Ransomware. The facts, figures and fallacy. And how to avoid it.

Being responsible for any aspect of a business is a demanding task and making good decisions requires the right information to base them on. Here, FCS outlines some of the issues around one of those problem areas on the rise and lack of decent information for you to understand and manage it, Ransomware.

If you haven’t heard of it then its time you did; before it meets you head on and steals your wallet.

Searching t’Internet (we are in Yorkshire tha knows) seems to produce a list of woeful tales and everyone from every part of the IT industry seems to have a solution that promises to make the problem go away though it is interesting that the major players are all saying that a good offsite backup is the primary defence.

Headlines such as these are common… ‘British firms were each subjected to an average of almost 230,000 cyber attacks in 2016, according to analysis from business internet service provider Beaming.’
(Read more: http://www.thisismoney.co.uk/money/smallbusiness/article-4120352/Smaller-firms-set-face-52bn-fines-security-breaches-cyber-crime-skyrockets.html#ixzz4W1eLWbBV )

Or, Lincolnshire County Council hit by £1m malware demand (http://www.bbc.co.uk/news/uk-england-lincolnshire-35443434). Well, at least pencil and paper sales are up. It’s a massive problem that’s only going to get worse. So, in this document, FCS want to present some of the hard to find facts, cut the self-promotion (though not entirely!) and explore some of the challenges and present the only 100% guaranteed solution to the problem, other than throwing all the computers out of the window that is.

Ransomwhatyacallit?

Ransomware is a form of Malware (mal=bad ware=software, think virus) where a 3rd party manages to gain access to your computer and encrypt the data stored on it, not the operating system files but Word documents, Excel spreadsheets anything you created and didn’t come from Microsoft or Apple (yes, Mac’s are vulnerable too). Encryption is a technique normally used to protect data from being seen or used by those we don’t want using it, the tax man for example. The BBC ran a (typically lightweight) video on this last year, http://www.bbc.co.uk/news/technology-38123403

When a hacker does this, it means your computer will only display a message giving you a means to pay a ransom (normally in untraceable Bitcoin (https://en.wikipedia.org/wiki/Bitcoin) to get it back.  You can’t use it until you do, and if you don’t pay up within a certain timeframe then your data will be gone forever.

Ok so the embarrassing mistletoe related pictures from the Christmas party will finally be gone, but, for the continued operations of your business - it’s a disaster.

What is the real scale of this problem?

A recent multi-country study by security software firm Malwarebytes found that nearly 40 per cent of businesses had experienced a ransomware attack in the previous year. Of these victims, more than a third had lost revenue and 20 per cent had to stop business completely. The real ransom amounts are hard to come by, estimates suggest and average of $679 per attack and in the USA alone Ransomware costs business something like $75Bn a year, that’s $8,500 an hour. In the UK, home users are counting the cost of their share of £4.5M in ransom payments.

We see horror stories everyday as hospitals in the UK are cancelling operations and shutting down systems to stop the spread of ransomware and get control back of their data such as Lincolnshire and Goole last year (http://www.digitalhealth.net/cybersecurity/48336/aggressive-ransomware-blamed-for-nhs-cyber-attack) while Barts Health NHS Trust seem to be the most recent (thought the jury is still out on this one) (http://www.digitalhealth.net/cybersecurity/48415/barts-health-nhs-trust-hit-with-ransomware-virus) . Last year alone some 28 NHS trusts confirmed they had dealt with at least one Ransomware attack in the past year (http://www.digitalhealth.net/cybersecurity/48153/28-nhs-trust-ransomware-attacks-reported) and a great many businesses, from large to small, suffered attacks over the past year or so.

It’s popular with criminals because they can hide themselves in the dark web via TOR (The Onion Router, see here for more info http://www.iflscience.com/technology/everything-you-need-to-know-about-tor-and-the-deep-web/ ) making the bad guys all but invisible to security and law enforcement services.

If you want to really scare yourself, take a look here http://cybersecurityventures.com/ransomware-report/ for the day by day techie view of what’s happening…

How about some serious facts and figures?

