The ULTIMATE Guide to Protecting Your Business Against Ransomware

Introduction

More and more, ransomware has emerged as a major threat to individuals and businesses alike. Ransomware, a type of malware that encrypts data on infected systems, has become a lucrative option for cyber extortionists. When the malware is run, it locks victim’s files and allows criminals to demand payment to release them.

black spider Unless you’ve been living under a rock, you are probably well aware that ransomware is a hot topic in the news these days. Organizations of all types and sizes have been impacted, but small businesses can be particularly vulnerable to attacks. And ransomware is on the rise. In a recent study conducted by security software vendor McAfee Labs, researchers identified more than 4 million samples of ransomware in Q2 of 2015, including 1.2 million new samples. That compares with fewer than 1.5 million total samples in Q3 of 2013 (400,000 new). Ransomware is distributed in a variety of ways and is difficult to protect against because, just like the flu virus, it is constantly evolving.

There are ways to protect your business against ransomware attacks. In this e-book you’ll learn how the malware is spread, the different types of ransomware proliferating today, and what you can do to avoid or recover from an attack. Hiding your head in the sand won’t work, because today’s ransom seekers play dirty. Make sure your organization is prepared.

new malware modifications in Q1 2016



of ransomware victims were unable to access their data for 2 days



has been paid in ransomware in the first 3 months of 2016



of SMBs fell prey to phishing emails in 2015

What is Ransomware?

Ransomware can take different forms, but it is a type of malware that denies access to a device or files until a ransom has been paid. Ransomware encrypts your employee’s or corporate files and forces you to pay a fee to the hacker in order to regain access to their files.

Ransomware encrypts the files on a workstation, and can travel across your network and encrypt files located on both mapped and unmapped network drives. It’s how one infected user can bring a department or entire organization to a halt.

Once the files are encrypted, the hackers will display a screen or webpage explaining how to pay to unlock the files. Historically, ransoms started in the $300-$500 range, but fast forward to 2016 and companies are being hit with ransoms in the thousands of dollars.

Paying the ransom invariably involves paying a form of e-currency (cryptocurrency) like Bitcoin. Once the hackers verify payment, they provide “decryptor” software, and the computer starts the arduous process of decrypting all of the files.

Ransomware Today

There are a few dominant types, or families, of ransomware in existence. Each type has its own variants. It is expected that new families will continue to surface as time goes on. Historically, Microsoft Office, Adobe PDF and image files have been targeted, but McAfee predicts that additional types of files will become targets as ransomware continues to evolve.

Most ransomware uses the AES algorithm to encrypt files, though some use alternative algorithms. To decrypt files, cyber extortionists typically request payment in the form of Bitcoins or online payment voucher services, such as Ukash or Paysafecard. The standard rate is about $500, though we’ve seen much higher. Cyber criminals behind ransomware campaigns typically focus their attacks in wealthy countries and cities where people and businesses can afford to pay the ransom. In recent months, we’ve seen repeated attacks on specific verticals, most notably healthcare.

How Ransomware is Spread

PHISHING ATTACKS Spam is the most common method for distributing ransomware. It is generally spread using some form of social engineering; victims are tricked into downloading an e-mail attachment or clicking a link. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file, for example. Or, email might come from a trusted institution (such as a bank) asking you to perform a routine task. Sometimes, ransomware uses scare tactics such as claiming that the computer has been used for illegal activities to coerce victims. Once the user takes action, the malware installs itself on the system and begins encrypting files. It can happen in the blink of an eye with a single click.

DRIVE-BY DOWNLOAD Another common method for spreading ransomware is a software package known as an exploit kit. These packages are designed to identify vulnerabilities and exploit them to install ransomware. In this type of attack, hackers install code on a legitimate website that redirects computer users to a malicious site. Unlike the spam method, sometimes this approach requires no additional actions from the victim. This is referred to as a “drive-by download” attack.

