Ransomware is a type of malware that prevents or limits users from accessing their system or data. It forces its victims to pay a ransom through certain online payment methods in order to regain access to their systems or to unlock their data.
Users may encounter this threat in a variety of ways. Ransomware can be downloaded when a user visits a malicious website, it can be downloaded by other malware already on the machine, and some ransomware is delivered as an attachment to spammed email. Once executed on the system, ransomware either locks the computer screen or encrypts a predetermined set of files with a key the victim does not have. In both cases the malware then displays instructions on how the victim can pay the ransom. The second, encrypting type targets files such as documents, spreadsheets and other important data.
Attackers may use one of several different approaches to extort money from their victims:
- After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever. These ransoms are often required to be paid in hard-to-trace Internet currency.
- The victim is tricked into believing he is the subject of a police investigation. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.
- The malware encrypts the victim’s data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransomware software on legitimate websites.
Security companies, which first identified the CryptoLocker attacks in September 2013, believe that the virus struck 250,000 computers in its first 100 days. Other security researchers believe the latest versions of ransomware were created by hackers in Eastern Europe and Russia. The hackers conceal their identities by deploying the virus through the dark web. The dark web, an unindexed arm of the Internet, allows users to bounce their communications through multiple computer servers to make them nearly impossible to trace.
The hacker infects computers by sending tainted e-mails, often with PDF attachments, that appear to come from the FBI, local police agencies or package delivery services such as UPS and FedEx. When the user opens the e-mail or the attached file, the virus infects the PC. The hacker will also implant the virus on websites and then try to lure people there, often with pornography or the promise of free items.
The best way to combat the CryptoLocker virus or other ransomware is to establish a line of defense using paid-for security software from a reliable security software vendor. Keep both the application and its virus definition lists up to date; virus definitions are the lists of malware and viruses that the program knows how to detect and address. Using spam-blocking software or a spam-filtering hardware appliance will limit the number of tainted emails that reach your inbox in the first place.
Last, but certainly not least, always keep multiple copies of your data. The best way to recover from a ransomware virus is not to give in and pay the ransom, but rather to wipe the hard drives of the infected machines, reload them, and then restore the data from backup. Sometimes having principles and not paying the ransom is not the easiest way, but it’s the best way!
And why it could easily happen to your practice or business
Despite MedStar undoubtedly having a very large IT cybersecurity budget, they still fell victim to a ransomware virus allegedly after an employee clicked on a link in an email. The chain of events found its way to an unpatched Linux server that had a security vulnerability on it that dated all the way back to 2008. The Linux software manufacturer developed and supplied a fix for the security issue shortly after it was discovered in the same year, but MedStar’s technical support team left it unpatched.
That leads me to ask: how many machines are still left without the proper security updates applied at their locations, and more importantly at your location? Any single workstation, much less a server, can have over a dozen pieces of software that need to be constantly updated. Adobe Reader, Adobe Flash Player, Java and Microsoft Office, to name only a few, regularly have security flaws and vulnerabilities that are recognized by the software vendor, who subsequently issues a fix in the form of a download. Most of these fixes have to be downloaded and applied manually. So, if you have a small practice or business without a dedicated technical person looking for these types of issues, you should ask yourself who is making sure that these updates are being applied and that they are current.
Another question that needs to be answered about the MedStar event is why it took so long for MedStar to restore their data and bring their systems back online. Reports have suggested that it took close to a week for that to happen. One would imagine that MedStar would have state-of-the-art data backup systems with multiple options for restoration. The best way to combat a ransomware virus is to accept that you had weaknesses in your cyber-defenses, concede that you had a “they got me” moment, and not pay the ransom but rather move on to the data restoration process as soon as possible. With the correct layers of backup, your server should be restorable in a time measured in hours, not days.
Questions to ask yourself about your small or medium-sized business or medical practice IT system:
- Is my front-end security in place?
- Is my firewall current and does it have the latest firmware updates applied?
- Do all of my servers and workstations have the LATEST anti-virus version and definition updates applied?
- Are my data backup systems current and operational?
- Is my data backup an automated process or does it rely on a person to manually perform this function?
- Has my data backup actually been tested to see if it can restore the files that I need restored?
- Is there a layered approach to my backups?
- Do I have an off-site data restoration option in the event that there is a major catastrophe at my place of business?
- Have my employees / end-users been educated on what to do and not to do when using company IT systems?
- Do I have an IT manual that outlines what is expected of my employees as it relates to the IT systems?
- Is there a formal disaster recovery plan in place that details the steps to take to recover from a significant IT security event?
If you answered “no” to any of the above questions, then it’s time to make a change regarding your IT system management.
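Several of the questions above (firewall state, patch currency, anti-virus definitions, backup freshness) can be answered on a single Windows machine with a few built-in cmdlets. The script below is an added example, not part of the original article or of Kenneally Technology Services’ tooling. It assumes Windows 8 / Server 2012 or later (for `Get-NetFirewallProfile`), Windows Defender as the anti-virus (a third-party product is reported as “check manually”), and a backup folder whose path (`D:\Backups`) is a placeholder you replace with your own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: quick self-check of a few items from the checklist above.
# Assumes Windows 8 / Server 2012+; Defender cmdlets optional; backup path is a placeholder.

$report = [ordered]@{}

# Firewall: is every profile (Domain, Private, Public) enabled?
$profiles = Get-NetFirewallProfile
$profilesOff = @($profiles | Where-Object { $_.Enabled -ne 'True' })
$report['Firewall enabled on all profiles'] = ($profilesOff.Count -eq 0)
if ($profilesOff.Count -gt 0) {
    $report['Firewall profiles disabled'] = ($profilesOff.Name -join ', ')
}

# Patching: when was the most recent update installed? (InstalledOn is blank for some entries.)
$lastHotfix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastHotfix) {
    $report['Last update installed'] = $lastHotfix.InstalledOn.ToShortDateString()
    $report['Updated within 30 days']  = ($lastHotfix.InstalledOn -gt (Get-Date).AddDays(-30))
} else {
    $report['Last update installed'] = 'no dated hotfix entries found'
}

# Anti-virus: Windows Defender signature age, if the Defender module is present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    $report['AV real-time protection on'] = $mp.RealTimeProtectionEnabled
    $report['AV signature age (days)']    = $mp.AntivirusSignatureAge
    $report['AV signatures within 3 days'] = ($mp.AntivirusSignatureAge -le 3)
} else {
    $report['AV status'] = 'Defender cmdlets not available; check your AV console manually'
}

# Backups: is the newest file in the backup target less than a day old?
$backupRoot = 'D:\Backups'   # placeholder; point this at your real backup target
if (Test-Path $backupRoot) {
    $newest = Get-ChildItem $backupRoot -Recurse -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
    if ($newest) {
        $report['Newest backup file']   = $newest.FullName
        $report['Backup newer than 24h'] = ($newest.LastWriteTime -gt (Get-Date).AddHours(-24))
    } else {
        $report['Backup'] = "no files found under $backupRoot"
    }
} else {
    $report['Backup'] = "backup folder $backupRoot not found"
}

# Print the checklist; any 'False' line is a question you just answered "no" to.
$report.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

A “True” on the backup line only shows that something was written recently; it does not answer the restore-test question above, which still requires actually restoring a file from the backup and opening it.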
If you have questions about this article, please contact Dave Thomas, Director of Technology Services, Kenneally Technology Services, 443.829.9897, firstname.lastname@example.org.
Credit rating agency Moody’s Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services.
Read the complete article from InfoRiskToday
J. L. Kenneally & Company (the parent company of Kenneally Technology Services) will be inducted into the Baltimore County Chamber of Commerce Hall of Fame on Thursday, November 19th and will join well-known area businesses and organizations such as:
- AAI Corp.
- Advance Business Systems
- Verizon Maryland
- McCormick and Co.
- Towson University
For more than 30 years, J. L. Kenneally & Company has provided quality tax, accounting and business consulting to closely-held businesses and their owners. Our firm’s experience and expertise are backed by an extraordinary dedication to providing a superior level of client service.
Security update for Windows: November 10, 2015
Causes Microsoft Outlook to crash, network sign-in issues and Windows desktop black screens.
The security patch KB 3097877, which was part of the November 10th list of Windows updates, belongs to security bulletin MS15-115, a “critical update” in Microsoft’s lexicon, and is designed to prevent remote code execution triggered by malicious fonts.
It appears to have caused multiple issues including causing MS Outlook to crash, preventing network sign-ins and black screens with no other icons or backgrounds.
If you are experiencing these issues after Tuesday, November 10th, re-run Windows update and apply all of the latest updates.
You can do this in one of two different ways:
Access CONTROL PANEL from your Windows computer and choose to view the control panel with the “small icons” view (a drop-down option in the upper right-hand corner of the control panel window). Open the Windows Update icon and, once Windows Update is open, click on “Check for updates” on the left-hand side. Choose to apply all of the available updates and reboot when they have finished being applied.
Your computer may also have a Windows Update icon in the system tray, which is the list of icons in the bottom right-hand corner of your Windows desktop next to the system clock. If you hover your mouse pointer over this icon it will say Windows Update. Click the small icon and proceed to apply the updates that are available.
In some instances, you may be required to uninstall the security update in question (KB 3097877) prior to re-applying the new version of the update which resolves the issues.
To do this, access the CONTROL PANEL and Windows Update in much the same way as described above. Choose “Update History” or “View Installed Updates”. Sort the list of security updates by date by clicking on the date column header. Locate KB 3097877 (from November 2015) and double-click it to uninstall. Reboot your computer after the update has been uninstalled, and then follow the directions at the top of this bulletin to re-apply the re-released version of this security update.
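For administrators who would rather do the same check, uninstall and re-apply steps from an elevated PowerShell prompt than from the Control Panel, the script below is an added example; it is not part of the original bulletin. It uses only components built into Windows: `Get-HotFix` and `wusa.exe` for the uninstall, and the Windows Update Agent COM API (`Microsoft.Update.Session`) for the re-install, since the PSWindowsUpdate module is not present by default. Run it once with `-Action Uninstall`, reboot as the bulletin says, then run it with `-Action Reinstall`.

```powershell
# Added example: check / remove / re-apply KB3097877 (MS15-115) from PowerShell.
# Usage:  .\Fix-KB3097877.ps1 -Action Check|Uninstall|Reinstall   (elevated prompt)
param(
    [ValidateSet('Check', 'Uninstall', 'Reinstall')]
    [string]$Action = 'Check'
)

$kb      = 'KB3097877'              # update named in the bulletin
$kbDigits = $kb -replace '^KB', ''  # wusa and the WUA API want the bare number

function Get-KbStatus {
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { "$kb is installed (InstalledOn: $($hf.InstalledOn))" }
    else     { "$kb is not installed" }
}

switch ($Action) {
    'Check' { Get-KbStatus }

    'Uninstall' {
        if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
            "$kb is not installed; nothing to remove"; break
        }
        # /norestart lets you reboot on your own schedule; exit code 3010 means
        # "success, restart required", 0 means success, anything else is a failure.
        $p = Start-Process -FilePath wusa.exe `
             -ArgumentList "/uninstall /kb:$kbDigits /quiet /norestart" `
             -Wait -PassThru
        "wusa.exe exit code: $($p.ExitCode)"
        if ($p.ExitCode -in 0, 3010) { "Reboot now, then run this script with -Action Reinstall" }
    }

    'Reinstall' {
        # Ask the Windows Update Agent for updates not yet installed and pick the
        # one whose KB list contains 3097877 (the re-released build keeps the same KB number).
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $found    = $searcher.Search("IsInstalled=0 and Type='Software'")
        $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
        foreach ($u in $found.Updates) {
            if (@($u.KBArticleIDs) -contains $kbDigits) {
                if (-not $u.EulaAccepted) { $u.AcceptEula() }
                [void]$toInstall.Add($u)
                "Found: $($u.Title)"
            }
        }
        if ($toInstall.Count -eq 0) {
            "Windows Update is not offering $kb yet; re-run 'Check for updates' later"; break
        }
        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $toInstall
        [void]$downloader.Download()
        $installer = $session.CreateUpdateInstaller()
        $installer.Updates = $toInstall
        $result = $installer.Install()
        # ResultCode 2 = succeeded, 3 = succeeded with errors, 4 = failed
        "Install ResultCode: $($result.ResultCode); reboot required: $($result.RebootRequired)"
        Get-KbStatus
    }
}
```

The `Check` action is safe to run on every machine in the office first; it tells you which ones still carry the original November 10th build and therefore need the uninstall-reboot-reapply cycle rather than just a normal “Check for updates”.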
If you would like some guidance or assistance with this issue please contact us.