These are hard to come by as many victims don’t want to come forward, but, in a recent survey the following information emerged: (Source – Datto’s State of the Channel Ransomware Report 2016 – a survey of people like FCS about their findings around Ransomware)

  • According to 97% of IT service providers, ransomware attacks on small businesses are becoming more frequent, a trend that will continue over the next two years.
  • There is a large disconnect between IT service providers and their small business customers when it comes to feelings on the ransomware threat. The majority (88%) of former are “highly concerned” while only 34 percent of end users feel the same, likely due to lack of awareness.
  • More than 91 percent report clients victimized by ransomware, 40 percent of whom have experienced 6 or more attacks in the last year.
  • Around 31 percent of IT service providers have experienced multiple ransomware incidents in a single day.
  • CryptoLocker is the most common strain impacting small businesses as 95 percent report customers contracting this variant.
  • Less than 1 in 4 ransomware incidents are reported to the authorities.
  • The leading cause of a ransomware infection is phishing email scam followed by a lack of employee awareness.
  • Ransomware has evolved past today’s top defence solutions, as 93 percent of IT service providers report customers victimized despite Anti-Virus / AntiMalware software in place.
  • The most common impact of a ransomware infection is business-threatening downtime followed by lost data and/or device.
  • Paying the ransom doesn’t guarantee the return of data; 7 percent of IT service providers report recent incidents of end users paying up to no avail.
  • The average ransom requested is typically between £400 and £1600, however 10 percent of MSPs reported the ransom average to be greater than £4000.
  • Windows is the most common system infected by ransomware followed by OS X.
  • Only 3 percent of IT service providers report seeing a ransomware infection on a mobile device and/or tablet – but, that means mobile ransomware exists and in time will probably grow.
  • Ransomware is targeting cloud-based applications as seen by 35 percent of IT service providers, particularly Dropbox, Office 365 and Google Apps.
  • The leading industries victimized by ransomware: Professional Services, Healthcare, and Construction & Manufacturing.
  • The #1 most effective solution for business protection from ransomware is a backup and disaster recovery solution (BDR).
  • If small businesses has a backup and disaster recovery (BDR) solution in place, nearly 100 percent of MSPs dealing with ransomware have been able to resolve the issue.

Around 9 out of 10 of IT service providers have reported recent attacks amongst small business clients.

46% of Ransomware infections come from email, 36% are due to employees clicking links on social media and a further 12% are dodgy websites and malicious adverts. With only 1% attributed to poor security, thought that isn’t an excuse not to spend on security, Ransomware is just one of many critical problems we need to protect against.

The main cause of infection is down to targeted phishing emails and a lack of user training.

Think you can rebuild your business easily?

63% reported ransomware led to business-threatening downtime

48% lost data or had to replace hardware

Of the 42% who paid the ransom, 1 in 4 never got their data back. Which is why the FBI recommend you never pay. In fact, some strains of Ransomware don’t even have the capability to decrypt your data. Even if you pay there’s no way to get it back. Incidentally, a survey of IT professionals shows only 5% of them paid a ransom, so the backups were used to bypass the problem.

Even the cloud storage you have isn’t safe, 70% saw Dropbox infected, 29% Office 365, 12% google Apps, 6% box and 3% their salesforce data.

The information you store is important to your business; otherwise why would you pay to store it? In fact, it is business critical and without it your business would fail (if you don’t believe me simply turn off all the computers and servers in your office, all the printers too and see how long you last).

While the typical ransom demand doesn’t seem great, it’s the time taken to decrypt it that hurts if you pay, there is no guarantee that criminals will fully recover your data (in fact, many renege on their promises of data decryption), it’s often a laborious and timely process to decrypt the files, you need to work out how to pay in Bitcoins and one encryption does not prevent you from being attacked again. Isn’t it better to think protectively now, improve your general security and protect against Ransomware?

I heard a customer say he was going to talk to his AntiVirus company, the conversation went along the lines of ‘What am I paying them for?’.

