Tackling Ransomware

Tackling Ransomware and the importance of backing up

Chris Farmer Backup, Managed IT Support Services

With the proliferation of the Crypto Virus, more generally known as Ransomware, on both Windows and Mac devices, a backup solution should be high on your to-do list when tackling Ransomware.

A Crypto Virus, which is not as widely known as adware, spyware or a Trojan Horse, works silently in the background and encrypts your data without your knowledge. By the time the ransom demand finally arrives, your data has already been encrypted.


An example might look like this, with a warning that reads:

‘Your personal files are encrypted!
Your important files encryption produced on this computer: photos, videos, document, etc. Here is a complete list of encrypted files, and you can personally verify this…
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD / 100EUR / similar amount in another currency.’

To scare those with less computer experience, it says:

‘Any attempt to remove or damage this software will lead to immediate destruction of the private key server.’

Even if you did pay, it is very unlikely that the files will be decrypted; you will have lost your data and your money, and opened yourself up to fraud.

Most Anti-Virus/Anti-Malware vendors have tools that allow you to remove the offending Malware/Ransomware. But sometimes these do not work, or the Malware/Ransomware is too new and the vendor has not yet developed a way of removing it and restoring your encrypted files.

Virus and Malware

Viruses and Malware are very effective at what they do; they are designed to evade Anti-Virus/Anti-Malware software.

They are engineered to search for any connected network device and infect it. If your computer is connected to a network with shared drives, these will also be encrypted. Any computer with no or outdated Anti-Virus/Anti-Malware software, or missing the latest operating system updates, is another target.

Anti-Virus and Anti-Malware

Anti-Virus and Anti-Malware software is very good, as long as you ensure that it is updated and that your subscriptions have not expired. Many Anti-Virus and Anti-Malware products attempt zero-day protection, which means the software tries to decide for itself what is good or bad, without waiting for an update from the Anti-Virus/Anti-Malware vendor. However, do they really work? I don’t think they will ever be 100% effective, but they are essential!

Operating System and Patches

The operating system should also always be updated with the latest patches. This can be very annoying to build into your routine, but you must find a way of accommodating those updates.

A system that is fully patched and has active, up-to-date Anti-Virus/Anti-Malware software installed becomes a much harder target.

Attacks Within

An attack from within will normally be as simple as someone bringing in a laptop and plugging it into the network or connecting it to the wireless network. There is no real way to stop those attacks from within; what we can do is defend against them, by ensuring every other computer on that network has Anti-Virus/Anti-Malware software installed and up to date, and that the Operating System is up to date and patched.

The only advice that can be given is to ensure that any employee who takes their computer home understands that it is a tool and not a toy: use a work computer just for work and not for anything else.

The Importance of a Backup Solution

The importance of a backup must not be underplayed; it sits alongside your Anti-Virus/Anti-Malware software and Operating System security updates in importance.

Backup can be viewed as the last line of defense for your business and its data.

The importance of backups must not be ignored. However, some backup methods are themselves at risk of being encrypted.

Manual Backups

Some people perform manual backups, for instance by connecting an external USB hard drive and copying their data to it.

However, the very fact that the device is now connected has put everything on that USB hard drive at risk.
The Crypto Virus might immediately start encrypting any data it can see on that drive.

Automated Backups

Some backup tools provide scheduled backups; these might be a simple process. For instance, on a Monday it might copy your data to a folder called Monday on the USB drive, on a Tuesday it copies all the data to a folder on the USB drive called Tuesday, and so on for the remaining days of the week.

Then on the following Monday it overwrites everything in the folder called Monday on the USB drive, and so on for the other days. As you can see, after 1 week you might have started to overwrite your good files with the bad, encrypted files.

Again, if the USB hard drive remains connected, or you connect it periodically, it can still be encrypted.

As backups go, it works, but it has its weaknesses with regard to Crypto Malware.

Retention

Retention is a way to keep several versions of a file, and the only safe way to do this is to ensure that the files are backed up to a device that is not physically connected to the computer, by USB for instance.

However, the backups will still back up those encrypted files.

A good retention policy might be: every daily backup is kept for 14 days, every full backup completed on a Friday night is kept for 4 weeks, and once a month (the 1st Friday of the month) a full backup is kept for a year. So if you did not catch the issue fast enough, you can still get something back.
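To make the two schemes concrete, here is an added Python example (not code from the original post) that models the weekday-folder rotation described above and the 14-day / 4-week / 1-year retention policy, and reports the newest clean restore point once the day the encryption started is known. The function names, the reading of "1st Friday" as a Friday falling on days 1 to 7, and the sample backup catalogue are assumptions constructed for this example.

```python
from datetime import date, timedelta

# Retention policy from the post: every daily backup kept 14 days, Friday full
# backups kept 4 weeks, first-Friday-of-the-month fulls kept for a year.
DAILY_KEEP_DAYS = 14
WEEKLY_KEEP_DAYS = 4 * 7
MONTHLY_KEEP_DAYS = 365

def is_friday(d):
    return d.weekday() == 4

def is_first_friday(d):
    return is_friday(d) and d.day <= 7  # the first Friday falls on day 1..7

def keep_backup(taken, today):
    """True if a backup taken on `taken` is still inside a retention window."""
    age = (today - taken).days
    if age < 0:
        return False
    if age <= DAILY_KEEP_DAYS:
        return True
    if is_first_friday(taken) and age <= MONTHLY_KEEP_DAYS:
        return True
    return is_friday(taken) and age <= WEEKLY_KEEP_DAYS

def prune(backups, today):
    """Split a backup catalogue into copies to keep and copies to expire."""
    keep = sorted(d for d in backups if keep_backup(d, today))
    expire = sorted(d for d in backups if not keep_backup(d, today))
    return keep, expire

def last_clean_restore_point(backups, today, infection_day):
    """Newest retained backup taken before the encryption started, i.e. the most
    recent copy that cannot hold encrypted files; None if no such copy survives."""
    keep, _ = prune(backups, today)
    clean = [d for d in keep if d < infection_day]
    return max(clean) if clean else None

def weekday_rotation_clean_folders(infection_day, today):
    """The Monday..Sunday folder scheme from the post: each day overwrites one
    folder, so a folder stays clean only until its weekday comes round again."""
    days_since = (today - infection_day).days
    return max(0, 7 - (days_since + 1))

# Constructed sample catalogue: one backup per day for the first half of 2016.
START, TODAY = date(2016, 1, 1), date(2016, 6, 30)
BACKUPS = [START + timedelta(days=i) for i in range((TODAY - START).days + 1)]
```

With the sample catalogue, `prune(BACKUPS, TODAY)` keeps 22 of 182 copies, and an infection that began on 20 May 2016 still leaves the 6 May monthly full as a clean restore point, whereas the weekday rotation has no clean folder left six days after the infection.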

What to Back up?

If you have a server sharing files between users, then these files must be backed up. You might also consider backing up a couple of the VIP computers. Some solutions, like our backup offering, provide full image-based backups of a computer, allowing a full restore to a previous version from before the infection occurred.

Email is also important: if you have a server that hosts your email system internally, then its protection should be configured accordingly.
If your email is hosted externally or you use Office 365 then you should be fine; those systems are normally well protected from such threats. However, if your system has been infected, any attached files that you saved from emails will also have been encrypted.
The good news is that, if you have not deleted the original email, then once your system has been restored you will be able to access those files again. The bad news is that, if you had made changes to those downloaded attachments and you have no backup, you will have lost the document with those changes in it.

Summary

Virus and Malware attacks are becoming more common. For a small business they can be very debilitating.

Recovery might be simple, with only 1 computer needing cleaning and repairing, but it might mean that all computers need to be removed from the network and cleaned one by one before being added back onto the network.

You should also not assume that your Anti-virus/Anti-Malware vendor will be able to stop every attack.

You need to be proactive in protecting your computer systems using a reliable method.

Backing up your data provides an effective way to keep versions of data over long periods of time, allowing for a disaster to occur, not that you want one to, and for your data to be recovered.

A backup recovery may not be as fast as you want, but you will ultimately get your last known good data back. It might be a couple of months out of date, depending on your backup policies, but you won’t be one of the statistics: the companies that go out of business 6 months after a disaster.
