As one of the fastest growing threats to small businesses, ransomware is definitely something to be concerned about. Much more insidious than any malware we have encountered in recent years, ransomware is malicious code that locks and encrypts files, databases and applications across an entire network, while the perpetrators demand a ransom for their release.
Once a computer is infected, a ransom note pops up on it and demands a few hundred dollars to decrypt the data. While the annoyance factor is high, the tendency is to pay the ransom just so you can get back to work and be done with it. The alternative, it would seem, would be far more damaging: the time and resources required, and the potential for failure, are quite high. With the future of your business at stake, caving in to the ransom demand might not seem like such a bad idea.
While you may wonder if it’s worth all the time and effort for what seems like a pittance, just imagine that these cyber-thieves are repeating this process to thousands of computer networks at once and you’ll get a more accurate impression of the bigger picture.
To illustrate how quickly the risk is increasing, the network intelligence leaders at Infoblox recently released a report that shows a 35-fold rise in newly observed malicious domains in Q1 of 2016 (over the previous quarter). The combined financial loss for United States businesses affected by ransomware totals $209 million. When you consider that 2015’s losses – for the entire year – totaled $24 million, it’s easy to see that the threat is real.
History of Ransomware
Historically, ransomware can be divided into two categories: scareware and cryptographic ransomware. The former is just what it sounds like: an aggressive notification is delivered to the user warning of a threat that can be eliminated with a one-time payment of X amount of dollars. Dating back to 2005 or thereabouts, this method was largely unsophisticated, and targeted unsophisticated victims. Online crime was relatively new back then, and even collecting the payment must have been quite complicated, given the relative newness of digital payment processing.
Around the same time, cryptographic ransomware emerged, suspected to have originated somewhere in Russia, which encrypted files with certain extensions. A message would then be delivered offering a help file which, when executed, would decrypt the files for a fee of US$100-$200, to be paid through the digital currencies of the time.
Variants of this code have evolved over the years, with a type of scareware enjoying a brief resurgence around 2012, but by 2013, what would be hailed as the new generation of cryptographic ransomware had arrived, in the form of CryptoLocker. By installing itself on a user’s system, CryptoLocker could encrypt and deny access to business-related document files instead of the whole system. The user was warned that if payment was not made within 72 hours, the decryption key would be destroyed, along with all files. Payment was most popularly requested in Bitcoin, a semi-anonymous digital cryptocurrency that could not be tracked. In its first year, CryptoLocker is estimated to have amassed revenue of about US$27 million.
Essentially, CryptoLocker was the mother of today’s ransomware. While 2013 wasn’t so long ago, the technology has evolved quickly, growing with a snowball-like effect into something that shows no signs of slowing down. Ransoms have grown as well; though the average ransomware attack demands between $200 and $500 USD, there have been a number of high-stakes attacks on businesses in more recent years, with some victims paying out well over $10,000 to restore their systems to working order.
How does it happen?
Before you can do anything about it, it is important to understand how ransomware ‘kidnaps’ your computer network. By having a good understanding of where the threats come from and how they work, you will have better insights into how to protect your data.
Ransomware is deployed through domains that are created specifically to host the malicious software. These domains are created by software packages that allow cyber criminals to ‘shadow’ legitimate domains. The compromised domains infect the user’s devices or network, and once the payload is downloaded it begins to encrypt your files.
Sometimes the ransomware is hidden by inserting malicious URLs into legitimate ad networks, forcing users to sites even if they don’t click on them. Drive-by downloads are common as well, a process in which the malware takes advantage of out-of-date browsers or operating systems to gain access to the network. Email can also provide a way in, by delivering an executable attachment that the recipient haplessly clicks on. Such a malicious file may be renamed to look like a PDF or Word file, but it is actually an EXE executable file.
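The renamed-executable trick described above can be caught on the mail gateway or at the desktop by comparing an attachment’s declared extension with its leading bytes. The following check is an added example, not code from the original article or from any product it names; the sample attachments are constructed byte strings, not real malware.

```python
"""Flag attachments whose extension does not match their content (example code)."""

# Leading-byte signatures for the formats the article mentions, plus Windows PE.
SIGNATURES = {
    b"MZ": "exe",                 # DOS/PE executable header
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",         # .docx/.xlsx are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole",   # legacy .doc/.xls (OLE2 compound file)
}

# Declared extension -> content types that legitimately carry it.
EXPECTED = {
    ".pdf": {"pdf"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".doc": {"ole"}, ".xls": {"ole"},
}

def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing odd."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if kind == "exe":  # executable content, whatever the name claims
        findings.append("executable content (MZ header)")
    if len(parts) > 2 and "." + parts[-2] in EXPECTED:  # e.g. scan.pdf.exe
        findings.append(f"double extension {'.'.join(parts[-2:])}")
    if ext in EXPECTED and kind not in EXPECTED[ext]:  # name says document, bytes say otherwise
        findings.append(f"extension {ext} does not match content ({kind})")
    return findings

# Constructed samples: a PE header named as a PDF, a genuine PDF, a double
# extension, and a genuine .docx container.
SAMPLES = {
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.7\n%constructed",
    "scan.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "quote.docx": b"PK\x03\x04" + b"\x00" * 26,
}

def scan_samples() -> dict[str, list[str]]:
    """Run the check over every constructed sample."""
    return {name: check_attachment(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

A production gateway would read the real attachment bytes instead of the constructed samples, and would also want to treat scripts and archives containing executables as findings.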
The top three risks for ransomware or virus infection are:
- Email attachments
- Drive-by downloads
- Malicious links contained in emails
Each of these scenarios has one thing in common: they all have a social element. In almost every case of ransomware infection, the cause is traceable to a legitimate-looking email, website or ad network; something seemingly harmless that has lured the user into clicking on a link they probably never thought twice about.
Who is at risk?
If you think that your company is too small to be considered at risk for such an attack, think again. As larger companies and multinational enterprises generally have several layers of cyber defense, small businesses present an easier target for hackers.
Additionally, it is much easier to extract cash from a company under attack, compared to stealing credit card or other payment info, which is a crime that is becoming increasingly difficult to monetize.
According to the TrendMicro Security Intelligence Blog, new ransomware strains are specifically targeting businesses, looking for web server and database files. There are strains that are specific to educational institutions, hospitals and not surprisingly, messaging apps, and it would seem that nobody is impervious to the threat. Disguised as relevant information, software updates and embedded within actual emails from people you know, the danger often comes from a known and trusted source. Vendors, people in your contact list, and even employees can be the carriers, and nobody is any the wiser until it’s too late.
How do I protect my small business from ransomware?
Small businesses can be at risk for a number of different reasons. Often, they don’t have a regular process for file and system backup. They also don’t have a cyber safety training program in effect, meaning their employees may not have the tools with which to protect themselves. Lastly, many small businesses do not have the resources, either technical or financial, to combat a ransomware attack once it has happened, which means that they usually end up paying.
The rapid growth of these threats is likely to continue as businesses connect more devices to the ‘Internet of Things’, meaning smart devices that automate processes within the office, such as an app-controlled coffee maker, light dimmer or smart doorbell. Anything on the network that can be used as an access point is vulnerable, and the more things that are connected, the greater this threat becomes.
Sometimes, having a good firewall is simply not enough. With today’s trend towards BYOD (bring-your-own-device) and the prevalent use of mobile devices in business situations, it is more important than ever to protect your assets, to educate your workforce and to plan for the worst-case scenario in all instances.
The best strategy is to mount a layered defense: good backups, discretion when clicking on links in emails and websites, a good anti-virus software package, and a product that specializes in ransomware protection.
The worst thing you can possibly do is nothing.
Here are some steps that you can take to reduce your chances of being infected by ransomware, and hopefully mitigate the risk if such an attack should succeed:
- Backup: Once infected, the only options are to pay the ransom, lose the data, or restore from a backup. Whereas real-time sync will simply replicate your encrypted files, a robust backup system will allow you to restore your files and apps to a point in time before the attack occurred. Once your files have been encrypted, this is the only viable option to get you back on track. Your backup system should include a distributed solution that keeps copies in different locations. Backups should also exist on different media, in case the infected node gets access to your repositories and archives. It bears mention that you should ensure all ransomware is removed from your systems prior to restoration. Use the 3-2-1 rule: make three backups on two different media, and one in a completely separate location.
- Prevention: A good training program should be in place to ensure your workforce understands how to recognize incoming threats. The ability to spot social engineering tactics is key, as is avoiding ‘clickbait’. Open all attachments with caution, even if you think they are coming from people you know.
- Protection: Keep all browsers, software and operating systems updated to prevent vulnerability through flaws in outdated versions. Minimize administrative access and have a whitelisting strategy for applications and downloads. Making the move to a more robust managed security solution provides greater control.
- Don’t pay: While it may be tempting to pay the ransom just so you can get on with business, by doing so you are feeding an incentive for these crooks to continue on their nefarious path. After all, how can you be sure that you will actually get your files back after you do pay? They are criminals, after all. The likelihood is that they will reinvest the money you paid into developing newer, more destructive malware. Also, because you have paid once, there is a possibility you will be re-targeted. You’re no longer just a prospect, you’re a qualified lead.
- Keep working: If you’ve considered moving your business systems into the cloud, the time has never been better. Advantages to cloud computing include heightened security, malware protection and more robust authentication that greatly lowers the odds of an attack. Choose a service that offers multiple layers of security, data loss protection and malware scanning. Even if your local machines become infected, you should be able to reconnect to your cloud service without much downtime at all.
Ransomware protection products for small business
Fortunately, protecting your small business from ransomware is not difficult, but it does take a focused approach. Depending on your network configuration, there are several products available that can help reinforce your efforts. EC-MSP recommends TrendMicro for email and endpoint security.
TrendMicro offers several solutions suitable for small businesses, aimed at protecting your systems at entry and endpoint. Using a combination of file risk assessment, advanced analytics, exploit detection and web reputation monitoring, it protects email by blocking malicious threats at the gateway. Endpoint protection mitigates risk of ransomware with another layer of security, blocking known ransomware as well as preventing users from accessing sites that are known delivery points. It also monitors for suspicious behavior that is associated with ransomware, providing a worry-free solution that is both effective and affordable.
Protect your small business today
In 2016, there is no time to waste. Business moves at the speed of sound, and any interruption of service could potentially cost you everything. With the threat landscape growing at an alarming rate, you really can’t afford not to protect yourself. By arming your workforce with the knowledge and tools to help you avoid a ransomware attack, you will be helping to stop the advance of one of the most insidious types of crime the world has ever seen. While there is no sign that this threat will disappear any time soon, a little prevention will yield a lot of defensive power.
If you are concerned about ransomware and its potential risk to your business, call EC-MSP today. We have several small business solutions that can help reinforce your IT infrastructure and protect your data from harm, no matter where it comes from.