Cloud Benefits for SMBs: Spotlight on Ransomware

Since our last chat about cloud benefits and the threat of ransomware, we have seen increased incidents with our on-premise customers and the industry in general. The level of sophistication of the attacks is increasing and smaller businesses are being targeted more than ever before.

What is ransomware?
Ransomware, in general, is software that spreads virally through vulnerabilities and security holes in systems. Attackers often use a “phishing” email, a faked email used to get a user to click on a link and unknowingly install malware, to infect the employee’s local machine and grant access to your network.

Once the ransomware infects a host, it looks for critical data and uses encryption to lock that data and render it unusable. The key to unlocking the data is held on the cyber-criminal’s server and victims must pay a fee to unlock their data. The fee must usually be paid using Bitcoin, a form of internet digital currency that can be difficult to locate and purchase and can be quite expensive. A message displayed to the user on their computer system informs them of the ransom and includes a dashboard showing how the price of the ransom goes up as time passes towards an ultimatum time limit. If the time limit is reached the key to unlock will be erased. Understandably, this causes stress and urgency to pay as soon as possible.

Who does this and why?
The world has seen some significant security events in the past several years, most notably the WannaCry ransomware outbreak starting on May 12, 2017. The attack held healthcare organizations in Britain hostage and inhibited admissions and critical surgeries from being performed. Many other organizations, large and small, around the globe were affected as well.

Hackers often choose holidays to attack, knowing that many businesses employ a skeleton crew or are closed. On Christmas Eve 2018, the world experienced a massive ransomware attack that was not a gift from Santa. Hackers previously infected systems with a malware trojan called TrikBot and used it to deploy a ransomware virus called Ryuk. Ryuk is more advanced than others, it has the capability to encrypt network shares, delete backups, and disable system recovery options in windows automatically. Without an external backup, the only option for recovery is to pay the ransom.

Why do hackers do this? Quite simply, ransomware is a billion dollar business run by cyber-criminals around the world who hold companies and their business data hostage. Hackers residing in countries that do not cooperate with foreign governments and InterPol have a safe haven to treat hacking as a business model.

From Wikipedia with respect to WannaCry: “Three hardcoded bitcoin addresses, or 'wallets', are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown. As of 23 May 2017, at 5:00 UTC, a total of 297 payments totaling $106,180.44 had been transferred.”

WannaCry was fortunately cut short of its full potential by a security researcher who stumbled upon the “kill switch” by accident and stopped the global outbreak. However, we all expected a new attempt soon after and have seen several devastating attacks since.

How do I protect my business?
Ransomware spreads using known vulnerabilities and security holes. Unsuspecting users opening emails or attachments that appear to be legitimate, clicking on links and going to fake websites are some of the ways the ransomware gets launched in networks. The ransomware then exploits unpatched or improperly secured systems, encrypting data and spreading to the next host it can find.

WannaCry exploited a security vulnerability that was patched in mid-March of that year by Microsoft. Businesses that properly applied the security patch to all systems were largely unaffected by the outbreak. Defending your business from these attacks requires a layered security model that includes:

• A properly configured firewall that restricts traffic to only what is necessary for the business. This includes updating the firewall setting and firmware by a seasoned security professional every 6 months.
• Up-to-date antivirus software installed on all client and server machines, preferably with centralized management of deployment of signature updates on at least a monthly basis.
• Regular patching of all machines with centralized management, deployment, and reporting at least every 3 months if not more often.
• Documented security policies setting out best practices for employees.
• Education of employees around preventing phishing email attacks, clicking on spoofed external sites, and downloading software to the enterprise environment.
• Regular offsite backups of your business-critical data that allow for a minimal time period of loss.
• Testing of the restore operations so that the business is certain that the right data is being backed up correctly.
• Using cloud-based file storage and business software to segregate mission critical data from the local network.

How can the cloud help?
Properly setting up the layered security model above takes skill, time, and expense both initially and on an ongoing basis. In most cases, both the hard and soft costs can be more than SMBs can afford on their own. Using cloud-based file storage and business applications keeps your data and critical operations locked down outside of your local network where it is harder for infections of malware to spread.

ECI maintains a robust cloud environment deploying some of the best security technology; it already hosts over 2,000 customers around the world. It has been in operation for more than seven years. Security operations, backups and failover are performed at secure data centers that house many large servers, networking equipment, and storage arrays. We employ a layered security model that protects data and operations from attacks. The data centers are managed by professional IT personnel with experience in the cloud environment who dedicate themselves to our software. We have relationships with our hardware vendors, security consultants, and software providers (Microsoft, for example) who we can reach out to on a moment’s notice and receive an immediate response, even on holidays and weekends. These things are not only expensive they require scale of operations to be successful.

Through scale of operations, ECI can help you reduce the operational risks to your business at a more affordable cost than a stand-alone operation. Ignoring the risks to your business operations in light of today’s challenging security environment is a choice. However, we value your business and want to help you proactively avoid a disaster.

Sources:
WannaCry ransomware attack.
Ransom: Win32/WannaCrypt, May 23, 2017
Ryuk ransomware attack