The most common exploit kit in use today is known as Angler. A May 2015 study conducted by security software vendor Sophos showed that thousands of new web pages running Angler are created every day. The Angler exploit kit uses HTML and JavaScript to identify the victim’s browser and installed plugins, which allows the hacker to select an attack that is the most likely to be successful. Using a variety of obfuscation techniques, Angler is constantly evolving to evade detection by security software products. Angler is just one exploit kit, there are a variety of others in use today as well.

FREE SOFTWARE Another common way to infect a user’s machine is to offer a free version of a piece of software. This can come in many flavors such as “cracked” versions of expensive games or software, free games, game “mods”, adult content, screensavers or bogus software advertised as a way to cheat in online games or get around a website’s paywall. By preying on the user in this way, the hackers can bypass any firewall or email filter. For example, one ransomware attack exploited the popularity of the game Minecraft by offering a “mod” to players of Minecraft. When users installed it, the software also installed a sleeper version of ransomware that activated weeks later.

RANDOMWARE-AS-A-SERVICE Spam botnets and exploit kits are relatively easy to use, but require some level of technical proficiency. However, there are also options available for the aspiring hackers with minimal computer skills. According to McAfee, there are ransomware-as-a-service offerings hosted on the Tor network, allowing just about anyone to conduct these types of attacks.

“It’s not a matter of if, but when you’re going to get hit.”

– Lance James, Chief Scientist at Flashpoint

Common Types of Ransomware

As noted above, ransomware is constantly evolving and new variants are appearing all the time. So, it would be difficult, if not impossible, to compile a list of every type of ransomware proliferating today. While the following is not a complete list of today’s ransomware, it gives a sense of the major players and the variety in existence.

CryptoLocker

Ransomware has been around in some form or another for the past two decades, but it really came to prominence in 2013 with CryptoLocker. The original CryptoLocker botnet was shut down in May 2014, but not before the hackers behind it extorted nearly $3 million from victims. Since then, the CryptoLocker approach has been widely copied, although the variants in operation today are not directly linked to the original. The word CryptoLocker, much like Xerox and Kleenex in their respective worlds, has become almost synonymous with ransomware.

CryptoLocker is distributed via exploit kits and spam. When the malware is run, it installs itself in the Windows User Profiles folder and encrypts files across local hard drives and mapped network drives. It only encrypts files with specific extensions, including Microsoft Office, OpenDocument, images and AutoCAD files. Once the dirty work is done, a message informing the user that files have been encrypted is displayed on said user’s screen demanding a Bitcoin payment.

CryptoWall

CryptoWall gained notoriety after the downfall of the original CryptoLocker. It first appeared in early 2014, and variants have appeared with a variety of names, including: Cryptorbit, CryptoDefense, CryptoWall 2.0 and CryptoWall 3.0, among others. Like CryptoLocker, CryptoWall is distributed via spam or exploit kits.

The initial version of CryptoWall used an RSA public encryption key but later versions (including the latest CryptoWall 3.0) use a private AES key, which is further masked using a public AES key. When the malware attachment is opened, the CryptoWall binary copies itself into the Microsoft temp folder and begins to encode files. CryptoWall encrypts a wider variety of file types than CryptoLocker but, when encryption is complete, also displays a ransom message on a user’s screen demanding payment.

CTB-Locker

The criminals behind CTB-Locker take a different approach to virus distribution. Taking a page from the playbooks of Girl Scout Cookies and Mary Kay Cosmetics, these hackers outsource the infection process to partners in exchange for a cut of the profits. This is a proven strategy for achieving large volumes of malware infections at a faster rate.

When CTB-Locker runs, it copies itself to the Microsoft temp directory. Unlike most forms of ransomware today, CTB-Locker uses Elliptic Curve Cryptography (ECC) to encrypt files. CTB-Locker impacts more file types than CryptoLocker. Once files are encrypted, CTB-Locker displays a ransom message demanding payment in, you guessed it, Bitcoins.

Locky

Locky is a relatively new type of ransomware, but its approach is familiar. The malware is spread using spam, typically in the form of an email message disguised as an invoice. When opened, the invoice is scrambled, and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. Bitcoin ransom is demanded when encryption is complete. Are you sensing a pattern here?