Of course the Antivirus community are quickly organising themselves to offer decryption tools, but, and it’s a big but… these do not protect against the initial infection. There is no guarantee that the encryption you have will be handled by the current crop of tools and if it isn’t then you may have to wait weeks to get a tool, if it is even possible to create one. AV companies need to see a sample of the code before they can do anything about it, if 3 out of 4 incidents aren’t even reported then there’s fewer samples to investigate and the other difficulty comes from the way it works, it’s encrypted so how do you get a sample of the exact malware you have on site? In addition, of the 4 million samples security company McAFee Labs (now Intel Security) saw in Q2 2015, 1.2 million were new. So, the writers are changing the code all the time to avoid detection and the chances a ‘generic’ Ransomware killer can be developed is incredibly small.

What should I really be doing to protect my data?

If Ransomware hits you then unfortunately your options are a little limited.

  • Pay up
  • Reinstall the Operating System from scratch and kiss your data goodbye
  • Restore from a backup

Ok, 1 and 2 are not great options. But what about 3? The files that are encrypted are your documents and user created files, if these are copied to a server and that server is backed up using the FCS backup platform we can quickly and easily push the data back for you. No trying to find a tape that works, not waiting 2 hours to index and find the files, no hassle. Just a quick phone call, 24x7x365 and we’ll help.

We consult to understand the RPO (Recovery Point Objective – how often a backup is taken, every day, every hour, every 15 minutes…). What your business needs is written into a policy that we apply to your backup solution.

Then we look at the RTO (Recovery Time Objective – The average time to get your computer working again from a backup) Again, this can be days if you are relying on tape (where are your tapes stored, how quickly can you get hold of them?), certainly hours at a minimum. Again, this is figured into our solution and we build a policy to suit your business needs.

The lower the RPO and RTO objectives are then the more costly a solution you will need, but FCS don’t apply the ‘one size fits all’ methodology.  We use a mix of products and strategies and can categorise different data in different ways so you don’t pay high prices for the data that’s non-critical.

The most effective means to protect against ransomware is to make sure you have multiple copies of your data, one of which is one site for speed and a copy of that stored off site through our backup and recovery service.

FCS use a variety of tools, all market leaders, to provide a best fit solution for your company and data. We would recommend that your data is stored in our data centres, de duplicated to save transmission of something you already have securely stored (how many copies of the company phone list do you really need?), compressed and encrypted to make sure it’s as secure in flight as it can be. Also, once the first backup is pulled into our cloud (which can be from disk etc.), we only take the changes you make minimising the upload strain on your Internet connection.

So, we only move what needs to be moved, only copy the changes and it’s encrypted. No one can see it, not even us – you keep the encryption keys – there’s that encryption again. But this time it works for you, not against.

We can do much more than that for you though. We can make virtual copies of your servers in our cloud and make them available if you get flooded, suffer a theft or other catastrophic failure.

FCS offer an ‘air gapped’ (no actual file share type connection) and encrypted platform dedicated to protecting your data stores your data off site in a safe way that also comes with a service supporting it that means all you need to do is call to get your data back.

Above all FCS understand that every installation is different. They may share some elements just as most people have arms and legs, but, we don’t all wear the same sized clothing.

One that test restores your data every day to ensure it is 100% recoverable. We even email a report to let you know what your ‘readiness state’ is. That way if there is an issue you can work with us to resolve it before it becomes a problem.

It makes sense to follow a few rules…

  • Understand what data you have and where it is stored.

This is going to become much more important when GDPR regulations are enforced (we’ve had the regulation for a while now but people are only just starting to panic about it). This means you need to be very selective about what data you store, where you keep it and who can access it. Make sure mapped drives need a password entering every time so a virus can’t gain access. Some ransomware families like VirLock and Locky are able to access and encrypt shared network drives, spreading the ransomware infection across an entire organization.

Limit users access to what they really need and nothing else, they always want access to everything, use VLANs as you would for PCI/DSS to limit access and implement permissions to files and folders. If a user can access files, it's likely an attacker or malware compromising that user will be able to access them, too.  

