Don’t Be Held Hostage! – Learn How to Keep Your Small Business Secure
Ransomware, a type of computer virus that encrypts data on infected systems, has become a lucrative option for cyber extortionists. When the malware is run, it locks the victim’s files and lets criminals demand payment to release them.
Your IT systems are held captive and inoperable until a ransom is paid. Along with the financial impact, it’s insidiously designed to cripple your business through downtime, disruption, and data loss.
The State of Ransomware Report by Sophos revealed that 24% of surveyed organisations in South Africa fell victim to a ransomware attack in 2020. Of those infected, 50% eventually paid the ransom to the hackers.
The good news is that there are effective ways to protect your business.
In this guide, you’ll learn how ransomware is spread, the different types of ransomware variants proliferating today, and what your business can do to avoid or recover from an attack.
How Do Hackers Distribute Ransomware?
Ransomware is mainly spread through email and rootkit attacks.
The former usually requires the recipient to take an action or make a mistake, like intentionally clicking a link in an email. The latter does not typically spread through user error. Instead, rootkit attacks usually happen automatically whilst browsing the web.
Let’s take a detailed look at each:
Email spam is the most common method for distributing ransomware. It generally spreads using some form of social engineering over email where victims download an attachment or click a link.
Fake email messages might appear to be from a customer or colleague asking the recipient to view an attached file. Or, the email might come from a hacker posing as a trusted institution (such as your bank) asking you to perform a task, like verifying a transaction.
Sometimes, ransomware emails use scare tactics by claiming that the computer has been used for illegal or immoral activities. Once the user takes action, the malware installs itself on the system and begins encrypting files. Your business can be compromised with a single click.
In a rootkit attack, hackers install code on a legitimate website that automatically redirects users to a malicious site. The malicious site contains a software package, called a rootkit, which identifies vulnerabilities in the user’s computer, for example in popular business software or web browser extensions.
The rootkit exploits these vulnerabilities on the user’s system and allows the attackers to remotely install the ransomware virus.
In 2015, a study by cybersecurity vendor Sophos showed that thousands of new web pages running Angler, just one type of rootkit, were being created every day.
Rootkits are relatively easy to use, but require some level of technical proficiency. There are also options for aspiring hackers with minimal computer skills. According to McAfee, there are ransomware-as-a-service offerings hosted on the dark web, allowing just about anyone to conduct these types of attacks. This heightens the risk of disgruntled employees or competitors targeting your business.
Three Common Types of Ransomware
Ransomware is constantly evolving and new variants are always appearing.
While the following is not a complete or trending list of today’s ransomware, it gives a sense of the major players. The objective is to give you an idea of how each varies in its symptoms and impact, demonstrating how harmful ransomware is and how important active protection is.
In July 2019, City Power of Johannesburg was hit by a Locky ransomware attack. Locky shut down the electricity utility’s entire system – including all databases, applications, network, and even their website. Some residents were left without power.
Locky, as in the image above, is typically spread in an email attachment disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. Once macros are enabled, Locky begins its work of encrypting the victim’s computer.
A Bitcoin ransom, generally around R150 000, is demanded when encryption is complete. The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking five million emails containing Locky attacks over the course of two days.
CryptoWall first appeared in 2014, and variants have appeared with a variety of names since then, such as Cryptorbit, CryptoDefense, CryptoWall 2.0, and CryptoWall 3.0.
CryptoWall is distributed via spam or rootkits. It only encrypts files with specific extensions, such as Microsoft Office, OpenDocument, images, and AutoCAD files. Once the dirty work is done, a message informing the user that files have been encrypted is displayed demanding a Bitcoin payment.
TorrentLocker is distributed through spam email campaigns. In the example above, the ransomware is posing as a postal service. In addition to encrypting files, it collects email addresses from the victim’s email contact list to spread malware beyond the initially infected computer. This allows it to spread within and between businesses more so than many other ransomware strains.
TorrentLocker also deletes the Microsoft Shadow Copy Service to prevent a system restore via Windows recovery tools. A comprehensive data backup and disaster recovery solution is thus essential for recovering from a TorrentLocker attack.
How to Protect Your Business from Ransomware: Education, Security, and Backup
It’s no secret that cybercriminals armed with ransomware are a formidable adversary.
And while SMBs aren’t specifically targeted in ransomware campaigns, small business in-house IT teams are stretched thin and, in some cases, rely on outdated technology due to budget constraints. This is the perfect storm for a ransomware nightmare.
Thankfully, there are tried and tested ways to protect your business against ransomware attacks. A proper protection strategy requires a three-pronged approach comprising education, security and backup.
Educate Your Employees
Your employees are your front line of defence.
According to a study by IBM, human error is the primary cause of 95% of cyber security breaches. It’s thus critical that your staff understands what ransomware is and the threats that it poses. Provide your team with specific examples of suspicious emails with clear instructions on what to do if they encounter a potential ransomware lure.
Conduct bi-annual formal training to inform staff about the risk of ransomware and other cyber threats. Likewise, ensure the message is communicated clearly to everyone in the organization (including C-suite executives), and not simply passed around on a word-of-mouth basis.
Implement Multi-Layered Security
Businesses must leverage multiple solutions to prepare for the worst. Today’s standard security solutions are no match for ransomware, which can penetrate organizations in multiple ways. Reducing the risk of infections requires a multi-layered approach to cybersecurity – rather than a single product.
At the first level, antivirus software should be considered essential for any business to protect against ransomware and other risks. Always ensure your security software is up to date in order to protect against newly identified threats. Likewise, keep all software applications (for example, Google Chrome, Sage Pastel, and MS Teams) patched and updated in order to minimize vulnerabilities.
Secondly, invest in cybersecurity software products that offer dedicated and ransomware-specific functionality. Sophos, for example, offers technology that monitors systems to detect malicious activities such as file extension or registry changes. If ransomware is detected, the software has the ability to block it and alert users rapidly – usually within seconds.
Adopt a Robust Data Backup and Disaster Recovery Solution (BCDR)
There is no sure-fire way of preventing ransomware in totality. Therefore, SMBs should focus on how to maintain operations despite an attack. One way to do this is a Business Continuity and Disaster Recovery Solution (BCDR).
Modern data protection solutions (like those offered by us at iSite Computers) take snapshot-based, incremental backups as frequently as every five minutes to create a series of recovery points.
If your business suffers a ransomware attack, this technology allows you to roll back your data to a point-in-time before the corruption occurred. The benefit of this is twofold:
First, you don’t need to pay the ransom to get your data back. Second, since you are restoring to a point-in-time before the ransomware infected your systems, you can be certain everything is clean and the malware cannot be triggered again.
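As an added example (not code from the original post or from any vendor product), the following Python sketch ties together the two ideas above: a behavioural check that flags a burst of file-extension changes, in the spirit of the monitoring described under Implement Multi-Layered Security, and selection of the latest five-minute recovery point taken before that first suspicious activity. The rename events, the snapshot schedule, the .locky extension, the function names and the window/threshold values are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed file-rename events (timestamp, old_path, new_path), sorted by time.
# Hypothetical sample data, not taken from any real incident.
EVENTS = [
    ("2021-03-01 09:00:05", "docs/q1.xlsx", "docs/q1-final.xlsx"),        # benign rename
    ("2021-03-01 09:14:01", "docs/q1-final.xlsx", "docs/q1-final.xlsx.locky"),
    ("2021-03-01 09:14:02", "docs/budget.docx", "docs/budget.docx.locky"),
    ("2021-03-01 09:14:02", "img/logo.png", "img/logo.png.locky"),
    ("2021-03-01 09:14:03", "cad/site.dwg", "cad/site.dwg.locky"),
    ("2021-03-01 09:14:04", "docs/notes.odt", "docs/notes.odt.locky"),
]

# Constructed snapshot schedule: one recovery point every five minutes.
SNAPSHOTS = [f"2021-03-01 09:{m:02d}:00" for m in range(0, 20, 5)]


def ext(path):
    """File extension in lower case, or '' when there is none."""
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def first_suspicious_burst(events, window_s=10, threshold=5):
    """Timestamp of the first burst of >= threshold extension changes
    inside window_s seconds, or None when no such burst exists."""
    changes = [(datetime.strptime(t, TS), o, n) for t, o, n in events
               if ext(o) != ext(n)]
    window = timedelta(seconds=window_s)
    for i, (t0, _, _) in enumerate(changes):
        in_window = sum(1 for c in changes[i:] if c[0] - t0 <= window)
        if in_window >= threshold:
            return t0.strftime(TS)
    return None


def clean_recovery_point(snapshots, detected_at):
    """Latest snapshot taken strictly before the first suspicious activity."""
    cutoff = datetime.strptime(detected_at, TS)
    before = [s for s in snapshots if datetime.strptime(s, TS) < cutoff]
    return max(before) if before else None


if __name__ == "__main__":
    hit = first_suspicious_burst(EVENTS)
    print("first suspicious burst:", hit)
    print("restore from recovery point:", clean_recovery_point(SNAPSHOTS, hit))
```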
Additionally, some data protection products allow users to run applications from image-based backups of virtual machines. This capability is commonly referred to as “recovery-in-place” or “instant recovery.” This technology can be useful for recovering from a ransomware attack as well because it allows you to continue operations while your primary systems are being restored and with little to no downtime.
At iSite Computers, our version of this business continuity technology is called Instant Virtualization, which virtualizes systems either locally or remotely in a secure cloud within seconds. This ensures SMBs stay up and running even if ransomware strikes.
Case Study: Taking Lesson from a Real-World Attack
What happens on the ground when ransomware hits a business? What lessons can we learn from the experiences of other SMBs?
Let’s look at a recent attack:
Spectra Logic is a data storage company in the US. Last year, in the early stage of lockdown, the company was attacked with a NetWalker ransomware virus.
It entered the company through a phishing email opened by a remote employee. From the employee’s device at home, it spread to the company network, where multiple IT systems started failing as the virus took hold. Soon after, company files were encrypted, locked, and made inaccessible by the ransomware. The business had ground to a halt.
The ransom demand? $3.6 million in Bitcoin.
The company had cyber insurance, which meant it could have covered the cost of paying the ransom. There’s no guarantee, however, that cybercriminals will assist once the ransom is paid. They’ll simply disappear with the money – or return with another attack.
Fortunately, Spectra Logic had a solid business continuity and disaster recovery solution in place. This gave the company a viable chance of restoring their systems and data through backups. After consulting with the FBI and cybersecurity specialists, recovery efforts began. It took their staff five days of non-stop work to recover most of their systems and data. Only weeks after that was there a level of normalcy.
Many other businesses hit by ransomware don’t have happy endings. Here are four key takeaways from this incident to apply to your business:
- Never pay the ransom – it is not a quick fix or guaranteed solution. This means your business must be prepared well before disaster strikes.
- Have a solid backup and disaster recovery plan. It was only thanks to their robust backup solution that Spectra Logic managed to recover so quickly. Without it, you risk losing critical data and months of downtime to a piecemeal recovery process.
- Be transparent about the breach. Ransomware is constantly evolving and businesses are still learning how to properly mitigate infection. Share your experience so others can learn and we can put cybercriminals on hard times.
- Employee awareness. Unsurprisingly, it was the result of human error that ransomware had a doorway into Spectra Logic. Remember, securing your small business starts with employee awareness and training.
Ransomware is a real and daily threat to SMBs in South Africa.
Hackers are constantly adapting and improving their attacks over time in the form of new ransomware strains, which means your business needs to always be up to date on protection.
The good news is that employee education and foundational safeguards go a long way. Ensure employees are constantly trained in cybersecurity best practices and implement multi-layered security to cover all your bases. Alongside these, a robust backup and disaster recovery solution will minimize downtime and help you pick up the pieces if everything else fails.
Get A Free Cybersecurity Audit for Your Business
Is your business prepared for a ransomware attack?
Need to do something for your cyber protection but not sure where to start?
Get started with a free cybersecurity audit and consult from iSite Computers. We’ve been in the business since 2008, helping SMBs in South Africa with a fully managed IT offering and multi-layered cybersecurity solutions.
Give our cybersecurity experts a call on 031 812 9650. Or click here to schedule a free consultation session, and we’ll call you back soon.