2017 seems to be the year of the mass ransomware attacks. First, there was the WannaCry attack in May and, a month later, there was Petya. Both these attacks caused widespread damage in thousands of organisations across the globe: most notably, WannaCry wreaked havoc in the NHS and Petya took down the radiation monitoring system at the notorious Chernobyl nuclear reactor. As it’s likely we’ll see more mass ransomware attacks in the near future, this post will look at the implications ransomware has for organisations and show you the steps you need to take to protect yourself.
What are the implications for an infected organisation?
Ransomware does more than mess up IT systems: it affects the people who depend on the organisations which have been infected. It has closed hospital A&E departments, stalled airport departures, caused power cuts and shut down ports. The implications of this are enormous. If someone is harmed by your failure to protect your own system from infection, there’s the potential for a lawsuit. And with so many potential victims, it could be an absolute field day for the ‘Had an accident at work?’ type legal firms. ‘Has IT negligence affected you? Claim now. Call us on 0800 862 0890.’
Any lawsuit, however, will just be the grand finale to a whole succession of issues you may face. There’s the cost of restoring your IT services and data, the loss of revenue whilst you are offline, and the long-term damage to your reputation. In addition, you may need to change systems and procedures to reduce future risk and, in case it does happen again, put a credible Plan B in place. When you take this into account, it’s not surprising that 60% of SMEs go out of business within 6 months of a cyber attack.
What is ransomware and how does it infect a system?
Ransomware is a type of software that encrypts the data on your system or stops you getting access to your operating system. It prevents software from running and information from being accessed. All you are left with is a screen telling you that you need to pay a ransom in order to get a key that will decrypt everything or which will restore OS access. Details of how to pay and how much are also given. To frighten you into acting quickly, the amount goes up the longer you wait to pay.
The main way ransomware infects a system is through someone opening an attachment or clicking on a link in an infected email. It can also be transmitted by visiting infected websites or clicking on malicious adverts and popups. Once downloaded, the malware will begin to look for vulnerabilities in the software on your computer. If it finds them, it will be able to run the ransomware program and take over your computer. If it doesn’t find the necessary vulnerabilities, it will remain dormant.
What makes ransomware particularly pernicious is that it can spread quickly from machine to machine across a local network. One of the ways this is done is via the ‘EternalBlue hack’. Here the malware exploits a weakness in the Server Message Block (SMB) protocol that computers use to communicate with each other. Another method is to steal administrator credentials which enable it to remotely install the ransomware on other network machines using the PsExec and WMIC management tools.
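The spread via PsExec and WMIC described above leaves traces in Windows event logs that a defender can watch for. The following is an added example, not part of the original post: it flags any account that uses those tools against several machines. The event records, host names, account names and the threshold of three hosts are constructed assumptions; event IDs 7045 and 4688 and the PSEXESVC service name are standard Windows and PsExec behaviour.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like exported Windows logs (not real data).
# Event 7045 = a service was installed; event 4688 = a process was created.
EVENTS = [
    {"host": "PC-07", "id": 4688, "user": "CORP\\admin1",
     "cmd": 'wmic /node:PC-08 process call create "sample.exe"'},
    {"host": "PC-07", "id": 4688, "user": "CORP\\admin1",
     "cmd": "psexec.exe \\\\PC-09 sample.exe"},
    {"host": "PC-10", "id": 7045, "user": "CORP\\admin1", "service": "PSEXESVC"},
    {"host": "PC-02", "id": 4688, "user": "CORP\\helpdesk",
     "cmd": "wmic /node:PC-03 os get caption"},
    {"host": "PC-02", "id": 4688, "user": "CORP\\helpdesk", "cmd": "notepad.exe"},
]

REMOTE_WMIC = re.compile(r"\bwmic(?:\.exe)?\b.*?/node:\s*([\w.-]+)", re.I)
REMOTE_PSEXEC = re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b.*?\\\\([\w.-]+)", re.I)

def remote_tool_target(event):
    """Return (tool, target host) if the event shows remote PsExec/WMIC use, else None."""
    if event["id"] == 7045 and event.get("service", "").upper() == "PSEXESVC":
        return ("psexec", event["host"])  # PsExec creates this service on the target
    if event["id"] == 4688:
        for tool, pattern in (("wmic", REMOTE_WMIC), ("psexec", REMOTE_PSEXEC)):
            match = pattern.search(event.get("cmd", ""))
            if match:
                return (tool, match.group(1).upper())
    return None

def spreading_accounts(events, min_targets=3):
    """Accounts that used remote admin tools against min_targets or more hosts."""
    targets = defaultdict(set)
    for event in events:
        hit = remote_tool_target(event)
        if hit:
            targets[event["user"]].add(hit[1])
    return {user: sorted(hosts) for user, hosts in targets.items()
            if len(hosts) >= min_targets}
```

On the sample data only `CORP\admin1` is reported: the helpdesk account touches a single remote host and stays under the threshold.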
How to protect your organisation from ransomware
- Change the way you update software
Many types of ransomware need to exploit vulnerabilities in older versions of software in order to take over a computer. This often means that the fix needed to protect a system from infection already exists. Microsoft, for example, had released a patch to safeguard against WannaCry eight weeks prior to the outbreak. Those who installed the patch were immune; those that got infected had only themselves to blame.
The issue for the organisations that were stung was probably one of poor IT management. A well-managed system ensures that all updates and security patches are installed as quickly as possible. Indeed, most updates can be configured to install automatically or be scheduled for installation at convenient times. Changing your approach to managing updates and ensuring that it is built into your IT policy is crucial to keep your system protected against evolving threats. If you find this difficult to achieve, then changing to a managed hosting package is the best option, as your operating system will be updated and patched for you by your service provider.
- Use powerful antivirus, tough firewalls and spam filtering
Cybercriminals have been very clever at developing stealthy versions of ransomware that some antivirus programs find hard to detect. For this reason, it is important that you choose a reputable antivirus vendor, such as Symantec or Kaspersky Lab. These companies are likely to be the first ones to detect and block new strains of ransomware.
Equally important is that your antivirus program is set to automatically update. This way, any new threat can be added to its library and detected. At the same time, you need to maintain a robustly configured firewall and filter out as much spam as possible, especially as spam email is one of the main causes of infection.
For those whose system is hosted, many of these services will be available from your vendor. At Web Hosting UK, for example, we have advanced malware Site Scanner with vulnerability alerts, Fortigate Firewalls and Spam Experts for your protection.
- Train your staff
As the majority of infections come from staff clicking on malicious links or visiting malicious websites, it is important that you train your staff to know what to look for and how to surf safely. The things they need to watch out for include:
Does the email sender’s name match up with the email address? Dodgy emails often appear to come from legitimate sources but the address in the ‘From’ field may give you a clue that it’s fake. For example, if it looks like this: From: WHUK ([email protected]) when it should be this From: WHUK ([email protected]).
Does the hyperlink send you to a legitimate website? By hovering the cursor over the hyperlink, the URL will appear (both in emails and on browsers) and this should tell you whether it is sending you to the right site or one which looks suspicious.
Look for emails that say they need to verify your account information or login details. Legitimate companies don’t send these out.
Look carefully for badly written emails that purport to come from genuine sources. ‘Hello This is you bank. We need you log on. Make quick or your account is blocked. Click here.’ Some are not so easy to spot.
In addition to training your staff, you may want to amend your Acceptable Use Policy, to ensure that safer procedures are followed.
- Always back up your data
If the worst happens, you need to be able to restore your system as quickly as possible and the best way to do this is to regularly back up your data. This way, you can reformat the hard drive and restore everything swiftly and simply.
What to do if your system gets ransomed
If your system gets attacked, the first thing you should do is disconnect any infected machines from the local network and the internet. This will isolate the infection and prevent it spreading to other parts of your system.
It is important to get technical help as quickly as possible as some ransomware viruses have a built-in incubation period designed to help them spread to other machines before displaying the ransom screen. Petya delays the ransom for an hour, so by the time you see the ransom on one machine, there may be others already infected. If your system is hosted by a vendor, contact your technical support immediately.
Do not be tempted to pay the ransom. There are usually other ways you can resolve the problem, especially if you have your data backed up. Besides, some ransomware attackers don’t respond or send out keys which don’t work. All they want is your money.
For those who have been hit by the Petya virus, there is no point in paying as the email address you are asked to contact the criminals through has been blocked. The scammers cannot receive your mail or send you the key. Your money will be wasted.
Ransomware has become a major problem for organisations across the world. Not only does it affect their systems, it takes services offline and puts people at risk. Hopefully, the information here will have given you a better understanding of how ransomware works and what you can do as an organisation to protect yourself.