  • Assume the worst will happen and sooner than you would like

Security guys are always saying ‘it’s not if, but, when’. This is hard learned and taken for granted by anyone working in IT, especially security. Like Murphy’s law (whatever can go wrong will go wrong) there’s no guarantee of when something might happen, only an inevitability that it most certainly will. You will lose a disk to hardware failure. You will have a machine die on you. You will have tape failures (and a tape snapping in the drive and wrapping itself around the works isn’t an easy fix) and other issues.

  • Educate your users.

Explain to them what Ransomware is, how damaging it can be and why they don’t need Facebook at work, much less to do the ‘Which Ancient Egyptian Pharaoh were you in a former life’ quiz. Take a look here https://blog.barkly.com/5-tips-keeping-users-safe-from-spear-phishing for more information.

  • Use up to date protection across the network.

You need a firewall, preferably a ‘Next Gen’ one that looks at much more than where the connection comes from and where it’s going. Get one with IPS integrated and turn it on.

Install up to date AntiVirus Software, don’t fall in to the false sense of security AV marketing people try to lure you with. AV won’t stop everything but it’ll stop some of it and make sure it updates engines and definition files as frequently as possible, not weekly or daily, but hourly or better if it can. Sorry, but, there really is a difference between the free AV and the paid for stuff, and cheap AV is not as good as expensive AV. You really do get what you pay for. Avoid anything that tells you it can stop 100% of everything. It can’t. It never will. It’s a fib.

All Operating systems and applications should be patched as soon as patches are available. While some Antivirus tools incorporate a patch monitor, use a patch monitoring system like Secunia CSI (http://secunia.com/support/download/) to identify how badly out of date some of your software is and use the original vendor application, or your trusted source, to update it rather than downloading anything from an unknown site.

Add an email filtering service, if email is the gateway then being able to prevent it getting to your users is better than education. It won’t stop everything but once the service knows email from an address is malicious you won’t get them anymore, the same as if they see and content (links or files) is malicious. Think about it, if an email protection service provider has thousands of customers, chances are they’ll catch the bad stuff before it gets sent to you and they’ll block it.  

Web Content Filtering is a great way to ensure links to bad sites containing malware are blocked, and guess what? Lots of the blocked ones will host quizzes about what kind of Ancient Egyptian Pharaoh you might have been.

  • Backup, backup, BACKUP!!

I know, you do that to Dropbox (Oh, err… that can be encrypted as we mentioned above) or a storage unit on your network (Oh, err… yes we covered that above too didn’t we, anything connected to the network is at risk ) and to tape.

As a form of Backup, tape has its place; it is good for archived storage but one of its problem is the restore times are far too long. And the reliability of an entire tape of data? Not great, reports of 50% failure to recover from validated tape backups are far too common to ignore, or trust the technology.

Of course Tape and Dropbox aren’t the only methods to backup your data, but anything mechanical has a risk of failure, tape especially. If you remember the days of VHS then you’ll remember what happened to the tape that you’d always use to record soaps or top of the pops, after a few recordings the picture would start to become noisy and eventually be unwatchable. Guess what? The technology is the same for data backup tape which is why tapes have a finite life. Most people exceed this as they don’t understand why they can only use a tape 20 times. Couple this with stringent storage requirements (not in the boot of the car on a frosty night or a sunny morning, not near mobile phones or other electromagnetic devices – or being left in the tape drive longer than necessary).

  • Restore, Restore, RESTORE!!

The last step in this chain is to make sure your data restores. Not a verify cycle, but pick an old machine and restore to it. It should power up and run like the original when it’s not on the network…

If it doesn’t restore properly then the time to find out is now. Not when your main billing platform or email server is struggling to power up. Make sure you do this with every backup you take. There are lots of reasons why backups fail and ironing out those issues before you urgently need to restore something is by far and away the best way. 

