own portal, ensuring that the business saw almost no disruption.
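The signal CiT relied on, a backup that is suddenly far larger than the host's usual nightly job because encrypted files are rewritten in full and no longer deduplicate, can be checked automatically. The script below is an added example written for this article, not CiT's, Datto's or the SIRIS device's own code. The host names, dates, sizes and changed-file counts are constructed, and the script assumes the backup platform can export one record per job as a plain list of tuples. It keeps flagged jobs out of the baseline so that a second or third oversized backup is still reported rather than being absorbed as the new normal, and reports the host so the infection can be traced to the affected machine.

```python
"""Flag backup jobs whose size or changed-file count jumps far above the
host's recent baseline. All sample data below is constructed for this
example; the record layout is an assumption, not a SIRIS export format."""
from collections import defaultdict
from statistics import median

# Constructed sample backup job records: (host, date, size_gb, files_changed)
BACKUP_JOBS = [
    ("fs01", "2016-03-01", 41.8, 1200),
    ("fs01", "2016-03-02", 42.1, 1350),
    ("fs01", "2016-03-03", 42.0, 1100),
    ("fs01", "2016-03-04", 42.4, 1500),
    ("fs01", "2016-03-05", 42.2, 1250),
    ("fs01", "2016-03-06", 96.7, 118000),  # encrypted: every file rewritten
    ("fs01", "2016-03-07", 97.1, 119500),  # must not become the new baseline
    ("acct02", "2016-03-01", 8.1, 300),
    ("acct02", "2016-03-02", 8.0, 280),
    ("acct02", "2016-03-03", 8.2, 320),
    ("acct02", "2016-03-04", 8.3, 310),
    ("acct02", "2016-03-05", 8.1, 290),
    ("acct02", "2016-03-06", 8.2, 305),
]


def detect_backup_anomalies(jobs, min_history=3, size_ratio=1.5, files_ratio=5.0):
    """Return one alert per job whose size or changed-file count exceeds
    size_ratio / files_ratio times the median of the host's previous
    *clean* jobs. Jobs are processed in the order given, so callers
    should pass them sorted by date. Flagged jobs are excluded from the
    baseline so an inflated backup cannot mask the ones that follow."""
    history = defaultdict(list)  # host -> [(size_gb, files_changed)] of clean jobs
    alerts = []
    for host, date, size_gb, files_changed in jobs:
        clean = history[host]
        if len(clean) >= min_history:
            base_size = median(s for s, _ in clean)
            base_files = median(f for _, f in clean)
            reasons = []
            if size_gb > size_ratio * base_size:
                reasons.append(f"size {size_gb} GB vs baseline {base_size} GB")
            if files_changed > files_ratio * base_files:
                reasons.append(f"{files_changed} changed files vs baseline {base_files:.0f}")
            if reasons:
                alerts.append({"host": host, "date": date, "reasons": reasons})
                continue  # anomalous job stays out of the baseline
        clean.append((size_gb, files_changed))
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_anomalies(BACKUP_JOBS):
        print(f"{alert['date']} {alert['host']}: " + "; ".join(alert["reasons"]))
```

The median rather than the mean is used for the baseline so that one unusually large legitimate job (a software rollout, say) does not drag the threshold up; the ratios are starting points to tune against a host's normal variance, since a server that already churns most of its data nightly needs a higher changed-file ratio than a file server whose content rarely moves.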

From a data perspective, CiT was able to quickly restore the 120,000 corrupted files by going back to an hour before the virus struck.

Overall, it looks as if the ransomware threat is here to stay, but with a few best practice security and disaster recovery steps the worst impacts can be mitigated. The benefits of following these steps reach beyond ransomware too, a genuine win-win.

Andrew Stuart, MD, Datto EMEA