Click and Deliver
Daylight robbery without the overheads of a horse or mask
Ransomware is an ever-growing threat to businesses. In the last few months three of our clients have fallen victim. We've seen one strain of Cerber 4.0 and two Aleta infections. Neither variant had a decryption tool available at the time of writing.
What is ransomware?
Ransomware is a form of malware that is commonly spread via spam emails. It encrypts the data on a computer or server but leaves the operating system files alone. Once the encryption process has completed, some form of ransom note is displayed. This could be a text or HTML file dropped on your desktop, or a screen that replaces the normal desktop, stating what has happened and the steps to get your files back at a cost.
Experience with ransomware
When ransomware runs on a business network, it is usually programmed to find and encrypt network drives as well as local files. It is important to find the source of the infection and remove it from the network to limit the damage. Depending on how aggressive the ransomware is, it may warrant taking the whole network offline to prevent the spread.
Once we are confident the ransomware has stopped spreading we go through each PC by hand. Virus scans are run, and any machine that returns a ransomware-related detection is removed from the network and rebuilt with a fresh operating system install. Once all infected machines are off the network, and the remaining PCs have come back clear, we restore data from the backups taken on the preceding days.
Luckily, in our cases the users who downloaded the infections had limited network access. This hindered the ransomware’s ability to spread through the network.
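Finding the source quickly is the step that decides how much is lost. On a Windows file server, files written over SMB are owned by the account that wrote them, so the ransom notes and freshly rewritten files on a share point straight at the infected user, and the live SMB session for that user names the client machine. The script below is an added example, not code from the original post; the share path, lookback window and ransom note name patterns are assumptions and should be adjusted to the environment, and it only reads (Get-ChildItem, Get-Acl, Get-SmbSession), so it is safe to run while the incident is live.

```powershell
# Added example (not from the original post): point at the likely source of a
# ransomware infection on a Windows file server. Files created over SMB are
# owned by the account that created them, so recently written files and ransom
# notes on a share identify the infected account; Get-SmbSession then maps that
# account to the client computer that should be pulled off the network first.
param(
    [string]$SharePath = 'D:\Shares\Company',   # assumed share root
    [int]$LookbackMinutes = 120,               # assumed window since the first report
    # Assumed note name patterns; extend with the names seen on the notes.
    [string[]]$NotePatterns = @('*README*.txt', '*README*.hta', '*DECRYPT*.html', '*RESTORE*.txt')
)

$Since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Every file on the share written inside the window, with its NTFS owner.
$Recent = Get-ChildItem -Path $SharePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        [PSCustomObject]@{
            Path      = $_.FullName
            Extension = $_.Extension
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            Written   = $_.LastWriteTime
        }
    }

# 2. Ransom notes: recent files whose name matches one of the patterns.
$Notes = $Recent | Where-Object {
    $leaf = Split-Path $_.Path -Leaf
    @($NotePatterns | Where-Object { $leaf -like $_ }).Count -gt 0
}

# 3. Who wrote the most files in the window, and which extensions they produced.
#    An account writing thousands of files with one unfamiliar extension is the
#    usual signature of an encryptor running under that user's credentials.
$ByOwner = $Recent | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Extensions'; e = { ($_.Group.Extension | Sort-Object -Unique) -join ',' } }

# 4. Correlate suspect accounts with live SMB sessions to get the client host.
$Suspects = @($Notes | Select-Object -ExpandProperty Owner) +
            @($ByOwner | Select-Object -First 3 -ExpandProperty Name) |
            Sort-Object -Unique
$Sessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $Suspects -contains $_.ClientUserName } |
    Select-Object ClientUserName, ClientComputerName, NumOpens

"Ransom notes found since ${Since}: $(@($Notes).Count)"
$Notes | Select-Object Path, Owner, Written | Format-Table -AutoSize
"Accounts writing to $SharePath since $Since"
$ByOwner | Format-Table -AutoSize
"Live SMB sessions for suspect accounts (isolate these hosts first):"
$Sessions | Format-Table -AutoSize
```

Run it on the file server as an administrator once the share is reported as encrypted. The session list is the part to act on: the ClientComputerName entries for the suspect accounts are the machines to unplug before the hand-checking of every PC begins, which is what keeps the spread to a few hosts rather than the whole network.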
What are we doing to prevent this?
Currently we are trialling Webroot on a couple of our servers. Webroot has a small installation package and doesn't need manual definition updates, as this is all done via the cloud. We also chose Webroot because it has a rollback function. It monitors processes and gives each one of three labels: Good, Bad or Unknown. Good is obviously allowed, Bad is blocked, and Unknown is allowed to continue running but flagged. All changes made by an Unknown process are logged, and if the system later deems it to be a bad process it can roll back all the changes that process made. The only other program I am aware of that offers this functionality is Kaspersky.
Webroot is new to the scene and largely untested, so giving it a go was a bit of a risk. In independent tests it is consistently in the top three alongside the heavyweights of the anti-virus world such as BitDefender and Kaspersky. So far, we believe it has prevented one other outbreak of ransomware on one of our terminal servers.
In addition, we are considering revamping all our clients' server permissions and tightening network access. This is not because we don't trust them, but because ransomware runs with the permissions of the user who launched it: in this kind of scenario, if the user cannot access the network, neither can the ransomware.
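The permission review is easier to start from an inventory of where broad groups currently hold write rights, since those are the shares an infected user's ransomware could encrypt. The script below is an added example, not code from the original post: it walks every non-administrative share on a file server and reports NTFS access entries that grant write, delete or permission-change rights to broad principals. The list of principals is an assumption and should be adjusted to the domain; the script is read-only.

```powershell
# Added example (not from the original post): list shares on this file server
# whose NTFS permissions give write access to broad groups. A user who can only
# read a share cannot have its contents encrypted by ransomware running as them,
# so these grants are the ones worth narrowing to the groups that actually need
# to write there.

# Assumed set of "broad" principals; add the domain's own catch-all groups.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    '*\Domain Users'
)

# Rights that let a process change or remove existing files.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        $id      = $ace.IdentityReference.Value
        $isBroad = @($BroadPrincipals | Where-Object { $id -like $_ }).Count -gt 0
        $canWrite = ($ace.FileSystemRights -band $WriteBits) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and $canWrite) {
            [PSCustomObject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Non-administrative shares only (skips C$, ADMIN$, IPC$), each with a folder path.
$Findings = Get-SmbShare -Special $false |
    Where-Object { $_.Path } |
    ForEach-Object { Get-BroadWriteAccess -Path $_.Path }

if ($Findings) {
    $Findings | Sort-Object Path, Principal | Format-Table -AutoSize
} else {
    'No broad write grants found on shared folders.'
}
```

Share-level permissions (Get-SmbShareAccess) sit on top of the NTFS ACL and the more restrictive of the two wins, so a share that shows up here may still be effectively read-only; the point of the report is to produce the list of folders to go through with the client, replacing the broad grant with a group containing only the people who edit files there.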
Lastly, we want to work on educating our users, making people aware of what to look out for, as practically all instances come down to user error. We regularly tell our clients that if anything comes in which they are unsure of, they should send it over to us and we will look it over. And no, you have not won $1M in a competition you didn't enter…