Defending Against Ransomware – Cryptolocker, Cryptowall and Variants
As you may have seen in the news, computer networks across the world are under attack by a serious threat called “ransomware.” Two of the most notorious families are CryptoLocker and CryptoWall. These pieces of malware, and their many variants, target computers running Microsoft Windows and generally spread through infected e-mail attachments. Once the user opens the infected attachment, the malware installs itself on the host computer. It then encrypts files stored locally on that computer as well as on any mapped network drives – for example, the files on your server, on connected flash drives and on other external USB drives. The malware then holds your encrypted data for ransom – e.g. “pay this dollar amount (usually several hundred dollars) to decrypt your data.” Ransomware has infected a number of businesses throughout the DC metro area – we saw two major law firms attacked on a single day.
There is no effective way to decrypt the files once they are encrypted (other than paying the ransom – generally people who pay have indeed been sent decryption keys, but there is no guarantee that this will happen). The only reliable way to recover your data from this type of infection is to restore it from the most recent backup. This process can be time consuming and expensive if you are infected with CryptoLocker, CryptoWall or one of their variants. It is very important that you engineer a secure backup solution that is impervious to ransomware: because the malware also encrypts mapped network drives, a backup that an infected workstation can reach as a drive letter is not a safe backup.
While the standard security suites we install provide a great measure of protection, they are not infallible. New variants of ransomware are cropping up daily.
We cannot state this strongly enough: THERE IS NO SILVER BULLET THAT PROTECTS AGAINST ALL RANSOMWARE.
Sensei has continuously followed the debate about how best to protect IT clients. Even experts disagree on this issue.
There are solutions that can help prevent some of the variants from installing on your system. One such piece of software, CryptoPrevent, can prevent (in large measure) Windows computers from being infected by ransomware. This software is relatively inexpensive, costing $15 or less per computer depending on the number of licenses needed. Its configuration must be customized for each client, depending on which applications need to be allowed to run on your systems, so it will require input from you. It will also take some amount of time and money, as each computer is configured manually. Another “no software cost” alternative is to configure Windows policies to achieve the same operational restrictions that CryptoPrevent provides. The difference is that CryptoPrevent is updated automatically, whereas the “no software cost” solution is static and must be maintained by hand.
Sensei has now seen enough ransomware infections in our area that we recommend you invest in this software, which operates very differently from your current security suites. Please note that, if you accept this recommendation, you may get “pushback” from employees who are accustomed to installing any software they want. CryptoPrevent has proven to be quite effective because it disallows the installation and execution of software unless it has been whitelisted; an employee would need internal authority to have a program whitelisted and would then have to contact their IT provider to do the whitelisting. We now regard the risk of infection as high enough that this kind of precaution is warranted, even as we tell you that no solution has been 100% effective.
It is imperative to forbid employees from whitelisting programs on their own or from disabling the software. The same applies to any security software.
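The advisory recommends restricting execution to whitelisted programs, whether through CryptoPrevent or through Windows policy. The following PowerShell script is an added example, not part of the original advisory or of CryptoPrevent, that audits whether the Windows-policy route is actually in force: it exports the effective AppLocker policy and asks AppLocker how executables already sitting in user-writable folders (where attachment-borne malware lands) would be treated for a standard user. It assumes AppLocker is the policy mechanism in use (rather than Software Restriction Policies), that the Application Identity service is running, and an elevated session.

```powershell
# Added example (not the advisory's or CryptoPrevent's code): audit whether the
# effective AppLocker policy would block executables launched from the
# user-writable folders that e-mail-attachment malware typically drops into.
# Assumes AppLocker is available on this Windows edition and that the
# Application Identity service is running. Run from an elevated session.

# User-writable locations a standard user can write to without admin rights.
$userWritable = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads')
)

# Export the effective policy (local plus domain-applied rules) as XML.
$policyPath = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $policyPath -Encoding UTF8

# Gather every .exe already present in those folders as test subjects.
$candidates = foreach ($dir in $userWritable) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Include *.exe -File -ErrorAction SilentlyContinue
    }
}

if (-not $candidates) {
    Write-Output 'No executables found in user-writable locations to test.'
    return
}

# Ask AppLocker how each file would be treated for a standard (non-admin) user.
# PolicyDecision is Allowed, AllowedByDefault, Denied or DeniedByDefault.
$results = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates.FullName -User 'Everyone'

# Every Allowed result is a gap: a payload dropped into the same folder
# would run exactly as that legitimate file does.
$results |
    Sort-Object PolicyDecision |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

$allowed = @($results | Where-Object { $_.PolicyDecision -like 'Allowed*' })
Write-Output ('{0} of {1} executables in user-writable paths would be allowed to run.' -f $allowed.Count, $results.Count)
```

If no AppLocker policy exists at all, every file comes back AllowedByDefault, which is the state the advisory's Windows-policy alternative is meant to replace.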
The most common way that businesses get ransomware? Employees click on an attachment or a malicious link in an e-mail. This brings us to another important point: one of the most often-overlooked aspects of an organization’s security readiness is end-user training. Knowing what not to click on is just as important as having security software installed when it comes to preventing these kinds of malware outbreaks. Sensei offers this training with our principals, John Simek and Sharon Nelson, who are nationally recognized speakers on this topic. We recommend that this software, along with your security suites, be part of your overall business information security protection, which should also include your firewall, IDS/IPS device, physical security, security awareness training, etc.
To arrange training, a backup solution impervious to ransomware, or the installation of CryptoPrevent, call us at 703-359-0700 or write CEO/Director of Cybersecurity and Digital Forensics Michael Maschke at or at 703.359.0700.