Asia's Source for Enterprise Network Knowledge

Tuesday, April 25th, 2017

Security

How smart businesses recover from ransomware nightmare

Ransomware is on track to become a billion-dollar-a-year booming business, putting the old adage “crime does not pay” to a stern test. The FBI estimated that ransomware victims paid out US$209 million to regain access to their data in the first quarter of 2016, surging from US$24 million for all of 2015. Victims range from small businesses to large corporations.

And ransomware continues to evolve with more sophisticated variants. One variant, CryptoWall, might have netted over US$325 million in one year of its existence, reckons Slawek Ligier, vice president of Product Development at Barracuda Networks.

A US Government interagency report last year indicated that, on average, there had been 4,000 daily ransomware attacks since early 2016, more than three times the 1,000 daily ransomware attacks reported in 2015.

In Hong Kong, malware incidents rose 247% last year, compared to 2015, reported the HKPC’s Hong Kong Computer Emergency Response Team Coordination Centre. Among the malware cases, ransomware accounted for 309 cases, a 506% increase from 2015. Major victims included home users, and the education and manufacturing sectors. More companies in Singapore were also affected by ransomware in 2016. The country’s Cyber Security Agency receiving 17 cases of ransomware, up eight times from two cases in 2015, with many more cases likely to have gone unreported.

Locked and lost

An SMB's worst nightmare

The growing threat of ransomware poses potentially catastrophic risks to resource-limited small and medium businesses (SMBs) in particular. The odds weigh heavily against them because their attackers are growing in scale of operations, capabilities and resources, which are further boosted by the pay-offs from their victims.

Still, Ligier offers compelling reasons for SMBs not to pay the ransom even if no tool or expertise can be found to decode files locked by ransomware infecting the network.

“Several things may happen when you capitulate to the criminals,” he says. “They might not release your data. You could be targeted in future attacks, and the ransom amounts will be higher. You contribute to the success of the criminals, and encourage them to continue spreading ransomware.”

The good news is that if SMBs don’t intend to pay the ransom, it is still possible to recover from ransomware quickly and get back to business easily after infection is discovered via several effective steps.

Firstly, disconnect the infected machine from the network to stop the ransomware from encrypting more shared files or overwriting clean backups with infected files. Then, assess the sources and extent of damage; use a decryption tool, if available, to unlock files; and scan, identify and remove all malware.

Backup plan

Once the ransomware is removed, the SMB essentially loses the option of paying ransom to get its data back. This is where a robust backup strategy ensures that no harm is done. Regular backups, shadow volume copies, current system restore images, and other data protection tools can be used to restore files to a clean image.

Barracuda Backup, for example, automatically creates updated backups as files are revised, and duplicates them to the secure Barracuda cloud or to a private off-site location. It allows SMBs to eliminate the malware, delete the encrypted files and restore them from a recent backup file in as little as one hour.

After the system is restored and running, SMBs should work on putting at least basic best practices in place immediately.

Begin by learning from the ransomware attack. Investigate how the system was infected to prevent future incidents. Ensure properly configured disaster recovery, up-to-date antivirus and anti-malware software, current backups, robust email protection, and good knowledge and documentation of network infrastructure to defend the attack surface. Develop a plan to address any other security gap or risk.

Education is still the best way to hedge against malware attacks. So, update or reinforce user training; increase awareness of popular social engineering methods and tactics; and share security best practices.

By following best practices and using the right tools to defend against ransomware, SMBs can mitigate the risk of an attack. Although some SMBs that neither have backups nor the expertise to decrypt locked files may be willing to pay the ransom, the maxim “prevention is better than cure” still holds very true.

This is a QuestexAsia feature commissioned by Barracuda Networks.