For the past year or two, a new type of malware, commonly known as CryptoLocker, has been in the wild. Rather than make it appear like you have a dozen viruses and demand money to remove them, the mischief-makers have escalated to permanently damaging/corrupting your files unless you pay to decrypt them. If this occurs, there are only two ways to get your files back: restore from an isolated back-up or pay them, and paying them generally doesn’t work.
In most cases, if you’re a Bennett/Porter IT client, you have a backup system in place. However, please note that it is typically only the servers being backed up. In the event that a user is storing critical files locally, they may be lost if that person's workstation is infected. So, beyond standard anti-virus protection, how can you defend your network from this threat and minimize the damage if it gets through?
- Spam Filtering
Most incidents of this type of malware come from email attachments; usually under the guise of a shipping or credit/invoice attachment. Many clients with an Exchange server will have a layer of protection before the email gets inside. However, if you’re using a POP3 email service or a hosted email service other than Bennett/Porter's, you may not have that layer of spam filtering in place. These days, most malicious emails are so carefully crafted that it’s difficult to tell a fake email from a real one. A spam filtering service is a crucial way to stop the majority of threats before they reach your users’ inboxes.
- Isolated Backups
Most encryption malware will affect all mapped drives and removable storage devices attached to the infected workstation. For Sage clients, this most likely means that your ERP system will be critically damaged. For all clients, though, this means it's important to have separate, isolated backups. Backing up local user files to an external drive isn’t enough, because if it’s attached to the computer when it's infected, those copies will be corrupted as well. Our StorageCraft backup server is separate from any other machine and password protects the backup from unauthorized access. Still, in most cases, this only pertains to the server, leaving users’ local workstation files vulnerable unless one or more additional options are in place:
- Users should be trained to save all mission-critical documents, spreadsheets, pictures, and templates to a server being backed up. While these files will still be affected by the corruption, we will be able to restore them from backups.
- An even easier and more reliable solution is to have folder redirection set up, thereby relocating users’ desktop, documents, and download folders to the server automatically and causing them to be backed up without user interaction.
- A local workstation cloud backup service, such as Dropbox, Box, Google Drive, or CrashPlan will likely be able to restore old versions of the files, although these may require contacting the vendor if specific, older versions need to be restored.
- Software Restriction Policies
A group policy can be put into place preventing machines from running any executable in the AppData folders. While this won’t be 100% effective, most malware drops its executable into, or launches from, these hidden folders. Please note that this option can cause legitimate programs to be blocked until whitelisted, as some applications store their executables in these folders (e.g. Spotify, some versions of Chrome, and other vendor-specific applications).
- Outlook Precautions
A majority of the malicious email attachments come in the form of compressed files (e.g. .zip files) that appear to contain a PDF or other document but actually contain an executable. If you receive an email with a compressed archive or .zip file, do not open it unless it is from a sender you trust and can verify. If a document or spreadsheet you receive in an email asks to enable macros or other content when you open it, do not enable it, as there may be malicious code buried within.
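As an added example (not part of the original post or of any Bennett/Porter tooling), the following script checks a .zip attachment for the two tricks described above: a member with a document-looking double extension such as .pdf.exe, and a member named like a document whose bytes are really a Windows executable. The archive it scans is a constructed sample built in memory.

```python
from __future__ import annotations
import io
import zipfile
from typing import Optional

# Extensions Windows will run directly on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Extensions a user expects to be a harmless document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_member(name: str, head: bytes) -> Optional[str]:
    """Return a reason string if the zip member looks dangerous, else None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    last_ext = "." + parts[-1] if len(parts) > 1 else ""
    inner_ext = "." + parts[-2] if len(parts) > 2 else ""
    if last_ext in EXECUTABLE_EXTS:
        if inner_ext in DOCUMENT_EXTS:
            return f"double extension: looks like {inner_ext} but runs as {last_ext}"
        return f"executable member ({last_ext})"
    # A "document" whose bytes start with 'MZ' is a PE executable wearing a document name.
    if head.startswith(b"MZ"):
        return f"content is a Windows executable (MZ header) despite extension {last_ext or '(none)'}"
    return None


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Scan a zip attachment held in memory; return (member, reason) for each suspicious entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the first two bytes are needed for the MZ check
            reason = inspect_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive shaped like a malicious 'invoice' attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.exe", b"MZ\x90\x00 fake PE body")  # double extension
        zf.writestr("ShippingLabel.pdf", b"MZ\x90\x00 renamed PE body")  # disguised content
        zf.writestr("Notes.txt", b"Plain text, harmless")              # benign
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_attachment()):
        print(f"SUSPICIOUS {member}: {reason}")
```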
If you have questions about how to defend your data against ransomware or improve your network security generally, please contact us. We're here and happy to help.