Introduction

NETsolutions Asia, a system integrator and support company, is very alert to network risks which may impact clients and companies both regionally and in Thailand.

Whilst ransomware has received quite a lot of foreign press, there has been little evidence of companies being affected in Thailand. Unfortunately things have now changed: only recently we have helped two companies with whom we work after they were compromised and locked out of their data by ransomware.

Because of this I thought it may be useful to communicate a few steps which companies can take to better prepare themselves against the risks of ransomware. I suggest that management review these steps with your IT staff / contractors and, by this review, satisfy yourselves as to how well protected you are.

If you would like an independent audit of your current strategies and backup procedures, give me a call on +66 2401 9250 or send me an email at robert@nullnsasia.co.th

What is Ransomware?

“Ransomware attacks cause downtime, data loss, possible intellectual property theft, and in certain industries a ransomware attack is considered a data breach. Since September 2013, several ransomware strains are attacking end-users and it’s rapidly getting worse. Ransomware is malware that gets installed on a PC user’s workstation, often by using a social engineering attack where the user gets tricked into clicking on a link or opening an attachment (Facebook, Youtube etc.). Once the malware is on the machine, it starts to encrypt all data files it can find on the PC itself and on any network shares the PC has access to. Next, when a user wants to access one of these files they are blocked; the system admin who gets alerted by the user finds two files in the directory that indicate the files have been taken ransom, and how to pay the ransom to decrypt the files. Current strains of ransomware are CryptoLocker, CryptoWall and CryptoBit.

Once these files are encrypted, the only way to get them back is to restore a recent backup or pay the ransom. The main problem is, backups often fail. Storage Magazine reports that over 34% of companies do not test their backups and of those tested 77% found that tape backups failed to restore. According to Microsoft, 42% of attempted recoveries from tape backups in the past year have failed.

Criminals usually demand an amount of about $500 within the first deadline, and when the first deadline expires, the ransom doubles. They require payment in untraceable crypto-currencies like Bitcoin. Bitcoin is a new kind of money — call it a digital currency.

Many more ransomware strains are expected. What we see now is only the first wave of many more to come, as it is a very successful criminal business model.” ©2015 KnowBe4 www.knowb4.com

Suggestions for your IT department

  1. Make sure there are no PC-to-PC shares within the organisation
  2. Ensure that a policy exists to change the default “Hide extensions for known file types” setting so that extensions are shown
  3. Ensure all data is stored on servers, with no local storage
  4. Ensure backups are regular, successful and capable of being restored
    Ensure that there are multiple copies of backups which are rotated from the office to a remote site: two copies as a minimum, three are better
  5. Use a separate backup account to log into remote storage; don’t use administrator accounts
  6. Where possible, back up using services instead of file shares
    Use FTP or rsync where possible
  7. Use hidden shares where possible. Use the $ suffix on Microsoft shares so that they are not visible
  8. Restrict admin access to a minimum
    Administrators should log in as administrators only when performing administrative functions. They should not have general administrative access on their normal accounts. Use RDP where practicable to connect to servers.
  9. Ensure reporting from antivirus / anti-malware software is turned on
    Ensure total blanket installation on all PCs and servers, no exceptions. Consider multi-tiered security
  10. If a problem is identified, preserve the culprit – don’t format. If caught, isolate the machine and allow forensics; you may need to know who to contact!
  11. Alert users to urgently report the appearance of any encrypted files. Compromised files are generally marked with “encrypted” as their extension
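Several of the items above can be checked on a workstation with a short script. The following is an added example written for this article, not code from the original advisory or from NETsolutions Asia; it checks items 1, 2, 7, 8 and 11 on the local PC. It assumes Windows 8 / Server 2012 or later (so that the SmbShare cmdlets are available); the $ScanRoots folder list and the "encrypted" extension are constructed defaults taken from item 11 and should be replaced with the shares and extension seen at your site.

```powershell
# Workstation self-check for items 1, 2, 7, 8 and 11 of the IT suggestions.
# Added example, not code from the original advisory. Assumptions: Windows 8 /
# Server 2012 or later (SmbShare module present); $ScanRoots is a constructed
# list of folders to scan and should be replaced with the shares the PC maps.

param(
    [string[]]$ScanRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [string]$EncryptedExtension = '.encrypted'   # extension the advisory says compromised files carry
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# Items 1 and 7: any share that is not one of Windows' built-in administrative
# shares and does not end in "$" is visible to the network, i.e. a PC-to-PC share.
Get-SmbShare | Where-Object { -not $_.Special -and $_.Name -notlike '*$' } |
    ForEach-Object { Add-Finding 'Visible share (items 1/7)' "$($_.Name) -> $($_.Path)" }

# Item 2: Explorer hides extensions when HideFileExt is 1 (the default).
# This reads the current user's setting; in a domain the value is normally
# enforced through Group Policy rather than set per machine.
$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0) {
    Add-Finding 'Extensions hidden (item 2)' "HideFileExt = $hideExt (expected 0)"
}

# Item 8: a session holding administrator rights should only be used for
# administrative work, so flag it if this check is being run from one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Add-Finding 'Admin session (item 8)' "$($identity.Name) is running with administrator rights"
}

# Item 11: look for files that already carry the ransomware extension.
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq $EncryptedExtension } |
        ForEach-Object { Add-Finding 'Encrypted file (item 11)' $_.FullName }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings on this workstation.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as the normal (non-administrator) user whose PC is being reviewed, since the registry value and the admin-session test both describe that user's own session; any "Encrypted file" finding is the signal item 10 refers to, so the PC should be isolated rather than cleaned up at that point.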

Suggestions for your document administrators

  1. Review management of shared data on servers
    Aim for more granular shares, less general shares
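One way to find the "general" shares this item is about is to list every share on a file server that grants Change or Full access to a broad principal such as Everyone or Authenticated Users. The script below is an added example for this article, not code from the original advisory; it assumes Windows Server 2012 or later with the SmbShare module and is run on the file server itself. The $BroadPrincipals list is constructed, and "<DOMAIN>" is a placeholder for your own domain name.

```powershell
# Share permission review on a file server. Added example, not code from the
# original advisory. Assumptions: Windows Server 2012 or later with the SmbShare
# module; run on the file server itself. $BroadPrincipals is a constructed list;
# replace <DOMAIN> with the site's own domain name.

param(
    [string[]]$BroadPrincipals = @('Everyone',
                                   'NT AUTHORITY\Authenticated Users',
                                   'BUILTIN\Users',
                                   '<DOMAIN>\Domain Users')
)

# Only non-administrative shares are of interest; C$, ADMIN$ and IPC$ are not user shares.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$report = foreach ($share in $shares) {
    # Get-SmbShareAccess lists the share-level ACL: one row per account with
    # AccessControlType (Allow/Deny) and AccessRight (Full/Change/Read).
    $broadWrite = Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $BroadPrincipals -contains $_.AccountName
        }

    foreach ($entry in $broadWrite) {
        # A share that every user can write to is what ransomware running on one
        # infected PC needs in order to encrypt the whole company's data.
        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Account = $entry.AccountName
            Right   = $entry.AccessRight
            Advice  = 'Split into smaller shares, or grant Change only to the group that needs it'
        }
    }
}

if ($report) {
    $report | Sort-Object Share, Account | Format-Table -AutoSize
} else {
    Write-Output 'No share grants Change or Full access to a broad principal.'
}
```

The share-level ACL is only half of the picture: the NTFS permissions on each share path (Get-Acl) can be reviewed the same way, and a share is only as restrictive as the more permissive of the two once both are tightened to the specific groups that need write access.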

Suggestions for Management to consider

  1. Take steps to educate users on the specific risks of Ransomware and Malware in general.
  2. Consider implementing a training plan for staff which should include a regular testing process.

Request an independent ransomware audit

Email robert@nullnsasia.co.th
Or call Robert at 0 2401 9250