– What is Ransomware
– How Does Infection Occur
– What Can be Done to Avoid Ransomware
What is Ransomware?
Also known as Crypto-Ransomware, Ransomware is a type of malicious software or malware designed to encrypt and block access to files on an individual’s computer or company’s computer system until a sum of money is paid as ransom. Encryption is done on a file level affecting many different file types including Microsoft Office documents, pictures, music, and video files.
05.12.2017 – Largest Ransomware Attack in World History
On May 12, 2017 a massive Ransomware attack spanned over 75,000 infections in 99 countries making it the broadest, most damaging cyberattack in world history. The “WannaCry” Ransomware attack locked all files on infected computers and asked for a Ransom payment in exchange for file control. Affected computers were given a $300 ransom with six hours to pay while the ransom increased each hour of non-payment.
“WannaCry” spread by taking advantage of a Windows vulnerability that Microsoft had patched back in March of 2017. Computers & networks that hadn’t updated their systems with the new security patch were left vulnerable. Around the world, millions of dollars were lost in productivity. Hospitals, local governments, universities, and countless businesses were hugely impacted in the wake of this unprecedented cyber attack.
How Does Ransomware Infection Occur?
Email Based Attacks
Email based attacks are executed via Ransomware laden email attachments from someone you may or may not know. Hackers are banking on you opening the attachment without thinking twice. Once the attachment is downloaded and opened you may see a generic Windows error, all the while the Ransomware software is installing in the background. At this point your system is infected. Alternatively, the email may not contain an attachment at all, but a clickable link. Clicking the link will bring you to a Windows error, or webpage. In the background the Ransomware is downloaded and installed without your knowledge.
Web Based Attacks
Web based attacks occur via pop-ups and browser add-ons. You may be on the internet and an internet window may pop up explaining that you have a virus. It may also say, “click here for virus removal.” Alternatively the pop-up may come with audio, audibly explaining to you that you have a virus giving you a link to click to remove the virus. These pop-ups occur very fast and count on you instinctively clicking on a link to get rid of the pop-up. Sometimes the pop-up has a false X button on the top right of the window. Hackers are banking on you clicking the link or the false X button to close the window only to be infected.
Software Based Attacks
Software based attacks occur secondary to Web and Email based attacks as the Ransomware infection may come through the web or an email, exploiting a software security hole or a Windows operating system vulnerability and automatically installing Ransomware. Ransomware generally exploits operating system vulnerabilities but they can also exploit Microsoft Office, and other third party application vulnerabilities.
The Five Stages of Ransomware
The Installation of Ransomware is executed unknown to you on the background of your computer via fraudulent download or phishing email. Installation takes just seconds and once installed contacts hacker servers. Once a successful “handshake” occurs between the hacker server and your computer, the server automatically generates cryptographic keys it then uses to encrypt all local & network data. Once keys are created, the newly installed software will seek and encrypt files and documents both on the local computer and across the network. Once encryption is done, a screen will display with ransom payment information, a time limit, and a cost. Alternatively there are also Ransomware types that leave a document in each encrypted folder with instructions on how to decrypt.
How Can Law Firms Avoid Ransomware?
Education is probably the very best, most cost efficient way to fight Ransomware. No one should open an attachment within an email or click a link from someone they do not know. Even for email where the sender is recognized, if the request looks strange, the email address may be spoofed to look like a fellow firm member. If the email looks vague or the reference within the email looks incorrect, more than likely it is a phishing email. This same rule goes for web access. As long as your staff sticks with legitimate work related websites, the likelihood of a web based Ransomware attack can be lowered dramatically. At the end of the day if you are unsure about an email or a webpage email your I.T. staff, they should have the tools to test for embedded Ransomware. Rekall offers free onsite training sessions which educate staff members on how they can avoid triggering a firm-wide Ransomware epidemic.
Anti-Ransomware Spam & Web Filtering
Coupled with education there are technologies that aid in the avoidance of Ransomware. Top email spam filtering services now offer anti-Ransomware subscriptions. In this way Ransomware laden emails are stopped before they reach your inbox. Rekall’s spam filtering service blocks around 45 Ransomware attempts weekly for our law firms. In conjunction with spam filtering should come an enterprise level firewall. Enterprise level firewalls should come with anti-Ransomware services which automatically block web based Ransomware as your users navigate through the internet. These technologies take the guess work out of email and website safety and heavily aid int he fight against Ransomware.
Best Practice File & Folder Security Permissions
Ransomware follows network permissions and will only encrypt files over the network that the triggering user has access to. This means that if your I.T. company follows Microsoft best practices regarding file & folder security, the likelihood of a total encryption situation is lowered significantly. Users should only have access to what they need and nothing more. They also should not have access to other workstations, only their own. Proper file & folder security across the network will limit the amount of data encrypted as a whole. The less data encrypted, the lower the chances of a full production halt within your firm.
Ransomware Proof Backup Services
Do not backup to USB devices as a primary backup method. In almost 100% of the Ransomware situations that Rekall has been called to handle, the USB drive is also encrypted along with all firm data. Utilize a cloud based image level backup of all servers with a high retention, 15 to 30 days. Rekall offers this as a standard Backup/Disaster Recovery service. Other than being in the cloud, this is the very best type of backup for fast recovery from Ransomware or any kind of system malfunction.
Operating System & Software Patch Management
Your I.T. vendor should be remotely managing Windows desktop, server & third party application updates on a regular, scheduled, automatic basis. This service will plug any security vulnerability holes automatically and keep your firm 100% secure. Not a single Rekall client was affected by the “WannaCry” Ransomware attack of May 2017 due to this service which costs clients only $6/workstation per month. It’s an inexpensive solution that offers a fantastic value.
Move to a Private Cloud
Finally, if you find all of this way too overwhelming, forget it all and move your firm to a private cloud. Rekall’s Private Cloud offers all these services bundled together at a low monthly rate offering the highest level of security and the least amount of I.T. management headache.