This is an important security advisory. We highly suggest you read this and distribute relevant sections to your employees to protect your organization from potential loss of data and revenue.
A recent study from the Australian Cyber Security Centre noted the number of reported ransomware attacks increased by nearly 60 percent between 2013 and 2015 and added that it is the most prevalent type of attack facing businesses in Australia at the moment. With Kaspersky Lab reporting a 30% increase in just the last quarter, it’s more important than ever to take steps to prevent possible irreparable damage to your business.
Ransomware works in the following way:
- Infect a PC by tricking the user into running the malicious software
- Encrypt crucial files (such as documents, emails and your Readysell database) – blocking access to them
- Demand payment from the user in exchange for access to your files
Given the prevalence and impact of such malware, we’re sending out this notice to remind you of five important practices you should use to keep yourself safe.
1 – Be Prepared
Sometimes no matter how hard you try, things are out of your control. If you get infected, you need a way to get back on your feet quickly. This means ensuring you have recent and complete backups of your data.
Readysell recommends you always have at least three copies of your data (the 3-2-1 rule), so that you have a redundant backup in case one backup fails:
- Your original, working copy (e.g. your Documents folder or Readysell production database)
- An on-site backup
  - Having one backup on-site means that in most cases you are able to get up and running quicker
  - We recommend that you have at least one on-site backup that is not readily accessible from your server, ensuring that if you are infected, your backup files cannot also be encrypted
- An off-site backup
  - We recommend using a reputable cloud backup provider (such as Readysell Cloud Backup)
  - Alternatively, you can back up to a portable storage device and take it home with you each day
Also, if you have the option to do so, activate Volume Shadow Copy on your PCs. This feature maintains previous versions of files in a location that is not accessible by current samples of CryptoLocker. Once the malware has been removed from an infected PC, files mirrored by the Volume Shadow Copy service can be recovered by the user.
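The following script shows how the 3-2-1 rule and the "backup that cannot also be encrypted" point can be turned into a routine check. It is an added example, not a Readysell tool: the directory layout, the `manifest.json` file written at backup time, the 24-hour freshness window and the sample backup contents are all constructed for illustration. A backup that ransomware has overwritten no longer matches the hashes recorded when it was taken, so the audit reports it instead of silently counting it as a third copy.

```python
"""3-2-1 backup audit with a hash manifest so an encrypted copy is noticed.

Added example, not Readysell's tooling. Paths, the manifest layout and the
24-hour freshness window are assumptions made for illustration.
"""
import hashlib
import json
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str      # e.g. "onsite-nas", "offsite-cloud"
    path: str       # directory holding the backup files and manifest.json
    offsite: bool   # True if the copy lives outside the office
    medium: str     # "disk", "nas", "cloud" ... used for the "2 media" test


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(directory: str) -> None:
    """Record the SHA-256 of every file in a backup directory (run at backup time)."""
    entries = {}
    for name in sorted(os.listdir(directory)):
        if name != "manifest.json":
            entries[name] = sha256_of(os.path.join(directory, name))
    with open(os.path.join(directory, "manifest.json"), "w") as f:
        json.dump({"created": time.time(), "files": entries}, f)


def verify_copy(copy: BackupCopy, now: float, max_age_s: float = 86400) -> list:
    """Return a list of problems with one backup copy (empty list = healthy)."""
    problems = []
    manifest_path = os.path.join(copy.path, "manifest.json")
    if not os.path.exists(manifest_path):
        return [f"{copy.label}: no manifest.json"]
    with open(manifest_path) as f:
        manifest = json.load(f)
    if now - manifest["created"] > max_age_s:
        problems.append(f"{copy.label}: backup older than {max_age_s / 3600:.0f}h")
    for name, expected in manifest["files"].items():
        full = os.path.join(copy.path, name)
        if not os.path.exists(full):
            problems.append(f"{copy.label}: {name} missing")
        elif sha256_of(full) != expected:
            # A hash mismatch is what a backup encrypted in place looks like.
            problems.append(f"{copy.label}: {name} content changed since backup")
    return problems


def audit_321(copies: list, now: float) -> dict:
    """Check the 3-2-1 rule: >=3 copies, >=2 media, >=1 off-site, all verifiable."""
    problems = []
    for c in copies:
        problems.extend(verify_copy(c, now))
    media = {c.medium for c in copies}
    offsite = any(c.offsite for c in copies)
    ok = len(copies) >= 3 and len(media) >= 2 and offsite and not problems
    return {"copies_ok": len(copies) >= 3, "media_ok": len(media) >= 2,
            "offsite_ok": offsite, "problems": problems, "compliant": ok}


def demo() -> dict:
    """Constructed scenario: three copies, but the reachable on-site one was overwritten."""
    root = tempfile.mkdtemp()
    copies = []
    for label, offsite, medium in [("primary", False, "disk"),
                                   ("onsite-nas", False, "nas"),
                                   ("offsite-cloud", True, "cloud")]:
        d = os.path.join(root, label)
        os.mkdir(d)
        with open(os.path.join(d, "readysell.bak"), "wb") as f:
            f.write(b"sample database dump " * 100)   # constructed content
        write_manifest(d)
        copies.append(BackupCopy(label, d, offsite, medium))
    # Simulate ransomware overwriting the on-site backup the server could reach.
    with open(os.path.join(root, "onsite-nas", "readysell.bak"), "wb") as f:
        f.write(os.urandom(2000))
    return audit_321(copies, time.time())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it on a schedule from a machine other than the server, and keep the manifest with the copy it describes; if the copy the server can reach is ever reported as changed, treat that as a sign of infection rather than a backup glitch.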
You should also have a broader business continuity plan to deal with the situation if the worst should happen. Some things to consider are:
- Who are you going to contact if you’re affected? Will you be able to get assistance in a timely manner?
- Do you have a spare PC on standby (or do you have a PC earmarked) to take the place of your infected server as an interim replacement?
- How long will it take you to restore all your data from a local backup and from the cloud?
- How will your business continue to operate in the meantime?
2 – Be protected
Firstly, you should regularly update and run your anti-malware software. Software such as Microsoft Security Essentials, Windows Defender and Malwarebytes should be set to always download automatic definition updates, and full scans should be run on a regular basis. This should be performed on both your server and client PCs. Readysell has a PC maintenance guide available that goes into detail about what you should be doing to ensure you are protected.
We also recommend installing a dedicated third-party malware prevention tool such as CryptoPrevent. CryptoPrevent is a free tool that modifies the existing security settings in Windows to block ransomware from running even if it’s already made it onto your system. We recommend running CryptoPrevent in either “Default” or “Maximum Protection” modes. If you choose “Maximum Protection” though, please read and understand the caveats. Also, please note Readysell will not operate correctly if “Program Filtering” is enabled.
3 – Be suspicious
If you’re receiving an email from an unknown source, or someone you don’t usually communicate with by email (especially if it has an attachment), chances are high that you’re being sent malicious software. Even with up to date anti-malware software, it’s possible to be infected. Don’t download or open email attachments you weren’t expecting. If you want more information about how to spot the signs of a dodgy email, please see this article.
If you’re looking for specific software, it’s best to start from a trusted source such as the software vendor’s web site or a reputable software repository (we recommend FileHippo). Don’t download from untrusted sources. If you Google (or Bing) what you’re looking for and end up on Joe Blogs’ software emporium, you could be getting more than you bargained for.
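The warning signs above (an unfamiliar sender, an unexpected attachment, an attachment that is really a program) can be checked mechanically before anyone double-clicks. The script below is an added example, not a Readysell product or a recommendation of any specific mail filter: the known-contacts list, the set of risky file extensions and the sample message are constructed for illustration, and a real deployment would feed it messages from the mail server rather than building them in code.

```python
"""Flag the email warning signs the advisory describes before an attachment is opened.

Added example, not Readysell's tooling. The contact list, extension set and the
sample message are constructed for illustration.
"""
from email import message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# File types that run code when opened (constructed list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".jar",
                    ".ps1", ".docm", ".xlsm", ".zip"}
# Extensions commonly used as a disguise in front of a real executable extension.
DISGUISE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}


def attachment_names(msg: Message) -> list:
    """Return the filename of every attachment in a parsed message."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def screen_email(raw: bytes, known_contacts: set) -> list:
    """Return a list of warnings; an empty list means nothing was flagged."""
    msg = message_from_bytes(raw)
    warnings = []
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    attachments = attachment_names(msg)

    if addr not in known_contacts:
        warnings.append(f"sender {addr or '(none)'} is not a known contact")
    for name in attachments:
        parts = name.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            warnings.append(f"attachment {name} has a risky extension {ext}")
        if len(parts) > 2 and "." + parts[-2] in DISGUISE_EXTENSIONS:
            warnings.append(f"attachment {name} uses a double extension")
    if attachments and addr not in known_contacts:
        warnings.append("unexpected attachment from an unknown sender: "
                        "do not open it; confirm with the sender by phone")
    return warnings


def build_sample(sender: str, filename: str = None) -> bytes:
    """Construct a sample message (and optional attachment) for the demonstration."""
    msg = MIMEMultipart()
    msg["From"] = sender
    msg["To"] = "office@example-shop.invalid"
    msg["Subject"] = "Outstanding invoice"
    msg.attach(MIMEText("Please see the attached invoice."))
    if filename:
        part = MIMEApplication(b"not a real program", Name=filename)
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)
    return msg.as_bytes()


if __name__ == "__main__":
    contacts = {"supplier@example-shop.invalid"}
    suspicious = build_sample("Accounts <accounts@unknown-supplier.invalid>",
                              "Invoice_2016.pdf.exe")
    for w in screen_email(suspicious, contacts):
        print("WARNING:", w)
    print("clean message:", screen_email(build_sample("Supplier <supplier@example-shop.invalid>"), contacts))
```

The double-extension check matters because Windows hides known extensions by default, so `Invoice_2016.pdf.exe` is displayed as `Invoice_2016.pdf`; turning that setting off on staff PCs removes the disguise without any scripting.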
4 – Be disciplined
Your server hosts your most critical business data. Not only is it where your Readysell database lives, but often it is a central repository for your company files and emails. As such, you should try to minimize the chance your server gets infected. Only connect to your server when you have to perform specific server-related tasks. Don’t use it as a workstation, and certainly don’t use it to browse the Internet or check your email. Doing so increases the chances your server gets infected.
5 – Be educated
There are many resources online to learn more; some we suggest include:
- Ransomware and you! | Readysell
- New ransomware campaign advisory | CERT Australia
- Ransomware | Microsoft Malware Protection Centre
- Ransomware | Malwarebytes Unpacked
- Alerts | Stay Smart Online
Once you understand the recommendations and have put them into practice yourself, spread the knowledge to your team to ensure everyone’s files are safe.