The spam campaigns spreading Locky are operating on a massive scale. One company reported blocking five million emails associated with Locky campaigns over the course
of two days.

TeslaCrypt

TeslaCrypt is another new type of ransomware on the scene. Like most of the other examples here,
it uses an AES algorithm to encrypt files. It is typically distributed via the Angler exploit kit specifically attacking Adobe vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder. When the time comes for victims to pay up, TeslaCrypt gives a few choices for payment: Bitcoin, PaySafeCard and Ukash are accepted here. And who doesn’t love options?

TorrentLocker

TorrentLocker is typically distributed through spam email campaigns and is geographically targeted, with email messages delivered to specific regions. TorrentLocker is often referred to as CryptoLocker, and it uses an AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim’s address book to spread malware beyond the initially infected computer/network—this is unique to TorrentLocker.

TorrentLocker uses a technique called process hollowing, in which a Windows system process is launched in a suspended state, malicious code is installed, and the process is resumed. It uses explorer.exe for process hollowing. This malware also deletes Microsoft Volume Shadow Copies to prevent restores using Windows file recovery tools. Like the others outlined above, Bitcoin is the preferred currency for ransom payment.

KeRanger

According to ArsTechnica, KeRanger ransomware was recently discovered on a popular BitTorrent client. KeRanger is not widely distributed at this point, but it is worth noting because it is known as the first fully functioning ransomware designed to lock Mac OS X applications.

Ransom32

Ransom32 is a variety of “ransomware-as- a-service” that effectively puts the power to create ransomware into the hands of just about anyone – regardless of their technical know-how. What makes Ransom32 really dangerous is that it is coded entirely using JavaScript, which means it can be used to target computers running Windows, Mac OS X and Linux.

Protect Against Ransomware

Cyber criminals armed with ransomware are a formidable adversary. While small-to-mid-sized businesses aren’t specifically targeted in ransomware campaigns, they may be more likely to suffer an attack. Frequently, small business IT teams are stretched thin and, in some cases, rely on outdated technology due to budgetary constraints. This is the perfect storm for ransomware vulnerability. Thankfully, there are tried and true ways to protect your business against ransomware attacks. Security software is essential, however, you can’t rely on it alone. A proper ransomware protection strategy requires a three-pronged approach, comprising of education, security and backup.

Security software is essential, however, you can’t rely on it alone. A proper ransomware protection strategy requires a three-pronged approach, comprising of education, security, and backup/recovery.

Dale Shulmistra

Business Continuity Specialist, Invenio IT

Education

First and foremost, education is essential to protect your business against ransomware. It is critical that your staff understands what ransomware is and the threats that it poses. Provide your team with specific examples of suspicious emails with clear instructions on what to do if they encounter a potential ransomware lure (i.e. don’t open attachments, if you see something, say something, etc).

Conduct bi-annual formal training to inform staff about the risk of ransomware and other cyber threats. When new employees join the team, make sure you send them an email to bring them up to date about cyber best practices. It is important to ensure that the message is communicated clearly to everyone in the organization, not passed around on a word of mouth basis. Lastly, keep staff updated as new ransomware enters the market or changes over time.

Security

Antivirus software should be considered essential for any business to protect against ransomware and other risks. Ensure your security software is up to date, as well, in order to protect against newly identified threats. Keep all business applications patched and updated in order to minimize vulnerabilities.

Some antivirus software products offer ransomware-specific functionality. Sophos, for example, offers technology that monitors systems to detect malicious activities such as file extension or registry changes. If ransomware is detected, the software has the ability to block it and alert users.

However, because ransomware is constantly evolving, even the best security software can be breached. This is why a secondary layer of defense is critical for businesses to ensure recovery in case malware strikes: backup.

Backup

Modern total data protection solutions, like Datto, take snapshot-based, incremental backups as frequently as every five minutes to create a series of recovery points. If your business suffers a ransomware attack, this technology allows you to roll-back your data to a point-in-time before the corruption occurred. When it comes to ransomware, the benefit of this is two-fold. First, you don’t need to pay the ransom to get your data back. Second, since you are restoring to a point-in-time before the ransomware infected your systems, you can be certain everything is clean and the malware can not be triggered again.

