CrossRealms is taking measures to help clients prevent Cryptolocker and other ransomware attacks at the enterprise level, but many IT managers are asking us whether there’s more that end users can do to help keep their organizations safe. The answer is “yes.”
What is Ransomware?
Ransomware is a particularly aggressive form of malware that poses a serious threat to individuals, businesses and other organizations. It blocks access to a computer system by locking the screen or locking the files with a password until the victim pays a fee. Cryptolocker is a sophisticated form of ransomware that encrypts the victim’s files and data. A ransomware infection can quickly spread throughout a network. It typically announces itself via a popup window informing the victim that their files have been encrypted and the private encryption key will be destroyed unless they pay a ransom by a set time.
— Alex Perez
A Word About Backups in Today’s Data-Heavy Workplaces
Before I get to end-user education, however, I would be remiss if I failed to mention that the first line of defense is to employ newer backup technology that backs up data more frequently without interfering with your employees’ work. Nightly backups no longer are enough. Think about it. With nightly backups, your organization can lose an entire day of work, multiplied by however many people were working that day.
Organizations today use far more data than they did in the past. Daily data usage for many of our clients measures in the terabytes. A one terabyte drive will take a day to restore, and it can take up to three days to restore all of a client’s data.
End User Education
Another effective way to prevent ransomware and other malware attacks is by educating end users. To educate end users, IT managers must first educate themselves. It’s human nature to think, “It won’t happen to me,” but I know from experience that ransomware attacks can happen to anyone and any organization.
Take news reports of new security threats seriously and take advantage of online resources to keep abreast of security developments. Some good ones include:
Beware of the Malicious Website
Businesses commonly fall victim to ransomware when employees visit malicious websites. Though many companies have policies prohibiting employees from visiting sites that are unrelated to business, these policies can be too restrictive or difficult to enforce. So what can your organization do?
Make sure that your employees understand that they threaten the security of your business when they visit adult and general entertainment sites (including gambling and gaming). Obscure social network sites and sites that spring up in connection with major news stories or tragedies of the day also are risky. Employees today commonly read news online, check up on friends and family on social media, and even shop online, but if they stray from the beaten path they risk exposing your business and all of their colleagues to ransomware and other threats.
An attack can be triggered by clicking on or even just attempting to close a popup. Share this tip with employees:
If you suspect that a popup may be malicious, don’t even try to close it by clicking on the “x.” Instead:
- Go to your Task Manager by pressing Ctrl then Alt then Delete (in rapid succession) or right clicking the task bar at the bottom of your screen. Click Start Task Manager > click Applications Tab > select the popup in question > click End Task.
Beware of the Malicious Website II
Employees sometimes wind up on malicious websites by accident. They mistype the URL in the address line of their web browser or in Google Search. Hackers commonly create malicious websites related to popular keyword searches. Google does a good job of blocking malicious sites from appearing in search results, but doesn’t catch all of them all of the time. Instruct employees to:
- Pay attention when typing URLs and check for typos before clicking “Enter” or “Search.”
- Pay attention when clicking on a website that appears in Google Search results and check for misspellings in URLs.
Downloading Free Software can be Hazardous
Employees also can inadvertently install malware, including ransomware, when they attempt to install free software that may or may not be related to work. Instruct employees to:
- Check in with the IT department or IT services firm before installing free software.
- Check out what trusted online communities/sources are saying about the software. Competitors sometimes engage in online bad-mouthing and sometimes good products have weaknesses, but if a search turns up more than a few negative comments or reviews, consider it a red flag.
Email Stranger Danger (Like in the X-Files: Trust No One)
Another common avenue hackers use to launch ransomware, including Cryptolocker, is spam email. Hackers increasingly are targeting businesses in addition to individuals. Emails may contain links to malicious websites or infected attachments.
The victim’s computer becomes infected when they click on one of these links or open one of these attachments.
The Lowdown on Links and Attachments
Though just opening an email no longer is risky, clicking on a link or opening an attachment still is dangerous. Train employees to:
- Be wary of email messages, known as spoofed emails, which appear to be sent from well-known companies and contain subject lines suggesting that there’s a matter requiring your attention, such as a package delivery or financial alert. All links can be dangerous including social media and Dropbox links. To be completely safe, never click on a link embedded in an email, even from a well-known company.
- It’s easy for hackers to alter the “From” line of an email so that it appears to be from a friend or coworker. If you receive an email from someone you know, but weren’t expecting an attachment or link, contact the sender by phone or compose a new email to inquire about the content.
- If you’re at the office and are concerned about clicking on a link or attachment, forward the suspicious email with a note about your concerns to the IT department or IT services firm.
- If it’s after work hours or IT support is unavailable, you can check the properties of any link to see if the actual source is consistent with what the link indicates. If there’s a discrepancy, don’t open it. The true source of a link can be found by hovering your mouse over the link. If you’re using Internet Explorer as your Web browser, you should also be able to right click on the link, select “Properties,” and find its true source. But, again, to be totally safe, don’t click on it.
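The two checks in this list, comparing where a link says it goes with where it actually points and looking at who a message is really from, can also be run by the IT department over reported messages. The script below is an added example written for this post, not CrossRealms’ own tooling. It uses only the Python standard library, parses a constructed sample message (every domain in it is made up), and reports links whose visible text names one domain while the href points to another, a display name that advertises a different domain than the sending address, and attachments with executable extensions. Collapsing a hostname to its last two labels is a simplification assumed here; a production version would use the public-suffix list.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that should not arrive unannounced (illustrative list, not exhaustive).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".zip"}

# Visible link text that makes a domain claim, e.g. "www.bank.example/login".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

# Constructed sample (not a real email): the display name advertises one domain, the
# address is another, one link lies about its target, an attachment hides ".exe" behind ".pdf".
SAMPLE_EML = """\
From: "Acme Parcel Service - acme-parcel.example" <bulk@mailer.evil.example>
To: employee@corp.example
Subject: Your package could not be delivered
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Track it: <a href="http://acme-parcel.example/track/123">acme-parcel.example/track</a></p>
<p>Log in: <a href="http://login.evil.example/acme">https://www.acme-parcel.example/login</a></p>
<p><a href="http://update.evil.example/x">Click here</a> to confirm your address.</p>
</body></html>
--bnd
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

ZGVtbw==
--bnd--
"""

def registrable_domain(host):
    """Collapse a hostname to its last two labels (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None

def find_link_mismatches(html):
    """Return (shown text, href) for links whose text names a different domain than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    mismatches = []
    for text, href in parser.anchors:
        claim = DOMAIN_LIKE.match(text)
        if not claim:
            continue  # "Click here" makes no domain claim; hovering is the only check
        if registrable_domain(claim.group(1)) != registrable_domain(urlparse(href).hostname or ""):
            mismatches.append((text, href))
    return mismatches

def analyze_message(raw):
    """Apply the three checks to a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1])
    # A display name that advertises some other domain is the altered "From" line trick.
    hints = [registrable_domain(d) for d in
             re.findall(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", display_name, re.I)]
    findings = {
        "sender_address": address,
        "sender_domain_hints": sorted({h for h in hints if h != sender_domain}),
        "link_mismatches": [],
        "risky_attachments": [],
    }
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename.lower())[1] in RISKY_EXTENSIONS:
            findings["risky_attachments"].append(filename)
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            findings["link_mismatches"].extend(find_link_mismatches(body))
    return findings

if __name__ == "__main__":
    for key, value in analyze_message(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Running it on the sample lists the login link (text claims acme-parcel.example, href goes to evil.example), the display-name hint acme-parcel.example against the real sender domain evil.example, and invoice.pdf.exe; the tracking link, whose text and target agree, is not reported. The “Click here” link is skipped on purpose: text without a domain claim cannot be cross-checked, which is exactly why the advice above is to hover over such links or not click them at all.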
In Case of Emergency: Disconnect
A ransomware victim typically is unaware that their computer has been infected until the dreaded ransom demand appears onscreen and it’s too late. If, however, a user suspects that they may be under attack, either because they realize that they’ve visited a malicious website and/or their computer is running increasingly slowly and they’re unable to access files, they can take steps to mitigate the damage to the network. Instruct employees to:
- Immediately take your computer off the network to prevent the virus from infecting every computer on the network. If your network connection is wired, immediately unplug the ethernet cable and also disable the wireless connection. Most PCs have wireless buttons at the front or side or an F12 function key that turns wireless on and off. Most Macs have a four-line wireless icon on the menu bar that users click to turn Wi-Fi on and off. If your connection is wireless, you only have to disable the wireless connection.
- Do a trial run. Make sure you know before an emergency how to quickly disconnect from the network.
- Once you’ve disconnected from the network, power your computer off and immediately contact your organization’s IT department or IT services firm. The antivirus servers will automatically detect and report the origin of the attack to administrators, but there can be a delay in this process. The sooner you report the problem to the appropriate party, the better chance they’ll have to minimize the damage. Your IT professional will want to examine your computer to determine the extent of the infection and damage to the network.
Defense at Home Helps
Since employees can easily transfer infected files (via email attachment, external drive, or thumb drive) from a home computer to a business computer, it behooves employers to educate employees about securing their home computers, especially if they connect them to a VPN for work. Pass along these tips for home computer protection to your employees:
- Change passwords for your computer, personal email, and important personal and financial accounts at least once every three months.
- Turn your computer off when you’re not using it to reduce the availability of your system in our increasingly connected world. Sleep mode does not protect your computer from unauthorized remote access.
Update, Update, Update
Keep operating systems, browsers, and browser plug-ins updated to help keep your home computer secure. Some users hesitate to run updates because they fear accidentally downloading malware disguised as a legitimate software update, but this mindset puts you at risk because malware authors routinely exploit vulnerabilities in outdated software.
Distinguish between legitimate and illegitimate updates:
- Most legitimate software service providers don’t send email alerts. If you receive an update via email, it probably is illegitimate.
- Legitimate software vendors regularly update their products (e.g., Windows, Java, Adobe Reader, Adobe Flash, and Silverlight), often with security patches. Most, but not all, of these vendors give users the option of setting up automatic updates. Be sure automatic updates are enabled on your computer. When legitimate software providers send notifications of updates, they come from the currently installed copy of the software and typically appear in the system tray at the bottom of the screen or on your desktop.
- If a notification appears while you’re in your Web browser/online, it most likely is illegitimate. Be aware that illegitimate ones often include familiar logos. Legitimate notifications may appear in your browser indicating that you need a more recent version of Adobe Flash, for instance, to view a video file. Don’t click on anything. Just open a new window and go to the vendor’s website to download the latest version of the product.
Fake Antivirus vs. Real Antivirus
Distinguish between real and fake antivirus software:
Antivirus popup notifications can come from malicious websites. They claim that the user’s computer is infected or that their antivirus protection needs to be updated, and direct them to a website to download the antivirus software.
Most legitimate anti-virus programs run updates automatically without annoying users unless there’s an urgent matter. Make sure you know which antivirus software is protecting your computer and that it’s enabled. Don’t open popups from other antivirus vendors. If a popup notification appears from your vendor, you can play it safe by launching the antivirus software from your start menu or desktop shortcut and updating it from inside the program.
Antivirus vs. Anti-Malware
Viruses are a type of malware that were prevalent years ago and often made headline news. Security companies responded by marketing their products as “antivirus.” Other types of malware (e.g., spyware, adware, keyloggers, and ransomware) subsequently became more common than viruses, so most antivirus programs protect users against both kinds of threats. Basic antivirus packages, however, may only protect against viruses and a limited range of other malware.
Good anti-malware programs are less focused on classic infectious threats, concentrating, instead, on new web-based malware threats that traditional antivirus products miss. Today, computer users need to make sure that they are protected against both kinds of threats. Malwarebytes is among the more popular and effective free anti-malware tools. Beware, as usual, of fake anti-malware programs. The web address for Malwarebytes is https://www.malwarebytes.org. You also may want to consider purchasing a premium anti-malware package.
Keep it Clean and Uncluttered
Practice basic computer hygiene:
Infected Internet files can make their way onto your computer without your knowing it. They may sit unopened without causing a problem and also can be a time bomb (remember the Love-Bug virus of 2000). Reduce the likelihood of inadvertently opening or sending them or of them otherwise being activated, by setting up your computer to delete them automatically or by manually cleaning out temporary Internet files at least once weekly.
How to delete temporary internet files:
If you use Internet Explorer, click on the gear icon in the upper right corner of your screen > click on Internet Options > click on Delete Browsing History > check Temporary Internet Files and Website Files > click Delete > click OK or just close window. If you use Google Chrome, click on the Controls icon (three short horizontal lines) > click on More Tools > click on Clear Browsing Data. A new menu appears. From the Obliterate the Following Items From menu, select (at least) The Past Week > check Cached Images and Files > click on Clear Browsing Data. You can find instructions for other browsers on their websites.
If you’re recovering from a computer virus that your antivirus program cleared, also check and clear Cookies and Other Site and Plugin Data as part of this process. You will lose saved passwords, so be prepared to manually enter passwords onto your favorite websites.
Thumb Drive Safety
You also can reduce the risk of transferring infected files from home computers to office computers by using a flash drive that’s dedicated for work use. Use this flash drive only on your office computer and home computer. Never share it with anyone else; never use it on a shared computer at, for instance, a library or airport; and never use it on the computer of a friend or family member.
Regularly scan your thumb drive for viruses. Here’s how: Plug your thumb drive into your computer, click the Start Menu, and click Computer. Select Removable Disk Drive or whichever drive letter corresponds to your thumb drive and right click on it. Click on Scan With or click on your antivirus program and then click Scan Now. These latter steps may vary, depending on what antivirus software is protecting your computer.
Continuing End-User Education
End-user education is an ongoing effort. Employees need regular reminders of best security practices. Moreover, best practices change as the threats and defenses evolve, so organizations must continually keep employees up-to-date. By taking preventive measures, including end-user education, your organization can greatly reduce the likelihood of becoming a victim of a ransomware attack.
For more information about CrossRealms’ Network Security Services, please visit: http://www.crossrealms.com/network-security/