NHS Lanarkshire was attacked by a new variant of Bitpaymer last week. The cyber attack led to some appointments and procedures being cancelled. Staff worked over the weekend to reinstate IT systems, and are trying to establish how the malware was able to infiltrate the network without being detected.
This infection shows how disruptive ransomware can be. It encrypts the data it finds on an infected computer so that the data can no longer be accessed, then demands payment, often in Bitcoin, for its release.
This type of cyber attack can happen at any time, to anyone. The people who carry out these disruptive acts are opportunists, and we should all aim to make their job harder: strong passwords, regularly patched systems and backups of all files.
Most malware is made to look as though it has come from a trusted source, and a single click on a link or attachment is enough to cause widespread disruption. Having as many security measures in place as is practical, staying vigilant, and alerting colleagues to any unusual e-mails is the way forward.
There are many examples of individuals and organisations that have chosen to part with their cash, but there is no guarantee that by paying the ransom you will get your files or data back.
You are most welcome to give one of our consultants a call – to check that all has been done to keep a cyber attack at bay. Be prepared and be safe.
ADECS-Maple – 024 7699 5930
As you may be aware, a massive ransomware attack spread across the globe over the weekend, locking up thousands of systems in hospitals, telecommunications firms and utilities. Whilst the ransomware was first detected wreaking havoc across the NHS network, the infection quickly spread worldwide, with researchers observing 75,000 infections across 100 countries.
What is Ransomware?
Ransomware, a malicious program that locks a computer's files until a ransom is paid, is not new, but the scale of this attack by the WannaCry malware is unprecedented. According to specialists, the attack used an exploit leaked from the NSA's toolset to attack a flaw in the SMBv1 file-sharing service of unpatched versions of Microsoft Windows (the vulnerability fixed by MS17-010) and deliver the WanaCrypt0r ransomware.
So what has happened, and how can you protect your organisation from such an attack?
Take care when opening emails and clicking on links
- This is the most important and often neglected aspect of protection. WannaCry spread between vulnerable machines as a worm, exploiting unpatched Windows hosts over SMB without any user interaction at all. The initial entry point was widely reported at the time as someone opening an infected email attachment, although that was never confirmed: any machine exposing file sharing (port 445) directly to the internet could be infected without an email being involved. Either way, email remains the number one route for initial infection by ransomware generally, so organisations should have a strong policy for educating staff on what to look out for in emails, web links and other unsolicited correspondence on their computers, phones and tablets. Good user guidance and practice stops a large share of these attacks before any technical control is tested. IF YOU DON'T RECOGNISE THE SENDER, OR THERE IS ANYTHING REMOTELY SUSPICIOUS, THEN DO NOT OPEN THE EMAIL: report it to your IT team or delete it instead.
Update Windows software and all antivirus
- Ensure that your Microsoft Windows software is patched regularly. Microsoft released the fix for this vulnerability (MS17-010) in March 2017, but many businesses had not applied it, leaving their computers open to the attack. Where the old SMBv1 file-sharing protocol is not needed, disable it as well, and never expose file sharing (port 445) to the internet.
- Ensure that your anti-virus software is up to date and licensed, and that any security devices (firewalls, mail and web filters) are configured and being used appropriately.
Ensure you back up regularly
- The importance of this cannot be over-emphasised, as the simplest resolution to an encryption attack is to delete the affected data and restore it from a backup. Backing up to a local device or to another resource on the same network is NOT sufficient on its own: ransomware encrypts every drive and network share it can reach, so a backup that is permanently connected would be encrypted along with everything else. Backing up your data to an external source, such as our remote backup service, and conducting regular recovery exercises to prove the restore actually works, should enable you to recover quickly without paying a ransom, limiting the damage such an attack can do.
Should you require any further information or advice on how to keep safe, do not hesitate to give one of our team a call for a chat. Make sure you are taking the right precautions to keep your business safe and running. Call us on 024 7699 5930 or 024 7669 4489 for any concerns you may have or if you would like a full security review.
Maxine Bridgeman & Jonathan Howells
Many kinds of malware cause serious disruption and damage to businesses every day. Knowing the main varieties could save your business from harm. Here are just a few examples of the problematic programs.
Remote Access Trojan (RAT) malware usually arrives invisibly alongside a program the user asked for, such as a game, or as an e-mail attachment. It plants a back door that gives the attacker administrative control over the target computer.
A botnet is a group of compromised computers under an attacker's remote control, used to forward transmissions (including spam or further malware) to other computers on the Internet.
Browser-based malware (often called a man-in-the-browser attack) is a Trojan horse installed on the computer that is capable of modifying the user's web transactions, such as online banking sessions, as they occur in real time.
Ransomware is malware that restricts access to your computer or its information and demands that you pay a ransom to regain access.
Point-of-sale (POS) malware is a particularly nasty piece of software designed to steal customer payment data, especially card data, from retail checkout systems.
If you are worried or concerned about protecting your business from such malware, or have been affected by any of the issues, please do give us a call on 024 7699 5930 and speak to the ADECS team who can advise you on how to stay safe from such software problems.
C&W in Business. Issue 57 (Jan/Feb 2017)
“Locky” is the nickname of a new strain of ransomware, so-called because it renames all your important files so that they have the extension .locky.
Of course, it doesn’t just rename your files, it encrypts them first, and – as you probably know about ransomware – only the crooks have the decryption key.
You can buy the decryption key from the crooks via the so-called dark web.
The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).
The most common way that Locky arrives is as follows:
- You receive an email containing an attached document (Troj/DocDl-BCF).
- The document looks like gobbledegook.
- The document advises you to enable macros “if the data encoding is incorrect.”
- If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
- The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
- The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).
Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.
Locky also deletes any Volume Shadow Copy Service (VSS) snapshots, also known as shadow copies, that Windows has kept for you. It does this with the built-in vssadmin tool (vssadmin delete shadows /all /quiet), which is why that command appearing on an ordinary workstation is a strong early warning sign of ransomware.
Shadow copies are the Windows way of taking live backup snapshots without stopping work (you don't need to log out or even close your applications first), so they are a quick and popular way to recover an earlier version of a file. They are not a substitute for a proper backup: they live on the same disk as the originals, and ransomware running with enough rights simply removes them.
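Because wiping the shadow copies is such a reliable early signal, here is an added example (not code from ADECS or from the original article) of detection logic that flags shadow-copy deletion in process-creation logs. It generalises beyond Locky's vssadmin call to the other built-in tools ransomware uses for the same purpose (wmic shadowcopy delete, wbadmin delete catalog, vssadmin resize shadowstorage). It is written in Python over a constructed pipe-delimited export of Sysmon event 1 / Security event 4688-style fields; the log lines, host names, user names and paths are invented, and the severity rule (parent process is an Office application, a script host, or lives under a user-writable directory) is an assumption for illustration, not a vendor rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Command lines that destroy or disable Windows recovery data. Locky's shadow-copy wipe is
# the vssadmin form; the others reach the same goal with different tools (generalisation).
RECOVERY_WIPE_RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b"), "wbadmin delete"),
]

# Parents from which an administrator would never legitimately wipe shadow copies (assumed policy).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

FIELDS = ("timestamp", "host", "user", "parent_image", "image", "command_line")


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command_line: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed export line: time|host|user|parent_image|image|command_line."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def _normalise(command_line: str) -> str:
    # Lower-case, drop quoting and collapse whitespace so "Delete  Shadows" still matches.
    return re.sub(r"\s+", " ", command_line.replace('"', "").strip().lower())


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if the event's command line matches a recovery-wipe rule, else None."""
    cmd = _normalise(event["command_line"])
    for pattern, rule in RECOVERY_WIPE_RULES:
        if not pattern.search(cmd):
            continue
        parent = event["parent_image"].lower()
        parent_name = parent.rsplit("\\", 1)[-1]
        if parent_name in SUSPICIOUS_PARENTS or any(d in parent for d in USER_WRITABLE_DIRS):
            severity = "high"     # launched by a document, a script host or a dropped binary
        else:
            severity = "medium"   # still worth a ticket: confirm against change records
        return Alert(event["timestamp"], event["host"], event["user"], rule, severity,
                     event["command_line"])
    return None


def detect(lines) -> list:
    """Run every export line through the rules; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample export (invented hosts, users and paths).
SAMPLE_LOG = [
    "2016-02-17T09:12:03Z|WS-017|CORP\\jsmith|C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost_update.exe"
    "|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2016-02-17T09:12:05Z|WS-017|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe"
    "|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2016-02-17T22:00:01Z|SRV-BK01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe"
    "|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2016-02-17T09:15:40Z|WS-022|CORP\\apatel|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\apatel\\notes.txt",
    "this line is truncated and has no fields",
    "2016-02-17T09:16:11Z|WS-022|CORP\\apatel|C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"
    "|C:\\Windows\\System32\\cmd.exe|cmd.exe /c \"vssadmin delete shadows /all /quiet\"",
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.severity:<6}] {alert.timestamp} {alert.host} {alert.user}: "
              f"{alert.rule} <- {alert.command_line}")
```

Listing shadow copies (the backup service account's "vssadmin list shadows") is deliberately not matched, and the same vssadmin delete reached through "cmd.exe /c" is still caught because the match is on the normalised command line rather than on the image name alone. In a live SIEM the medium-severity hits from an administrator's console are the ones to reconcile against planned maintenance; the high-severity hits from an Office parent are the ones to isolate the host for.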
Once Locky is ready to hit you up for the ransom, it makes sure you see its message by changing your desktop wallpaper to the ransom note.
If you visit the dark web page given in the note, you receive the payment instructions, at the prices quoted above.
Unfortunately, so far as we can tell, there are no easy shortcuts to get your data back if you don’t have a recent backup.
Remember, also, that like most ransomware, Locky doesn’t just scramble your C: drive.
It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.
If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.
Giving yourself up front all the login power you might ever need is very convenient, but please don’t do it.
Only login (or use Run As...) with admin powers when you really need them, and relinquish those powers as soon as you don’t.
WHAT TO DO?
- Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. ADECS can provide you with an encrypted Off-site backup service if you do not already have one in place. Contact Us for more information
- Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
- Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
- Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
- Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself, and the viewer software doesn't support macros at all, so you can't enable macros by mistake. Note that Microsoft has since retired the standalone Word and Excel viewers; in current Office versions, Protected View serves the same purpose by opening email attachments read-only with macros disabled, as long as nobody clicks through the yellow "Enable Editing" bar.
- Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
- Mail filter. Make sure your mail protection solution is blocking macro-enabled Office documents (.docm, .xlsm, .pptm and the like, plus legacy .doc/.xls files that contain VBA) and script attachments (.js, .jse, .vbs, .wsf, .hta), including when they arrive inside a .zip, since these are exactly the formats the downloaders described above use.
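As an added example (not code from ADECS or from the original article), the checks a mail filter of the kind described in the last bullet could apply to each attachment, covering both the macro-document route in the infection chain described above and the script-attachment route. It is written in Python using only the standard library; the sample attachments are constructed inline and their file names are invented, and the three verdict labels (allow, quarantine, block) are assumptions for illustration. It decides on the file's actual content rather than on the name the sender chose, which is what catches a macro document renamed to .docx.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows hands straight to a script host or loader on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".exe", ".scr"}
# Office extensions that declare macro content up front.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.xlsx/.pptx is a zip container


@dataclass
class Verdict:
    name: str
    action: str   # "allow", "quarantine" or "block" (assumed policy labels)
    reason: str


def _extension(name: str) -> str:
    # The LAST extension decides: "scan.pdf.js" is a .js file, whatever it claims to be.
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML container carries a VBA project part (vbaProject.bin).

    This part is what distinguishes a .docm from a .docx internally, so the check
    also catches a macro document that has simply been renamed to .docx.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name: str, data: bytes) -> Verdict:
    """Classify one attachment by extension first, then by its real content."""
    ext = _extension(name)
    if ext in SCRIPT_EXTENSIONS:
        return Verdict(name, "block", f"script or executable attachment ({ext})")
    if ext in MACRO_EXTENSIONS:
        return Verdict(name, "block", f"macro-enabled Office extension ({ext})")
    if data.startswith(ZIP_MAGIC):
        if ooxml_has_macros(data):
            return Verdict(name, "block", "OOXML document contains a VBA project (macros)")
        return Verdict(name, "allow", "OOXML document without a VBA project")
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office files can carry macros too, but confirming that needs an
        # OLE stream parser (e.g. oletools); hold the file rather than guess.
        return Verdict(name, "quarantine", "legacy binary Office file, macros cannot be ruled out")
    return Verdict(name, "allow", "no macro or script indicators")


def _make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML-style zip (constructed sample, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments; names and contents are invented for the demonstration.
SAMPLE_ATTACHMENTS = {
    "invoice.docx": _make_ooxml(with_vba=False),
    "invoice.doc": OLE_MAGIC + b"\x00" * 64,
    "order.docx": _make_ooxml(with_vba=True),      # a .docm renamed to look harmless
    "scan.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "report.pdf": b"%PDF-1.4\n%constructed\n",
}


def triage_all(attachments=None) -> dict:
    """Triage a {name: bytes} mapping; defaults to the constructed samples."""
    attachments = SAMPLE_ATTACHMENTS if attachments is None else attachments
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for verdict in triage_all().values():
        print(f"{verdict.action:<10} {verdict.name:<14} {verdict.reason}")
```

The legacy .doc case is deliberately a quarantine rather than an allow: the old binary format can hold exactly the auto-running macro the Locky lure relies on, and telling a clean .doc from a booby-trapped one needs a proper OLE parser, so a gateway that cannot do that should hold the file for review rather than pass it on.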