Additionally, some data protection products today allow users to run applications from image-based backups of virtual machines. This capability is commonly referred to as “recovery-in-place” or “instant recovery.” This technology can be useful for recovering from a ransomware attack as well, because it allows you to continue operations while your primary systems are being restored and with little to no downtime. Datto’s version of this business-saving technology is called Instant Virtualization, which virtualizes systems either locally or remotely in a secure cloud within seconds. This solution ensures businesses stay up-and-running when disaster strikes.

5 Steps to Contain Ransomware Infections

Remove Infected Machine From Network

Always assume that the malware could make use of an internet connection (i.e. sending information back to the criminals, or spreading itself to other users). In the worst-case scenario, you should turn off network access for the entire office until you can get the outbreak under control.

Reset Your Bios Time

According to David Balaban with Privacy PC, IT admins don’t need to be afraid of the ransomware’s countdown timer that imposes a deadline at which point the ransom doubles. Just set your BIOS time back. This will reduce your stress and give you more time to recover your key files and eliminate the malware.

Roll Back From Prior Backup

Having a recent backup will make it easy for you to restore your operations as quickly and painlessly as possible, saving time and money for both you and your customer. As the downtime stakes have increased with each ransomware attack, having a backup solution in place and regularly testing backups to make sure they’re running properly is a critical part of protecting your company from ransomware.

Determining which backup to restore after a ransomware infection is imperative, but you must first ensure that your most current backup does not also contain the infection.

PRO TIP: A better way to identify your recovery point – the point at which your files were uninfected – is to leverage a disaster recovery as a service (DRaaS) solution. The ability to quickly ‘spin up’ a DR image on your local appliance gives you the ability to confirm that the image you’re restoring does not contain the infection. Plus, by spinning up the image in a self-contained VM, you can inspect the DR image without exposing it to the local network.

Stay Current with the Latest Threats

IT admins can stay up to date on the latest ransomware threats by following sites such as Data Breach Today or the
Microsoft Malware Protection Center. These technical support sites provide powerful self-education tools to learn about the latest security threats.

Alert Authorities

Ransomware is a serious form of extortion. Notify the FBI and don’t be tempted to pay the ransom. Paying them would be a mistake because they might continue to extort you and may not release your information.

Conclusion

Cyber extortionists using ransomware are a definite threat to today’s businesses from the local pizza shop to the Fortune 500. However, a little bit of education and the right solutions go a long way. Make sure your employees understand what to watch out for and you can avoid a lot of headaches. Never underestimate the dedication or expertise of today’s hackers. They are constantly adapting and improving their weapon of choice. That’s why you need top-notch security software and backup. Keep your business safe and give your nerves a break.

To sum it all up, knowledge spreading and security software can help you avoid cyber attacks. Patch management is essential. Be certain that your software is up-to-date and secure. In the end, it is backup that will help you pick up the pieces when all else fails. Consider using a modern backup product that offers features that can permanently eliminate downtime.

I have been working with Invenio for the past 6 years and on a consistent basis I found there support to be outstanding. The primary support representative, Dale S., goes out of his way to ensure his services are beyond my expectation.

Curtis Hill

13:52 04 Oct 22

Great Support staff all around. The system works as described. I've successfully restored a server that was blue screened by updated onboard application incompatibility.

Jeffrey Mondi

15:55 07 Jun 22

We have been working with Invenio IT for about 7 years now. They support of Datto backup system and their support is nothing but the best. They have been great helping set everything up and since then, we just monitor the backups and really have nothing to do as it has been running flawlessly. We an rare issue do occur, I can contact Dale at anytime (I mean anytime, he had answer the phone like 2 am) and he will help in anything I need, whether to spin up a virtual server when one of our production server goes down or we get an error on one of the backups and he looks into it and either resolve it or give us the solution to resolve it. Also, when we needed to upgrade our Datto system, they really go out of their way to give you the best deal which should have cost us a lot but Dale came through and we have been backing up flawlessly. Overall, Invenio IT has great support and always there when you need them. I will recommend them to anyone and I will take them anywhere I go. Thank you Invenio IT, especially to Dale Shulmistra!

