
What to Expect When You are Not Expecting…Ransomware Attacks


One of my favorite Monty Python bits was, “No One Expects the Spanish Inquisition!!” I still giggle thinking about it. I tell you, though, while no one expects a ransomware attack, it is no laughing matter. Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access. Almost all current ransomware criminals demand that payment be sent via untraceable instruments such as cryptocurrency.[1]

In the current business environment, we are bombarded with emails. In the past, malicious spam was used to lure unsuspecting employees into clicking on a link or attachment carrying code that delivers malware. Ransomware bandits are clever and know that most IT departments have trained employees not to open spam or strange emails, and for gosh sakes never to click on a link or attachment. These crafty criminals have adapted with the times. They use online advertising that can direct users to criminal servers without their knowledge and without them ever clicking on an ad. Cybercriminals are also very good at mimicking legitimate emails from within the targeted company to get access to the victim’s computers and the business’s servers. Once in, ransomware typically falls into one of three main types.


1. Scareware – pop-ups that claim your computer is infected and you need to pay to get rid of it. It is relatively harmless. You will just get nuisance pop-ups, but your files are probably safe.

2. Screen Lockers – this freezes your PC, often accompanied by an FBI seal saying illegal activity has been detected on your computer and you must pay a fine.

3. Encrypting ransomware – this is vile. The criminals seize your files and encrypt them, demanding a larger payment to decrypt and redeliver your files. There is no way to remedy this. Unless your company pays the ransom, your files are gone. Remember, you are not dealing with honest people. There are no guarantees that after you pay, you will get your files back.

In August of 2019, hundreds of U.S. dental offices around the country found they could no longer access their patients’ records. The attackers used a compromised Managed Service Provider (MSP), in this case, a medical records software company, to infect over 400 dental offices across the U.S. using their software.[2]

As dire as all of this sounds, what can your company do?

  • Hire a firm to help you remediate, scan, and remove the threat, but your files will probably be gone
  • Pay the ransom, but will you get your files back?
  • Contact the FBI

I used to work for a great man who always said, “vigilance is the price of safety.” This advice is particularly relevant in protecting your company from a ransomware attack. While there are many ways to prevent a ransomware attack, one single action is not going to completely protect your network. There is no silver bullet that will stop ransomware dead. A blended response of several actions is required.

  1. Good old Cybersecurity:
    1. Don’t provide personal information when answering an email, unsolicited phone call, text message, or instant message.
    2. Phishers will try to trick you into installing malware or gather intelligence for attacks by claiming to be from your credit card, bank, or someone in your IT department
    3. Contact your IT department immediately if you or one of your coworkers receive suspicious calls, emails, or texts
    4. Employ content scanning and filtering on your mail servers -- inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
    5. Do not open any attachments from unknown senders unless they have been scanned.
  2. Anti-exploit technology:
    1. Use a reputable antivirus software and a firewall.
    2. Maintaining a strong firewall and keeping your security software up to date are critical ways to keep your files safe
    3. It’s important to use antivirus software from a reputable company because of all the fake software out there
  3. Up to Date Technology:
    1. Ensure all, and I do mean ALL, of your systems and software are up to date with relevant patches
    2. Exploit kits hosted on compromised websites are commonly used to spread malware; beware of people surfing sketchy websites on your company networks
    3. Regular patching of vulnerable software is necessary to help prevent infection.
  4. Regular backups of your files
    1. Restoration of your files from a backup is the fastest way to regain access to your data.
    2. Have a disciplined backup regimen, including backing up files in separate servers and instances
    3. If you do not have a complete backup or only a partial backup, attempt to regain your data by utilizing the last known good configuration.
    4. Beware, cybercriminals may spend years gathering intelligence on your organization before ransoming your files. Your last known good configuration may be compromised. It is important to get outside help during a ransomware attack and not go it alone.
  5. Utilize cloud storage with high levels of encryption
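
To make the mail-filtering advice in item 1.4 concrete, here is an added example (not code from the original article) of an inbound check that flags attachment types a gateway would refuse, including a dangerous extension hidden behind a harmless-looking one. The blocklist, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist (illustrative, not from the article): executable, script
# and macro-enabled Office extensions commonly refused at the mail gateway.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf",
    ".hta", ".lnk", ".ps1", ".msi", ".iso", ".docm", ".xlsm", ".pptm",
}

def risky_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment that should be blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if not name:
            # Fail closed: a type that cannot be determined is not trusted.
            findings.append(("<unnamed>", "attachment has no filename"))
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        suffixes = [s.lower() for s in PurePosixPath(name.rstrip(". ")).suffixes]
        if suffixes and suffixes[-1] in BLOCKED_EXTENSIONS:
            reason = f"blocked type {suffixes[-1]}"
            if len(suffixes) > 1:
                # e.g. "invoice.pdf.exe" displays as a PDF when extensions are hidden
                reason += f" hidden behind {suffixes[-2]}"
            findings.append((name, reason))
    return findings

def build_sample() -> bytes:
    """Constructed sample message (not real mail) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for filename in ("report.pdf", "invoice.pdf.exe", "timesheet.xlsm"):
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in risky_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

An extension check like this complements, rather than replaces, scanning attachment contents for known threats.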

All is not lost. You are not alone if you are the victim of ransomware. Your best solution is to be proactive now by educating all your employees about malware, ransomware, and how to behave intelligently online. Invest in cybersecurity and have an expert evaluation of your networks, especially if you have sensitive financial or medical data. For Neptune’s sake, regularly back up your files and store them in a safe and separate place. Utilize firewalls and scanning software. Finally, reach out to LTA for some free advice on how to proceed. We recently helped a client with a ransomware event and will be glad to help you think through your next steps.


[1] “Ransomware,” Malwarebytes website, accessed online https://www.malwarebytes.com/ransomware/, March 24, 2020.

[2] Ibid.
