What is ransomware?
Ransomware is an unusual type of threat because it holds your files for ransom while leaving your systems essentially otherwise operational. A piece of malicious software enters your network and applies an encryption algorithm to your computer files, rendering them unavailable. The files are still there, and you can see them in a file structure, but you will not be able to open them with any program. Additionally, ransomware affects not just the device you are using, but any connected storage devices and mapped network drives. As a result, this type of malware poses a serious threat to your information systems. One infected device can bring your operations to a standstill. The person or group behind the attack provides information as to how to submit a payment, and in exchange, they will provide the decryption key. The attackers demand payment in some form of cryptocurrency, in order to maintain anonymity.
Some victims of ransomware attacks have not been confident in the integrity of their data backups and have paid the ransom to obtain the decryption key, and others have paid the ransom and obtained a key which did not decrypt the files. Both situations can be very expensive to your business.
How does ransomware gain entry to my network?
The purveyors of ransomware can inject the malware into seemingly innocuous documents, like invoices or estimates, or they can use internet links in an email to direct a user to a site that automatically starts a download and installation of the program. Documents containing macros provide an excellent opportunity to run the installer package without requiring direct interaction from the user. Some forms of ransomware take advantage of unpatched and unsolved vulnerabilities in the configuration of your devices and systems.
What are the most effective steps I can take to protect my business?
1. Deploy updates and patches in a timely manner. The operating system and application patches should be tested as soon as they are available, and applied to your systems as soon as your team can verify compatibility. Patching vulnerabilities will reduce the number of ways ransomware can execute itself in your systems.
2. Ensure that your technology team has an effective backup and restore process, and that they are able to fully test a restore from backup. Having a backup and restore procedure that you have validated will allow you to return your business to normal without paying an exorbitant ransom, still running the risk of not being able to decrypt the data.
3. Know the devices on your network and implement the same security procedures on any employee-owned devices touching your network that you have implemented on your business-owned devices. Maintain separate profiles on mobile devices, if possible, allowing only the business-facing profiles access to your network.
4. Disable SMB v1 on all devices on your network. SMB v1 is an outdated protocol and was the window that the creators of WannaCryRansomware exploited a few years ago. There may be some favorite processes that fail with the disabling of this protocol. If this is the case, you will need to perform a risk assessment against the cost you will incur with a ransomware attack.
5. Ensure that all your employees understand the hazards of active content like macros, and that they exercise caution in using them. Train them as well not to execute macros on documents received from external sources. Common documents like invoices do not need macros enabled, and in fact, such documents should be saved without active content before sending. If necessary, ask your vendors to send only documents without active content. Ensure as well that the appropriate teams understand the billing and payment cycles, and that they become suspicious of out-of-cycle documents and requests.
6. Train employees to be extremely cautious about clicking on links in emails. Messages with links unrelated to your line of business, messages themselves unrelated to your line of business, and messages with spelling and grammar errors should raise suspicions. Your employees should also not use links in emails to connect to websites of business contacts unless the employees have verified with the sender that the link is expected, and an explanation of the necessity of the link. When calling contacts to verify the validity of links in emails, employees should use their own contact source, such as a corporate address book, rather than a phone number in the message that contains the link. A message with a malicious link may also contain a compromised phone number.
Can I recover from a ransomware attack?
Possibly, but it will not be a pleasant process. Your best chance of recovery is a restore from a backup, and you will lose the records of transactions that occurred since the last iteration of your backup process. As explained above, paying the ransom may or may not produce a working decryption key. Attackers inexperienced in encryption and decryption have provided decryption keys which failed to release the files back to the owner. Prevention is going to serve you much better than hoping for a recovery, so take the necessary steps now to reduce the likelihood of infection.
Thanks for helping us upgrade our Macs and get them working exactly as our business needs! Fast, convenient and very knowledgeable! You’re the best!
Alary Technologies has been our IT support team for the past year at the START Clinic for Mood and Anxiety Disorders. They have done a excellent job in upgrading our system, organization, and supporting us in technical computer matters. Compared to other IT companies we have worked with, Alary Technologies comes on top. Ahmed Kufaishi the Managing Director at Alary Technologies is solution focused, knowledgeable and makes an effort to really understand his clients’ needs. It has been a pleasure to work with Ahmed and Alary Technologies. I would recommend their services to other companies and clinics.
“We continue to work with Alary Technologies due to the fact that they are quite educated and knowledge based with current upgrades, and their commitment to their customers.”
Ahmed has been providing our company with expert IT services for close to 3 years. He has guided us through hardware upgrades, server back up procedures and was instrumental in brokering a custom software program that fully automated some key functions in our business. Ahmed has always been thoroughly professional in all his dealings with us and has provided consistent and sound advise for all of our IT requirements. We consider Ahmed and Alary Technologies to be an important partner for our business.
It is refreshing to work with someone who can organize things and describe in plain language. I have a large and growing knowledge base for my work as an architect. I have realized that I can’t do everything, that I do need a team member who can look after this one relatively small by crucial part of my practice.