Did you know that the United States is the leader in ransomware payments? According to a survey from Mimecast titled “The State of Ransomware Readiness,” the U.S. has the highest average payment for ransomware out of the entire world at more than $6 million per victim. These shocking numbers likely stem from high-profile ransomware attacks, but they are also indicative of a larger problem, that being people who still pay the ransom.
This study examined 742 cybersecurity professionals and found that 80 percent of them had become victims of ransomware attacks over the past two years. Of that 80 percent, 39 percent paid the ransom, with the average United States victim paying $6,312,190. To put that into context, let’s take a look at other parts of the world.
That’s for those who actually paid up, though. Close to 40 percent of victims did not pay the ransom at all, and some were even able to negotiate a lower ransom. That said, the survey also notes that the primary causes of these ransomware attacks were phishing attacks and web-based threats, and many victims believed that they needed to improve the security of their data centers.
Perhaps the best tool against ransomware attacks is to have a data backup system in place, but again, the survey claims that less than half of respondents had data backup systems in place. Even with this fact, 83 percent of respondents claim they can get their data back without paying the ransom, and 77 percent believe that they can get their operations back to normal within two days.
If your company were to suffer a ransomware attack, we urge you to think before taking any action to resolve it. First of all, what if you’re not actually infected and just making things worse for yourself by paying up? Second of all, what guarantees do you have that your data will be safe and unencrypted should you decide to pay the ransom? And third, how many other businesses or individuals are going to suffer because you just funded the activities of a cybercriminal? All of these factors influence how successful a ransomware attack is.
One thing you absolutely should do is contact your trusted IT resource to determine the extent of the attack. After this has been determined, you should have an easier time figuring out how to address your predicament. Still, we never recommend you pay the ransom. There are often other options to pursue; you just have to have the gumption to look past the immediate panic and focus on the big picture. Plus, you can also implement security solutions and measures that can deter ransomware later on, like multi-factor authentication, user permissions, and unified threat management.
Don’t let ransomware hold your business back from achieving its full potential. To learn more about how you can secure your company’s future, reach out to us at (516) 403-9001.
We know, we know; you’re probably sick of seeing ransomware in headlines, and so are we, but we cannot stress enough how important having an awareness of it is for any business owner. A new study has found that businesses infected by ransomware who choose to pay up experience a different type of fallout--one that is a major cause for concern and a stark reminder that there are no guarantees with ransomware. Ever.
A Cybereason survey, conducted by Censuswide, polled 1,263 security professionals from all over the world and discovered some concerning results. Here are some of the major takeaways, specifically related to companies that paid their ransomware attackers:
This study confirms something that we have been preaching for years. Why should you ever trust a hacker who has encrypted and stolen your data to return it to you? It just doesn’t make sense. Furthermore, when you pay hackers to decrypt your data, you are doing two things. For one, you are inadvertently funding future ransomware attacks by providing the funding hackers need to execute such attacks. You are also showing hackers, and everyone else watching the situation, that ransomware works, which is a far more dangerous idea to foster. If cybercriminals see that these attacks work, they continue to propagate them.
Granted, we understand that it’s not always so simple; the recent rise in “double-extortion” ransomware puts a lot of pressure on organizations to pay the ransom. Hackers threaten to release the encrypted data when the ransom is not paid, potentially subjecting the company to further data privacy fines. It’s just adding insult to injury and kicking organizations when they’re down. This particular approach is devastating because even the usual method of beating ransomware--restoring a data backup--won’t stop the hackers from releasing said data. It’s a tough spot to be in.
Our recommended course of action is simple: take proactive measures against ransomware before you get infected by it, as no matter what circumstances you find yourself in post-infection, it is sure to get messy and complicated.
MSPNetworks can equip your business with the proper security measures and tools to minimize the chance of ransomware infection. Furthermore, we can help you take appropriate action in the event that you do get infected. Don’t let hackers dictate the future of your business; give us a call at (516) 403-9001.
The threat landscape is filled with more types of malware than ever. To keep your business’ network running effectively, it’s important to have a strategy to keep malware out. Today, we’ll talk about a few basics you should know to keep your cybersecurity strategy working properly.
Are you aware that there are readily available websites that are strictly devoted to providing the default factory passwords for devices of all types? With these passwords, and a little bit of knowledge about what hardware you have, people could access your network easily.
To combat this, you need to think about every single access point your business has and lock them down. Once they are locked down, you will also need to secure your online accounts and your physical location’s access points. To do this you should take time to document all of your network’s possible entryways and do what you need to do to secure them. You can do this by ensuring that every access point is secured with different passwords (and two-factor authentication where possible).
The antivirus solution you use keeps out unwanted entities. But what happens when malicious entities aren’t recognized by the antivirus solution? That’s right, they pass right by, infiltrating your network. To avoid this scenario, you will want to ensure that your antivirus, antimalware, and firewalls are all updated with the latest threat definitions.
Most importantly, you may think you are in control, but it only takes one thing to slip by your defenses to complicate things. That’s why you will want to keep routine and periodic backups to ensure that if something does happen, you can restore from backup quickly and get back in business fast.
Remember, all it takes is one. MSPNetworks staffs professional technicians versed in the best practices and protocols of comprehensive data and network security. To talk to one of our knowledgeable IT experts about securing your business, call us today at (516) 403-9001.
Let me ask you a question… let’s say that you’re about one year from your projected retirement, when a ransomware attack encrypts all of your files. What do you do? Pack it in and retire early? This is precisely the situation that the practitioners of Brookside ENT & Hearing Services of Battle Creek, Michigan, have found themselves in - and it may not be over yet.
Typical of a ransomware attack, the malware began by deleting and overwriting all of the practice’s data - every medical record, bill, and upcoming appointment. A duplicate of each file was left behind, locked behind a password that the person or persons responsible promised to provide in exchange for a $6,500 wire transfer.
Under the advisement of an “IT guy,” Dr. William Scalf and Michigan state senator Dr. John Bizon didn’t pay the ransom, as they couldn’t be sure that the password would even work, or that the ransomware wouldn’t return in the near future. As their IT resource determined that the attacker hadn’t actually viewed any of the records, this event technically didn’t need to be reported as a breach under the Health Insurance Portability and Accountability Act (HIPAA). Nevertheless, without access to this data, the physicians saw little choice but to retire early.
Well, kind of. As they had no means of knowing who had an appointment scheduled, the physicians had little choice but to wait around the office for a few weeks and see whoever showed up.
From a purely academic point of view, it only makes sense that the medical industry would be one targeted by ransomware. Not only do its establishments rely greatly on the data they have stored, there is an urgency to this reliance that cannot be denied. Think about the possible ramifications if a medical practitioner was unable to properly diagnose a patient and recommend treatment because of some unavailable data.
Of course, the strategy that Brookside ENT has adopted to close up shop doesn’t leave its owners off the hook, either. They could still find themselves in plenty of regulatory hot water.
For instance, a ransomware attack (paid or not) could be considered a reportable incident under HIPAA, or even an instigation of a negligence-based legal action. Any patient could invoke HIPAA rules if their data was in digital form and have an investigation started by the Department of Health and Human Services’ Office of Civil Rights, simply by leaving a complaint.
While the best way to keep your business safe is to be able to spot ransomware infection attempts before they successfully fool you into allowing them on your system, statistically, you aren’t going to be able to spot all of them… so what can you do?
One great resource you have available to you is your team. Each uneducated user offers ransomware another way in, but each educated user is another shield to help protect your business.
You should also develop and maintain a comprehensive backup plan to help protect your data from ransomware attacks and other attempts against it. While it would be ideal to not need to use this backup, it would be far less ideal to need one and not have it. Make sure that you keep your backup isolated from the rest of your network as well, so that your backup isn’t also encrypted by a ransomware attack.
At MSPNetworks, we have plenty of experience in mitigating the damage that ransomware can cause, as well as in solving various other IT issues. For assistance with any of your business’ IT needs, reach out to us at (516) 403-9001.
Windows 10 isn’t just a great operating system for getting things done--it’s also jam-packed with features that you might not even have known about. This week’s tip is all about some of the handy features that Windows 10 can provide for your office.
Defending Against Ransomware
Even if the best approach to ransomware is proactively backing up data and staying informed about new developments, Windows 10 offers an additional approach that is built right into the operating system. One example of this is how you can use the Controlled Folder Access function. This feature can make it easier to keep “unfriendly applications” from making “unauthorized changes.”
By default, this protects the Documents, Desktop, Pictures, and Movies folders, and you can assign it to do the same for others, as well as whitelist specific apps. To do so, navigate through the following selections: Windows Security App > Virus & threat protection > Manage ransomware protection.
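The same Controlled Folder Access settings can be applied from an elevated PowerShell prompt with the built-in Defender cmdlets, which also lets you trial the feature in audit mode before it blocks anything. This is an added example, not part of the original post; the extra folder and the allowed application path are hypothetical placeholders.

```powershell
# Added example: manage Controlled Folder Access (CFA) with the Defender cmdlets.
# Run from an elevated PowerShell session on Windows 10.
# Assumed values (not from the article):
$extraFolder = 'D:\Finance'                            # hypothetical folder to protect
$allowedApp  = 'C:\Program Files\Contoso\ledger.exe'   # hypothetical trusted application

# 1. Start in audit mode: writes by untrusted apps are logged, not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an additional folder and allow one known-good application.
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApp

# 3. After a trial period, review what CFA saw.
#    Event ID 1124 = audited (would have been blocked), 1123 = blocked.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$events | Group-Object Id | Select-Object Name, Count
$events | Select-Object TimeCreated, Id, Message | Format-List

# 4. Once legitimate apps found in step 3 are on the allow list, enforce.
# Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Confirm the resulting configuration.
#    EnableControlledFolderAccess reads back as 0 = disabled, 1 = enabled, 2 = audit.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Reviewing the audit events before enforcing keeps line-of-business software that writes into protected folders from being blocked on the first day.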
Dynamic Lock
If your organization has a Bring Your Own Device policy, or you have a company-issued device, you can have your desktop lock automatically if the phone (which is on your person) physically moves too far from the unlocked workstation. You can set up Dynamic Lock by first letting your devices communicate with each other. This connection can be done by following Control Panel > Hardware and Sound > Devices and Printers. Next, you’ll have to go through Settings > Account > Sign-in Options.
Creating Start Menu Folders
If there are too many Live Tiles on your screen whenever you click on the Start menu, Windows 10 gives you the option to drag them over each other to place them in folders. These folders will expand when you click on them. Once you have the folders open, you can assign them names.
Scheduled Restarts
Installing updates comes with a major annoyance to some users: restarting the computer. Windows 10 allows users to schedule the restarts for these updates so that they take place automatically. To do this, you can set your computer to wait until you’re all set with your device. To do so, navigate to Settings > Updates and Recovery > Windows Update > Restart options.
This is only a bite-sized glance at what Windows 10 can do for your business. To learn more, reach out to us at (516) 403-9001.
The funny thing about ransomware is that its strains are given very strange names: Bad Rabbit sounds like the name of a villainous bunny who gets his comeuppance in some type of modern nursery rhyme, not malware that would ravage hundreds of European businesses. Locky seems like the son of Candado de seguridad, a character Medeco would come up with to educate kids on proper physical security. The latest in a long line of funny-named ransomware, SamSam, isn’t a pet name for your pet ferret you perplexingly named Sam; it is one of the worst ransomware strains ever, and it has caught the attention of U.S. Federal law enforcement.
Both the Federal Bureau of Investigation and the Department of Homeland Security have issued alerts for the ransomware, also known as MSIL/Samas.A. The alert was issued on December 3, 2018, and outlines an attack on multiple industries, some with crucial infrastructure. The ransomware has been in the news as of late, as two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were indicted by a U.S. grand jury in New Jersey for ransomware attacks on the Colorado Department of Transportation.
The pair is alleged to have victimized over 200 hospitals, businesses, government agencies, and schools in the U.S. and Canada beginning in 2015; extorting over $6 million over that time. In addition to these charges, the two hackers have now been indicted by the state of Georgia on charges that they were the ones that perpetrated the ransomware systems that crippled Atlanta’s government in March of 2018. By taking almost 3,800 of the City of Atlanta’s computers hostage, prosecutors state that Mansouri and Savandi have cost the city millions of dollars in consultant fees, downtime, and other costs.
What is SamSam?
SamSam is a privately developed ransomware that is being used to target specific companies selected by the developers. This means that it isn’t just a commodity ransomware, it can’t be found on some type of criminal forum on the dark web, and it isn’t sold as a service like many other forms of ransomware. This is a major problem for any organization that is targeted, as none of the typical endpoint defensive strategies work to stop it.
What’s worse is that once a SamSam strain is used, and security vendors publish a report, another SamSam strain is developed. It is thought that this development team includes the two hackers implicated in the Colorado DoT crimes, the Atlanta crimes, and hundreds of other attacks over the past three years.
What Can You Do?
Thus far the SamSam ransomware has entered victims’ networks using exploits in web-facing servers. It has been deployed, like millions of other pieces of malware, as an executable file that is mistakenly unleashed, or via brute force against the Remote Desktop Protocol. So, while you can lock down your RDP, your best bet is to have a dedicated strategy that:
If you are diligent in your organizational cybersecurity practices, you should be able to conduct business as usual without having to worry about ransomware, SamSam or otherwise. If you are interested in knowing more about SamSam and how to stop it, contact the IT professionals at MSPNetworks for more information at (516) 403-9001.