How to fight cryptoviruses (ransomware)?
Just imagine yourself coming to the office in the morning, starting your computer and wanting to start your work. Your e-mail client warns you that it is not able to open its data file. You try to open a document containing your unfinished project; it will not open either. So you check your documents directory and find out that all your files have a suspicious suffix (something like .VVV, .LOCKY or .CERBER) and you are not able to open any of them. Eventually, you find only one file that can be opened, and it contains a message something like: “All your files have been encrypted. You have 96 hours to submit a payment to receive the encryption key, otherwise your files will be permanently destroyed.” This note includes payment instructions for hundreds of US dollars (most of the time in Bitcoin).
You have just met an encryption virus face to face…
Encryption viruses are the ugliest members of the ransomware family I have met so far. I am writing this note because the scenario above can be prevented. Don’t panic. There are solutions, and you don’t have to worry about closing down your business…
Short statistical introduction
According to online information at barkly.com, the ransomware statistics for 2016 are as follows:
- 47% of organizations have been hit with ransomware in the last 12 months.
- According to the FBI, in the 1st quarter of 2016 there were $209 million paid as ransom.
- The average ransom demand has risen to $679.
- In some known cases the ransom reached up to $20,000.
- Before being hit by ransomware, 81% of IT professionals were confident they would be able to recover all their data from a backup.
- After a ransomware breach, only 42% of IT professionals were actually able to recover all their data from their backup.
- 59% of ransomware infections were delivered via an e-mail containing a malicious attachment or a link.
- 24% have been delivered through Web sites.
So how to defend yourself?
It is clear to me that most people read this and similar articles at the moment they have just found all their files encrypted and are looking for information on how to get out of this mess. But I still have to start with the most important advice – prevention.
Prevention against ransomware consists of a number of precautions. The good news is that these precautions will also help you in many other incidents endangering your data (hardware malfunction, file deletion, targeted cyberattack, etc.). So how to do it?
- Train your users about internet risks – correctly trained users are aware of suspicious e-mails and don’t follow links they’ve received in e-mail. Just look again at the previous statistics – 59% of infections come in e-mails, 24% through web sites. That is 83% of infections which could have been prevented by the user. I recommend these user training topics:
  - What is phishing?
  - How to detect malicious/phishing e-mails and web sites?
  - What are operating system and application updates good for?
- Keep your antivirus software up to date – encryption viruses are delivered to your computer in the same ways as any other malicious program, and therefore a good antivirus can help.
- Keep your operating system up to date – updates patch operating system vulnerabilities, which are often exploited by encryption viruses (but not only by them).
- Always use the minimum privilege needed – an encryption virus can reach only the files you can access as a user. If you are using your computer with admin rights and have all your data storage connected via the company network, the encryption virus breach will be crippling.
- Monitor that your files are all right – some viruses, after breaching a computer, work very fast and encrypt your files in a few minutes. Others work very slowly – they encrypt just a few files every day and can therefore coexist in your network for weeks before someone finds an encrypted file for the first time. In these cases restoring backed-up files takes an enormous amount of time, because you have to dig through all your backups day after day and search for when every specific file was last correctly backed up.
- Check your backup processes
  - I recommend backing up at least the following way:
    - Make a full backup of your important data every week and keep them for several weeks.
    - Make a differential backup (changes since the last full backup) daily and keep them for at least one week. This way you will be able to “go back in time” to any day of the last week using just two backups – so you will not need too much time for the restore operation.
  - Check your ability to restore data – don’t rely only on your backup software and its notifications about correctly finished backup jobs. Once in a while, test that you can restore at least your critical data and that you can use it after recovery.
  - Prepare at least a basic Disaster Recovery Plan – have a prepared plan for how to recover data from backups. A plan like this has to contain the following:
    - where the backup media is stored,
    - which software and hardware are necessary for the recovery,
    - credentials needed to access the backup media,
    - how to find a backup created on an exact day,
    - where to recover data to,
    - how to recover data (e.g. how to recover the database on an accounting server),
    - how to verify that everything is working correctly after the restore process.
- Check your backup target
  - Backup files stored inside your infrastructure can be reached by the encryption virus and can therefore end up encrypted just like your documents. Check that your backups are stored in a location which cannot normally be reached.
  - Cloud storage (e.g. DropBox, GoogleDisc) usually only synchronizes your data. In this case all changed files on your computer are immediately mirrored to the cloud storage – including file deletion, encryption, etc. Cloud storage can surely be a good place to store your backups, but you have to adapt your backup process appropriately.
  - Make sure you have some off-line storage – I recommend also storing a backup of critical data on a medium (e.g. USB drive, DVD, tape) which is not accessible within your network and is therefore safe from a cryptovirus breach.
This list of preventive measures significantly reduces the risk that an encrypting virus breaches your computer or the company network, and if it does happen, you will be able to recover your data.
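The file-monitoring advice above, as an added Python example that is not code from the original article: a small scan that flags files carrying the suffixes the article names (.VVV, .LOCKY, .CERBER) and plain-text files whose content has become random-looking, which is what encrypted content looks like. The suffix and extension lists and the 7.0 bits-per-byte threshold are assumptions of this example, to be tuned to your environment.

```python
import math
import os
from collections import Counter

# Suffixes named in the article; in practice, extend this from a current threat feed.
SUSPECT_SUFFIXES = {".vvv", ".locky", ".cerber"}
# Only plain-text formats are entropy-checked: compressed containers
# (docx, pdf, zip, jpg) look random even when they are perfectly healthy.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".xml", ".json", ".ini"}
ENTROPY_LIMIT = 7.0  # bits per byte (assumed); natural-language text sits around 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means ciphertext-like content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 4096) -> list:
    """Return sorted (path, reason) pairs for every file that looks encrypted.

    Run it daily (e.g. from a scheduled task) and alert on any new finding,
    so a slow cryptovirus is caught long before weeks of backups are polluted.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            suffix = os.path.splitext(name)[1].lower()
            if suffix in SUSPECT_SUFFIXES:
                findings.append((path, "ransomware suffix " + suffix))
                continue
            if suffix in TEXT_SUFFIXES:
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
                ent = shannon_entropy(head)
                # Tiny files give noisy entropy estimates, so require a minimum size.
                if len(head) >= 256 and ent > ENTROPY_LIMIT:
                    findings.append((path, f"high entropy {ent:.2f} bits/byte"))
    return sorted(findings)
```

Keep the daily findings list in a file and diff it against yesterday's: a file that has been on the list for a week tells you exactly which day's backup still holds a clean copy.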
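The weekly-full plus daily-differential scheme recommended above, as an added Python example (not code from the article): a full backup writes a hash manifest, a differential backup copies only the files that differ from that manifest, and a restore applies exactly two sets. The folder layout and the manifest file name are assumptions of this example; it does not record deletions, and the target folders should still live somewhere the cryptovirus cannot reach.

```python
import hashlib
import json
import os
import shutil


def _digest(path):
    # Content hash: an mtime-only comparison is easier to fool than a hash.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _walk(src):
    # Yield (relative path, absolute path) for every file under src.
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, src), full


def _copy(full, dest, rel):
    target = os.path.join(dest, rel)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    shutil.copy2(full, target)


def full_backup(src, dest):
    """Weekly job: copy everything and write a hash manifest of the set."""
    manifest = {}
    for rel, full in _walk(src):
        _copy(full, dest, rel)
        manifest[rel] = _digest(full)
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def differential_backup(src, full_dest, diff_dest):
    """Daily job: copy only files whose content differs from the last FULL
    backup (not from yesterday's differential) and return their names."""
    with open(os.path.join(full_dest, "manifest.json")) as f:
        base = json.load(f)
    changed = sorted(rel for rel, full in _walk(src) if base.get(rel) != _digest(full))
    for rel in changed:
        _copy(os.path.join(src, rel), diff_dest, rel)
    return changed


def restore(full_dest, diff_dest, out):
    """Restoring any day = the full set, then that day's differential on top."""
    shutil.copytree(full_dest, out, dirs_exist_ok=True)
    os.remove(os.path.join(out, "manifest.json"))
    if os.path.isdir(diff_dest):  # a day with no changes has no diff folder
        shutil.copytree(diff_dest, out, dirs_exist_ok=True)
    return sorted(rel for rel, _ in _walk(out))
```

Because every differential is measured against the same full set, restoring Wednesday never depends on Monday's or Tuesday's differential being intact.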
How to recover from a cryptovirus attack?
If you are in a situation where you haven’t taken any preventive measures and now have maliciously encrypted files on your computer or on your network, you have very limited choices. In this situation I propose the following procedure:
- Disconnect any device which still contains unencrypted data. To be on the safe side, make a new backup of this data.
- Clean up the computers from viruses – never rely on the antivirus installed on the infected computer. Start an antivirus from independent media or use an on-line virus scanner (e.g. ESET Online Scanner). It is better to clean up in several independent ways.
- Decrypt your files using known decryptors – for some cryptoviruses there are ways to decrypt files using free public programs. For example, you can get decryptors from Kaspersky Lab.
- Restore your data – if you have any old backups, use them. Some other files you can often recover from your e-mails, USB sticks, etc. Think about whether you can get uninfected files from your customers, co-workers, …
- Calculate how much the loss of data is costing you – make a summary of your data – which you have recovered and which is lost. Try to figure out how much this loss will cost you before you consider proceeding to the next step.
- There is still the possibility to pay the ransom, but… – Yes, there are many companies that paid the ransom. Some of them received the decryption keys and recovered their files. Some of them didn’t even get a thank-you e-mail for the hundreds of dollars paid. Some of those companies had to close down. Unfortunately, there are no statistics on your chances of getting your data back if you pay the ransom, and I do not dare to predict them.
- And now go back to the preventive measures…