CryptoLocker-style malware is software that tricks you into running it and then encrypts all your files. When it hits a business it not only infects the PC of the user who clicked the link but also follows any mapped drives and encrypts the files on those too. Once the files are encrypted, the key needed to decrypt them is sent to the attacker, who will generally offer to decrypt them for a price. The only way to recover from this attack is to restore from a backup.
Antivirus, firewalls, antispam and web filtering will go 90% of the way to stopping these, which leaves the last 10% down to user training and knowledge. It is then down to companies to educate users not to open emails and attachments containing invoices or documents they are not expecting, as there is no real business need to do so.
Cyber criminals are making good money out of these attacks, and because the attacks are virtually untraceable their numbers are growing rapidly. Very recently we have seen this style of attack change in the way it is deployed. Traditionally attackers would plant the virus through spear phishing via email; now that people are wising up to this, attackers are trying a more old-school method.
So much emphasis is put on filtering web browsing and email that people are forgetting the core security fundamentals: blocking unrequired services and having secure passwords. This allows attackers to scan your network and see whether you have any ports open, for example remote access ports. If they find none, chances are they will move on to another company; if they find a port open, they will proceed to brute-force your accounts and passwords.
Attackers are now connecting to old services using accounts and passwords that people have forgotten about, uninstalling the antivirus from those computers and then transferring over their chosen encryption virus. Once this is done they can run the virus for you and encrypt whatever they can see. This back-door approach is a real danger because it takes the element of accident, and therefore of user training, out of the equation.
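The brute-force stage described above leaves a clear trail in the server's logon audit: a burst of failed logons from one source, often followed by a success once a forgotten account's password has been guessed. The following is an added detection example (not code from the original post), run over constructed records shaped like Windows Security events 4625/4624; the sample events, thresholds and field layout are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the shape (timestamp, event_id, source_ip, account),
# modelled on Windows Security log events 4625 (failed logon) and 4624 (successful
# logon) for remote-access sessions. These lines are made up for the example.
SAMPLE_EVENTS = [
    ("2016-03-01 02:10:05", 4625, "203.0.113.7", "administrator"),
    ("2016-03-01 02:10:09", 4625, "203.0.113.7", "administrator"),
    ("2016-03-01 02:10:14", 4625, "203.0.113.7", "admin"),
    ("2016-03-01 02:10:20", 4625, "203.0.113.7", "scanner"),
    ("2016-03-01 02:10:27", 4625, "203.0.113.7", "backup"),
    ("2016-03-01 02:10:33", 4625, "203.0.113.7", "backup"),
    ("2016-03-01 02:11:02", 4624, "203.0.113.7", "backup"),   # guessed password worked
    ("2016-03-01 09:00:00", 4625, "192.0.2.50", "jsmith"),     # ordinary typo, then success
    ("2016-03-01 09:00:30", 4624, "192.0.2.50", "jsmith"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_remote_logon_attacks(events, threshold=5, window_minutes=5):
    """Sliding-window detector over logon events, sorted by timestamp.

    Returns a list of (alert_kind, source_ip, account, timestamp):
      "brute_force": a source reaches `threshold` failed logons within `window_minutes`.
      "success_after_brute_force": a successful logon from a source flagged within the window,
      i.e. the account should be treated as compromised and the host isolated.
    """
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged_at = {}                 # source_ip -> time the brute-force alert fired
    alerts = []
    for ts, event_id, src, account in sorted(events, key=lambda e: e[0]):
        now = _parse(ts)
        recent = failures[src]
        while recent and now - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if event_id == 4625:
            recent.append(now)
            if len(recent) == threshold:             # fire once per burst, not per extra failure
                flagged_at[src] = now
                alerts.append(("brute_force", src, account, ts))
        elif event_id == 4624:
            if src in flagged_at and now - flagged_at[src] <= window:
                alerts.append(("success_after_brute_force", src, account, ts))
    return alerts
```

A single failed logon followed by a success (the 192.0.2.50 records) produces no alert, so ordinary user typos do not trip the detector.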
New crypto/encryption malware can even search for machines on the network with file shares and encrypt the data in those shares too. So not only will the folders a user has mapped be destroyed, but the malware can crawl through every share that is not locked down.
If your backup is missing anything or is not frequently monitored and tested, then should your business data become compromised you have the potential to lose all your business-critical data, which could have severe repercussions for your trading.
The following practices can go a long way towards protecting yourself:
- Lock down unrequired ports on your firewall
- Use a VPN to connect to remote access protocols (such as Remote Desktop or VNC)
- Disable unused accounts on PCs and domains
- Create a password policy to enforce secure, frequently changed passwords
- Have a watertight, frequently tested backup in place in case the worst happens
A full analysis of the 6 threat vectors and how to effectively cover them has become an essential practice in securing your company data.
If this blog post has been of interest and you recognise the potential threats to your business, Custard can help by performing an audit of your security, reporting on weaknesses and advising on how to address them.