Today’s businesses operate in an increasingly dangerous world of internet malware of all kinds. Every internet user today is aware of the threat of viruses and “trojans” – software designed to compromise your computer for external access, or to steal data that the attacker might be able to sell. Most internet users now are aware of the importance of maintaining effective antivirus tools. Adams Consulting Group implements and supports antivirus and anti-spam software for all our clients as a matter of fundamental priority.
Unfortunately, antivirus and antispam are not impregnable. Protection software can recognise malicious files when they’re downloaded and can filter out most likely attacks that hide amongst the hundreds of spam emails you receive every day. But it only takes one new virus to arise before the antivirus software is able to recognise it, one email to slip through the net, or one link in an internet browser to be clicked, and a compromise can happen. Usually, with good virus cleaning tools, a competent IT consultancy can recover or clean your systems following such a breach.
Recent years have seen the rise of a much scarier form of malware from which recovery can be a much more involved process. As this form of attack can be more directly profitable for the attacker, its prevalence is increasing. Known as “Ransomware”, this form of attack locks your computers or your data and then demands a ransom be paid before you can be given back your own files.
How do Ransomware attacks occur?
A typical ransomware attack begins like any other virus attack. A user clicks on a link in an email that leads to an infected program, or somebody clicks on a link on a site that is compromised. If the user’s antivirus is out of date or the virus is too new, it can run on the user’s computer and the virus is inside the network.
Once active inside the network, the virus can go to work. The least damaging form is known as “Scareware” and it does little more than give the user pop-ups indicating that the machine is compromised, and recovery will require the payment of a ransom. This kind of attack can generally be cleaned with standard tools. Other attackers are more serious and will actually lock the system, making it impossible to boot or operate normally until the virus is cleaned out or the ransom is paid.
The most damaging – and, unfortunately, increasingly common – variant actually locks the files on both the local computer and any files accessible on the network. Typically this includes all document files (from Microsoft Office, text files, Acrobat files, AutoCAD drawings, ZIP file archives and more). Because there will typically be hundreds or thousands such files on local workstations and available via the network, the process of locking the files can take some time – up to several hours. The virus may go undetected for this time until users attempt to open a locked file, or the locking process is complete and the ransom demand is delivered.
Files are locked. Now what?
Ransomware attackers may be built to encrypt the target files, making them completely unusable. Suddenly, the contents of the victim’s computer – and, more seriously, their work folders on the network – are unable to be opened. The business cannot survive without regaining access to those files. The encryption used in these attacks is, in practical terms, not possible to crack. In most cases, there are only two options available to the affected business.
- Pay the ransom and hope that the attackers will be faithful in providing the required unlock key; or
- Assume the locked files are lost, and restore from a recent backup.
Paying the attacker off is never a recommended approach. Payment is generally demanded in untraceable currencies such as Bitcoin, so there is little chance of recovery of the money. Moreover there is nothing to stop them taking the ransom and simply disappearing with the files still locked. The unlocking process can be time-consuming and difficult as well. Nevertheless, various companies who have been compromised in this way have elected to pay off the ransom in order to avoid the negative publicity of having been successfully attacked. Some analysts at the FBI have indicated that “just paying up” might be the best approach if there is data that must be recovered and is not backed up.
Some previous malware attacks have been known to hide out of sight until all backups are also compromised; however, this kind of sophistication is a dedicated attack against the target company, rather than the largely automated attacks that form the predominant majority of ransomware attacks. For many companies the best solution will be to restore all content from a backup, assuming backups have been effectively kept.
How to defend against ransomware attacks
Recent successful ransomware attacks have included the ABC in Australia, and a number of Police Departments in the United States. Unfortunately, it’s not possible to be completely safe from compromise, despite the best antivirus and antispam protection. Nevertheless, investing in and maintaining internet security software is a very effective method of preventing the vast majority of possible attacks. Adams Consulting Group also has access to preventative tools that work in conjunction with standard antivirus software to prevent encryption attacks.
In the unlikely event of a successful ransomware attack against your business, the most effective response is to ensure that you have in place a thorough backup procedure that includes backups being kept offsite and disconnected from your network. If you should happen to become affected by such a malware attack, sometimes restoring from a backup can be the only effective remedy.
Contact Adams Consulting Group for a free consultation if you are concerned about your antivirus and backup systems.