This is an important security advisory. We highly suggest you read this and distribute relevant sections to your employees to protect your organization from potential loss of data and revenue.
Over the last year we have observed a sharp increase in both the infection rate and damage resulting from malicious software (malware) classed as “ransomware”. Since September of last year, when CryptoLocker was first observed, a number of variants have sprung up, but all follow a similar modus operandi:
- Infect a PC by tricking the user into running the malicious software
- Encrypt crucial files (such as documents, emails and your Readysell database) -blocking access to them
- Demand payment from the user in exchange for access to your files
Infection rates over the last couple of weeks have accelerated and we have now had a number of customers who have lost large chunks of data which they have not been able to fully recover. As such, we’re sending out this notice to remind you of some important practices you can use to keep yourself safe and to answer some common questions.
Preventing infection in the first place
Update and run your anti-malware software
Your anti-malware software (such at Microsoft Security Essentials, Windows Defender and Malwarebytes) should be set to always download automatic definition updates and full scans should be run on a regular basis. This should be performed on both your server and client PCs. Readysell has a PC maintenance guide available that goes into detail about what you should be doing to ensure you are protected.
Be suspicious of unsolicited email
If you’re receiving an email from an unknown source, or someone you don’t usually communicate with by email (especially if it has an attachment), chances are high that you’re being sent malicious software. Even with up to date anti-malware software, it’s possible to be infected.
Some common scams used to distribute malware or steal personal information involve fake emails from banks, freight or postage services, and recently, the Australian Tax Office. Do not open attachments on or click on links in such emails. If you think the email is legitimate, visit the organization’s website directly (by typing the address into your web browser) and login to your account from there.
Here are some examples of recent scam emails that have been targeting Australians.
If you want more information about how to spot the signs of a dodgy email, please see this article.
Don’t download from untrusted sources
If you’re looking for software, it’s best to start from a trusted source such as the software vendor’s web site or a reputable software repository (we recommend FileHippo). If you Google (or Bing) what you’re looking for and end up on Joe Blogs’ software emporium, you could be getting more than you bargained for.
Servers gonna serve
Your server hosts your most critical business data. Not only is it where your Readysell database lives, but often it is a central repository for your company files and emails. As such, you should try to minimize the chance your server gets infected.
Only connect to your server when you have to perform specific server-related tasks. Don’t use it as a workstation, and certainly don’t use it to browse the Internet or check your email. Doing so increases the chances your server gets infected.
Limiting damage in case you are infected
Maintain good backup practices
Sometimes no matter how hard you try, things are out of your control. If you do get infected, you need a way to get back on your feet quickly. This means ensuring you have recent and complete backups of your data.
Readysell recommends you always have at least three copies of your data (the 3-2-1 rule). This means that you have a redundant backup (in case one backup fails).
- Your original, working copy (e.g. your Documents folder or Readysell production database)
- An on-site backup
- Having one backup on-site means that in most cases you are able to get up and running quicker
- We recommend that you have at least one on-site backup that is not readily accessible from your server, ensuring if you are infected, your backup files cannot also be encrypted
- An off-site backup
- We recommend using a reputable cloud backup provider (such as Readysell Cloud Backup)
- Alternatively, you can backup to a portable storage device and take it home with you each day
Have a business continuity plan
It might sound like something only Fortune 500 companies have to think about, but even a small businesses should have some plan about how they’re going to deal with the situation if the worst should happen. Some things to consider are:
- Who are you going to contact if you’re affected? Will you be able to get assistance in a timely manner?
- Do you have a spare PC on standby (or do you have a PC earmarked) to take the place of your infected server as an interim replacement?
- How long will it take you to restore all your data from a local backup and from the cloud?
- How will your business continue to operate in the mean time?
Dealing with an infection
Should I pay the ransom?
In most cases, there is no way to unlock files encrypted by ransomware without forking over a ransom (with the notable exception of the original CryptoLocker). This leaves many organizations and individuals faced with an ethical dilemma – pay the money, legitimizing and perpetuating the practice, or forever lose access to your files. Unfortunately, this isn’t the only problem. To make things worse, in many cases the ransomware continues to propagate long after payment channels are cut off (either by the authorities or by the malware creators themselves) and you may be left out of pocket and none the better off.
As such, it is our advice (and the advise of prominent companies such as Microsoft) not to pay the ransom and instead attempt recovery from your most recent backup.
Removing the malware
Each different malware infection works differently, so there’s no single method. The first thing we recommend is to make sure your anti-virus and anti-malware software is up to date, then running a full scan – record the name of the malware you’ve been infected with, then quarantine or remove anything that was detected.
As soon as is practical, we highly recommend contacting Readysell Support (or your IT Support provider) and notifying them of the issue. Should you wish to try going it alone, BleepingComputer.com has many comprehensive removal guides that we recommend you use to ensure all traces of the infection are removed.
Recovering your files
Once you are sure the infection has been eradicated, you can start restoring your files. Before you plug anything into your previously infected machine, we suggest you make a backup of your backups (just in case the malware is still active). This means should the ransomware ecrypt your backup and you have to start a restore again, you’ll have something to go back to.
There’s lots of resources online to learn more, some we suggest include: