Don’t Be Held Hostage

AJ Piscitelli

FeneTech’s A.J. Piscitelli warns of the dangers of ransomware in his latest post, “Pay up, or never see your files again!”, outlining this ominous threat to your company’s files and offering ways to ward off the bad guys.

Pay up, or never see your files again!

Working at FeneTech, I have the opportunity to see a lot of different networks and to work with IT professionals of varying levels of expertise. It’s an awesome experience, and I’ve learned a lot from individuals all over the world. There is one threat to every network that has every seasoned IT professional concerned: ransomware. If you haven’t heard of it, you should really pay attention.

Most malware in the past would simply turn your computer into a zombie and force it into a botnet, or try to gather as much personal information as it could for identity theft. Ransomware is far more nefarious, and it is becoming an increasingly common and dangerous threat. Ransomware works by encrypting every file it can reach with a key that only the attacker holds. The files can’t be opened without that key. To get the key, you have to pay anywhere from $500 to $50,000. Sometimes they send you the key; sometimes they don’t.

I’ve read and heard plenty of ransomware horror stories, but I’d had the good fortune of never dealing with one up close. Then, during a recent visit, one of my customers got hit. It took the customer down for a day. This particular ransomware didn’t just hit mapped drives; it went after every network share the infected user had access to. That meant the order attachments and machine interface files were encrypted, along with every other shared network folder holding their business files. Anything the user’s account could write to, the ransomware could encrypt. The IT staff were able to restore the files from backups. They were lucky.

I was able to take part in the forensic analysis, and together with their IT personnel we concluded that it all started when an order entry employee opened an email attachment containing the ransomware. It would be a mistake to reprimand the order entry person, though. The email looked innocent enough and could easily have been a legitimate customer’s order. The customer had competent IT staff who were running well-known antivirus software on all of their computers, and it did not stop the ransomware. Submitting the sample to a multi-engine scanner showed that only two of 57 leading antivirus engines detected it. In other words, having Symantec, Trend, Microsoft Endpoint, AVG, MalwareBytes, or Kaspersky installed on the machine wouldn’t have helped in this instance; none of their signature databases flagged the sample. That isn’t to say there is anything wrong with their software, but signature-based detection always lags behind a new sample, and it’s important to understand that no single protection can stop everything.

There is another layer of defense that can stop this family of ransomware, as well as a good deal of other malware: prevent executable files from running out of the folders where malware likes to drop itself, such as the user’s TEMP directory. This is done with Software Restriction Policies via group policy. Unlike a traditional antivirus, this protection isn’t a process continuously running and consuming CPU and RAM to scan files as they are loaded; the rule is evaluated by Windows at the moment a program tries to start. CryptoPrevent (https://www.foolishit.com/cryptoprevent-malware-prevention/) is a tool that applies these rules for you. Its free version locks down the most commonly abused folders. One note of caution: a rule like this blocks every executable in those folders, good or bad. Some legitimate installers and software updaters unpack themselves into TEMP and run from there, so they will fail (usually with an error message saying the program is blocked). In that case you temporarily disable the protection, run the update, and turn it back on.
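The following script is an added example, not code from the original post or from CryptoPrevent. It writes the same registry keys the Group Policy editor writes when you create Software Restriction Policy path rules (Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies), blocking executables under %TEMP%, %APPDATA% and %LOCALAPPDATA%, then probes the rule by copying a harmless system binary into %TEMP% and trying to run it. The folder list, the description text and the probe binary are assumptions; the registry layout and level values are the ones SRP uses. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): create Software Restriction Policy
# "Disallowed" path rules for the folders ransomware droppers commonly run from.
# Writes to HKLM, so it needs an elevated prompt. Folder patterns are assumptions.

$Safer             = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel   = 0        # SRP security level "Disallowed"
$UnrestrictedLevel = 262144   # 0x40000, SRP security level "Unrestricted"

# Patterns to block. "*\*.exe" also catches one level of subfolder.
$BlockedPatterns = @(
    '%TEMP%\*.exe',          '%TEMP%\*\*.exe',
    '%APPDATA%\*.exe',       '%APPDATA%\*\*.exe',
    '%LOCALAPPDATA%\*.exe',  '%LOCALAPPDATA%\*\*.exe'
)

# Extension list the GPO editor writes by default; SRP treats these as "software".
$ExecutableTypes = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
    'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC')

function Initialize-SrpPolicy {
    # Creates the SRP root with a default level of Unrestricted so that only our
    # explicit Disallowed rules block anything. (A Disallowed default would
    # break every program that is not whitelisted.)
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord       -Value $UnrestrictedLevel -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord       -Value 1 -Force | Out-Null  # 1 = all software files except DLLs
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord       -Value 0 -Force | Out-Null  # 0 = all users, including administrators
    New-ItemProperty -Path $Safer -Name ExecutableTypes    -PropertyType MultiString -Value $ExecutableTypes -Force | Out-Null
    $pathsKey = Join-Path $Safer "$DisallowedLevel\Paths"
    if (-not (Test-Path $pathsKey)) { New-Item -Path $pathsKey -Force | Out-Null }
    return $pathsKey
}

function Add-SrpDisallowedPath {
    param([string]$PathsKey, [string]$Pattern, [string]$Description)
    # Each path rule lives in its own {GUID} subkey; ItemData holds the pattern.
    $ruleKey = Join-Path $PathsKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $Pattern -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    return $ruleKey
}

function Get-SrpDisallowedPaths {
    # Lists every Disallowed path rule so the policy can be audited (or backed out
    # by deleting the {GUID} keys when a legitimate updater needs to run).
    $pathsKey = Join-Path $Safer "$DisallowedLevel\Paths"
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem $pathsKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Pattern = $props.ItemData; Description = $props.Description }
    }
}

function Test-SrpBlock {
    # Drops a copy of a known-good system binary into %TEMP% and tries to run it.
    # If the rule is in effect, process creation fails and Start-Process throws.
    $probe = Join-Path $env:TEMP 'srp-probe.exe'
    Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe -Force
    try {
        Start-Process -FilePath $probe -ArgumentList '/user' -Wait -NoNewWindow -ErrorAction Stop
        Write-Warning 'Probe ran: the rule is NOT in effect (reboot and retry).'
        return $false
    } catch {
        Write-Host "Probe blocked as expected: $($_.Exception.Message)"
        return $true
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

$pathsKey = Initialize-SrpPolicy
foreach ($p in $BlockedPatterns) {
    Add-SrpDisallowedPath -PathsKey $pathsKey -Pattern $p -Description "Block executables in $p (ransomware hardening)" | Out-Null
}
Get-SrpDisallowedPaths | Format-Table -AutoSize
Test-SrpBlock
```

The rules apply to processes started after they are written; if the probe still runs, reboot and test again. To let a legitimate updater through, delete the matching {GUID} key under the Disallowed Paths key, run the update, and re-run the script. Note that on current Windows 10 and 11 Pro/Enterprise editions Microsoft’s supported replacements for Software Restriction Policies are AppLocker and Windows Defender Application Control; the same idea (deny execution from user-writable folders) applies there.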

Even with the above tactics, ransomware isn’t entirely preventable. The best strategy is to ensure you have frequent backups that are taken offline. Backing your files up to an external hard drive doesn’t do much good if the drive is constantly connected: ransomware will simply encrypt the backups too, since to the infected machine they are just another writable drive. The backup media needs to be “air-gapped,” that is, physically disconnected, in order to be protected.

Alternatively, cloud services are becoming more and more popular for backup, and here versioning is the capability that matters most. If you’re syncing your files to the cloud without versioning, the encrypted files will overwrite the good copies during the next sync. With versioning, you can always go back to a previous version that is still unencrypted, provided the service keeps versions for longer than it takes you to notice the infection. There are several services that offer this capability, all at varying costs.

Bottom line: ensure your files are backed up, and validate those backups by checking that what was backed up is intact and that you can actually restore from it. Otherwise you might be paying up, in one form or another.
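One way to validate a backup set before trusting it, as an added example that is not part of the original post: on a known-good day, record a hash of every file on the share into a manifest; after each backup run, compare the backup against the manifest and also check that files still begin with the header their extension implies. Ransomware-encrypted files keep their names (or gain an extra extension) but lose their normal file headers, so a backup job that quietly copied already-encrypted files, or files that were encrypted in place on the backup drive, fails this check. The backup and manifest paths, the signature table and the share name are assumptions; extend the table for the file types on your share.

```powershell
# Added example (not from the original post): sanity-check a backup set against a
# manifest and against expected file headers. Paths and signatures are assumptions.

param(
    [string]$BackupRoot   = 'D:\Backups\orders',              # assumed backup location
    [string]$ManifestPath = 'D:\Backups\orders.manifest.csv'  # assumed manifest location
)

# Leading bytes ("magic") for formats common on an order-entry share.
$Signatures = @{
    '.pdf'  = @(0x25,0x50,0x44,0x46)   # %PDF
    '.docx' = @(0x50,0x4B,0x03,0x04)   # PK.. zip container
    '.xlsx' = @(0x50,0x4B,0x03,0x04)
    '.zip'  = @(0x50,0x4B,0x03,0x04)
    '.png'  = @(0x89,0x50,0x4E,0x47)
    '.jpg'  = @(0xFF,0xD8,0xFF)
    '.exe'  = @(0x4D,0x5A)             # MZ
}

function Test-FileHeader {
    # Returns $true if the file starts with the bytes expected for its extension,
    # $false if it does not, and $null for extensions we have no signature for.
    param([string]$Path)
    $ext = [IO.Path]::GetExtension($Path).ToLowerInvariant()
    if (-not $Signatures.ContainsKey($ext)) { return $null }
    $expected = $Signatures[$ext]
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $expected.Length
        $n = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($n -lt $expected.Length) { return $false }
    for ($i = 0; $i -lt $expected.Length; $i++) {
        if ($buf[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

function New-BackupManifest {
    # Run on the SOURCE share on a day you know is clean, e.g.
    #   New-BackupManifest -Root '\\fileserver\orders' -Out 'D:\Backups\orders.manifest.csv'
    # (share name is an assumption). Records a SHA-256 per file.
    param([string]$Root, [string]$Out)
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $Out -NoTypeInformation
}

function Test-BackupSet {
    # Compares the backup against the manifest: missing files, changed hashes,
    # broken headers, and files the manifest never knew about (e.g. *.encrypted
    # copies or ransom notes left next to the originals).
    param([string]$Root, [string]$Manifest)
    $expected = Import-Csv $Manifest
    $result = [ordered]@{ Checked = 0; Missing = 0; HashMismatch = 0; BadHeader = 0; Suspicious = @() }
    $known = @{}
    foreach ($entry in $expected) {
        $known[$entry.RelativePath] = $true
        $path = Join-Path $Root $entry.RelativePath
        $result.Checked++
        if (-not (Test-Path $path)) { $result.Missing++; $result.Suspicious += $path; continue }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) { $result.HashMismatch++; $result.Suspicious += $path }
        if ((Test-FileHeader $path) -eq $false) { $result.BadHeader++; $result.Suspicious += $path }
    }
    $extra = Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { -not $known.ContainsKey($_.FullName.Substring($Root.Length).TrimStart('\')) }
    $result.Unexpected = @($extra | ForEach-Object FullName)
    return [pscustomobject]$result
}

$report = Test-BackupSet -Root $BackupRoot -Manifest $ManifestPath
$report | Format-List
if ($report.Missing -gt 0 -or $report.HashMismatch -gt 0 -or $report.BadHeader -gt 0) {
    Write-Warning 'Backup set failed validation; do not rotate out the previous good set.'
    exit 1
}
```

A handful of hash mismatches on files people actually edited is normal; a spike in mismatches, any bad headers, or a crop of unexpected files with a new extension is the signal that the backup captured encrypted data. Keep the manifest itself on the air-gapped media or in a versioned location, since a copy sitting on the share is just another file for the ransomware to encrypt.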

For more information, here are some good articles on ransomware: