Protecting your business from a ransomware attack.
Extortionists are increasingly targeting Kiwi businesses due to poor security in their ICT infrastructure. Is the security of your ICT sufficient? Jakub Kroustek offers some best practice advice.
Ransomware is an increasingly popular type of extortionist cyber attack. It encrypts the data on infected computers, or locks you out of them completely, and holds your data or device hostage, with the attackers offering a decryption key or the return of access in exchange for a ransom.
In 2020 we saw many ransomware attacks across New Zealand businesses and it is expected that these types of attacks will continue in 2021.
In December a retirement and financial strategies provider was hit with the NetWalker ransomware, which targets Windows systems, and the attackers threatened to publish data they had stolen unless a ransom was paid.
Other businesses targeted with ransomware in 2020 included trans-Tasman brewer Lion, with extortionists threatening in June to “auction” all of its financial information, clients’ personal information and other “important confidential documents” on the Internet unless it paid a US$800,000 (NZ$1.25m) ransom, and Isentia, an Australian media monitoring provider, which was hit by ransomware in late October, causing massive disruption to its SaaS platform Mediaportal. The company reported that the attack on its cloud platform would cut annual profits by between NZ$7.3 million and NZ$8.9 million after it severely compromised the delivery of services to customers.
Now, although you may only ever hear about ransomware attacks on large businesses in the media, like Lion and Isentia, small and medium businesses in New Zealand should still be very aware of ransomware and the potential vulnerabilities in their business infrastructure.
With New Zealand’s new Privacy Act now in force, businesses have to take more responsibility for privacy breaches and must report any serious breach, such as one where private information is lost or stolen, to the Office of the Privacy Commissioner. It is therefore even more important that New Zealand businesses take a fresh look at their cyber security to prevent a ransomware attack.
Dangerous business infrastructure
Attackers most often target out-of-date or poorly secured software. They reach it not only through malicious code on compromised websites or through phishing emails, which remain one of the most common approaches, but also through Remote Desktop Protocol (RDP), Microsoft’s proprietary protocol for connecting to a computer’s desktop from a remote machine, which many companies use to give staff access to the corporate network.
With the COVID-19 crisis, the ability to remotely connect to another machine using RDP has essentially changed the way many companies around the world run their businesses, and employees are no longer tied to their workplaces.
The principle is simple: an RDP client on a home laptop opens an encrypted connection to the machine that runs the server side of the software. Unfortunately, if this feature is not properly managed and configured, it becomes an entry point for attackers. The first example is a vulnerability in the RDP implementation itself; these appear from time to time, and attacks against them are most effective on older, unpatched systems.
More often we see so-called brute force attacks on weak credentials, in which automated tools try password after password against the exposed RDP service until one works. Weak passwords, and of course passwords reused from other services that may already have been compromised, therefore give easy access to a business’s systems. The attacker logs in as an authorised user (often with administrator rights) and then manually uploads and runs the ransomware. Data from Shodan.io show that there are millions of devices worldwide with RDP exposed to the Internet.
The damage from such an attack can be astronomical. The ransom demanded (paying is not recommended) varies from case to case: in untargeted attacks it averages around US$600, while in targeted attacks on specific organisations it can run to millions of dollars.
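The password-guessing pattern described above leaves a very recognisable trace in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from a single source address, often cycling through common account names. The PowerShell below is an added example, not code from the article or from Avast, that looks for that pattern. The sample events, the threshold of 10 failures and the 5-minute window are all constructed assumptions for the demonstration; on a real host you would feed it the output of Get-WinEvent, as shown in the commented block at the end.

```powershell
# Added example (not from the original article): flag RDP password guessing from the
# Windows Security log. A failed logon is event ID 4625; LogonType 10 means a
# RemoteInteractive (RDP) attempt. Threshold and window are assumptions to tune locally.
function Find-RdpBruteForce {
    param(
        # Objects with TimeCreated, IpAddress, TargetUserName and LogonType properties
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 10,   # this many failures from one source address ...
        [int] $WindowMinutes = 5     # ... inside this many minutes triggers an alert
    )
    $hits = @()
    $rdpFailures = $Events | Where-Object { $_.LogonType -eq 10 }
    foreach ($group in ($rdpFailures | Group-Object -Property IpAddress)) {
        $times = @($group.Group | Sort-Object -Property TimeCreated | ForEach-Object { $_.TimeCreated })
        # Slide a window of $Threshold consecutive failures over the sorted timestamps;
        # alert on the first window that fits inside $WindowMinutes.
        for ($i = 0; ($i + $Threshold - 1) -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $hits += [pscustomobject]@{
                    SourceIp  = $group.Name
                    Failures  = $group.Count
                    Usernames = (@($group.Group | ForEach-Object { $_.TargetUserName }) | Sort-Object -Unique) -join ','
                    FirstSeen = $times[0]
                    LastSeen  = $times[-1]
                }
                break
            }
        }
    }
    return $hits
}

# Constructed sample data for this example: twelve guesses in two minutes from one
# address (a spray across common account names) and two typos from a staff laptop.
$base    = Get-Date '2021-01-15 02:00:00'
$guesses = 'administrator','admin','Administrator','backup','sales','it','scanner','guest','test','user','support','helpdesk'
$sample  = @()
for ($i = 0; $i -lt $guesses.Count; $i++) {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddSeconds(10 * $i); IpAddress = '203.0.113.45'; TargetUserName = $guesses[$i]; LogonType = 10 }
}
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(30); IpAddress = '10.0.0.23'; TargetUserName = 'jane'; LogonType = 10 }
$sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes(31); IpAddress = '10.0.0.23'; TargetUserName = 'jane'; LogonType = 10 }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize

# On a live host (elevated prompt), build the same objects from the real log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#         TimeCreated    = $_.TimeCreated
#         IpAddress      = ($d | Where-Object Name -eq 'IpAddress').'#text'
#         TargetUserName = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         LogonType      = [int]($d | Where-Object Name -eq 'LogonType').'#text'
#     }
# }
```

With the sample data the function returns one row, for 203.0.113.45, because ten of its failures fall within 90 seconds; the two failures from 10.0.0.23 never reach the threshold. Two things the function deliberately keys on are worth keeping in any production rule: the logon type, so that a noisy internal application retrying a service account does not masquerade as RDP guessing, and the count of distinct usernames, because a spray across many accounts from one address is almost never a legitimate user.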
What to do for effective business cyber security
In the case of a ransomware attack, businesses should definitely not consider paying the ransom or negotiating with the criminals behind the attack as making the payment doesn’t ensure you’ll get your files back or that you’ll get the right decryption key, and your payment will likely fund the development and launch of new ransomware.
Businesses can, of course, look for the free decryption tools that some security companies publish for particular ransomware families, and in some cases this works, but you should not rely on it. It is better to protect yourself against these attacks systematically, by deploying strong security measures that prevent the ransomware from getting in in the first place.
Here are some ways that New Zealand business owners can protect their business from ransomware:
- Keep your antivirus software up to date
The best way to prevent a ransomware attack is to stop the malware from reaching your computer or device at all. The first step is to install an effective, top-quality antivirus program with a strong ransomware protection tool and RDP protection to address the growing risks posed by Remote Desktop use, such as Avast Business Antivirus, whose Remote Access Shield protects your devices from attacks on RDP.
To defend yourself against the relentless creation and assault of new ransomware strains, you should also make sure you keep your antivirus software up-to-date at all times. Most programs will do this for you automatically, but for additional peace of mind, set aside a moment once a week to check for updates.
- Think twice before clicking on links
Phishing scams are still the most popular way of distributing malware. Attackers also push ransomware to mobile devices through text messages and social media messenger apps.
Don’t click links you receive from unknown contacts via SMS, email, or messenger applications like Skype or WhatsApp. Even if you think you know the sender, take a closer look at both their address and the link itself before proceeding. If anything looks phishy, steer clear.
Although common sense still works very well against phishing attacks, antivirus software can help detect infected sites and block malware, with these features getting better every year.
- Update your operating system and your software
As annoying as Windows, Apple, and Android system update notices can be, you should never ignore them. Many of these updates involve security patches that are vital to preventing ransomware and other malware from infiltrating your devices.
If you’re still using an older OS that Microsoft no longer supports, like Windows XP, you are especially vulnerable to attack. Do yourself a massive favour and upgrade to a newer operating system. You should also keep all your software up-to-date, especially your web browsers and plug-ins.
- Fix your RDP access
Block RDP access from the Internet and make it reachable only from the internal network (or over a VPN). This can be done at the firewall level by restricting the default port (TCP 3389 for RDP) to internal addresses; moving RDP to a non-standard port is not a substitute, because Internet-wide scanners still find it. Where remote access is genuinely needed, also enable Network Level Authentication and an account lockout policy so that password guessing is slowed down rather than allowed to run unchecked. If the company does not need RDP for its daily operations, it is better to turn it off completely.
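The steps above translate into a short host-hardening script. The PowerShell below is an added example, not code from the article or from Avast; it must be run from an elevated prompt on the Windows machine that accepts RDP. The internal subnet 10.0.0.0/8, the Restrict/Disable mode names and the lockout values of 5 attempts and 15 minutes are assumptions for the demonstration. It configures the host firewall and registry only: the perimeter firewall or router must separately stop forwarding port 3389 from the Internet, and on domain-joined machines the lockout policy should be set through Group Policy rather than net accounts, which Group Policy would override.

```powershell
# Added example (not from the original article): restrict or disable inbound RDP on a
# Windows host. Run elevated. 10.0.0.0/8 stands in for the company's internal network
# (an assumption; use the real subnet or VPN address pool). Host-level only: the
# perimeter firewall/NAT must also not forward TCP/UDP 3389 from the Internet.
param(
    [ValidateSet('Restrict', 'Disable')] [string]   $Mode           = 'Restrict',
    [string[]]                                      $AllowedSources = @('10.0.0.0/8')
)

$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsPath\WinStations\RDP-Tcp"

if ($Mode -eq 'Disable') {
    # RDP is not needed for daily operations: refuse connections, close the firewall
    # rules and stop the service so nothing listens on 3389 at all.
    Set-ItemProperty -Path $tsPath -Name 'fDenyTSConnections' -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled
}
else {
    # RDP is needed: allow it, but only from the internal network / VPN.
    Set-ItemProperty -Path $tsPath -Name 'fDenyTSConnections' -Value 0
    # Network Level Authentication: the credential is checked before a session
    # (and its attack surface) is created.
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1
    # Scope the built-in "Remote Desktop" rules (TCP and UDP 3389) to allowed sources.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSources -Enabled True
    # Local account lockout to slow brute force: 5 failures in 15 minutes locks for 15 minutes.
    # (Assumed values; on a domain member set this via Group Policy instead.)
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}

# Verify: each Remote Desktop rule should be disabled, or enabled with only the
# allowed remote addresses, and 3389 should not be listening in Disable mode.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | ForEach-Object {
    $filter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        RemoteAddress = ($filter.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize

Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Saved as, say, Harden-Rdp.ps1 (a hypothetical name), it is run as `.\Harden-Rdp.ps1 -Mode Restrict -AllowedSources 10.20.0.0/16` on machines that must stay reachable, and `.\Harden-Rdp.ps1 -Mode Disable` on everything else. The verification table at the end is the part worth keeping in a change record: a RemoteAddress of `Any` on an enabled Remote Desktop rule means the host is still accepting RDP from wherever the perimeter lets through.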
- Back up all important files from your device
The absolute baseline for preventing company data loss in a ransomware attack is regular backups. Having backups of all your valuable and vital files limits the damage. The best approach combines offline and online storage: save your files to one or more physical devices (e.g. external hard drives, USB flash sticks, SD cards) and to cloud storage services (e.g. Dropbox, Box, Google Drive). Keep the offline copy disconnected when it is not being written to, because ransomware will encrypt any drive, network share or synced folder it can reach, and test that you can actually restore from the backup before you need to.
This way, if you do get hit with a ransomware attack, you’re ready to restore all your important files as soon as you remove the ransomware from your device.
- Ensure employees act securely and trust no one
It is also crucial to manage employees’ access rights and to implement the Zero Trust principle: a security model in which every user and device, including those already inside the organisation’s network, must be authenticated and authorised, and have its security posture continuously re-validated, before it is granted or keeps access to applications and data. This limits how far an attacker who compromises one account or machine can get.
Remove administrative privileges from staff who do not need them, and train staff to browse securely: check the padlock symbol and ‘https’ in the browser address bar (remembering that these only show the connection is encrypted, not that the site is legitimate, since phishing sites use HTTPS too), avoid unknown websites and unexpected hyperlinks, and look for small changes in URLs that signal a look-alike domain.
Encourage strong passwords, with a different password for every account (a password manager makes this practical), and add two-factor authentication wherever possible, especially on administrator accounts and on any remote-access service. It is also worth having staff regularly check whether any of their passwords have appeared in a known breach, which can be done with the free online tools provided by security companies (such as Avast’s free Hack Check tool).
Jakub Kroustek is malware research manager at Avast, a specialist in digital security and privacy products.