By: Mark Richmond, President/CEO of Micro Doctor IT
Ransomware is malicious software that encrypts the files on a computer and on any network shared drives mapped to that PC. Businesses are being hit with ransomware at an alarming pace. Once those files are encrypted there are two options: pay the ransom (averaging $1500.00 in Bitcoins) or restore from an unaffected backup. When I say unaffected backups, I mean a true backup system, because a lot of people are only backing up to a USB hard drive, which can just as easily be encrypted along with everything else, leaving them with no choice but to pay the ransom.
Here are some statistics. There has been a 20% increase in ransomware victims in the last year. This is a multi-million-dollar business, with $24 million in ransoms paid in 2015. That number grew to $209 million in the first quarter of 2016 alone, according to IDG. The top targeted businesses are small and medium-sized businesses (SMBs), which by industry are Professional Services (43%), Healthcare (38%), and Construction and Manufacturing (33%). Also, some of the top cloud-based apps are being attacked now, including Dropbox, Google Apps and Office 365.
How are these attacks getting into your business networks?
Poorly configured networks – If you don’t apply ransomware-specific settings to your firewall, you are being left wide open to attack. Deploy a business-class firewall like SonicWall and follow the vendor’s ransomware best-practices document to provide a first layer of protection.
Drive-by websites – Innocent office workers can accidentally click on a tainted link or a misspelled website address and end up on a page that pops up saying you are ALREADY infected (A LIE!). Then, as you try to recover, you click on the message to try to close it, and you have just let the ransomware onto your PC. The malware sometimes starts encrypting right away, or it can lie dormant for a period of time and attack at a later date and time. It not only encrypts the files on the local PC; it quickly spreads to any mapped drives on the organization’s servers. That can be catastrophic.
Terminal Servers and Remote Desktop brute-force attacks – Many businesses have terminal servers (prior to Server 2012) or Remote Desktop on servers (Server 2012 or newer) in their building. Unfortunately, a poorly designed and poorly protected terminal server is the latest way attackers are encrypting your files. Most SMBs do not lock down the terminal server: basically, you set up the terminal server, open a port (usually 3389) to the world by creating a firewall rule, and do nothing to protect it from brute-force password attacks. A brute-force password attack is when a hacker runs a program or bot (a robot with a specific function) that continuously tries username after username and password after password until it gains access. Once the attacker gets logged in, guess what: they now have the login script to the server and every mapped drive containing your important folders, and they use that access to start encrypting the contents.
We have a few recommendations for this threat.
Terminal Server Best Practices
1: Only allow local users to access the terminal server, so no foreign entity can hack away at your public IP address 24/7, 365 days a year.
2: If you do have a remote user, then create a secure VPN connection (a Virtual Private Network, which adds security and privacy to traffic crossing private and public networks). This still allows you to turn off outside-world access to the server itself.
3: Use your firewall’s GEO IP filter (restricts other countries from reaching your network) to block foreign countries from reaching past your firewall to your public IP.
4: This one is simple but often ignored. Use complex passwords that do not contain dictionary words. LetMeIn is not a good password! L3tm3!N@ would be a better option.
5: Get rid of any users that are gone or that have simple passwords. One recent attack on a terminal server was using the user name “printer”. The local copier company had set up access for a printer with a fairly simple password, and the business was hacked through the access the attacker gained from that printer account.
6: Create a Remote Desktop group of just those users that need to Remote Desktop into that server, and remove Remote Desktop rights on the server for those who never use it.
7: Lastly, have great server antivirus and web filtering installed to help mitigate the damage if you get hacked.
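The brute-force pattern described above (one source trying username after username against port 3389) and the account hygiene in steps 5 and 6 can both be checked from the server’s own Security log. The following is an added example, not code from the original article or from Micro Doctor IT: it parses a constructed export of Windows Security events (Event ID 4625 is a failed logon; logon type 10 is a Remote Desktop logon), flags any source IP that piles up failures inside a short window, and lists targeted accounts that are not in the Remote Desktop group. The log format, the sample lines, the allow-list and the thresholds are all assumptions for the example.

```python
"""Spot RDP password guessing and stray accounts in a Windows Security log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data), one event per line:
# "timestamp | EventID | TargetUserName | IpAddress | LogonType".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = Remote Desktop.
SAMPLE_LOG = """\
2016-10-03 02:14:05 | 4625 | administrator | 203.0.113.7 | 10
2016-10-03 02:14:06 | 4625 | admin | 203.0.113.7 | 10
2016-10-03 02:14:08 | 4625 | printer | 203.0.113.7 | 10
2016-10-03 02:14:09 | 4625 | jsmith | 203.0.113.7 | 10
2016-10-03 02:14:11 | 4625 | sales | 203.0.113.7 | 10
2016-10-03 02:14:12 | 4625 | backup | 203.0.113.7 | 10
2016-10-03 08:02:41 | 4625 | jsmith | 192.168.1.42 | 10
2016-10-03 08:03:10 | 4624 | jsmith | 192.168.1.42 | 10
2016-10-03 09:30:00 | 4625 | printer | 198.51.100.23 | 10
2016-10-03 10:30:00 | 4625 | printer | 198.51.100.23 | 10
"""

# Assumed membership of the server's Remote Desktop group (step 6).
# In practice this list is read from the server rather than hard-coded.
RDP_ALLOWED = {"jsmith", "mrichmond"}


def parse_log(text):
    """Turn the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, ip, logon_type = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user.lower(),
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return events


def rdp_failures(events):
    """Keep only failed logons that arrived over Remote Desktop."""
    return [e for e in events if e["event_id"] == 4625 and e["logon_type"] == 10]


def find_brute_force(events, threshold=5, window_seconds=60):
    """Return {source_ip: peak failures inside any window} for IPs at or
    above the threshold. A sliding window over sorted timestamps separates
    a bot hammering the port from a user mistyping a password once."""
    by_ip = defaultdict(list)
    for e in rdp_failures(events):
        by_ip[e["ip"]].append(e["time"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_unexpected_accounts(events, allowed=RDP_ALLOWED):
    """Accounts attacked over RDP that are not in the Remote Desktop group:
    either names the bot guessed, or stale/vendor accounts (like the
    'printer' account in the article) that should be removed (step 5)."""
    targeted = {e["user"] for e in rdp_failures(events)}
    return sorted(targeted - {a.lower() for a in allowed})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ip, count in find_brute_force(events).items():
        print(f"possible brute force from {ip}: {count} failures within 60 s")
    print("accounts targeted but not in Remote Desktop group:",
          ", ".join(find_unexpected_accounts(events)))
```

With the constructed sample, the 203.0.113.7 source is flagged (six different usernames in seven seconds, the bot behaviour the article describes), the single mistyped password from the office PC is not, and the output lists “printer” alongside the guessed administrator names as an account with no business being reachable over RDP. Raising the window to an hour with a lower threshold would also catch the slow, spaced-out attempts from 198.51.100.23.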
Now, how to protect your business, your data and your cash:
1: Install a business-class firewall like SonicWall and set it up with all the protection SonicWall recommends to prevent Crypto and other ransomware attacks.
2: Install a local professional antivirus program on all servers and workstations in the office, and make sure they are being monitored and updated.
3: Install a local professional anti-spyware program to sweep the network and look for adware, tracking cookies and potentially unwanted programs (like the Ask Toolbar).
4: Install a Cloud Level antivirus. We offer one called MDICloudcare. It prevents accidental drive-by infections from hacked or malicious websites. No more accidental clicks on bad websites or links.
5: Secure access to the terminal and Windows servers as described above, and turn on GEO IP filtering by country to block brute-force password attempts from abroad.
6: Have an IT policy for your employees informing them what they are allowed to do on a company-supplied computer and internet connection, and what is not allowed.
7: Hold an employee training class on Ransomware, Phishing, Vishing, Smishing, Fake Emails, and Wire Transfer Email Fraud.
If you don’t know how to protect yourself, align yourself with an IT firm that has the experience and best practices to protect you from ransomware. Micro Doctor IT is running a special offer for any company in Northeast Ohio or Western Pennsylvania to have one of our IT specialists come in and present an employee training class on how to protect your company from these threats. The class is completely free if scheduled before the end of the year and can be a 30- or 60-minute presentation with Q&A for all your employees.
Contact info@microdoctor.com for more info or call 330-984-0154 for urgent requests.
Sources: Smishing (link), Vishing (link), IDG (link)