Cybercrime is morbidly fascinating to me. Don't get me wrong, these guys are thugs and I have dedicated my professional life to squashing them like the cockroaches that they are. But I am fascinated by the fact that they run "real" businesses. They spend a ton of money on R&D. They fight fierce competition for market share. They have networking groups. They have strategic sales and marketing plans. They partner with affiliates who generate "sales" for them. They leverage technology. They have offices and full-time staff with health benefits. All business as usual. What's not so usual is that they have the added expense of paying off the local authorities and the added risk of spending their lives in jail. And for their troubles, they generate about 20% net profit.
Depending on who you ask, a business is generally considered healthy at 10% to 15% net profit. So really, these guys only get an extra 5% to 10% in exchange for risking jail time. I was really surprised to learn that. I expected they were making a killing. But just like in our world, there is always someone willing to do the deed for less money, and it drives their profits down. Poor bastards. I'm crying inside.
Here's my point: these guys are very good at what they do. One of their more recent innovations, and one that is landing them great success, is ransomware. Oversimplified: the malware encrypts your important files so that you cannot use them, and the crooks then demand money if you ever want to see your files again. How serious is this problem? If you google "FBI says pay up" you'll see that our government now recommends negotiating with terrorists.
To be fair, they only recommend paying up as an absolute last resort. But there is a much better option: an ounce of prevention.
With the incredible success that these cyber-thugs are having, especially now that they have the FBI's blessing, ransomware isn't going away any time soon. In fact, it is simply evolving. It is increasingly hard to prevent, virtually impossible to undo without the attacker's decryption key (in other words, without paying the ransom), and rapidly proliferating.
An Ounce of Prevention is Worth a Pound of Cure
So what is this ounce of prevention? A sound data backup strategy. No matter how thoroughly your files have been encrypted, as long as you have a healthy backup you can simply restore the clean, unencrypted copies and move on.
But there is some small print. For starters, before you can restore from backup, you must find and remove the malware that did the encrypting, or the freshly restored files will be encrypted right back. If you're connected to a network, and multiple people have access to shared files, it can be quite tricky to find the offending computer(s). One useful clue: on a file share, the owner or last-modified-by user recorded on the encrypted files and on the ransom notes points to the user account, and from there to the workstation, that did the damage. Disconnect that machine from the network before you restore anything.
Your backup system also needs to keep multiple versions, so that you can restore from a specific point in time rather than just "the latest copy". Let's say your computer was infected on Monday, but you don't realize it. Monday night your automatic backup runs, backing up the encrypted files. Tuesday morning you try to restore your files. If you restore the files that were backed up Monday night, you will be restoring encrypted files that will do you no good. You'll need to restore the backup from Sunday night. A backup that simply mirrors the server onto one drive has just overwritten Sunday's good copy with Monday's encrypted one.
You did run a backup Sunday night, right?
This brings up a very critical point: backups must be monitored and verified daily, and at least one copy must live somewhere the infected machine cannot write to, because an always-attached external drive is just one more drive for the ransomware to encrypt. I can't tell you how many organizations I run into that tell me they have their data safely backed up. I ask them how they know and they point to an external hard drive attached to their server. I ask them when they last tested it, and they look at me like a deer in the headlights. In MOST cases, they have NEVER tested their backup. They don't even have reports to look at. So many times, when I dig a bit deeper, I find that the backup hasn't run successfully for days, weeks, or even months. It's like rolling out the red carpet for the bad guys. Me! Me! Pick me, Mr. Bad Guy!
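The Sunday/Monday scenario, the "restore from a specific point in time" requirement and the daily verification report, as one added example that is not the author's tooling or any product mentioned here: date-stamped snapshot folders with a checksum manifest, a restore that picks the newest snapshot on or before the date you ask for, and a report that fails when the newest snapshot is stale or its checksums no longer match. Everything in it (the folder layout, the file names, the XOR stand-in for real encryption and the dates) is constructed for the example; it uses only the Python standard library and runs in a temporary directory.

```python
"""Date-stamped snapshot backups with point-in-time restore and a daily verification report.
Added example for this post (standard library only, not the author's tooling); it runs against
a constructed sample tree in a temporary directory."""
import hashlib
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_snapshot(source: Path, backup_root: Path, day: date) -> Path:
    """Copy `source` to backup_root/YYYY-MM-DD/data and write a checksum manifest beside it."""
    snap = backup_root / day.isoformat()
    if snap.exists():
        shutil.rmtree(snap)
    data = snap / "data"
    shutil.copytree(source, data)
    lines = [f"{sha256_of(p)}  {p.relative_to(data).as_posix()}"
             for p in sorted(data.rglob("*")) if p.is_file()]
    (snap / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return snap

def snapshot_on_or_before(backup_root: Path, day: date) -> "Path | None":
    """Newest snapshot dated on or before `day`: the 'restore Sunday, not Monday' step."""
    found = []
    for d in backup_root.iterdir():
        try:
            when = date.fromisoformat(d.name)
        except ValueError:
            continue  # not a snapshot directory
        if when <= day and (d / "MANIFEST.sha256").exists():
            found.append((when, d))
    return max(found, key=lambda t: t[0])[1] if found else None

def restore(backup_root: Path, day: date, target: Path) -> Path:
    """Restore the newest snapshot on or before `day` into `target`; returns the snapshot used."""
    snap = snapshot_on_or_before(backup_root, day)
    if snap is None:
        raise FileNotFoundError(f"no snapshot on or before {day}")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snap / "data", target)
    return snap

def verify_snapshot(snap: Path) -> list:
    """Re-hash every file listed in the manifest; an empty list means the copy is intact."""
    problems = []
    for line in filter(None, (snap / "MANIFEST.sha256").read_text().splitlines()):
        digest, rel = line.split("  ", 1)
        p = snap / "data" / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"checksum mismatch: {rel}")
    return problems

def backup_report(backup_root: Path, today: date, max_age_days: int = 1) -> dict:
    """The daily check: is the newest snapshot both fresh enough and intact?"""
    snap = snapshot_on_or_before(backup_root, today)
    if snap is None:
        return {"ok": False, "newest": None, "age_days": None, "problems": ["no snapshots"]}
    age = (today - date.fromisoformat(snap.name)).days
    problems = verify_snapshot(snap)
    return {"ok": age <= max_age_days and not problems,
            "newest": snap.name, "age_days": age, "problems": problems}

def run_demo() -> dict:
    """Constructed scenario from the post: clean on Sunday, encrypted Monday, restore Tuesday."""
    sunday = date(2016, 3, 6)
    monday, tuesday = sunday + timedelta(days=1), sunday + timedelta(days=2)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share, backups = root / "share", root / "backups"
        share.mkdir()
        backups.mkdir()
        (share / "budget.xlsx").write_bytes(b"clean budget data")
        (share / "notes.txt").write_bytes(b"clean notes")
        take_snapshot(share, backups, sunday)
        for p in list(share.iterdir()):  # Monday: ransomware stand-in (XOR + renamed extension)
            p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
            p.rename(p.with_name(p.name + ".locked"))
        skipped = backup_report(backups, tuesday)  # Tuesday's report if Monday's job never ran
        take_snapshot(share, backups, monday)       # the nightly job dutifully backs up ciphertext
        report = backup_report(backups, tuesday)    # fresh and intact, yet full of encrypted files
        restore(backups, monday, root / "restored_latest")
        used = restore(backups, sunday, root / "restored_sunday")
        return {
            "latest_has_clean_budget": (root / "restored_latest" / "budget.xlsx").exists(),
            "sunday_snapshot": used.name,
            "sunday_budget": (root / "restored_sunday" / "budget.xlsx").read_bytes(),
            "monday_skipped_ok": skipped["ok"],
            "monday_ran_ok": report["ok"],
        }
```

Call `run_demo()` to walk the scenario: restoring "latest" hands back the locked files, restoring Sunday hands back clean data, and the report fails when Monday's job is skipped (the newest snapshot is two days old) but passes once it runs, because the Monday copy is fresh and intact even though it is full of ciphertext. That is precisely why older versions must be kept: the daily report proves the backup ran and was not corrupted in transit, not that its contents are worth restoring.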
A good data backup is just about the only answer after you are hit with ransomware. But is that really prevention? I guess not. The sad story is that there is nothing that can absolutely guarantee you'll be ransomware free. But we can make the odds more in your favor. The bad guys are going to get someone. Your best bet is to make it happen to someone else. These guys are smart, but they are also lazy. They go for the low-hanging fruit. Here are some suggestions:
- Make sure you have good anti-virus software installed. And make sure it is always up to date!
- One anti-virus is good. Two is better. We require all of our clients to have a second-opinion anti-virus program on each computer. (Second-opinion means an on-demand scanner you run alongside your main product, not a second always-on engine; two real-time engines fight each other.)
- Secure your borders. Make sure you have a good firewall protecting your network, and that the security subscription is up to date. Just like the data backups, you need someone keeping their eyes on your firewall to know if it is doing its job. Who is watching your firewall?
- Anti-spam. Spam is not just annoying, it is the carrier of many virus attacks, including the attachments and links that deliver ransomware. Don't cheap out on this one. The built-in spam filter for Office 365 is not good enough.
- Keep software up to date. Your operating system (Microsoft Windows) and all third-party applications (Adobe Reader, Flash, Java, etc.) need to be patched regularly. Who is responsible for this in your organization? How do you know it's actually happening? If you can't answer that, fix it fast.