Ransomware – Protecting your users and recovering from infections
1st February 2019

There has been a considerable increase in incidents involving malware known as Ransomware – such as CryptoLocker – which infects a PC, encrypts all the files and any mapped drives that it can find, and then demands payment for the decryption key.

With ‘Crypto Toolkits’ available on the dark web for around $100, even someone with basic programming skills can construct a new variant of Ransomware, so this is a problem that is unlikely to go away quickly.

For the user, once infected, the only options are to pay the ransom (and even paying does not guarantee that the files come back) or to restore their data from a backup.

An episode will be extremely disruptive to any company and potentially costly financially as well as in time and reputation.

Company Prevention and Recovery Plan

Any company plan should be separated into three areas.

  1. How to recover from an infection
  2. Protection
  3. User Awareness

1.      How to recover from an infection

It may seem the wrong way around to start with recovery but this is a plan that must be prepared prior to any infection outbreak to stand any chance of a reasonable recovery.

It shouldn’t really come to this if the other two areas are adhered to, but in the worst case scenario this will be the only solution and it should be part of the company recovery plan. It really can be summarised as Backup, Backup, Backup!

This should be subdivided into server based data and local PC data.

Local PCs and Laptops

We know that data should never be stored locally on the C drive, but we also know that users still do. Important information is also stored locally, such as favourites, saved web logins, cookies and shortcuts. This is the stuff that saves time for users and would be lost if a factory reset is required. Each local PC or laptop should have a System Recovery disk (usually a USB memory stick or DVD) and a System Backup (on a removable USB drive) made. It is absolutely essential that these are removed from the PC after the backup has completed: anything attached to the PC when it is infected, including a plugged-in backup drive, will be encrypted along with it.

The System Backup is only as current as the last backup, so the user must decide how far back they are willing to recover from. I would suggest a weekly backup at this user level, but this should be decided on a personal basis.

Without a local backup a factory reset rebuild will be the only option. The effort and cost of a local backup must be weighed against the disruption of losing all local personal settings and data.

Servers and Centralised Data

Company data is the most essential data to the business and should receive the highest level of consideration.

Senior Management – as part of their Disaster Recovery Plan – should decide what is an acceptable and practical recovery point to step back to (in other words, how much recent work the business can afford to lose). This will vary with the importance and volume of changed data and can be anything from 1 hour, 4 hours or 1 day up to 1 week.

Any backup storage must be detached from the server as soon as the backup is complete. We strongly recommend a cloud based off-site solution such as our own LiveStor solution. Whatever is used, the backup copies must be kept somewhere the infected machine cannot overwrite or delete them: a cloud folder that simply mirrors the server will faithfully copy the encrypted files over the good ones, so the backup service must keep dated versions.
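The principle in both the local PC and the server sections above is the same: take a dated copy, never a plain mirror, and disconnect the backup media as soon as the copy is finished. The PowerShell script below is an added example of that procedure for a user's PC; it is not a CPLUS script and not part of LiveStor. It assumes the removable backup drive is E: and that robocopy (which ships with Windows) is available.

```powershell
# Added example, not CPLUS's own tooling. Copies the current user's profile
# to a removable drive as a new, dated backup set and then ejects the drive,
# so that ransomware running on the PC later cannot reach the backup.
# Assumptions: the backup drive is E: and robocopy.exe is on the PATH.
param(
    [string]$BackupDrive = 'E:',
    [string]$Source      = $env:USERPROFILE,
    [int]$KeepSets       = 4
)

if (-not (Test-Path "$BackupDrive\")) {
    throw "Backup drive $BackupDrive is not attached. Plug it in, then re-run."
}

# Each run gets its own folder. Do NOT use robocopy /MIR against a single
# folder: a mirror would copy encrypted files over the good ones and delete
# anything the ransomware deleted, leaving nothing to restore from.
$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$setRoot = Join-Path $BackupDrive "Backup_$env:COMPUTERNAME"
$dest = Join-Path $setRoot $stamp
$log  = "$dest.log"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# /E  copy subfolders including empty ones   /COPY:DAT  data, attributes, timestamps
# /R:1 /W:1  do not hang on locked files     /XJ  skip junctions (avoids loops)
# /XD  leave out browser and temp caches, which are large and not worth keeping
$roboArgs = @(
    $Source, $dest, '/E', '/COPY:DAT', '/R:1', '/W:1', '/XJ',
    '/XD', "$Source\AppData\Local\Temp", "$Source\AppData\Local\Microsoft\Windows\INetCache",
    "/LOG:$log", '/NP', '/NFL', '/NDL'
)
& robocopy.exe @roboArgs
# robocopy exit codes below 8 mean the copy succeeded (some files may have been skipped).
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported errors (exit code $LASTEXITCODE); see $log"
}

# Prune old sets so the drive does not fill up, keeping the newest $KeepSets.
# The yyyy-MM-dd_HHmm names sort correctly as plain text.
Get-ChildItem $setRoot -Directory |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepSets |
    Remove-Item -Recurse -Force

# Eject the drive. A backup drive that stays plugged in is just another
# drive for the ransomware to encrypt.
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace(17).ParseName($BackupDrive).InvokeVerb('Eject')
Write-Host "Backup $stamp complete. Unplug $BackupDrive and store it away from the PC."
```

Run it from a PowerShell prompt as the user whose profile is being backed up (for example `.\Backup-Profile.ps1 -BackupDrive 'F:'` if the drive letter differs). To restore, copy the wanted folders back from the most recent set on the drive; the `.log` file beside each set records what was copied and what was skipped.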

2.      Protection

Ideally, automatic protection should guard you from viruses and malware infection. This is true in most cases but it does require some management and checking.

Viruses and malware prey on security flaws in operating systems and applications. The following guidelines and advice will minimise the likelihood of infection.

  • Set up Operating System and Application updates to automatic and ensure that users allow them to apply (a postponed restart is an unpatched machine).
  • Check that antivirus is up to date and updated automatically at least daily.
  • Use Gateway Security such as Spam Management and Web Content Filters and ensure these are current.
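The first two points can be checked on a PC in a few seconds rather than by trusting the tray icon. The script below is an added example of that check, not a CPLUS tool; it assumes Windows 10 with Windows Defender as the antivirus (a third-party product needs its own management console instead) and uses the standard Windows Update COM interface and the Defender PowerShell module.

```powershell
# Added example, not CPLUS's own tooling: a quick health check of the
# "updates are automatic and applied" and "antivirus is on and current"
# points above. Assumes Windows 10 with Windows Defender.
$problems = @()

# 1. Windows Update: is it set to install automatically, and has anything
#    actually been installed recently? NotificationLevel 4 = scheduled install.
$wu = New-Object -ComObject Microsoft.Update.AutoUpdate
if ($wu.Settings.NotificationLevel -ne 4) {
    $problems += "Automatic updates are not set to install automatically (level $($wu.Settings.NotificationLevel))"
}
$lastInstall = $wu.Results.LastInstallationSuccessDate
if (-not $lastInstall -or $lastInstall -lt (Get-Date).AddDays(-30)) {
    $problems += "No update installed successfully in the last 30 days (last: $lastInstall)"
}

# 2. Antivirus: enabled, real-time protection on, signatures no older than a day.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $problems += 'Antivirus is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $problems += 'Real-time protection is switched off' }
if ($mp.AntivirusSignatureAge -gt 1) {
    $problems += "Signatures are $($mp.AntivirusSignatureAge) days old (last updated $($mp.AntivirusSignatureLastUpdated))"
}

# Windows 10 1709 and later only: Controlled Folder Access stops untrusted
# programs from writing to Documents, Pictures etc. (1 = enabled, 2 = audit, 0 = off).
$pref = Get-MpPreference
if ($pref.EnableControlledFolderAccess -ne 1) {
    $problems += 'Controlled Folder Access is not enabled'
}

# 3. Report. Run as an administrator; the output is short enough to collect
#    from every PC via whatever remote-management tool is already in use.
if ($problems.Count -eq 0) {
    Write-Host "$env:COMPUTERNAME`: all checks passed"
} else {
    Write-Warning "$env:COMPUTERNAME`: $($problems.Count) issue(s) found"
    $problems | ForEach-Object { Write-Warning "  - $_" }
}
```

Any line reported here is something a user may have switched off or postponed, which is exactly the "users overriding security measures" case described below; fixing it is a matter of turning the setting back on, not of buying anything new.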

Unfortunately, even following these precautions may not protect against ‘zero-day’ virus releases or against users overriding security measures.

3.      User Awareness

This is the most critical area and the one most likely to avoid a problem. All of the recent Ransomware outbreaks that we have seen have required an action by the user for the infection to be activated. This may be opening an email attachment, clicking on an embedded link or browsing to an infected website.

Therefore, most, if not all, infections could have been stopped by user intervention.

User Training

Firstly, even the cleverest get drawn into a well-planned scam. The scammers prey mainly on our fears about security to lure us in.

All users should be made aware of the following advice.

Any email has two main points to consider: who it is from and what the content is about.

Any received email should be placed into one of two categories.

  1. Emails from known contacts or ones that are expected (with some provisos*)
  2. Unexpected and unsolicited emails

Note* – even known contacts can be spoofed, so the content would still need to be assessed.

Category 1 emails should be OK, but anything in category 2 should be carefully assessed.

Treat Emails like home callers

If someone comes to your home, you subconsciously assess them very quickly. Are they known? Are they expected? Are they offering something that seems dubious? Are they asking for something from you? Are they trying to get you to do something?

We make these reviews very quickly and send anyone who doesn’t seem right on their way.

Email should be treated in exactly the same manner. If it is too good to be true, it probably is. If it doesn’t feel right, hit the delete button.

Even if you think it may be valid, use caution

Emails that prey on security fears (‘your account has been accessed…’) may have links embedded in them. While they may look real, extreme caution should be applied. If you are concerned, go straight to your account by an independent route, such as typing the address into a browser yourself or using the company’s app, but never from the links in the email. Also, as obvious as it seems, do not use the contact telephone numbers in the email; check them independently.

If you are still in doubt, seek the view of a colleague.

And if you do get infected

Even with the best efforts, infection may still occur. In this scenario speed is essential to minimise the infection.

If you are faced with a screen saying that your files are encrypted, quickly pull the network cable from the back of your PC (or switch off Wi-Fi on a laptop). This could stop the infection spreading to the wider network and to mapped drives. Leave the PC switched on and do not try to clean it yourself. Then immediately phone the CPLUS Helpdesk on 0118 989 9109 and we will talk you through the next steps and start the recovery.
