At the risk of appearing to hammer the topic to death, it is time to take another crack at warnings about ransomware attacks.
This time of year is potentially even more challenging for IT managers and users alike, as everyone is rushing to get things done before the holiday season really locks in. It means that normal caution can easily be thrown away as people try to clear their email, deal with online activities and perhaps skip the extra two seconds it takes to avoid a bad message.
Why now? Simply because the predators can. A recent IT World Canada article outlines how, late last month, Carleton University had over 3000 of its computers, some in research labs, affected by an attempted ransomware attack. It appears that the IT people got it under control pretty quickly and it was isolated to only a portion of the university network.
It did mean, however, that thousands of students, faculty and administrators were unable to use the network for a period of time while the details of the attack were sorted through. Eventually, users were advised they could log in to the network again, but many hours of productive time were lost due to the issues.
Another attack in Calgary saw that university paying out $20,000 to the ransomers. Again, much time and effort was expended to deal with the circumstances. These are just two of the known instances where Canadian organizations have been impacted by such attacks.
There are certainly many others where users and organizations have not publicized their problems with malware.
For some reason, Canada is reported as being more willing to pay to have an attack removed when compared to other jurisdictions. Why this would be the case is subject to speculation, but unfortunately, if it becomes known in the perpetrators' world, it could lead to Canadian targets becoming even more frequent.
The first line of defense is the users on the network. Encourage everyone to take a little time to investigate whether an email from an unfamiliar source is legitimate. If a user is not CERTAIN of the sender, then the default response should be to NOT OPEN IT. Either delete it and take the chance that a legitimate sender has to try again, or contact IT support to have it checked out.
Don't be embarrassed if it turns out to be legitimate. Be happy it is OK and that you took the right precautions. For managers and IT professionals, it is necessary to remind all users regularly of what to do, what to watch for and why to be careful.
Of course, there are steps which can be taken to help deal with an attack if one comes. Most important is to have readily available, real-time backups which can be easily accessed and deployed to get the network or workstations back to a known-good prior state.
For many networks, data on servers and in common network drives can be backed up and more easily protected. Of course, if the ransomware reaches that storage (shared drives the infected workstation can write to are vulnerable), then the problem gets bigger, not smaller, because the backup copies are encrypted along with the originals.
Workstation backup is not as readily apparent in most networks, and this is where a lot of challenges can come forward if a drive has to be wiped and reloaded, causing the user to lose a large amount of what I would call convenience data. Deploying a real-time replication tool which can provide solid protection to the workstations on the network could be invaluable if attacked, as long as it is securely configured and aggressively protected from the malware itself, so that the replica cannot simply be overwritten with encrypted copies.
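To make the "safe prior state" idea concrete, the following is an added illustration (not code from the original post or any product it mentions) of a snapshot-style backup: every snapshot is its own directory that is never written again, each snapshot carries a manifest of file hashes, and the fraction of files that changed since the previous snapshot is used to flag a suspicious mass change before a copy is trusted as a restore point. The sample documents, the snapshot labels and the 50% threshold are constructed assumptions for the demo.

```python
"""Snapshot-style backups with point-in-time restore and a mass-change check.

Added illustration, not part of the original post. Constructed sample files
live in a temporary directory; paths, labels and the 0.5 threshold are
assumptions for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

MASS_CHANGE_THRESHOLD = 0.5  # assumed: flag a snapshot where >50% of files changed


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, used to detect modified files."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: str) -> dict:
    """Copy `source` into its own snapshot directory and return a manifest.

    Each snapshot is a separate directory that is never written to again,
    so a later mass encryption of the source cannot overwrite earlier copies.
    """
    dest = backup_root / label
    shutil.copytree(source, dest)
    manifest = {}
    for p in dest.rglob("*"):
        if p.is_file():
            manifest[str(p.relative_to(dest))] = file_digest(p)
    return manifest


def changed_fraction(previous: dict, current: dict) -> float:
    """Fraction of files in `current` that are new or differ from `previous`."""
    if not current:
        return 0.0
    changed = sum(1 for rel, d in current.items() if previous.get(rel) != d)
    return changed / len(current)


def restore(backup_root: Path, label: str, target: Path) -> None:
    """Replace `target` with the contents of snapshot `label`."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_root / label, target)


def demo() -> dict:
    """Run the scenario end to end and return measurable results."""
    work = Path(tempfile.mkdtemp())
    source, backups = work / "share", work / "backups"
    source.mkdir()
    backups.mkdir()
    # Constructed sample data: five small documents on a shared drive.
    originals = {f"doc{i}.txt": f"document {i} contents\n".encode() for i in range(5)}
    for name, data in originals.items():
        (source / name).write_bytes(data)
    s1 = take_snapshot(source, backups, "snap1")

    # Normal day: one document edited, then snapshotted again.
    (source / "doc0.txt").write_bytes(b"document 0 revised\n")
    s2 = take_snapshot(source, backups, "snap2")
    frac_s2 = changed_fraction(s1, s2)

    # Simulated ransomware: every file replaced by random bytes under a new name.
    for name in originals:
        (source / name).unlink()
        (source / (name + ".locked")).write_bytes(os.urandom(64))
    s3 = take_snapshot(source, backups, "snap3")
    frac_s3 = changed_fraction(s2, s3)

    # Roll the share back to the last clean snapshot and verify it.
    restore(backups, "snap2", source)
    expected = dict(originals, **{"doc0.txt": b"document 0 revised\n"})
    restored_ok = all((source / n).read_bytes() == d for n, d in expected.items()) \
        and not list(source.glob("*.locked"))
    shutil.rmtree(work)
    return {
        "fraction_snap2": frac_s2,
        "fraction_snap3": frac_s3,
        "snap3_flagged": frac_s3 > MASS_CHANGE_THRESHOLD,
        "restored_ok": restored_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the one the paragraph above makes: a replication tool that simply mirrors the latest state of a share would faithfully copy the encrypted files over the good ones, while keeping every snapshot separate (and write-protected from the workstations it protects) leaves snap2 intact to restore from, and the change-fraction check gives an operator a reason to stop and look before snap3 is ever used.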
Plan for it
Even if you have not seen ransomware around, have not known anyone who has been hit, and have not figured you are visible enough for someone to target you, this kind of malware attack is real and happens to any kind of organization.
The reason this can be the case is the way the perpetrators choose their victims. They really don't choose. What they do is acquire email addresses which have been captured, bundled and then sold or rented to malware crooks. They send out a message to all of those addresses, hoping that one or more of them will get opened. Sometimes the ransomware is carried with the message, but sometimes it also carries another bot which harvests the email addresses from the workstation where it was opened and then distributes the infected message to all of those addresses.
Of course, this system means that the distribution is pretty random, but if the ransomware is able to lock in on a user or the network of one of these random email recipients, the attack has begun.
Because of this type of distribution model, you didn't get specifically targeted because of some unique characteristic of your organization. It was simply because an email address from your organization was resident in some other company, group or individual's address book.
It is because of this randomness that every organization needs to address and plan for what might happen if a ransomware attack occurs. Don't be surprised. Don't let your users be surprised. Tell them specifically, in advance, what to do, who to contact and how to take the first steps to clearing the problem. Of course, tell them also that they are not to hide it and hope it goes away, but to report it and get it dealt with quickly and properly.
Ransomware is out there. Vigilance is critical. Never more so than at times like these next few weeks, when people's attention is often on other pressures.