By Dave Moore
“Your personal files are encrypted by CTB-Locker. Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer.”
Wow, there’s a screen you never want to see! Millions have come face-to-face with messages like this, though, helplessly trapped as one of the Internet's biggest extortion schemes reveals itself.
“Private decryption key is stored on a secret Internet server,” the ransom note continues, “and nobody can decrypt your files until you pay and obtain the private key. You only have 96 hours to submit the payment. If you do not send money within provided time, all your files will be permanently crypted and no one will be able to recover them.”
Sadly, the Internet crooks behind this ransomware attempt (ransomware being software that holds your data hostage and demands a ransom for it) aren't kidding around. If you don't cooperate with their demands and pay the ransom to release your kidnapped computer, your precious documents, spreadsheets and photos will be gone, forever. They may be gone even if you do pay the ransom; you just don't know, because nothing obliges the crooks to send a working key once they have your money.
2017 was the year of Locky, NotPetya and WannaCry ransomware savaging Internet users, with billions of dollars lost, data destroyed, worldwide shipping disrupted, and reputations damaged. Victims included auto manufacturers such as Renault-Nissan, which halted production at affected plants, and British hospitals that turned away patients. According to the FBI, over 4,000 ransomware attacks occur every day.
SentinelOne reports that:
Many times, the greatest harm to a business comes not from the ransom amount, but the downtime incurred, and other collateral damages. With the average ransomware damage per business approaching $1 million, many small businesses simply closed up shop and declared bankruptcy.
Even though they are the most attacked and hacked businesses on the Internet, many small- and medium-sized businesses (SMBs) do not have dedicated IT staff to make sure proper cybersecurity protections are in place. Internet safety training is nonexistent. Ignorance and apathy have built an entire unprotected class of Internet users.
Due to competing priorities, business owners and staff focusing only on business success are unaware that they are like Indy 500 drivers without helmets or seatbelts. This article is written with SMBs in mind. Larger, enterprise-class companies will likely have much more involved and much more expensive protections in place.
There are only a few possible responses to a successful ransomware attack:
Pay the ransom and all is well (good luck with that).
Refuse to cooperate and lose everything (the most likely outcome, anyway).
Defeat the ransomware and regain control of your systems without paying (unlikely; well-written ransomware uses sound cryptography, and the successes have come from implementation mistakes in the malware or keys that were later leaked or seized, not from cracking the encryption).
Restore everything from secure backups you already have in place and thumb your nose at the bad guys (the happiest outcome of all).
How can ransomware be countered? Naturally, all of the usual network security "best practices" need to be in place:
keep operating systems and programs patched, browsers and their plug-ins included
restrict or monitor vssadmin.exe in Windows (ransomware routinely runs "vssadmin delete shadows /all /quiet" to destroy the Volume Shadow Copies you might otherwise restore from)
use high-quality anti-malware that scans email attachments and links and watches program behavior, not just file signatures
properly configure servers, routers, firewalls and network filters
limit use of administrator accounts (day-to-day work is done as a standard user, so one clicked attachment can't take the whole machine)
keep backups somewhere an infected workstation cannot write to, and test that they actually restore
and the list goes on, all the things any competent network security pro already knows
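The vssadmin item is the one on that list you can actually watch for in logs. What follows is an added example, not code from the article: a small Python detector run over a handful of constructed process-creation events (the fields a Sysmon Event ID 1 or Windows 4688 record carries, trimmed down). The host names, user names, parent processes and the "invoice_2017.pdf.exe" dropper are made up for the example; the command lines it looks for (vssadmin delete shadows, vssadmin resize shadowstorage, wmic shadowcopy delete, bcdedit recoveryenabled No, wbadmin delete catalog) are the shadow-copy and recovery-destruction commands ransomware families commonly issue before they start encrypting. It goes one step past the list item: a lone "vssadmin delete shadows" can be an administrator cleaning up, so it also flags hosts where two or more distinct techniques fire.

```python
import ntpath
import shlex
from collections import defaultdict

# Constructed sample process-creation events. These are NOT real logs: the
# hosts, users, parents and the "invoice_2017.pdf.exe" dropper are assumptions
# made for this example. Only the command lines reflect real ransomware behavior.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-03", "user": "CORP\\jsmith", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"host": "WS-ACCT-03", "user": "CORP\\jsmith", "parent": "invoice_2017.pdf.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "WS-ACCT-03", "user": "CORP\\jsmith", "parent": "invoice_2017.pdf.exe",
     "cmd": r'wmic.exe shadowcopy delete'},
    {"host": "WS-ACCT-03", "user": "CORP\\jsmith", "parent": "invoice_2017.pdf.exe",
     "cmd": r'bcdedit.exe /set {default} recoveryenabled No'},
    {"host": "SRV-FILE-01", "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmd": r'wbadmin.exe start backup -backupTarget:E: -include:C: -quiet'},
]

# Each rule: (name, image basename, tokens that must ALL appear in the arguments).
# These are the commands ransomware commonly runs to destroy Volume Shadow Copies
# and Windows recovery options before encrypting, so that victims cannot restore.
RULES = [
    ("vss_delete_shadows", "vssadmin.exe", {"delete", "shadows"}),
    ("vss_resize_storage", "vssadmin.exe", {"resize", "shadowstorage"}),
    ("wmic_shadowcopy_delete", "wmic.exe", {"shadowcopy", "delete"}),
    ("bcdedit_disable_recovery", "bcdedit.exe", {"recoveryenabled", "no"}),
    ("wbadmin_delete_catalog", "wbadmin.exe", {"delete", "catalog"}),
]


def parse_command(cmd):
    """Split a Windows command line into (image basename, lowercased argument set).

    posix=False keeps backslashes intact; quotes are stripped from each token so a
    quoted full path and a bare "vssadmin" both normalize to the same image name.
    """
    tokens = [t.strip('"').lower() for t in shlex.split(cmd, posix=False)]
    image = ntpath.basename(tokens[0])
    if not image.endswith(".exe"):  # "wmic shadowcopy delete" vs "wmic.exe ..."
        image += ".exe"
    return image, set(tokens[1:])


def match_rules(event):
    """Return the names of every rule this event's command line satisfies."""
    image, args = parse_command(event["cmd"])
    return [name for name, exe, needed in RULES if image == exe and needed <= args]


def scan(events):
    """Return one alert per event that matches at least one rule."""
    alerts = []
    for event in events:
        hits = match_rules(event)
        if hits:
            alerts.append({"host": event["host"], "user": event["user"],
                           "parent": event["parent"], "rules": hits,
                           "cmd": event["cmd"]})
    return alerts


def hosts_with_sequence(events, min_distinct=2):
    """Hosts where two or more DIFFERENT destruction techniques fired.

    One 'vssadmin delete shadows' may be an administrator; several distinct
    techniques on the same host in short order is the precursor of encryption.
    """
    seen = defaultdict(set)
    for alert in scan(events):
        seen[alert["host"]].update(alert["rules"])
    return {host for host, rules in seen.items() if len(rules) >= min_distinct}


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} parent={a['parent']} "
              f"rules={a['rules']}: {a['cmd']}")
    print("hosts with precursor sequence:", sorted(hosts_with_sequence(SAMPLE_EVENTS)))
```

Run as-is it reports the three hits on WS-ACCT-03, all spawned by the fake dropper, and names that host as a precursor sequence; the benign "vssadmin list shadows" and the backup service's scheduled wbadmin job are left alone. Fed from a real log collector, the per-host sequence is the alert worth waking someone up for, while the single-command hits are better used to notice an administrator doing something unusual.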
Of course, the SMB then has to follow through and actually hire those security pros, and give them the freedom (and budget) to do a proper job. The days of letting one of the cashiers act as IT staff because they "know about computers" should be long gone.
Most ransomware attacks succeed not because of bad network security but because someone, somewhere, got tricked into clicking the wrong thing. Internet safety training is serious business. Employees need to be trained in meaningful ways, instead of IT staff simply running "gotcha" spear-phishing tests every six months and pushing out dumbed-down online "security" questionnaires and videos featuring cartoon characters.
When people are properly taught the dangers involved in opening the wrong email attachment, clicking an email link, giving their password to the wrong person, visiting an infected website that exploits out-of-date browsers and apps, clicking on infected "malvertising" ads, and installing the wrong apps, the company immediately becomes safer.
It is my experience that when employees are treated like intelligent adults, properly taught, and understand the how's and the why's involved in letting the bad guys through the door, a business's security posture improves dramatically. Because they are treated with respect, employees establish a stake in the situation and take a righteous place as guardians of the company's overall safety. They are the first and the last lines of company defense and, when properly motivated, can be wildly effective.
To ensure long-term business continuity in the face of increasingly sophisticated Internet criminals, SMBs need to make effective, inclusive Internet safety training a top priority, training that includes all C-suite members, as well. To quote Intel's Matthew Rosenquist, "I would rather have a well-informed, motivated and security-savvy workforce instead of a stack of firewalls."
Education has to include bring-your-own-device (BYOD) scenarios, as well. Best practice dictates that when employees ask to put their phones and other personal devices on the company network, the answer is "no." That may be an impossible rule in large enterprise environments, but in SMB situations, it should be the norm. This is not because the business owners are mean, unreasonable people; rather, it's that they do not possess the proper resources to safely handle such situations.
Most SMBs are ill-equipped to add that new concern when they are just trying to get a handle on the basics. If a wireless network is needed for phone use, it should be a separate, isolated network (its own SSID on its own VLAN, with no route into the corporate network and no shared credentials) that does not touch the corporate network, and all employees (including the boss and their spouse/kids) should be required to use it. If properly taught, employees will understand and agree with this policy.
Read part 2 of this article: Can SMBs Do Something to Prevent Ransomware? (Yes!) - Part 2
About Dave Moore
Dave Moore has been providing IT services in Oklahoma since 1984. As founder of the Internet Safety Group, he has been teaching Internet safety workshops for public and private organizations since 2008, and has written his weekly newspaper column, “Computer Sense,” for The Norman Transcript since 2005.