Andre Glenn

15:24 03 Jun 22

Invenio IT has been very supportive and a long time vendor. They have supported our backup and recovery needs as well as provide top tier technical service whenever needed. Highly recommend!

Kevin Schnupp

16:24 02 Jun 22

Always goes above and beyond to ensure a great result. Quick responses and work completed on time and accurately. We have used Invenio IT and their Datto service numerous times to bail out customers. They always make us looking amazing and save the customer a lot of heartache. Can't ask for more!

Rajev S

19:32 01 Jun 22

I purchased my Datto backup appliance from Invenio IT (Dale Shulmistra) the best customer service rep. I've had in a while. He will go out of his way to help you in any way he can. Truly a five star!!

George Rodriguez

15:18 01 Jun 22

We've had Datto service with Invenio IT since 2015. While it's rare that we have issues, every time I need Dale's help he get's things done. It's really nice to have reliable service and one less thing to worry about these days. I would highly recommend Dale and Invenio IT.

Jimmy Rabitsch

14:20 01 Jun 22

We have been working with Invenio IT for over 3 years now. They have provided superior customer service and are very responsive. We work directly with Dale who is a pleasure to work with.

Anosh Zaveri

14:09 01 Jun 22

Invenio IT has been an exceptional business & technology partner for our company for many years. They have the best-in-class service (sales & support) and a knowledgeable teams on-staff when we need them the most. Good service; great people.

Larry Lou

14:01 01 Jun 22

Always responsive and helpful with a great team and awesome support, glad to do business with them.

Damien Russell

13:57 01 Jun 22

I worked with 3 techs previous before Darnell Johnson, the three previous were not on the same level as Darnell. His customer service and dedication to make sure all bases are covered are unmatched. 10/10

Jacob B

23:29 13 May 22

Invenio IT is the backbone for my disaster recovery solution. If I have anything wrong with my backups I am getting a call from Dale. This type of support is awesome especially when backing up 100+ servers.

Paul Gugel

02:18 24 Jan 19

Invenio IT has provided us with an excellent BDR solution in the Datto SIRIS. An enterprise-level solution at a reasonable cost, along with simplicity and ease-of-use, were a few items that helped us move to a Datto SIRIS. The only surprise was the extremely detailed level of service and support we received from Invenio IT. After 20 years of IT experience as a support professional myself, I did not expect to be surprised by the sustained, over-the-top level of support and professionalism that we received from Dale and the Invenio IT team. But I was surprised, and very happily so. Actually, I couldn't be happier!

Clyde Cornelius

15:08 07 Jun 18

The Datto Siris product works well and the web portal for management is excellent. My Invenio Rep is attentive, gets in front of issues and monitors the backup service.

Edward Caco

15:31 05 Jun 18

Great product! Great Service. I was up and running in no time.

Theodore Herrmann

21:35 04 Jun 18

I highly recommend Invenio IT to everyone. They provide amazing customer service. They are very responsive, and quick to resolve any issues or concerns. They have been a tremendous resource for several IT projects. One product / service in particular that is an absolute must is their backup services using the Datto SIRIS. This is just one example of many that has simplified my life while giving me much improved data security. I have full confidence and peace of mind knowing my data is secure and always available. By far the absolute best IT company I have ever dealt with.

Robert Bearry

19:41 04 Jun 18

I am very pleased with the Datto project and support offered at Invenio IT. The professionalism and speedy response to all of my issues have been handled impeccably. I would highly recommend their services. -Billy

William Porche

19:33 04 Jun 18

We were looking for a product which will verify the backup everyday without our intervention. For our size, Datto Alto 4 by far is the best product available on the market for the up-front and recurring price. Everyday it shows that the image backup is boot-able. We did the test by visualizing the server in the cloud and connecting seven work stations to it, and it worked flawlessly. Dale from Invenio IT was there every step of the way from purchase to install to testing. He provided exceptional service. He oriented us to Datto environment very well and is always available to answer questions. Further, every day he is monitoring the backups and ensuring the success. We are very pleased with the results. Thank you Dale!

