Small Business - Guide to Ransomware

What is it?

Ransomware is malicious software that an attacker gets running on a machine inside your network, usually a Windows desktop, to encrypt every file it can reach, company shared drives included, and then hold the decryption key to ransom. Payment is almost always demanded in Bitcoin, which is hard (though not impossible) to trace back to the criminals.

Strains of this attack are commonly lumped together under the name of one early family, Cryptolocker.

There are even criminal groups selling this malware as a service in return for a cut of every ransom paid (10% is a figure that has been quoted), so anyone can run a campaign without writing a line of code.


How do I stop it? 

Spam Filters

Make sure you have one in front of your Office 365 tenant or email server. A good filter scans attachments and the macros inside them, blocks mail that has been bulk-sent, and stops the message before it ever reaches your server, let alone a user's inbox.

User training

Make sure users are wary of emails with attachments, especially ones they were not expecting. For example: why is my gas company sending my home gas bill to my work email? Why is TNT sending me a delivery note when I have not received anything? The right reaction is to report it and delete it, not open it to find out.

Keep Up-To-Date

A lot of ransomware gets in through out-of-date programs such as Flash and Java, sometimes by way of malicious adverts on otherwise legitimate websites. Keep these up to date (or remove them altogether if nobody actually needs them), or speak to your IT provider about a tool that deploys the updates weekly, and consider an advert blocker in the browser.

Disable Macro Scripts

Cryptolocker variants like to arrive as zipped-up Word, Excel and PowerPoint files dressed up as harmless-looking invoices; a macro inside the document downloads the real program to the computer. (PDF attachments get the same treatment: they cannot carry Office macros, but they can carry scripts and links to the download.) Office disables macros by default and shows a yellow warning bar; make sure users read that warning and never click Enable Content on a document they were not expecting.

Group Policies

Use Group Policy to stop executables running from the AppData and Local AppData folders (via Software Restriction Policies, or AppLocker on Enterprise editions). Attachments and the droppers they download nearly always unpack into those folders, so a blanket block there stops most of them without touching properly installed software under Program Files.
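The following script is an added example, not part of the original guide: it writes the local registry values behind the two policies just described (Software Restriction Policies for the profile folders, and the Office macro settings), so a small office can test them on one PC before pushing the same settings out through Group Policy. The rule paths, the file-type list and the Office registry version (16.0, i.e. Office 2016/2019/365) are assumptions for this illustration. Run it from an elevated PowerShell; the SRP part takes effect after a reboot.

```powershell
# Added example (not the guide's own code). Local equivalents of the GPO
# settings: HKLM Software Restriction Policies + HKCU Office macro policy.
# Paths, file types and Office version 16.0 are assumptions for illustration.
#Requires -RunAsAdministrator

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel        -Value 262144 -Type DWord  # Unrestricted by default
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Value 1      -Type DWord  # enforce on executables, not DLLs
Set-ItemProperty -Path $safer -Name PolicyScope         -Value 0      -Type DWord  # all users, admins included
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0      -Type DWord

# Designated file types: the Windows defaults plus the script types email
# droppers use (a .js or .wsf inside a zip runs with one double-click).
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
         'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
         'URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
Set-ItemProperty -Path $safer -Name ExecutableTypes -Value $types -Type MultiString

# Disallowed (security level 0) path rules: nothing runs from the profile
# folders where attachments and droppers land. Each rule is a GUID-named key.
$rules = '%AppData%\*.exe',      '%AppData%\*\*.exe',
         '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
         '%LocalAppData%\Temp\*\*.exe'   # e.g. Temp\Rar$...\invoice.exe from a zip opened in place
foreach ($rule in $rules) {
    $key = New-Item -Path "$safer\0\Paths\{$([guid]::NewGuid())}" -Force
    Set-ItemProperty -Path $key.PSPath -Name ItemData    -Value $rule -Type ExpandString
    Set-ItemProperty -Path $key.PSPath -Name SaferFlags  -Value 0     -Type DWord
    Set-ItemProperty -Path $key.PSPath -Name Description -Value 'Block executables in the user profile (ransomware droppers)'
}

# Office macros, per user (HKCU is what a User Configuration GPO writes).
# VBAWarnings 3 = only digitally signed macros may run (4 = no macros at all).
# blockcontentexecutionfrominternet refuses macros in files that arrived by
# email or download (Mark-of-the-Web), which is exactly the fake-invoice case.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    Set-ItemProperty -Path $sec -Name VBAWarnings                       -Value 3 -Type DWord
    Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}
```

Test on one machine for a week before rolling out: some legitimate programs (browser and chat-client updaters are the usual culprits) install themselves under Local AppData and will need an Unrestricted exception, which lives under the same key at security level 262144. SRP matches on path only, so it is a cheap layer on top of antivirus, not a replacement for it.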

Antivirus

Make sure it's turned on. Remember when you turned off the antivirus to stop it nagging you about updates or a false positive? Make sure it went back on. Run a central management console for all your antivirus clients so you can see at a glance which machines have protection disabled or signatures that have not updated.
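If you have no management console yet, the sweep below does the basic check for you. It is an added example, not part of the original guide, and assumes the machines run Windows Defender and accept PowerShell remoting (Enable-PSRemoting) from an admin account; the computer names are placeholders.

```powershell
# Added example (not the guide's own code). Poll each PC for Defender status
# and flag anything with real-time protection off or stale signatures.
# Assumes Windows Defender and WinRM; computer names are placeholders.
$computers     = 'PC-RECEPTION', 'PC-ACCOUNTS', 'PC-WAREHOUSE'   # placeholder names
$maxSigAgeDays = 2                                              # older than this counts as stale

$report = foreach ($c in $computers) {
    try {
        $s = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock { Get-MpComputerStatus }
        $status = if (-not $s.AMServiceEnabled)             { 'ALERT: antivirus service stopped' }
                  elseif (-not $s.RealTimeProtectionEnabled) { 'ALERT: real-time protection OFF' }
                  elseif ($s.AntivirusSignatureAge -gt $maxSigAgeDays) {
                      "ALERT: signatures $($s.AntivirusSignatureAge) days old" }
                  else                                        { 'OK' }
        [pscustomobject]@{
            Computer      = $c
            RealTime      = $s.RealTimeProtectionEnabled
            SigAgeDays    = $s.AntivirusSignatureAge
            LastQuickScan = $s.QuickScanEndTime
            Status        = $status
        }
    } catch {
        # A machine you cannot reach is as much of a finding as one with AV off.
        [pscustomobject]@{ Computer = $c; RealTime = $null; SigAgeDays = $null
                           LastQuickScan = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
    }
}

$report | Format-Table -AutoSize
# Keep the exceptions so the IT provider can chase them up.
$report | Where-Object Status -ne 'OK' |
    Export-Csv -Path ".\av-exceptions-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Schedule it daily with Task Scheduler and read the CSV rather than trusting that nobody has touched the settings. For third-party antivirus the same idea applies, but you would query the vendor's own console or the root\SecurityCenter2 WMI namespace instead of Get-MpComputerStatus.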

File Server Resource Manager

Set up alerts for when files with known ransomware extensions, or ransom-note names, land on your server, so you can immediately pull the offending machine off the network. The response can even be automated, and because the file server sees the first encrypted file within seconds, this is often the earliest warning you will get.
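The script below is an added example, not part of the original guide, of what that automation looks like with File Server Resource Manager on a Windows file server. It creates a file screen that writes a Windows event and runs a response script which removes the offending user's access to every share the moment a matching file is created. The share root, the pattern list (a constructed sample of common extensions and ransom-note names) and the script path are assumptions.

```powershell
# Added example (not the guide's own code). FSRM file screen that alerts on,
# and blocks the account behind, the first ransomware-looking file written to
# a share. Share root, patterns and script path are assumptions.
#Requires -RunAsAdministrator
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null

$sharePath  = 'D:\Shares'                    # assumption: root folder that holds the company shares
$scriptPath = 'C:\Scripts\Block-RansomUser.ps1'
$patterns   = @('*.zzz', '*.encrypted', '*.locky', '*.crypt',              # constructed list: extensions...
                'HELP_DECRYPT*', '*DECRYPT_INSTRUCTIONS*', 'readme.html')  # ...and ransom-note names

# Response script. FSRM substitutes DOMAIN\user for [Source Io Owner] when it runs it.
New-Item -Path (Split-Path $scriptPath) -ItemType Directory -Force | Out-Null
@'
param([Parameter(Mandatory)][string]$User)
# Deny the offending account on every non-administrative share so the
# encryption stops spreading, then leave a trail for the IT provider.
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $User -Force
}
Add-Content -Path 'C:\Scripts\ransomware-blocks.log' -Value "$(Get-Date -Format s) blocked $User"
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# 1. The indicators, as an FSRM file group.
New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns | Out-Null

# 2. Notifications: an event your monitoring can page on, and the block script.
$logEvent  = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware indicator [Source File Path] written by [Source Io Owner] on [Server]. Isolate that machine now.'
$blockUser = New-FsrmAction -Type Command -SecurityLevel LocalSystem -ShouldLogError `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File $scriptPath -User `"[Source Io Owner]`"" `
    -RunLimitInterval 1   # minutes; stops one outbreak firing the script hundreds of times

# 3. The screen itself. -Active refuses the write as well as notifying.
New-FsrmFileScreen -Path $sharePath -IncludeGroup 'Ransomware indicators' `
    -Notification $logEvent, $blockUser -Active
```

Two caveats. The screen matches on file name only, so a strain that uses a random extension will get past the block; the alert on the ransom note is the part you rely on, and the name list needs updating as new strains appear. And an active screen will also refuse a perfectly innocent readme.html, so agree the pattern list with whoever owns the data before switching it on.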


What if I get infected?

Call your IT Provider Straight Away

You will start seeing your files change extension from .doc (a Word document) to something like .zzz, and you will be unable to open them. This means they are encrypted: the malware is encrypting, or has already encrypted, the company data. A Readme.html (or similar) ransom note is also dropped in every directory with instructions on how to pay and a deadline. The note does not contain the unlock key; the key is what the ransom is supposed to buy.

Call your IT provider so they can work out which computer is infected (the owner of the ransom notes, or the account that last touched the encrypted files, usually points straight at it). That machine needs to be unplugged from the network and wiped. They can then get on with restoring the data.

Try and Find an Unlock Key

Kaspersky publishes a set of free decryption tools that can unlock the files from some strains. Check whether one exists for your strain before you consider paying anything.

Backups 

Backups are your last line of defence if no unlock tool exists for your strain. Depending on your backup software (Veeam, Backup Exec) you should be able to restore from the previous night's backup, meaning the loss of a day's data rather than everything. Two things to check before you trust this: the backup must be somewhere the infected machine could not reach (ransomware happily encrypts a backup drive or share it can see), and you should have actually tested a restore. This is also a good time to think about your backup plan; adding a midday backup cuts the worst case from 24 hours of lost work to 12.

Pay up

This is the last resort. It never helps to pay a ransom, since it funds and encourages the next attack, but if it is your only option, a $500 payment may well be cheaper than losing all your data. Payment is no guarantee of getting anything back; where it has worked, the decryptor needed the encrypted files and the ransom notes left exactly where they were, so do not delete, rename or move anything before you decide.