Don’t be held hostage

Date: 2 August 2016

FeneTech’s A.J. Piscitelli warns of the dangers of Ransomware in his latest post, “Pay up, or never see your files again!”, outlining this ominous threat to your company’s files, but offering ways to ward off the bad guys.

Pay up, or never see your files again!

Working at FeneTech, I have an opportunity to see a lot of different networks and work with IT professionals with varying degrees of expertise. It’s an awesome experience and I’ve learned a lot from individuals all over the world.

There is a massive threat to any network that has any seasoned IT professional concerned. It’s called ransomware. If you haven’t heard of it, you should really pay attention.

Most malware in the past would simply turn your computer into a zombie and force it into a botnet, or try to gather as much personal information as possible for identity theft.

Ransomware is much more nefarious and is becoming an increasingly dangerous threat. Ransomware works by encrypting all of the files on the network with a key.

The files can’t be accessed without the key. In order to get the key, you have to pay anywhere from $500 to $50,000. Sometimes they send you the key, sometimes they don’t.

I’ve read or heard enough horror stories about ransomware, but have had the fortune of not dealing with it up close. During a recent visit, one of my customers got hit with ransomware. It took the customer down for a day.

This particular ransomware didn’t just hit mapped drives; it looked at all network shares that the customer had connected to. This meant even the order attachments and machine interface files were encrypted, as well as any other shared network folders for their other business files. The IT staff was able to get the files restored from backups. They were lucky.

Having been part of the forensic analysis, I was able to conclude with their IT personnel that this all started because an order entry employee opened up an email attachment containing the ransomware. However, it would be a mistake to reprimand the order entry person.

The email looked innocent enough, and could have been a legitimate customer’s order. The customer had competent IT staff who were running well-known anti-virus software on all of their computers, but it did not stop the ransomware.

Submitting the ransomware sample to be analyzed against known virus databases showed that only two out of 57 leading virus databases would have detected it. In other words, having Symantec, Trend, Microsoft Endpoint, AVG, MalwareBytes, or Kaspersky installed on the machine wouldn’t have helped in this instance.

None of their databases detected the ransomware as a virus. Not to say that there is anything wrong with their software, but it’s important to understand that no protection can stop everything.

There is another methodology that can be used to prevent ransomware, as well as some other viruses: preventing executable files from running in folders where viruses and other malware like to reside, such as the user’s TEMP directory.

This can be done via group policy. Unlike a traditional antivirus, this methodology isn’t continuously running and using up CPU and RAM resources to scan files as they are loaded.

CryptoPrevent (https://www.foolishit.com/cryptoprevent-malware-prevention/) is a piece of software that you can run on your machine to easily lock down these folders. Their free version will allow you to lock down the most commonly abused folders.

One note of caution: this will prevent ANY executable from running from those folders, regardless of whether it’s good or bad. This means that some legitimate software updates will fail to run (usually with an error message). You would simply need to disable the protection any time that you needed to update that particular software.
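As an added example (not code from the article, and not CryptoPrevent’s own code), the PowerShell script below creates the kind of group policy rules described above using Windows Software Restriction Policies (SRP), the group policy feature that implements path-based blocking: “Disallowed” path rules for executables in the user’s temp and application-data folders, an audit helper that lists the rules in force, and a removal helper for the update caveat so that one rule can be lifted for a trusted installer instead of switching the whole protection off. The folder list and rule descriptions are assumptions for illustration. Run it from an elevated prompt on a test machine first; on a domain-joined machine, put the same rules in a GPO so that domain policy does not overwrite them.

```powershell
#Requires -RunAsAdministrator
# Added example: Software Restriction Policy (SRP) path rules that block
# executables in user-writable temp/app-data folders. This is the registry
# layout the SRP group policy editor writes to; on a standalone machine it
# can be populated directly. Not the article's or CryptoPrevent's code.

$SaferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level "Disallowed"
$Unrestricted = 262144    # 0x40000, SRP security level "Unrestricted"

# Folders to block (assumed list for this example; extend as needed).
$BlockedPaths = @(
    '%USERPROFILE%\AppData\Local\Temp\*.exe',
    '%APPDATA%\*.exe',
    '%LOCALAPPDATA%\*.exe'
)

function Initialize-SrpPolicy {
    # Default level Unrestricted: everything runs except what the rules disallow.
    if (-not (Test-Path $SaferRoot)) { New-Item -Path $SaferRoot -Force | Out-Null }
    Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled' -Value 1 -Type DWord  # enforce for software files except DLLs
    Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope'        -Value 0 -Type DWord  # 0 = all users incl. local admins; 1 = skip admins
    foreach ($level in $Disallowed, $Unrestricted) {
        $p = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
}

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    $key = Join-Path $SaferRoot ("$Level\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'ItemData'     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $key -Name 'SaferFlags'   -Value 0            -Type DWord
    Set-ItemProperty -Path $key -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $key -Name 'LastModified' -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $key
}

function Get-SrpPathRule {
    # Audit helper: which path rules are in force right now, and at which level.
    foreach ($level in $Disallowed, $Unrestricted) {
        $p = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p | ForEach-Object {
            [pscustomobject]@{
                Level  = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                Path   = (Get-ItemProperty -Path $_.PSPath).ItemData
                RuleId = $_.PSChildName
            }
        }
    }
}

function Remove-SrpPathRule {
    # For the update caveat: lift one rule while a trusted installer runs from
    # that folder, then add it back. Narrower than disabling the whole policy.
    param([string]$RuleId, [int]$Level = 0)   # 0 = the Disallowed level
    Remove-Item -Path (Join-Path $SaferRoot "$Level\Paths\$RuleId") -Force
}

Initialize-SrpPolicy
foreach ($path in $BlockedPaths) {
    Add-SrpPathRule -Path $path -Level $Disallowed -Description 'Block executables launched from user temp/app-data folders' | Out-Null
}
gpupdate /force | Out-Null   # SRP evaluates rules at process start; a fresh logon is the sure way to apply them
Get-SrpPathRule | Format-Table -AutoSize
```

Only `*.exe` is blocked here because that is what the article’s scenario involved; SRP path rules accept any of the file types in its executable-types list, so the same `Add-SrpPathRule` call can be repeated for other patterns. Keep the output of `Get-SrpPathRule` from a known-good state so that a later audit shows whether rules were removed and never re-added after an update.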

Even with the above tactics, ransomware isn’t entirely preventable. The best strategy is to ensure you have frequent backups that are taken offline.

Backing your files up to your external hard drive doesn’t do much good if the external hard drive is constantly connected. Ransomware will simply infect the backups. The backup media needs to be “air-gapped” or physically disconnected in order to be protected.

Alternatively, cloud services are becoming more and more popular for backup, but versioning capability is the most important feature. If you’re syncing your files to the cloud without versioning, the encrypted files will overwrite the good copies during the next cloud sync.

With versioning, you can always go back to the previous version that should still be unencrypted. There are several services that offer this capability, all with varying costs.

Bottom line: ensure your files are backed up and validate those backups. Otherwise you might be paying up, in one form or another.
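As an added example (not from the article), the following PowerShell script makes “validate those backups” concrete: a hash manifest of the source files is written when the backup is taken and stored on the offline media with the copy, and a later check reports every file that is missing or whose content no longer matches. A file that keeps its name but fails the hash check is exactly what a good copy overwritten by an encrypted one looks like after a sync without versioning. The paths are placeholders and the manifest format is an assumption for illustration.

```powershell
# Added example, not from the original article: a hash manifest makes a backup
# verifiable. Build it when the backup is taken, keep it on the offline media
# next to the files, and check the copy against it before trusting a restore.
# Paths below are placeholders for this example.

$SourceRoot   = 'D:\Orders'                        # placeholder: live share being backed up
$BackupRoot   = 'E:\Backups\Orders'                # placeholder: copy on the offline drive
$ManifestFile = 'E:\Backups\Orders.manifest.json'  # placeholder: manifest stored with the copy

function New-BackupManifest {
    # Walk the source tree and record relative path, size and SHA-256 of every file.
    param([string]$Root, [string]$OutFile)
    $base = $Root.TrimEnd('\')
    $entries = @(Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($base.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    # -InputObject keeps a one-file manifest as a JSON array instead of a bare object.
    ConvertTo-Json -InputObject $entries -Depth 3 | Set-Content -Path $OutFile -Encoding UTF8
    return $entries
}

function Test-BackupAgainstManifest {
    # Compare a backup copy with the manifest taken at backup time. Returns one
    # record per problem; an empty result means every entry is present and unchanged.
    param([string]$Root, [string]$ManifestFile)
    $expected = @(Get-Content -Path $ManifestFile -Raw | ConvertFrom-Json)
    $problems = foreach ($e in $expected) {
        $path = Join-Path $Root $e.RelativePath
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $e.RelativePath; Issue = 'missing from backup' }
            continue
        }
        $actual = Get-Item -LiteralPath $path
        if ($actual.Length -ne $e.Length) {
            [pscustomobject]@{ File = $e.RelativePath; Issue = "size $($actual.Length) differs from manifest $($e.Length)" }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $e.Sha256) {
            # Same name, different content: the copy is not what was backed up.
            [pscustomobject]@{ File = $e.RelativePath; Issue = 'content differs from manifest' }
        }
    }
    return @($problems)
}

# At backup time, while the offline drive is attached (disconnect it afterwards):
#   $manifest = New-BackupManifest -Root $SourceRoot -OutFile $ManifestFile
# Before trusting a restore, with the drive reattached in an isolated session:
$issues = Test-BackupAgainstManifest -Root $BackupRoot -ManifestFile $ManifestFile
if ($issues.Count -eq 0) { "Backup verified: all manifest entries present and unchanged" }
else { $issues | Format-Table -AutoSize }
```

The manifest only proves that the copy matches what was on the share when the backup was taken; if the share was already encrypted at that moment, the check passes on encrypted files. That is why the article’s point about versioning matters: keep several dated backups, each with its own manifest, so that a set taken before the infection can be verified and restored.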

For more information, here are some good articles on ransomware:

https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

https://en.wikipedia.org/wiki/Ransomware

http://www.digitaltrends.com/computing/what-is-ransomware-and-should-you-be-worried-about-it/

https://www.cloudwards.net/why-businesses-should-care-about-ransomware/
