Ransomware Bites Small Business Twice

 

Ransomware has been lingering around since the 90’s but its proliferation in recent years means that more and more small businesses, charities and schools are being hit. It’s no coincidence that the explosion of ransomware began with the Bitcoin boom in 2009; a decentralised currency with minimum fees and steeped in apparent anonymity was always going to be a big hit for online baddies.

 

The Problem With Ransomware

Small businesses, charities and schools seem to get hit twice when it comes to ransomware attacks and are the ones that suffer the most too. Let me explain. A typical victim company will have somewhere between one and ten computers operating on a network, sharing folders and having quite open access policies between users. They may have paid for a simple network, printer and mobile device setup a couple of years back but never considered taking out any sort of ongoing security and maintenance service. Or maybe that service wasn’t offered. We all see high street IT companies advertising services for local businesses but how many of them revisit their customers following the initial installation? Maybe their customers don’t feel they need to pay or maybe they are only interested in the one job and moving on. I don’t know, but what is apparent is that there seems to be a raft of vulnerable businesses out there that could really benefit from a knock on the door by an IT guy.
What about staff training? Every single ransomware attack that I have known to hit a small business, charity or school (I could abbreviate that to SBCS like they do for SMBs but I think that’s already taken for Single Byte Character Set!) started with a member of staff double-clicking an e-mail attachment they shouldn’t have. Most of the cases involve mass mail campaigns and no specific information is offered up to the victim about the sender or the content of the attachment, yet they go on to click and infect anyway. Why? Because they don’t know what they don’t know. I’m pretty sure a quick chat about the risks of this behaviour would soon make staff think twice, but until they have that chat how are they to know any different?
Then there are the targeted emails that make specific reference to the recipient or purport to be from a supplier, and the infections brought about wholly through unauthorised access to the system, with no email involved at all. How can you defend against these types of ransomware infections? I would say again that training is key. Do your staff know to check the domain of the email sender against the genuine one, or know how to check email headers and file extensions when receiving emails purporting to be from known customers or suppliers but carrying unexpected attachments? Probably not, would be my guess. A business runs on people and people tend to be the weakest link in the chain when it comes to cyber security.
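To show what those checks on the sender domain, headers and file extensions look like in practice, here is an added example (not part of the original article) that runs them over one message. The trusted domain, the list of risky extensions, the 0.85 similarity threshold and the sample email are all assumptions made up for the illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions: your own list of genuine supplier domains and unwanted attachment types.
KNOWN_DOMAINS = {"acme-supplies.example"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".lnk", ".hta", ".docm", ".xlsm"}

# Constructed sample message (not a real email): "1" stands in for "l" in the domain.
SAMPLE = """\
From: Acme Accounts <accounts@acme-supp1ies.example>
Reply-To: billing@payments-desk.example
Subject: Overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

(constructed placeholder body)
--b1--
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_email):
    """Return a list of warning strings for one raw email message."""
    msg, findings = message_from_string(raw_email), []
    sender = domain_of(msg["From"])
    if sender not in KNOWN_DOMAINS:
        # A near miss on a genuine domain is imitating someone you trust.
        close = [d for d in KNOWN_DOMAINS if SequenceMatcher(None, sender, d).ratio() >= 0.85]
        findings.append(f"lookalike of {close[0]}: {sender}" if close else f"unknown sender domain: {sender}")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"replies go to a different domain: {reply_to}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        extensions = ["." + e for e in name.split(".")[1:]]
        if extensions and extensions[-1] in RISKY_EXTENSIONS:
            kind = "double extension" if len(extensions) > 1 else "risky attachment type"
            findings.append(f"{kind}: {name}")
    return findings
```

Calling `triage(SAMPLE)` returns three warnings, one for each of the checks named above, while a plain message from the genuine domain returns none.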

Expect to see a message like this when a system gets infected by ransomware:

[Image: ransomware pop-up message]

Too Late For Prevention

So, the system’s infected and all files to do with recent quotes, emails and payroll are encrypted and you’re being asked to shell out 4 BTC to someone with a snazzy cyber name and a dodgy looking email address. Well, firstly, avoid paying a penny if you can because all that happens is the job of being a ransomware distributor becomes more lucrative and similar businesses will be increasingly targeted. This is due to ransomware more recently being offered up “as a service”. There are also cases of ransomware victims being let off the hook if they agree to continue to spread the malware for a cut of the profits.
So, a decision is made not to pay but what do you do then? This is the point at which I believe a lot of these businesses get hit twice. A ransomware attack has encrypted critical files and prevented sales reps from bringing in new business, prevented staff getting paid and caused suppliers to chase up emails about unpaid invoices.
First of all check out www.nomoreransom.org – a great resource offering up decryption keys for quite a few popular variants of ransomware and since it’s well funded by Europol and industry partners it does provide sound advice and gets updated often enough to provide the odd success story.
No decryption key available for your ransomware infection? Well, this is when backups play a part. Let’s hope you’ve been backing up your data regularly and storing that data off the network to prevent encryption of cloud and attached storage backups. Let’s hope you’ve clocked the ransomware before your next backup schedule actually overwrites your data with fresh encrypted data (it has happened).
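One way to stop a scheduled backup from overwriting good copies with encrypted ones is to check the live files against the last backup first. The sketch below is an added example, not part of the original article; the file-signature table, the 30% threshold and the sample files are assumptions chosen for the illustration.

```python
import tempfile
from pathlib import Path

# First bytes that a healthy file of each type starts with.
MAGIC = {".pdf": b"%PDF", ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04",
         ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}

def looks_damaged(path):
    """True if the file no longer starts with the signature its extension promises."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return False  # unknown type: this check cannot judge it
    with open(path, "rb") as handle:
        return handle.read(len(magic)) != magic

def safe_to_overwrite(source, last_backup, max_bad_fraction=0.3):
    """Compare live files with the last backup; return (ok, fraction_bad)."""
    source, last_backup = Path(source), Path(last_backup)
    known = [p.relative_to(last_backup) for p in last_backup.rglob("*") if p.is_file()]
    if not known:
        return True, 0.0
    # A backed-up file that has vanished (renamed by malware) or lost its
    # signature (encrypted in place) counts against the run.
    bad = sum(1 for rel in known
              if not (source / rel).is_file() or looks_damaged(source / rel))
    fraction = bad / len(known)
    return fraction <= max_bad_fraction, fraction

def demo():
    """Constructed files: check once while healthy, once after simulated damage."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        live.mkdir(); backup.mkdir()
        for name, head in [("quotes.pdf", b"%PDF-1.7"), ("payroll.xlsx", b"PK\x03\x04"),
                           ("logo.png", b"\x89PNG\r\n")]:
            (live / name).write_bytes(head + b" constructed sample")
            (backup / name).write_bytes(head + b" constructed sample")
        before = safe_to_overwrite(live, backup)
        (live / "quotes.pdf").write_bytes(b"\x8f\x1c\xe2\x07" * 16)       # scrambled content
        (live / "payroll.xlsx").rename(live / "payroll.xlsx.locked")      # renamed file
        return before, safe_to_overwrite(live, backup)
```

If the check fails, the backup job should stop and keep the previous copy rather than rotate it. A signature check will not catch every case, so it complements keeping several backup generations rather than replacing them.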
Whatever the situation with backup, it’s usually the case for small businesses that the services of an IT tech have to be called upon. Companies of the size I’m talking about can’t afford and often don’t need a permanent IT guy working for them. So when something like ransomware breaks it doesn’t just cost that company lost business and time but also money in the form of a hefty invoice from their local IT firm. The saddest cases are those where no viable backups exist and the business essentially pays an IT tech to attend, assess the situation as dire and then simply wipe all drives and do fresh installs of software. That leaves the company out of pocket in a big way and suffering the burden of losing all information to do with the day to day running of that company.

 

Moving Forward

You only have to do a quick internet search to find a plethora of good advice about prevention out there. However, there are plenty of small businesses that feel they cannot justify the expenditure of having fancy backup systems in place, which come with ongoing IT support. They’re happy to have a quick chat with staff about the dangers of clicking spurious looking email attachments but feel they can’t afford to send staff on full away days or training events. With this in mind maybe it’s worth considering changing the message. I suggest the key prevention messages change from, “Here are your 5 star bullet proof tips to evade ransomware” (which are all great but clearly not being followed by all) to “Here are some simple, free things you can do to help avoid becoming a victim.”
I’m thinking about things like encouraging carpet cleaning companies to simply save their regular customer details spreadsheet to a USB stick once in a while or asking the local hardware store to tell their staff to avoid opening unexpected attachments in email. If the local social club just updated their antivirus once a week then that would help too. For all those small businesses, charities and schools out there we should encourage prevention through baby steps rather than scare them with the 5 star gold standard.

 

The full house of backup, updated antivirus, training and a promotion of culture change would of course always be the preferred option but I’d rather something got done than nothing.