Ransomware – Dangers for SMEs


Ransomware is a form of malware that disrupts a business by making its data inaccessible, with the promise that the damage will be reversed if the victim pays a fee to the criminals.  It is increasingly prevalent, and according to one recent report over 10% of businesses that suffer an attack go out of business.  I will set out a few examples of why there is a risk, especially for small businesses, and say something about over-reliance on cloud service providers.

What sort of attacks and risks are we talking about?  For a good insight into what a ransomware virus is, look at the excellent short article by Panda Security (May 2015)[1], CryptoLocker: What Is and How to Avoid it.  Here I am going to concentrate on the small to medium enterprise (SME) perspective, on the receiving end of an attack.

What sort of business might be seriously affected?  Two simple examples: a real-estate business, which relies on up-to-date images, property details and client details, and a professional photographer, such as a wedding photographer, with a few thousand images on an SD card.  Simple as they are, these examples reflect a very common pattern in any business: work-in-progress (WIP) is held on local storage all day, with occasional backup and/or transfer to a cloud repository.  A related risk is the briefcase feature offered by cloud-storage services, whereby all of the files you need for today, or for working at home tonight, are downloaded onto the local C: drive and uploaded again when you next reconnect to the cloud.  These local copies are the files most exposed to an attack.

Of course any form of attack might be avoidable, but prior knowledge and a commitment to strict information governance are key to prevention or, failing that, to rapid recovery from an attack.

How does ransomware strike?  It generally arrives in a spam or phishing email, as an apparently trustworthy attachment that the recipient opens without a second thought.  Some malware is pre-loaded onto a free USB stick you were given, or one you found in the car park.  Malicious intent may be far from your mind, but ransomware is not fussy about whom it attacks or how it gets into your system.

What does ransomware do?  CryptoLocker is a prime example of an ingenious attack: it identifies swathes of file types and then encrypts them as quickly as it can, so they become unusable.  Documents, JPEGs, .pst (Outlook email) files and many more file types rapidly become inaccessible, whether on your local hard drive, an attached backup drive, or the SD card you happened to have loaded.  Any drive the infected account can write to, including mapped network shares, is a target.

A virus may run concurrent processes to (a) encrypt each target file, which takes a little time, and (b) rename other files ahead of encryption, which is very rapid.  So within minutes one drive can become a mixture of trusted original files, renamed and not-so-trusted files, and encrypted, inaccessible files.  In the case of CryptoLocker the encryption is effectively beyond recovery for the victim: each file is locked with a key that only the criminals' own private key can unlock, so without their cooperation the data stays locked.  The great annoyance factor is that an attack tends to hit your primary work in progress that has yet to be backed up: those wedding photos, your recent draft documents, operational spreadsheets and so on.

The good news is that you keep backups or duplicate copies in case of a disaster.  Hmm.  This is where information governance really kicks in.  Yes, you may have backups, but how many copies, and how up to date, especially with regard to your WIP?  Remember I am thinking about smaller businesses here, not the bigger organisations with in-house systems, constant logging and roll-back facilities.  The average SME is hard pressed to stay on top of IT issues as it is, without losing time to a vicious attack on its current information content.  Once one PC is infected, a modern networked and cloud-supported infrastructure does exactly what it was designed to do: the sync client uploads the damaged files to every connected repository, and the repositories push them on to every other connected device, so the encrypted copies replace the good ones everywhere.  On an SME network of, say, fifty devices there is a good chance that at least one user will suffer finger trouble, trust an email attachment, or fall victim to deliberate targeting.  It only has to occur once in the next year or two to be very annoying and costly for your business to resolve.

What are the consequences of an attack that does not totally disrupt your work?  Assuming your organisation can survive, the main cause of irritation is the time it takes to recover the situation.  There are many questions to tackle: which device(s) and files are affected?  Where are the trusted files?  Are some damaged files simply recoverable by renaming them back to their original state?  And if so, how long does it take to manually rename 5,000 to 10,000 files and test them?  All of this, by the way, is after ensuring the virus has been eradicated.
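The triage questions above are worth scripting rather than answering by hand for several thousand files.  The following is an added example, not code from the original article or from any product it mentions: a small Python script that walks a folder, checks each file's contents against a handful of format signatures, sorts files into intact, renamed-but-readable, encrypted and unknown, and optionally gives the renamed-but-readable ones back a name that matches their content.  The signature table, the entropy threshold, the file names and the sample files it builds are all assumptions constructed for the example.

```python
"""Added example: triage a folder after a ransomware incident.

Every file goes into one of four buckets:
  intact     name agrees with the content (magic bytes or plain text)
  renamed    content is a known readable format but the name no longer says so,
             i.e. the malware renamed it but had not yet encrypted it
  encrypted  no known signature and the bytes look uniformly random
  unknown    anything else; leave for manual review
With restore=True, 'renamed' files get a name that matches their content.
"""
import math
import tempfile
from collections import Counter
from pathlib import Path

# (magic prefix, canonical extension, extensions acceptable for that content).
# A small subset chosen for this example, not an exhaustive table.
SIGNATURES = [
    (b"%PDF-", ".pdf", {".pdf"}),
    (b"\xff\xd8\xff", ".jpg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", ".png", {".png"}),
    (b"PK\x03\x04", ".zip", {".zip", ".docx", ".xlsx", ".pptx"}),  # Office files are zips
    (b"!BDN", ".pst", {".pst"}),                                   # Outlook data file
]
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".log", ".ini"}

def sniff(head: bytes):
    """(canonical_ext, accepted_exts) for a recognised signature, else None."""
    for magic, canonical, accepted in SIGNATURES:
        if head.startswith(magic):
            return canonical, accepted
    return None

def looks_like_text(head: bytes) -> bool:
    try:
        text = head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\t\r\n" for ch in text)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English text around 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(path: Path) -> str:
    head = path.read_bytes()[:4096]
    hit = sniff(head)
    if hit:
        return "intact" if path.suffix.lower() in hit[1] else "renamed"
    if looks_like_text(head):
        return "intact" if path.suffix.lower() in TEXT_EXTENSIONS else "renamed"
    # Short files give a noisy entropy estimate, so insist on a few hundred bytes.
    if len(head) >= 256 and shannon_entropy(head) > 7.5:
        return "encrypted"
    return "unknown"

def restored_name(path: Path) -> Path:
    """report.docx.locked -> report.docx when the inner extension fits the
    content; otherwise swap the extension for one that does."""
    canonical, accepted = sniff(path.read_bytes()[:4096]) or (".txt", TEXT_EXTENSIONS)
    inner = path.with_suffix("")
    return inner if inner.suffix.lower() in accepted else path.with_suffix(canonical)

def triage(root: Path, restore: bool = False) -> dict:
    """Bucket every file under root; optionally rename 'renamed' files back."""
    report = {k: [] for k in ("intact", "renamed", "encrypted", "unknown", "restored")}
    for p in sorted(root.rglob("*")):       # list materialised before any rename
        if not p.is_file():
            continue
        verdict = classify(p)
        report[verdict].append(p)
        if verdict == "renamed" and restore:
            target = restored_name(p)
            if not target.exists():         # never clobber a surviving original
                p.rename(target)
                report["restored"].append(target)
    return report

def build_sample(root: Path) -> None:
    """Constructed sample files, one per bucket; not real incident data."""
    (root / "good.pdf").write_bytes(b"%PDF-1.7\n" + b"% placeholder body\n" * 4)
    (root / "wedding_001.jpg.locked").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 300)
    (root / "notes.txt").write_text("Minutes of Monday's meeting\n")
    # bytes(range(256)) repeated has exactly 8 bits/byte, like ciphertext
    (root / "accounts.xlsx.zepto").write_bytes(bytes(range(256)) * 8)
    (root / "blob.bin").write_bytes(b"\x00\x01\x02" * 10)          # too short to judge

def run_demo(restore: bool = True) -> dict:
    """Build the sample in a temp dir, triage it, return file names per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        report = triage(Path(tmp), restore=restore)
        return {k: sorted(f.name for f in v) for k, v in report.items()}

if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(f"{bucket:10s} {names}")
```

Run it first with restore left off to get the counts, check a few files from each bucket by hand, then run with restore=True on a copy of the data.  Only files with no recognisable signature that also look random are called encrypted, which is what CryptoLocker-style output looks like; anything ambiguous is left in the unknown bucket for manual review rather than guessed at.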

One option, best avoided, is to pay the ransom.  An attack that is quickly detected and stifled can take a couple of days to resolve, whereas paying the ransom can take three days or more to resolve, if you trust the criminals to deliver the decryption key at all.  There have been many documented cases of organisations paying up simply to stay in business, such as a major US healthcare organisation in the days when ransomware was still a relatively new threat.

What should you do about all this?  I recall a security expert advising that the best way to avoid mobile phone hacking is to keep the phone in its original box and bury it six feet deep.  To quote a commentator from the UK, writing about the recent Zepto ransomware:

Can Anti-malware software stop it?  Not reliably, even updated versions. It’s pot luck.[2]

(John E Dunn, ComputerWorldUK, Aug 2016)

Well, there has to be a compromise between usability and risk, so here are some suggestions.

  • Employ the best anti-malware software that you can, covering email and system events, including Trojans and unknown executables;
  • Raise awareness among all employees and connected users. Do not take risks with email, application plug-ins, USB sticks, or even cheap add-on hardware; train everyone to consider the risk factors in what they are doing;
  • Use a backup strategy with multiple fail-over layers. You may not be able to cover every current activity, but you must have a policy for what degree of backup you deploy and how frequently.  Since an attached backup drive or a synced folder is encrypted along with everything else, at least one copy must be offline or otherwise out of reach of the infected machine;
  • Train everyone in the steps to take if they suspect an attack. For example, disconnect the device from the network (pull the cable or switch off Wi-Fi) or power it off, and call for assistance.  If one device is compromised it is annoying, but if you can prevent cascade effects on other devices or repositories you must do it;
  • Check the recovery and roll-back terms you have with your cloud service provider. In many instances, for small businesses, the file-recovery terms and conditions are unclear, or recovery can take the best part of a week.  Is three or four days of chaos and disruption OK for your business?  If not, identify alternative strategies and look at alternative cloud service providers.
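The fourth suggestion depends on noticing the attack in the first few minutes, while the damage is still confined to one device.  The following is an added example, not code from the original article or from any product: a Python detector that reads a file-server audit log, keeps a one-minute sliding window of rename and write events per workstation, and flags a host either when it exceeds a rate that no human user reaches or when it touches an extension associated with a known ransomware family.  The log line format, the host and user names, the threshold and the extension list are assumptions constructed for the example.

```python
"""Added example: flag the workstation behind a ransomware-style burst of file
changes on a file server, using a per-host sliding window over audit log lines.

Assumed log line format (constructed for this example, not any real product):
    <ISO timestamp> <host> <user> <rename|write|delete> <path>
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 40      # renames + writes from one host inside WINDOW before alerting
# Extensions appended by families current in 2016 (Zepto included); illustrative.
SUSPECT_EXTS = {".zepto", ".locky", ".encrypted", ".locked", ".crypt"}

def parse(line: str):
    ts, host, user, action, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, action, path

def detect(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {host: time of first alert}. A host is flagged when it renames or
    writes `threshold` files within `window`, or touches a suspect extension at
    all; a user saving a handful of documents never reaches either condition."""
    recent = defaultdict(deque)     # host -> timestamps of recent rename/write events
    alerts = {}
    for line in sorted(lines, key=lambda ln: parse(ln)[0]):
        ts, host, _user, action, path = parse(line)
        if action not in ("rename", "write"):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # forget events that fell out of the window
            q.popleft()
        ext = ntpath.splitext(path)[1].lower()
        if host not in alerts and (len(q) >= threshold or ext in SUSPECT_EXTS):
            alerts[host] = ts
    return alerts

def sample_log() -> list:
    """Constructed audit log: PC-03 works normally, PC-07 renames sixty photos in
    thirty seconds, PC-11 renames one spreadsheet to a .zepto name."""
    t0 = datetime(2016, 8, 12, 9, 14, 0)
    lines = [rf"{(t0 + timedelta(minutes=2 * i)).isoformat()} PC-03 alice write "
             rf"\\FS1\shared\draft_v{i}.docx" for i in range(6)]
    lines += [rf"{(t0 + timedelta(minutes=6, milliseconds=500 * i)).isoformat()} "
              rf"PC-07 bob rename \\FS1\shared\wedding_{i:03d}.jpg.a3f9" for i in range(60)]
    lines.append(rf"{(t0 + timedelta(minutes=15)).isoformat()} PC-11 carol rename "
                 rf"\\FS1\shared\accounts.xlsx.zepto")
    return lines

if __name__ == "__main__":
    for host, when in detect(sample_log()).items():
        print(f"{when.isoformat()}  isolate {host}: ransomware-like file activity")
```

On the constructed log the alert for PC-07 fires on the fortieth rename, about twenty seconds into the burst, which is the moment to pause its sync client and disable its switch port, well before the damaged files have propagated to every repository.  The threshold needs tuning against a real log: a bulk import or a backup job legitimately renames or writes many files, so exclude those service accounts rather than lowering the bar.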

One thing to say about ransomware threats is that they tend to focus the minds of senior managers on the need for good information governance.  Preferably before a disruptive event occurs.

[1] Panda Security, CryptoLocker: What Is and How to Avoid it (May 2015), http://www.pandasecurity.com/mediacenter/malware/cryptolocker/

[2] John E Dunn, ComputerworldUK (Aug 2016), on Zepto ransomware, http://www.computerworlduk.com/security/zepto-ransomware-how-protect-yourself-against-latest-extortion-menace-3644538/
