We are in the midst of a pandemic in which working from home is at an all-time high and, in some cases, is the only way a company can stay in business to see through this tough time. With this in mind, it is no surprise that firms who have switched to a “work from home” IT setup must ensure that their IT infrastructure is secure and protected from malicious attacks on their servers and the sensitive data within.
Ransomware, because of its lucrative returns, has increased heavily over the past 5 years and has become more complex and advanced. The hackers who prey on vulnerable and weak IT security setups have put their focus on ransomware and the opportunities they can exploit to plant their malicious crypto virus on computers. There have been reports of business owners reaching out to internet forums and communities explaining their grief at having just had years of vital company data encrypted, essentially making it useless unless they risk paying the ransom while keeping their fingers crossed that the hacker provides a working key to decrypt the data. The real kicker is that there have been cases where the victim never received the decryption key after having spent, in some cases, thousands of dollars via Bitcoin, a payment method that is untraceable and offers no way of getting the money back.
Most small to medium-sized businesses outsource their IT support to a managed service provider, whose job is not only to provide on-demand IT support when an issue occurs but also proactive maintenance to ensure that their customers’ servers, devices and appliances are patched, up to date, secure and protected with a reputable anti-virus solution.
It has happened all too often: the outsourced IT support provider has failed to implement adequate security measures to ensure their customers are not susceptible to ransomware attacks. If your business does not currently have outsourced IT support, you should appoint a competent IT firm such as Sphere IT, an IT company based in London, who can help ensure your IT systems are secure and safe from crypto attacks.
If, however, you already have an IT provider supporting your firm, or if you are tech savvy, below are the essential steps to lock down your company’s IT infrastructure against ransomware, along with measures to ensure there is a failsafe to turn to should this awful situation arise.
Backups, backups and more backups
You can never have too many backups. The first step is to ensure that shadow copies and versioning of the shared data store are enabled, so that a file (or files) can be quickly restored to a previous date. Next, make certain that your server(s) are imaged each night to local media, preferably a dedicated USB backup drive or NAS (network attached storage) device. Finally, ensure you have a reliable online backup solution in place to synchronise your vital data out of the office to a secure offsite data centre; there are hundreds of companies providing this service if you don’t have one already.
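Backups only help if they actually ran and if the ransomware cannot reach them. The script below is an added example, not code from the original article or from Sphere IT; it checks the three layers described above on a Windows file server: recent shadow copies per volume, a recent nightly image (read from Windows Server Backup via Get-WBSummary), and an offsite target that is reachable but not mounted as a writable drive. The volume list, age thresholds and the offsite host name are assumptions to adjust.

```powershell
# Added example (not from the original article): nightly backup health check for a
# Windows file server. Assumes Windows Server Backup is installed (Get-WBSummary is
# in the WindowsServerBackup module) and that the offsite provider is reachable on 443.
param(
    [string[]]$Volumes    = @('C:', 'D:'),        # volumes holding the shared data store
    [int]$MaxShadowAgeHrs = 24,                    # newest shadow copy must be younger than this
    [int]$MaxImageAgeHrs  = 30,                    # nightly image, with a little slack
    [string]$OffsiteHost  = 'backup.example.invalid'   # placeholder, use your provider's host
)

$problems = @()

# 1. Shadow copies (Previous Versions): at least one per volume, and the newest is recent.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
foreach ($vol in $Volumes) {
    $volumeId = (Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $vol }).DeviceID
    $onVolume = $shadows | Where-Object { $_.VolumeName -eq $volumeId }
    if (-not $onVolume) {
        $problems += "No shadow copies exist for $vol; enable Previous Versions on this volume."
        continue
    }
    $newest = ($onVolume | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    if ($newest -lt (Get-Date).AddHours(-$MaxShadowAgeHrs)) {
        $problems += "Newest shadow copy on $vol is from $newest (older than $MaxShadowAgeHrs h)."
    }
}

# 2. Nightly image: Windows Server Backup records the last successful run.
try {
    $summary = Get-WBSummary
    if ($summary.LastSuccessfulBackupTime -lt (Get-Date).AddHours(-$MaxImageAgeHrs)) {
        $problems += "Last successful server image was $($summary.LastSuccessfulBackupTime)."
    }
} catch {
    $problems += "Windows Server Backup not available: $($_.Exception.Message)"
}

# 3. Offsite copy: must be reachable, but must NOT be a plain mapped drive, because
#    anything the server can write to, ransomware running on the server can encrypt.
if (-not (Test-NetConnection -ComputerName $OffsiteHost -Port 443 -InformationLevel Quiet)) {
    $problems += "Offsite backup host $OffsiteHost is not reachable on port 443."
}
$mapped = Get-SmbMapping | Where-Object { $_.RemotePath -like "*$OffsiteHost*" }
if ($mapped) {
    $problems += "Offsite target is mounted as a writable mapped drive: $($mapped.RemotePath)"
}

if ($problems) {
    Write-Warning 'Backup health check FAILED:'
    $problems | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}
Write-Host 'Backup health check passed: shadow copies, nightly image and offsite target look healthy.'
```

Schedule it to run after the nightly image and have it e-mail or ticket on a non-zero exit code; a backup that silently stopped a month ago is the most common reason a ransom ends up being paid.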
Ensure Anti-Virus is installed and up to date on all devices
Whether it’s a Windows PC, Mac or server, it is vital that every device working behind your firm’s firewall or connecting from home has an up-to-date and trustworthy anti-virus solution installed.
Enforce secure complex passwords
Hackers have become increasingly smart at finding new ways to plant their crypto virus. A common “work from home” entry point is the remote desktop protocol (RDP) or a Citrix solution: if one or more users in your business has a weak password, those accounts can be brute forced, allowing the attacker to authenticate with the vulnerable credentials and gain access to a remote terminal, essentially handing them the “keys to the kingdom”. They will install their crypto software while logged in as that user and start encrypting the company’s shared data, leaving behind instructions on how to make payment via Bitcoin and then contact them to obtain the decryption key.
Disable non-essential remote access
As described in the previous point, remote desktop protocol is one of the main methods used to gain access to company data. In some cases, to assist with day-to-day remote IT support, your outsourced IT company may enable RDP access to PCs and servers. You should discuss this with them and ensure that no such service is enabled and accessible from the internet; doing so removes this avenue of attack entirely. If RDP access is required and therefore cannot simply be disabled, use a VPN solution to provide secure connectivity into your local LAN, and connect via RDP internally from there, so the device in question is never exposed to the internet.
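The two sections above (weak passwords and internet-facing RDP) are one problem seen from two sides, so a single audit covers both. The script below is an added example, not code from the original article or from Sphere IT. It checks whether RDP is enabled and requires Network Level Authentication, whether the Windows firewall accepts RDP from any address rather than the VPN subnet, what the domain password and lockout policy allow, and finally counts failed logons (event 4625) by source address over the last 24 hours, which is the signal a brute-force attempt leaves behind. The thresholds (12 characters, 20 failures) and the presence of the ActiveDirectory module are assumptions.

```powershell
# Added example (not from the original article): audit a Windows host for the RDP
# exposure and weak-password conditions described above, and count failed remote
# logons in the last 24 h. Run elevated; the password policy check assumes a
# domain-joined machine with the ActiveDirectory module installed.
$findings = @()

# --- 1. Is RDP enabled, and does it require Network Level Authentication? ---
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host.'
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($nla.UserAuthentication -ne 1) {
        $findings += 'RDP does not require Network Level Authentication (UserAuthentication is not 1).'
    }
    # An inbound RDP rule scoped to "Any" is what makes the service reachable from the
    # internet the moment someone port-forwards 3389 on the router.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings += "Firewall rule '$($_.DisplayName)' allows RDP from any address; scope it to the VPN subnet."
            }
        }
}

# --- 2. Domain password and lockout policy: what makes guessing cheap or expensive ---
try {
    $pol = Get-ADDefaultDomainPasswordPolicy
    if ($pol.MinPasswordLength -lt 12) { $findings += "Minimum password length is $($pol.MinPasswordLength); raise it to 12 or more." }
    if (-not $pol.ComplexityEnabled)   { $findings += 'Password complexity is not enforced.' }
    if ($pol.LockoutThreshold -eq 0)   { $findings += 'No account lockout threshold: unlimited guesses are allowed.' }
} catch {
    $findings += "Could not read the domain password policy: $($_.Exception.Message)"
}

# --- 3. Detection: failed logons (event 4625) over the network in the last 24 h ---
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$parsed = foreach ($e in $failed) {
    # Pull the named fields out of the event XML rather than relying on property order.
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        IpAddress = ($data | Where-Object Name -eq 'IpAddress').'#text'
        LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
        User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    }
}
# Logon type 3 is network (including NLA pre-authentication); 10 is RemoteInteractive (RDP).
$bySource = $parsed | Where-Object { $_.LogonType -in '3', '10' } |
    Group-Object IpAddress | Sort-Object Count -Descending
foreach ($src in $bySource | Where-Object Count -ge 20) {
    $users = ($src.Group.User | Select-Object -Unique) -join ', '
    $findings += "$($src.Count) failed logons from $($src.Name) against: $users (possible brute force)."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No RDP or password-policy findings on this host.' }
```

Running this on every server once a week, and shipping the 4625 counts to whatever monitoring the IT provider uses, turns "we think RDP is closed" into something that is actually checked.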
Ensure tight anti-spam measures are implemented on company e-mail servers
Another method is by way of e-mail, where a message with a malicious attachment triggers the encryption in the background, unbeknown to the user. It is vital that a suitable anti-spam solution is used, together with manual mail flow rules, to block such malicious e-mails before they reach users’ mailboxes.
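The "manual mail flow rules" mentioned above, written out for Exchange Online. This is an added example, not code from the original article or from Sphere IT; it assumes the ExchangeOnlineManagement module, an account holding the Transport Rules role, and a fictional domain example.invalid. The rule names are invented. Messages are quarantined rather than deleted so that a legitimate attachment can be released by an administrator.

```powershell
# Added example (not from the original article): Exchange Online mail flow rules that
# quarantine the attachment types ransomware droppers arrive as. Assumes the
# ExchangeOnlineManagement module; domain and rule names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Rule 1: anything that is executable by content (Exchange inspects the file, so a
# renamed .exe or one inside a .zip is still caught) goes to quarantine.
New-TransportRule -Name 'Ransomware guard - executable attachments' `
    -AttachmentHasExecutableContent $true `
    -Quarantine $true `
    -Priority 0

# Rule 2: script and macro-enabled formats used as first-stage droppers. These are not
# "executable content" to Exchange, so they need an explicit extension list.
$riskyExtensions = 'js', 'jse', 'vbs', 'vbe', 'wsf', 'hta', 'scr', 'bat', 'cmd', 'ps1', 'docm', 'xlsm'
New-TransportRule -Name 'Ransomware guard - script attachments' `
    -AttachmentExtensionMatchesWords $riskyExtensions `
    -Quarantine $true `
    -Priority 1

# Rule 3: mail that claims to be from our own domain but arrives from outside the
# organisation, which is how "invoice from accounts" lures get their credibility.
New-TransportRule -Name 'Ransomware guard - spoofed internal sender' `
    -FromScope NotInOrganization `
    -SenderDomainIs 'example.invalid' `
    -Quarantine $true `
    -Priority 2

# Confirm what is now in force before closing the session.
Get-TransportRule | Where-Object Name -like 'Ransomware guard*' |
    Format-Table Name, State, Priority -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Rule 3 will also catch genuine third-party services that send "as" your domain (ticketing, payroll); add those senders as exceptions rather than removing the rule, and make sure SPF, DKIM and DMARC are published for the domain so the filter has something to check against.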
Ensure that no users have administrative access on their machine
Users like to be able to install software on their devices without having to speak with their outsourced IT support company. Allowing this, however, lets a virus install successfully and infect the PC, because it permits the virus to reach locations on the PC that would be out of bounds for a standard user. It is important to ensure that no users have administrative access to their device, and any such privilege should be revoked.
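Revoking admin rights is easy to say and easy to lose track of: a user added to the local Administrators group "temporarily" for an installer tends to stay there. The script below is an added example, not code from the original article or from Sphere IT; it audits the local Administrators group on a list of workstations over WinRM and, only when asked, removes anyone not on an approved list. The computer names, approved members and domain are placeholders.

```powershell
# Added example (not from the original article): report, and optionally remove, unexpected
# members of the local Administrators group across workstations. Assumes WinRM is enabled
# and PowerShell 5.1+ on the targets (Get-LocalGroupMember). Names below are placeholders.
param(
    [string[]]$Computers = @('PC01', 'PC02'),
    [string[]]$Approved  = @('BUILTIN\Administrator', 'CORP\Domain Admins', 'CORP\Helpdesk'),
    [switch]$Remediate                       # report only unless this switch is given
)

$audit = {
    param($approved, $remediate)
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $name = $m.Name
        # Local accounts come back as COMPUTERNAME\user; normalise so the built-in
        # Administrator account can be matched against one approved-list entry.
        if ($m.PrincipalSource -eq 'Local' -and $name -like "$env:COMPUTERNAME\*") {
            $name = 'BUILTIN\' + $name.Split('\')[1]
        }
        if ($approved -notcontains $name) {
            if ($remediate) {
                Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
                $action = 'REMOVED'
            } else {
                $action = 'UNEXPECTED'
            }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $name
                Class    = $m.ObjectClass
                Action   = $action
            }
        }
    }
}

Invoke-Command -ComputerName $Computers -ScriptBlock $audit -ArgumentList $Approved, $Remediate.IsPresent |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, Class, Action -AutoSize
```

Run it without -Remediate first and review the list with the IT provider; a line-of-business application that genuinely needs elevation is better handled with a dedicated local account or an installer pushed centrally than by leaving the user as an administrator.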
Use group policy objects (GPOs) to block files running within AppData
On a Windows-based server you can roll out a group policy to stop any executable file running from within the AppData folder on the PC. With this configured it becomes difficult for a cryptolocker virus to spawn, as in nearly all cases they are programmed to execute from these paths on the local hard drive. A competent IT support provider should always ensure these measures are implemented on their customers’ Windows servers, as it is a free and effective method of blocking such attacks.
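The AppData block is usually built with Software Restriction Policies or AppLocker in the GPO editor. The script below is an added example, not code from the original article or from Sphere IT; it generates the same control as an AppLocker policy, tests it against a sample path before enforcing anything, and applies it locally to a pilot machine. AppLocker requires Windows Enterprise, Education or Server and the Application Identity service. The rule names are invented, the GUIDs are generated on the fly, and the probe file is created by the script. One caveat the GPO editor hides: once an AppLocker collection is enforced, anything not explicitly allowed is blocked, so the default allow rules for Program Files, Windows and administrators are included alongside the deny rule.

```powershell
# Added example (not from the original article): build, test and apply an AppLocker
# policy that blocks executables and scripts launched from users' AppData folders.
# Requires an AppLocker-capable edition; rule names are invented for this example.

function New-AppDataBlockPolicy {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')

    # Deny rules alone are not enough: an enforced collection blocks everything that is
    # not explicitly allowed, so the standard allow rules ship with the deny rule.
    $rules = @(
        @{ Action = 'Deny';  Sid = 'S-1-1-0';      Path = '%OSDRIVE%\Users\*\AppData\*'; Name = 'Block AppData' }
        @{ Action = 'Allow'; Sid = 'S-1-1-0';      Path = '%PROGRAMFILES%\*';            Name = 'Allow Program Files' }
        @{ Action = 'Allow'; Sid = 'S-1-1-0';      Path = '%WINDIR%\*';                  Name = 'Allow Windows' }
        @{ Action = 'Allow'; Sid = 'S-1-5-32-544'; Path = '*';                           Name = 'Allow Administrators' }
    )
    $body = foreach ($collection in 'Exe', 'Script') {
        "<RuleCollection Type=`"$collection`" EnforcementMode=`"$Mode`">"
        foreach ($r in $rules) {
            $id = [guid]::NewGuid()
            "  <FilePathRule Id=`"$id`" Name=`"$($r.Name) ($collection)`" Description=`"`" UserOrGroupSid=`"$($r.Sid)`" Action=`"$($r.Action)`">"
            "    <Conditions><FilePathCondition Path=`"$($r.Path)`"/></Conditions>"
            "  </FilePathRule>"
        }
        "</RuleCollection>"
    }
    return "<AppLockerPolicy Version=`"1`">`n$($body -join "`n")`n</AppLockerPolicy>"
}

$policyFile = Join-Path $env:TEMP 'appdata-block.xml'
New-AppDataBlockPolicy -Mode AuditOnly | Set-Content -Path $policyFile -Encoding UTF8

# Dry run: a (constructed, empty) dropper in AppData versus a legitimate system binary.
$dropper = Join-Path $env:LOCALAPPDATA 'Temp\invoice.exe'
New-Item -ItemType File -Path $dropper -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $dropper, "$env:SystemRoot\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $dropper

# Apply locally on a pilot machine (add -Ldap with the GPO path to target a domain GPO
# instead). AppLocker needs the Application Identity service, which on current Windows
# can only be set to start automatically through sc.exe.
Set-AppLockerPolicy -XmlPolicy $policyFile
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Leave the collections in AuditOnly for a week and read the AppLocker event log (Applications and Services Logs, Microsoft, Windows, AppLocker) for "would have been blocked" entries; some legitimate software such as per-user installers and certain conferencing clients does run from AppData and needs a publisher-based allow rule before you switch -Mode to Enabled.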
Provide your staff with training to identify and prevent a possible threat
Most cases where a business has been infected with a crypto virus could have been avoided if the user whose device was infected had been given the appropriate training to be more vigilant when receiving a questionable e-mail or being presented with an unfamiliar popup. There are common signs to look out for that, if seen and understood in the first instance, would have prevented the infection from taking place. Of course, a properly set up environment with all of the above measures strictly in place will reduce the likelihood; the last step is to ensure users are familiar with the signs to watch out for.
If you are unlucky enough to fall victim to a cryptolocker virus, disconnect the infected device from the network (be it via ethernet cable or WiFi) as soon as you identify it. Doing so stops further spread and more business data being encrypted. Assuming you have a rigorous backup regime in place, you would then restore the encrypted data from the latest backup and ensure that the infected PC is clean before reintroducing it to the corporate network.
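The two first-response steps above (isolate the device, then work out what to restore) as an added example, not code from the original article or from Sphere IT. The first function is run on the infected PC's own console and pulls every network adapter down after saving a quick snapshot of running processes and scheduled tasks for whoever cleans the machine. The second is run from a clean administrator workstation against the file share and summarises what changed in the last few hours, so the restore from backup can be scoped to the folders that were actually touched. The share path and look-back window are assumptions.

```powershell
# Added example (not from the original article): first-response helpers for a single
# infected workstation. Share path and look-back hours are placeholders.

function Invoke-HostIsolation {
    # Run on the infected machine. Snapshot first, then isolate; do not power it off,
    # as the running processes and any ransom note are useful to the clean-up.
    $evidence = Join-Path $env:USERPROFILE "ir-$(Get-Date -Format yyyyMMdd-HHmm)"
    New-Item -ItemType Directory -Path $evidence -Force | Out-Null
    Get-Process | Select-Object Name, Id, Path, StartTime |
        Export-Csv (Join-Path $evidence 'processes.csv') -NoTypeInformation
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath |
        Export-Csv (Join-Path $evidence 'tasks.csv') -NoTypeInformation
    # Cable and Wi-Fi alike: every adapter that is up goes down.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    return $evidence
}

function Get-EncryptionScope {
    # Run from a clean admin workstation. Groups recently modified files on the share by
    # extension: one unfamiliar extension with thousands of hits is the ransomware's
    # output, and the owners and folders show which account and data were affected.
    param([string]$SharePath, [int]$LookbackHours = 6)
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $recent = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -ge $since
    $byExt  = $recent | Group-Object Extension | Sort-Object Count -Descending
    # Ransom notes are small text files dropped into every encrypted folder.
    $notes  = $recent | Where-Object { $_.Name -match 'readme|decrypt|recover|how_to' -and $_.Length -lt 20KB }
    $owners = $recent | Select-Object -First 200 | ForEach-Object { (Get-Acl $_.FullName).Owner } | Select-Object -Unique
    [pscustomobject]@{
        FilesModified  = $recent.Count
        TopExtensions  = ($byExt | Select-Object -First 5 | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
        FoldersTouched = ($recent.DirectoryName | Select-Object -Unique).Count
        Owners         = $owners -join ', '
        RansomNotes    = ($notes.FullName | Select-Object -First 3) -join '; '
    }
}

# Usage, on two different machines:
#   Invoke-HostIsolation                                    # on the infected PC
#   Get-EncryptionScope -SharePath '\\FILESERVER\Company'   # from a clean admin PC
```

The Owners column is the quickest way to confirm which account the attacker was running as, and therefore whose password to reset before anything is reconnected; the TopExtensions and FoldersTouched figures are what you hand to whoever restores the share, so that only the affected folders are rolled back rather than the whole data store.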
If you have been a victim of cryptolocker or a similar attack in the past, it is imperative that you talk with your IT support provider to ensure that, at the very least, all the measures above are implemented, along with a well-planned backup strategy to revert to in such an event.