Yogesh Mantri

21:09 24 May 18

Datto/Invenio was installmental in saving my business. The SIRS had a snapshot of beginning of the day. So I was good to go in minutes with the last backup thank you invenioIT.

Kim Zayac

16:41 03 Nov 17

We have the Datto SIRIS through Invenio IT and we couldn't be happier. Great team with exceptional customer service. Keep up the good work!

Rachel Leventhal

21:34 17 Aug 17

Invenio IT is simply awesome! I have been working with Dale for a couple of years now and the service and after sales support is great. I have submitted support requests and literally have had them resolved in under 20 minutes. That is great service!

gramfer

12:36 03 Aug 17

I have a SIRIS2 backup hardware which is an outstanding product and Invenio IT is one of the best support companies out there. They keep me informed of anything that is going on with my backups.

01:23 26 Jul 17

Quick response and good customer relationship. We been working with Invenio for over a year and it has been good results all around. Keep up the good work.

Date Kouy

20:06 20 Jul 17

Incredible professionalism from the Invenio staff. Hard working, a joy to do business with, and true innovators. This is a company that values its partnerships and will always do what's best for the customer.

Grant Brown

20:34 18 Jul 17

So... how complicated would your life be if you lost precious data files and there was no chance of recovery. Sounds scary. Yes it does. Life can be easier. You can take an associates human error of erasing or losing work or even an equipment failure that would have you work through the weekend in stride. Deploying a DATTO Sirus will protect your data locallly and in the cloud with so many easy ways to recover when the need arises. Support is excellent and reliable. Get a DATTO Sirus and rest... assured!

Ron Rizzi

20:09 17 Jul 17

Solid Datto support for our server systems. In the rare event there's been an issue, Invenio often knows before we do and has a fix ready. They are highly responsive to questions and keep our backup system.

Jason Blair

16:51 17 Jul 17

The fantastic Datto SIRIS coupled with the helpful folks at Invenio IT have let me stop worrying about my backups and disaster recovery plans to focus on more important things such as my morning coffee and keeping users from destroying the network before lunch.

Matthew Fex

16:35 17 Jul 17

Great partner to have. I recently joined the company I work for and found that they have a Datto backup system. I have never used the system and with the assistance of Dale at Invenio IT the learning curve has been an easy one. They typically let me know if something has gone wrong before I even knew it happened. Bottom line, outstanding support. I would highly recommend them for your IT services needs.

Gary Collier

16:11 17 Jul 17

Purchasing my SIRIS3 through Invenio IT has been one of the best decisions I’ve made. They always reach out to help whenever a problem arises, often before I even know there’s an issue with my backups. When my business got hit with Ransomware, I was able to restore my entire environment within a matter of hours thanks to my SIRIS3 and Invenio IT!

Gregory Carwile

16:08 17 Jul 17

The Invenio IT staff is friendly and knowledgeable! They really know everything about the Datto SIRIS

annmarie kotsianas

03:20 02 Jul 17

Can't say enough about the folks at Invenio. They are experts in business continuity and a pleasure to work with!

Michael Marlin Jr.

16:50 28 Jun 17

Invenio IT is a great organization to work with. Their consulting and managed services are exceptional are always at the leading edge of I.T. Strategy and execution, anticipating what you need before you experience an expensive order of magnitude "issue". They lead with integrity and clear down to earth communications. Highly recommended.

Leander Gillard

16:19 19 May 15

Great company medium sized organizations, handles all the management of data integrity, data redundancy/backup and all of your data management needs. I was truly lucky to have a excellent company supporting my orgazation when we did actually encounter data issues. Invenio IT was able to quickly assess and analyze the problem and then fix our issues with no down-time and little to no effect on our user base. Thank you Invenio IT.

Employment Employment

15:04 06 May 15

Invenio IT has supported my business for the past few years and I have had a great experience. The staff is knowledgeable and go out of their way to make technology simple to understand. If you are in need of a strategic (and friendly) IT partner, I would consider this company.

T. Rock

14:22 06 May 15

‹

›