A new generation of malware, now generally called ransomware, has been generating growing industry alarm over the last few years and costing business owners enormous amounts of time, angst and money.
Since late 2013, criminal groups (we'll call them pirates) have been running a number of related scams where they hold all your business files to ransom. Just like a pirate on the High Seas, until you pay them a ransom (usually a few hundred dollars in Bitcoin) they lock you out of all your files. Some businesses have lost all their files, and often the business as a result, so this article discusses how you can keep yourself from being a victim. We'll call this malware "crypto-locker" in the rest of this article, as CryptoLocker is the best known variant historically, though there are many similar families.
Even large businesses are not safe, and this attack is becoming increasingly common, so informed IT providers are now very familiar with protecting you against it. We recommend that if you haven't talked to your IT provider about this, you do so; show them this simple overview article as it may help.
To understand how the process works, what crypto-locker actually does is usually this:
- A fake email carrying the crypto-locker virus is sent to you (actually a small downloader, which fetches the real malware once it runs).
- The user is tricked into clicking a link or opening an attachment in the email, often ignoring the warnings displayed.
- Crypto-locker runs in the background, encrypting your files as quickly as it can before you notice. It does not stop at the local disk: it also encrypts anything it can reach over mapped network drives and shares, which means your server files and often your backups too.
- Once finished, your PC displays a (usually big, red) screen warning that all your files are now encrypted and you have a countdown (typically a few days) to pay a ransom or lose your files forever.
- You then pay a ransom in Bitcoin of around AU$300 or more, which provides you with a decryption key which (if it works!) you can use to decrypt your files and get back up and running again.
This article lists a number of useful techniques which you can use in combination to keep yourself safe.
Avoid falling for the email and clicking the link
Perhaps obviously, avoiding clicking the link in the first place is the basic place to start. The people most likely to click are those who are busy and not thinking, and/or those who are less computer literate: often reception, but just as likely the CEO. Clear reminders to staff not to click ANY link in an email unless they are absolutely certain they know what the email is about are essential. And never, ever run file attachments without confirming with the sender. Real people rarely (if ever) send .exe attachments, and these scams usually disguise the program, either by zipping it or by giving it a double extension such as invoice.pdf.exe so that Windows shows it with a document icon.
This is so critical it can't be emphasised enough; if your team can get this one thing right you will save yourself thousands. One recent test of this kind in a large bank had some 70% of staff clicking malicious links, so it's not as obvious as it might seem. Education is the key!
It's important to bear in mind that the pirates are constantly engineering their messages to look legitimate and safe, and it helps to warn your team of this explicitly up front. For instance, the last few batches of emails have all appeared to come from credible Australian companies and are often spelling and grammar perfect.
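The attachment rules above (no executables, watch for zipped or double-extension names) can also be enforced by a mail filter rather than left to memory. The following is an added example written for this article, not code from the original page or from any product it mentions: it parses a raw email message with Python's standard library, flags attachments whose name is an executable or a disguised double extension, looks inside zip attachments for the same, and checks the first bytes of each attachment for a Windows executable (MZ) header regardless of what the file is called. The sample message, the addresses and the extension lists are constructed for the demonstration.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a genuine correspondent almost never sends unannounced (constructed list, extend to taste).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".msi", ".ps1", ".jar"}
# Decoy "document" extensions used in double-extension names such as invoice.pdf.exe
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name):
    """Return a reason string if the filename looks like an executable (disguised or not), else None."""
    parts = [p.strip() for p in name.lower().strip().split(".")]
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        return f"double extension disguising executable: {name}"
    return f"executable attachment: {name}"


def triage_message(raw):
    """Return a list of findings for every attachment of an RFC 822 message, looking inside zips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = classify_name(name)
        if reason:
            findings.append(reason)
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":  # content is a Windows executable whatever the name says
            findings.append(f"Windows executable content (MZ header) in {name}")
        if payload[:2] == b"PK":  # zip archive: inspect the member names, not just the wrapper
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        inner_reason = classify_name(inner)
                        if inner_reason:
                            findings.append(f"inside {name}: {inner_reason}")
            except zipfile.BadZipFile:
                findings.append(f"corrupt or fake zip archive: {name}")
    return findings


def build_sample():
    """Constructed sample: a plausible 'overdue invoice' email carrying Invoice_4471.pdf.exe inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub (just the MZ magic plus padding), not a real program.
        zf.writestr("Invoice_4471.pdf.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"          # hypothetical sender
    msg["To"] = "reception@example.org"           # hypothetical recipient
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please find attached the overdue invoice. Regards, Accounts.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice_4471.zip")
    msg.add_attachment(b"%PDF-1.4 harmless placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print("QUARANTINE:", finding)
```

A filter like this belongs on the mail server or gateway, before the message reaches a user; it is a name and header check only, so it complements rather than replaces antivirus scanning, and it will still miss an executable hidden in a password-protected archive, which is a reason to quarantine those as well.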
Up-to-date antivirus
Current antivirus software will sometimes detect the virus and protect you. Bear in mind that the pirates hire capable malware writers and re-test their programs against the popular antivirus products before sending them, so this will only protect you some of the time, and rarely against the very newest varieties.
While antivirus is a simple step, it is easy to neglect over time (expired licences, disabled updates) and is such an essential layer. Some IT providers can help here by providing a monitoring service that detects antivirus failures and warns you, or helps reactivate your antivirus.
Provider email virus scanning
Many email hosting providers scan incoming mail for malware: if someone emails you a virus you'll never receive it, because your mail server intercepts and deletes it on the way in.
This is a critical layer, as it stops the email for both this and future malware problems from ever reaching you. However, it's worth mentioning that the bad guys are constantly working on ways around this; they test and change their attachments all the time to avoid detection, so this layer is never perfect on its own.
Again, this is a useful layer that I wouldn't leave home without. WD3 provides regularly updated email antivirus scanning as part of our standard email product.
Current backups – server shadow protect
Having some form of backup is critical, and the more important your files are to the running of your business, the more careful you should be about backup. While you'll probably never be hit, the cost of being hit badly, whether by malware or by hardware failure, is so extreme that you'll want to make sure you cover yourself well with backups.
While we've heard a number of stories of IT providers being able to save people via good backups, we've also heard stories of crypto-locker encrypting or destroying backups so they can't be used. Any backup the infected PC can write to (an attached USB drive, a mapped network share, a cloud folder that syncs automatically) is within its reach. This is insidious, as it means backups alone are no longer enough to keep you safe. The protection is to have offline or otherwise write-protected backups that the virus can't touch, to keep several dated versions rather than one overwritten copy, and to test a restore occasionally so you know the backup actually works before you need it.
OpenDNS on router, or a security appliance
OpenDNS is a DNS service (with free and paid tiers) that refuses to resolve the domain names of known malware control sites. Early crypto-locker had to contact its controller to fetch the encryption key before it could start, so blocking that lookup could stop it cold before it did anything. This doesn't work all the time (newer varieties carry their key with them and need no contact before encrypting, and the pirates register new domains constantly), but it is so effective and so low cost that it's really worth it as another layer, and OpenDNS blocks some less sophisticated malware and adware sites as well.
OpenDNS is usually configured on your router, and that's generally something best left to your IT provider. Once configured, every device on your network that takes its DNS settings from the router gets the protection, across all your onsite computer equipment. Note that a device configured with its own DNS servers bypasses it, so the router should also block outbound DNS to anything other than the OpenDNS servers.
Superior results can be obtained from onsite security appliances, which also detect and block dangerous sites and inspect traffic more closely. These should be considered in conjunction with your IT provider where any incident could cause serious loss of business, or where your files are critical (e.g. patient data, confidential information, critical intellectual property).
Software monitoring your computer looking for dangerous behaviour
Malware like crypto-locker exhibits some very characteristic behaviour: for example, opening and rewriting every file on your computer in quick succession, with the rewritten contents looking like random noise. Software exists that can catch this behaviour, backing up the files being changed so they can be restored, and stopping the process at an early stage before it has a chance to do much damage.
One example of such a tool is the award-winning "Webroot" software. Your IT provider should be able to advise on getting hold of this and setting it up, and there are other tools out there that do similar "heuristic" (behaviour-based) protection, that is, they notice dangerous behaviour and catch it early.
Because antivirus packages often rely on "signatures" (fingerprints of malware already seen), unknown or new variants often slip through, and some form of behavioural protection will catch most of these new "zero-day" varieties before they do much damage.
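To make the "characteristic behaviour" concrete, here is an added example, written for this article rather than taken from Webroot or any other product: a small detector that watches a stream of file-write events and raises an alert when many distinct files are rewritten with encrypted-looking (high-entropy) content inside a short window, or when a planted canary file is touched at all. The event stream, the canary path, the thresholds and the stand-in ciphertext (SHA-256 output used in place of real encrypted data) are all constructed for the demonstration; a real deployment would feed it from the file system's change notifications.

```python
import hashlib
import math
from collections import deque

HIGH_ENTROPY = 7.2        # bits per byte; ciphertext sits near 8.0, office documents and text far lower
WINDOW_SECONDS = 10       # burst window (constructed threshold)
BURST_THRESHOLD = 5       # distinct high-entropy rewrites in the window before we alert (constructed)
# Hypothetical canary document planted where a mass encryptor will hit it early (sorts first).
CANARY_FILES = {"C:/Shares/Finance/!aaa_do_not_touch.docx"}


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareBehaviourDetector:
    """Flags bursts of high-entropy rewrites and any write to a canary file."""

    def __init__(self):
        self.recent = deque()   # (timestamp, path) of recent high-entropy rewrites
        self.alerts = []        # (timestamp, message)

    def observe(self, ts, path, data):
        """Feed one file-write event; returns the entropy measured for that write."""
        if path in CANARY_FILES:
            self.alerts.append((ts, f"canary file modified: {path}"))
        ent = shannon_entropy(data)
        if ent >= HIGH_ENTROPY:
            self.recent.append((ts, path))
        # Drop events that have aged out of the window.
        while self.recent and ts - self.recent[0][0] > WINDOW_SECONDS:
            self.recent.popleft()
        distinct = {p for _, p in self.recent}
        if len(distinct) >= BURST_THRESHOLD:
            self.alerts.append((ts, f"{len(distinct)} files rewritten with encrypted-looking "
                                    f"content in {WINDOW_SECONDS}s"))
            self.recent.clear()  # one alert per burst, not one per subsequent file
        return ent


def fake_ciphertext(seed, n=4096):
    """Deterministic stand-in for encrypted output: chained SHA-256 blocks (constructed, not real crypto)."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def sample_events():
    """Constructed event stream: two normal saves, then an encryptor rewriting six files and the canary."""
    text = b"Dear customer, please find your statement attached. " * 40
    events = [(0.0, "C:/Shares/Finance/statement.docx", text),
              (1.0, "C:/Shares/Finance/budget.xlsx", text)]
    for i in range(6):
        events.append((5.0 + i * 0.5, f"C:/Shares/Finance/file{i}.docx.encrypted",
                       fake_ciphertext(bytes([i]))))
    events.append((9.0, "C:/Shares/Finance/!aaa_do_not_touch.docx", fake_ciphertext(b"canary")))
    return events


def run(events):
    """Run the detector over a list of (timestamp, path, bytes) events and return its alerts."""
    det = RansomwareBehaviourDetector()
    for ts, path, data in events:
        det.observe(ts, path, data)
    return det.alerts


if __name__ == "__main__":
    for ts, msg in run(sample_events()):
        print(f"t={ts:>5}s  ALERT  {msg}")
```

The same entropy check is a cheap way to audit a backup set: a backup full of files that now measure close to 8 bits per byte, with extensions you don't recognise, has been encrypted and will not restore. Compression formats and already-encrypted archives score high legitimately, which is why the detector keys on a burst across many files rather than on any single write.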
While you don't need to take every single step listed in this article, you'll be very well covered if you do four or more. By the way, security professionals call this "layered security" or "defence in depth": no single layer is reliable on its own, but each one the attacker has to get past lowers the chance they succeed, and this is in fact the strategy we use to keep our own servers from being hacked.
An interesting side story is that, in 2014, an international effort by law enforcement and security firms disrupted the botnet that distributed the original crypto-locker and obtained its store of decryption keys, so for a while victims of that strain could recover their files for free. Unfortunately, the pirates adapted quickly with new variants, and those keys don't help with new infections.
References and more information for the detailed at heart
Technical details for techos: