With the news last week of the ransomware attack on UHS, a large hospital network, as well as the news from two weeks before that of a woman dying due to a ransomware attack on a German hospital, I figured it was a good time to revisit our post about ransomware (which, full disclosure, was actually written in early 2017 for my personal blog and repurposed for use here). While many of the fundamentals are still valid, I wanted to write something that focuses less on the technical details of “how it happens” and “how to prevent it” and more on what you, as a business owner or decision maker, need to know and worry about.
You Are Not “Too Small” to Worry About
One of the biggest responses I hear from business owners when stories like the above are mentioned is “well, of course criminals are going after them, they’re huge! Nobody is going to worry about my operation. Hell, I wish I were big enough to have to worry about this kind of thing.” Ultimately, that’s the cybersecurity equivalent of hearing about Kim Kardashian’s hotel being robbed and saying, “I’m not rich enough for thieves to target.” You may not be targeted specifically, but much like street crime, cybercrime is often a crime of opportunity. For every 90,000-person company you hear of being hit by ransomware, there are hundreds, if not thousands, of smaller organizations that you never hear about being victimized. Throughout my career, I have seen dozens of organizations, of all sizes, suffer ransomware attacks. Sometimes the company got hit because there was an easily fixable vulnerability that was missed, and sometimes the point of entry is much less obvious. But the common thread among all these organizations is that it hurts.
Your Remote Access Solution May Be a Vulnerability
With the COVID-19 pandemic, organizations had to adapt to a work-from-home environment with little to no notice. This means that many companies ended up with solutions that were slapped together with little concern for security. It is very important to work with your IT department or provider to ensure that any remote access solution includes provisions that mitigate brute-force attacks (account lockout or rate limiting, and alerting on repeated failed logins), and ideally implements two-factor authentication.
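The "provisions against brute-force attacks" above come down to two things: a lockout or rate limit on the remote access service itself, and someone actually noticing when a single source hammers the login page. The following is an added example (not code from the original post) of the noticing part: a small sliding-window detector run over a few constructed authentication log lines. The log format, the threshold of five failures in five minutes, and the IP addresses are all assumptions made for the example; a real VPN or RDP gateway logs in its own format, so the `parse_line` function is the part you would adapt.

```python
"""Sliding-window brute-force detector for remote-access authentication logs.

Added example, not from the original post. It assumes a simple constructed
log format ("<ISO timestamp> <OK|FAIL> user=<name> src=<ip>") rather than any
vendor's VPN or RDP log; adapt parse_line() to your product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). One source tries several
# usernames in quick succession and then succeeds; another user just typos once.
SAMPLE_LOG = """\
2020-10-05T08:00:01 FAIL user=admin src=203.0.113.7
2020-10-05T08:00:03 FAIL user=admin src=203.0.113.7
2020-10-05T08:00:05 FAIL user=jsmith src=203.0.113.7
2020-10-05T08:00:06 OK user=mlee src=198.51.100.20
2020-10-05T08:00:08 FAIL user=administrator src=203.0.113.7
2020-10-05T08:00:10 FAIL user=root src=203.0.113.7
2020-10-05T08:00:12 FAIL user=admin src=203.0.113.7
2020-10-05T08:00:14 OK user=admin src=203.0.113.7
2020-10-05T08:30:00 FAIL user=mlee src=198.51.100.20
2020-10-05T08:31:00 OK user=mlee src=198.51.100.20
"""

THRESHOLD = 5                   # failures from one source address ...
WINDOW = timedelta(minutes=5)   # ... inside this window raise an alert (assumed values)


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src_ip)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per source that reaches `threshold` failures in `window`.

    Each alert records when the burst started, when it crossed the threshold,
    which usernames were tried, and whether a successful login from the same
    source followed, since that last case is the one that needs a human now.
    """
    failures = defaultdict(deque)   # src_ip -> deque of (timestamp, user) for recent failures
    alerted = {}                    # src_ip -> index into `alerts`, so each source alerts once
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        if result == "FAIL":
            recent = failures[src]
            recent.append((ts, user))
            # Drop failures that have aged out of the window.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in alerted:
                alerted[src] = len(alerts)
                alerts.append({
                    "src": src,
                    "first_seen": recent[0][0],
                    "alert_time": ts,
                    "users": sorted({u for _, u in recent}),
                    "success_after": False,
                })
        elif result == "OK" and src in alerted:
            alerts[alerted[src]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        flag = "  <-- login succeeded after burst, investigate" if alert["success_after"] else ""
        print(f"{alert['src']}: {len(alert['users'])} usernames tried between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['alert_time']:%H:%M:%S}{flag}")
```

On the sample data only 203.0.113.7 is flagged; the single mistyped password from 198.51.100.20 never reaches the threshold, which is the point of using a window rather than alerting on every failure. Detection like this complements a lockout policy rather than replacing it, and neither substitutes for two-factor authentication, which is what stops a guessed password from being enough.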
Having Backups Isn’t Enough
I don’t want to send the wrong message: backups are essential. Too often, though, people think “I’m told my data is backed up, so I’m good”, and that really is not the whole picture. For starters: is everything backed up that you think is backed up? The first time I ever encountered ransomware, I was a junior tech working at an MSP. We had a potential client who was still running on an outdated environment their previous IT person had set up and who was, in general, very allergic to spending money. They were infected by CryptoLocker but had working backups. I arrived onsite to restore from backups when I discovered that the owner had many documents on their personal computer that were encrypted. The owner hadn’t saved anything to their personal network drive because they thought their local workstation was backed up. Only the servers were backed up. As a result, this company had to pay the ransom because they had business-critical documents stored on a laptop that was not backed up. As much as paying a ransom sucked, they got very lucky. Imagine if the owner had dropped this laptop out of a window instead!
What about your cloud services? Many businesses (and, embarrassingly enough, IT providers) seem to assume that data in cloud services, such as Microsoft 365 email/SharePoint or G Suite/Google Docs, is backed up by the provider. That is not the case. Providers like Microsoft and Google do have a level of replication, so if one of their servers dies, client information isn’t lost. But that doesn’t help you if ransomware detects a Dropbox or OneDrive share and encrypts that, or your email is specifically targeted by ransomware. It is important to make sure your IT backup plan includes any cloud services.
Backups also don’t do you any good if the only copy of them is on the same network as the ransomware infection. Often, ransomware will look for backups and either encrypt those, or delete all the recovery points. The solution is to ensure that you have a copy of your backup data that is off-site and not accessible from your network.
The final “backup issue” that I have seen clients run into with ransomware attacks is the time to recovery. Too often providers and IT staff do not adequately explain how long recovery can take, and businesses and their IT end up with different ideas of what is or isn’t acceptable. It’s not uncommon for a full server recovery to take 6-18 hours, depending on the amount of data to be restored and the backup software being used. And that’s if everything goes well. I have seen issues pop up and delays in communication and strategy extend restore time by days.
Questions Every Business Should Ask About Ransomware Protection
These questions will help you understand your risk of being impacted by ransomware, and the repercussions if it does happen. If your IT provider or department cannot answer these questions, I would have some very serious concerns.
- What is your resolution plan if a client gets infected by ransomware?
- What protections are in place to minimize the risk of ransomware?
- What is our anti-spam service? Our anti-virus?
- Can our remote access solution be an attack vector for ransomware?
- What protections are in place to prevent our remote access solution from being compromised?
- How are backups protected from ransomware? Are they replicated offsite?
- How long would it take to restore a server from backups? Our entire environment?
- What is protected by backups?
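The three backup problems described earlier (the laptop nobody was backing up, the cloud data nobody thought about, the on-network backup that ransomware can reach, and the restore that takes longer than anyone expected) and the backup questions in the list above are all answerable from the same two inputs: an inventory of what holds data, and a list of what the backup jobs actually cover. The following is an added example, not code from the original post, of turning those two lists into findings and a restore-time estimate. The asset names, data sizes, backup jobs and restore throughput figures are constructed placeholders; the throughput numbers in particular are assumptions, and the honest way to fill them in is with a measured test restore.

```python
"""Backup coverage and restore-time audit.

Added example, not from the original post. Checks an asset inventory against
the backup jobs that exist and estimates how long a restore from the surviving
copy would take. All inventory entries, jobs and throughput rates below are
constructed placeholders, not measurements.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str            # "server", "workstation" or "cloud"
    data_gb: float
    critical: bool = False


@dataclass
class BackupJob:
    asset: str
    offsite_copy: bool   # a copy exists outside the production network
    isolated: bool       # that copy cannot be reached or deleted with production credentials


# Constructed inventory: the owner's laptop and the cloud mailboxes are exactly the
# assets that tend to be assumed covered but are not.
ASSETS = [
    Asset("FILESERVER01", "server", 800, critical=True),
    Asset("SQL01", "server", 400, critical=True),
    Asset("OWNER-LAPTOP", "workstation", 60, critical=True),
    Asset("M365-Mailboxes", "cloud", 250, critical=True),
    Asset("RECEPTION-PC", "workstation", 20),
]

# Constructed job list: note which assets have no job at all.
JOBS = [
    BackupJob("FILESERVER01", offsite_copy=True, isolated=True),
    BackupJob("SQL01", offsite_copy=True, isolated=False),
    BackupJob("M365-Mailboxes", offsite_copy=False, isolated=False),
]

# Assumed restore throughput in GB per hour; replace with figures from a test restore.
RESTORE_GB_PER_HOUR = {"local": 120.0, "offsite": 80.0}


def audit(assets, jobs):
    """Return (severity, asset, finding) tuples for every gap in backup coverage."""
    jobs_by_asset = {j.asset: j for j in jobs}
    findings = []
    for a in assets:
        job = jobs_by_asset.get(a.name)
        if job is None:
            severity = "HIGH" if a.critical else "MEDIUM"
            findings.append((severity, a.name, "no backup job covers this asset"))
            continue
        if not job.offsite_copy:
            findings.append(("HIGH", a.name,
                             "only copy is on the production network; ransomware can encrypt or delete it"))
        elif not job.isolated:
            findings.append(("MEDIUM", a.name,
                             "off-site copy can be deleted with production credentials"))
    return findings


def estimate_restore_hours(assets, jobs, rates=RESTORE_GB_PER_HOUR):
    """Estimate per-asset and total restore time, assuming restores run one after another.

    In a ransomware scenario the local copy is assumed lost, so anything with an
    off-site copy is restored at the (slower) off-site rate.
    """
    jobs_by_asset = {j.asset: j for j in jobs}
    per_asset = {}
    for a in assets:
        job = jobs_by_asset.get(a.name)
        if job is None:
            continue   # nothing to restore from; already reported by audit()
        source = "offsite" if job.offsite_copy else "local"
        per_asset[a.name] = round(a.data_gb / rates[source], 1)
    return per_asset, round(sum(per_asset.values()), 1)


if __name__ == "__main__":
    for severity, name, text in sorted(audit(ASSETS, JOBS)):
        print(f"[{severity}] {name}: {text}")
    per_asset, total = estimate_restore_hours(ASSETS, JOBS)
    for name, hours in per_asset.items():
        print(f"{name}: ~{hours} h to restore")
    print(f"Full environment: ~{total} h sequential restore, if nothing goes wrong")
```

The output answers the last three questions in the list directly: what is protected (anything without a finding), whether the copies are really out of reach of an infection, and roughly how long each server and the whole environment would take to come back. The total is a floor, not a promise; the post's point about delays in communication and strategy still applies on top of it.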
Questions? Concerns? Please Reach Out!
If you have any questions about ransomware protection or want to know how your environment stacks up in terms of being protected, please reach out. We would be happy to schedule a network assessment.