
Tuesday, 11 October 2016 00:00

Enterprise Class Ransomware Requires Enterprise Class DRaaS Protection

Written by  Dean Nicolls

In the good ole days of ransomware, hackers only went after consumers and their individual files and folders. Older types of ransomware such as CryptoWall and CryptoLocker encrypted your individual files and documents when they infected a system. Much of the guidance provided by security experts has focused on removing the virus, but there are no known methods of getting your files back ... except paying the ransomers.

These strains of ransomware are increasingly infecting small businesses' systems and extorting payment from their victims for the decryption key.

However, the game has changed and cyber bad guys have upped the ante with Locky, a new type of ransomware that is spreading at an alarming rate. Locky encrypts files on victims' computers and adds a .locky file extension to them.

Locky changes the game in many ways: by targeting a worldwide audience, by targeting businesses and organizations with deeper pockets, and by targeting your entire network.

Worldwide Reach

The attackers behind Locky have pushed the malware aggressively, using massive spam campaigns and compromised websites. One of the main routes of infection has been through spam email campaigns, many of which are disguised as invoices. Word documents containing a malicious macro are attached to these emails.

Locky has spread by at least five different spam campaigns starting in February of this year. Most of the spam emails seen had a subject line that read "ATTN: Invoice J-[random numbers]". Another campaign used "tracking documents" as a subject line. The spam campaigns spreading Locky are operating on a massive scale. Just one vendor detected more than 5 million emails associated with these campaigns.

This month, computers throughout Europe and other places have been hit by a massive email spam campaign carrying malicious JavaScript attachments that install the Locky ransomware program. Many countries in Europe have been affected, including the UK, Luxembourg, Czech Republic, Austria, and the Netherlands. Japan, New Zealand and Australia are also being targeted in similar spam attacks.

Closer to home, Amazon users are advised to be on the lookout for a massive phishing campaign that targets them. It's estimated to have sent out as many as 30 million spam messages claiming to be an Amazon.com shopping order update, while other estimates suggest these spam messages were sent to as many as 100 million emails. The Amazon campaign is noteworthy in that the ransomware used botnets running on hijacked virtual and consumer machines.
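An added example, not from the article, of a mail-gateway triage rule built from the lures and carriers named above (invoice subjects of the form "ATTN: Invoice J-[numbers]", "tracking documents", Amazon.com order updates; macro-laden Word documents and JavaScript attachments). The log format, sender addresses and file names are constructed for the example.

```python
import os
import re

# Constructed mail-gateway log lines (sample data, not from the article):
# "<timestamp> from=<sender> subject="<subject>" attach=<filename-or-empty>"
SAMPLE_LOG = """\
2016-03-01T08:12:44 from=billing@vendor.test subject="ATTN: Invoice J-98412337" attach=invoice_J-98412337.doc
2016-03-01T08:13:02 from=hr@corp.example subject="Q1 timesheet reminder" attach=timesheet.xlsx
2016-03-01T08:15:19 from=ship@carrier.test subject="tracking documents" attach=tracking_0091.doc
2016-03-01T08:16:40 from=billing@vendor.test subject="ATTN: Invoice J-55120" attach=
2016-03-01T08:18:05 from=orders@store.test subject="Your Amazon.com order update" attach=order_details.js
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)" attach=(?P<attach>\S*)$'
)

# Lure subjects the article names: "ATTN: Invoice J-[random numbers]",
# "tracking documents", and the fake Amazon.com order update.
SUBJECT_PATTERNS = [
    re.compile(r"^ATTN: Invoice J-\d+$"),
    re.compile(r"^tracking documents$", re.IGNORECASE),
    re.compile(r"amazon\.com .*order", re.IGNORECASE),
]

# Carriers the article names: Word documents with macros and JavaScript files.
# .docm (macro-enabled Word) is added here as an assumption, not from the article.
RISKY_EXT = {".doc", ".docm", ".js"}


def triage(log_text):
    """Flag lines whose subject matches a known lure AND that carry a risky attachment.

    Both conditions are required: a lure subject with no attachment (line 4 of
    the sample) is left alone, which keeps the rule from firing on every reminder.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        subject, attach = m["subject"], m["attach"]
        lure = any(p.search(subject) for p in SUBJECT_PATTERNS)
        ext = os.path.splitext(attach)[1].lower()
        if lure and ext in RISKY_EXT:
            hits.append({"ts": m["ts"], "sender": m["sender"],
                         "subject": subject, "attach": attach,
                         "reason": "lure subject + %s attachment" % ext})
    return hits
```

Feeding a real gateway export through `triage` gives an analyst a short list to pull for sandboxing rather than the whole spam run.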

Targeting Deeper Pockets

With older strains of ransomware, the ransom usually amounted to a couple of hundred dollars (depending on the Bitcoin market rate) and was often just paid. But, increasingly these cyber thieves are going after bigger targets and demanding larger ransoms. Ransomware attacks are getting more agile, varied and widespread, and are increasingly taking aim at businesses of all sizes in all sectors, rather than consumers.

The value of your personal files and pictures has a finite and limited value. However, if they encrypt the back-end of your corporate system and prevent you from processing payments, that has a tremendous value. If the hacker can recognize the value of what he has, the ransom can be more dynamically set based on the content of the data.

It's clear these hackers have been planning large-scale attacks for some time. Locky gained notoriety when it crippled the Hollywood Presbyterian Medical Center and compelled the hospital to pay $17,000. It has since been behind a series of attacks on healthcare facilities in the U.S., the HQ of India's Maharashtra government, the Whanganui District Health Board in New Zealand, and the Chinese University of Hong Kong's Faculty of Medicine. This is clearly no longer just a consumer play.

While many of the targets have been healthcare organizations, businesses of all types are likely targets, especially SMBs, who are less likely to have deployed enterprise-grade malware detection and to perform regular backups.

Infecting Your Entire Network

Like other types of ransomware, Locky is designed to encrypt important files for the purpose of holding them hostage, but it has added a new twist. Locky has the ability to encrypt network shares and drives that your workstation may not normally have access to.

Locky and newer variants will travel through network drives to encrypt any files they can get to using the permissions of the original user account where the infection started. With CryptoWall, for example, the ransomware could only infect network drives that the PC was connected to (i.e., it could only reach the drives you had mapped on your computer). But because the Locky ransomware can encrypt any network shared drive, whether or not your workstation has access to it, the virus can spread to an entire business network.

If cyber criminals get their hands on credentials through any remote access service, they gain the ability to execute malicious code on all the computers in the network by using the admin passwords. Consequently, a small, one-device ransomware or botnet infection leading to data leakage is not just a major privacy breach threat for companies big or small. It also becomes a gateway for company-wide infections that can cause major problems in terms of business continuity, legal issues and customer trust, to name a few aspects.

The Importance of Disaster Recovery as a Service

There are a ton of articles available on how to avoid becoming a ransomware victim. Much of the guidance revolves around these five best practices:

1. Educate your users about phishing attacks and clicking on pop-up ads
2. Train your users to be careful about clicking on specific types of email attachments
3. Use enterprise-grade malware detection
4. Keep your endpoints' operating systems and software up-to-date with the latest security updates
5. Back up your files (offsite) constantly

But because Locky and newer types of ransomware can infect your entire network, there are some additional safeguards and investments your organization may need to make, including:

  • Never use the administrator account on any of the computers in your environment. Instead, use guest accounts that have access only to need-to-have and need-to-know information. This way, you can prevent escalation of privilege and other types of infiltration into your system.
  • Do not keep the computers you use for business connected in a local network. Ransomware is capable of encrypting not only the data on the computer where the infection succeeded, but also the data on all the other computers that are connected to it through a local network. By keeping the computers isolated, you have a better fighting chance against this threat.
  • Invest in Disaster Recovery as a Service. Enterprise-grade ransomware demands enterprise-grade data protection. With cloud backup, you can restore individual files and folders, but it is not designed to restore entire networks. Modern DRaaS can back up files, folders, and VMs, which enables CISOs and IT administrators to quickly restore and fail over applications in minutes.

If your entire network is infected, DRaaS can help you in two very important and time-consuming ways. First, it allows you to keep your users productive, since you can quickly spin up VMs (from historical backed-up VMs) either from a local appliance or from the cloud. Secondly, DRaaS lets IT admins identify the date of infection more quickly. With cloud backup, you have to inspect individual files and folders to determine if they've been encrypted. With DRaaS, you can mount an image and more quickly determine whether the image has been encrypted. This enables you to identify the date of infection so you can restore a clean copy of your data and applications from a date just prior to the infection. With traditional backup solutions, determining the date of infection and restoring clean copies of the infected files can be cumbersome and time consuming; with DRaaS, it's far easier.
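The restore-point search described above (mount each historical image, check whether it has been encrypted, restore from the newest clean one), as an added example that is not part of the original article or of any vendor's product: it builds a constructed tree of dated backup images and scans each one for the .locky extension the article says Locky appends. Directory layout, dates and file names are assumptions made for the example.

```python
import os
import tempfile

LOCKY_EXT = ".locky"   # extension the article says Locky appends to encrypted files


def build_sample_snapshots(root):
    """Create a constructed tree of daily backup images under root/<YYYY-MM-DD>/.

    Sample data only: the last two days hold Locky-renamed files, the earlier
    two are clean. A real run would point at mounted DRaaS images instead.
    """
    clean = {"docs/report.docx": "quarterly numbers", "finance/payments.xlsx": "ledger"}
    infected = {"docs/report.docx.locky": "<ciphertext>", "finance/payments.xlsx.locky": "<ciphertext>"}
    plan = {"2016-03-14": clean, "2016-03-15": clean,
            "2016-03-16": infected, "2016-03-17": infected}
    for day, files in plan.items():
        for rel, body in files.items():
            path = os.path.join(root, day, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    return root


def scan_snapshot(snapshot_dir):
    """Return the relative paths of encrypted files found in one mounted image."""
    hits = []
    for dirpath, _, names in os.walk(snapshot_dir):
        for name in names:
            if name.lower().endswith(LOCKY_EXT):
                hits.append(os.path.relpath(os.path.join(dirpath, name), snapshot_dir))
    return sorted(hits)


def find_restore_point(root):
    """Walk images newest to oldest; return (first_infected_day, last_clean_day).

    last_clean_day is the image to restore from; it is None when every image on hand
    is already encrypted, i.e. the retention window is too short to recover from.
    """
    first_infected = None
    for day in sorted(os.listdir(root), reverse=True):  # ISO dates sort by time
        if scan_snapshot(os.path.join(root, day)):
            first_infected = day
        else:
            return first_infected, day
    return first_infected, None


def demo():
    """Build the constructed tree in a temp dir and return the restore-point result."""
    return find_restore_point(build_sample_snapshots(tempfile.mkdtemp()))
```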

Locky is a game-changing threat for businesses of all types. Thankfully, there are simple and cost-effective ways to protect your organization. It starts with teaching your employees and anyone who has access to your computer(s) about these safety rules and making it a requirement that they learn the basics of cyber security.

With all of the cyber security threats that exist, every business needs to invest in enterprise-grade malware detection, disaster recovery as a service, and a few network best practices in order to safeguard their data and systems.


Dean Nicolls is vice president of marketing for Infrascale and has more than 20 years of B2B marketing leadership experience working with some of the largest and fastest growing companies, including Starbucks, Microsoft, TeleSign (two-factor authentication), and LiveOffice (cloud-based email archiving). Nicolls leads the company in its mission to help companies of all sizes eradicate downtime and data loss.