  • Develop and test a Disaster Recovery plan

Remember the ‘it’s not if, but, when’ quote? A disaster of some form will strike your business at some point. Being prepared for this is not only a good move, but, auditors will fail most companies if a DR plan isn’t in place. Make sure you are ready to handle flood, fire, theft, human error, power loss, terrorist events impacting your location, bad weather… The list is quite a long one, but, getting a plan in place and tested before it is needed will help you sleep at night. Like digital Horlicks.

One last citation from the report…

With Backup and Disaster Recover in place 95% feel more prepared.

With Backup and Disaster recovery in place 97% have quickly resolved the issue, without only 68% fully recovered – but it took a long time.

FCS also offer an email protection solution that stops malware, spam and importantly is probably the most effective way to stop your users seeing malicious emails in the first place. Not the only thing you need, but a great addition.

We can also backup Office 365 data, Salesforce and almost anything you have on site.

We’re ISO27001 certified which means we are safe and secure, in fact we backup our data centres to other data centres 200 more than miles apart, so if the very worst happens to one of them we can always get your data back.

There are no worries about it being internet based because we encrypt your data before we send it and store it encrypted, the only person with the key is you. We can’t see your data, neither can anyone else – unless they have your key so it is safe both ‘in flight’ and ‘at rest’. In fact as we perform 'incremental forever' data transfers it's much more difficult for a wrongdoer to get your data. 

In conclusion, there is a lot of speculation and guesswork around regarding Ransomware and few solid facts and figures. It is safe to assume that you will be affected by it in the future and plan for that, even if you already have been, in fact lightening normally strikes twice in the world of IT. An offsite backup is the only way to ensure you have recoverable data and a clear-headed support resource when you need it. And guess what? Those mistletoe pictures will still be on someone’s phone or cloud backup, which kind of proves our point.

It’s also useful for the following:

  • Supporting compliance (see ISO 27001 Section 12.3.1 for more information)
  • Protecting against Human Error (accidental deletion)
  • Protecting against Hardware Failure
  • Part of your Disaster Recovery Planning

Just when you thought it was safe to go back in the water…

Of the ransomware attacks against your customers, had they implemented the following?

  • Anti-Virus Yes 93%
  • Email and Spam filters Yes 77%
  • Patched and updated systems Yes 58%
  • Ad/Pop-up blockers Yes 21%
  • Had delivered Cyber Security training Yes 14%

Then we find that 63% saw Ransomware spread across the network and only 31% had a limitation to a single system, 7% saw multiple infections with both characteristics.

  • And if you think UK based business is less susceptible because of something your Internet provider or support company is doing, we are the third largest impacted country, behind the USA and Japan.
  • Almost three-quarters (74%) of UK small and medium-sized enterprises (SMEs) think they are safe from cyber-attack, despite half of them admitting having suffered a data breach, according to a report by Juniper Research.
  • The research found that 50% of small businesses have suffered a data breach, two-thirds of them in the past year.
  • Most (86%) of the SMEs surveyed also think they are doing enough to counter the effects of cyber security attacks.
  • More than a quarter (27%) think they are safe from attack because they are small and of no interest to cyber criminals.

There is something wrong here isn’t there? Everyone thinks they are doing enough to protect themselves, but these attacks are still successful and how can 50% of people have a breach if 86% are doing enough to stop it?

I’ll stick my neck out here and say 86% think they are spending enough. But certainly not doing enough and to the 27% who think they are too small I can categorically say that home users get hit and small companies go out of business if they get hit. This is a common thought amongst business owners. Do they really think these guys target a business on their ability to pay up?

All it takes is an email or phone call to get the experts to advise you without obligation on what needs to be done, how to do it and even implement and run it for you, giving complete peace of mind.

It doesn’t cost as much as you think and is certainly a lot lower cost than dealing with a hit. If you already have off site backups why not see how our approach can greatly reduce your costs?

Why not call FCS and see how we can help? 

 

FCS. Make us your first resource, not your last resort… 

Back to latest
Suite 1, 1812 Building, Wheatley Park, Mirfield WF14 8HE T 0333 666 999 1
All rights reserved. Copyright FCS Protect 2022. Created with love by Fantastic Media.
Loading