Having your information held hostage by hackers is one of the scariest things to face in today's workplace. This is known as Ransomware and it is one of the most common types of data attacks. In this webinar, our cybersecurity experts talk about what to do if your computer is infected with Ransomware, and how you can avoid exposure all together.
About Free Training Friday: For over three months, we have been holding these free, 30-minute training hosted by our industry-leading experts and innovators who will teach you about AbacusLaw, Amicus Attorney, the Abacus Private Cloud, and everything in between. If you would like to request a topic, please email email@example.com.
Good morning, afternoon and good day everyone. My name is Andrew Perez. I'm an Online Content Marketing Manager here at AbacusNext. I want to thank every one of you for joining us for our Ransomware webinar. We're eager to share more about what Ransomware is, how you can avoid becoming a victim and what to do if you're hacked. So, before we begin, just a couple of housekeeping notes, feel free to type in your questions. We'll try to answer them in the order that we receive them.
This will be a 15 minute webinar with a 15 minute Q and A at the end. I'd like to introduce our speaker today, Tomas Suros. Tomas is our Chief Solutions Architect here at Abacus and so, I'll go ahead and hand it over to you, Tomas.
Fantastic. Hi everyone, thanks for joining us today. We'll jump right in. I'll cover the agenda very quickly. An introduction; Ransomware history shortly, or a short history of it, some alarming statistics; specifically, the growth and how law firms are being attacked an alarming rate, Some attack vectors; how Ransomware is introduced, how those hacks happen and then how to mitigate because an ounce of prevention is certainly worth a pound of cure - kind of a remediation strategy if you've been hacked. Then, at the end we will reserve some time for a Q and A.
So, first off, what is Ransomware? Ransomware is a type of malicious software, that's programmed to encrypt data and block access to a computer system until money is paid. So, it's similar to a virus in that its dissemination is automated. Hackers can send out Ransomware attacks to thousands and thousands of recipients, but the real difference is the virus is just designed to corrupt, damage or delete files once they're infected. It's automated, malicious programming.
The difference with Ransomware is it's extortion - on a global scale. Here's an example of infection rates of CryptoLocker, and CryptoLocker isn't even kind of, one of the predominant strains of Ransomware currently, but what is obvious on this map is, it is a global phenomenon, it is extortion and it's turned out to be the single most profitable malware exploit ever. With the idea that in a calendar year, 2017, it will be a one billion dollar industry. Maybe that's the wrong term, but that is the projected amount collected by hackers.
Alright, so let's look at some of the numbers, right? So, based on surveys of last year, nearly 50% of businesses across the board were affected in some way by Ransomware. It was either caught or they were hacked. 97% of phishing emails and those are emails intended to dupe the recipient into infecting their system with Ransomware, 97% of phishing emails use Ransomware. Currently there are 54 known versions and not only that, there are multiple variants within each version.
The trouble with that is your antivirus or anti malware software is always a few steps behind because those variants are truly designed to exploit in a new and a novel way and here's the statistic that really troubles me. Test subjects that were actually given an education, a brief kind of summary of Ransomware and then given an opportunity to kind of, click through this test, 78% of those subjects clicked anyway. So, that's the nefarious nature, it's designed to trick you, right? It's not something that just kind of, hacks your system or comes in through a channel that you don't invite instead, it's really designed to exploit your either naivety or basically, lack of education and how to protect yourself.
So, other numbers; when you click to install or infect that malware, it takes seconds for your computer to be locked down. You no longer have access. And then, it takes seconds to encrypt your data and propagate that malware across your entire environment. Here's the downside, in order to decrypt using a brute force method, would take years. I think it's a 10 to the 20th power years to decrypt it with some of the more robust encryption algorithms. So, you may have heard of LOCKY, a kind of, a current leader in Ransomware infections. CryptoLocker is a term that's also almost used in conjunction with the idea of Ransomware. TeslaCrypt is another one that's gaining some traction because it also has a complex way of delivering the malware.
As I mentioned, in Q1 of last year, 209 million dollars was paid on a global level. So, it's in a single quarter of a year and that's bound to grow exponentially this year. And the actual average paid, and this is something that's interesting, so the extortion hackers, they actually know the market rate so, it's maybe $500 or $1000 depending on your business. You know, the fair market value is exactly what you will pay to get your data file decrypted and last year, it was a $679 average payment in bitcoin which is untraceable, it's kind of a digital currency, but that was the average last year.
Also, law firms, being data rich targets who have a very high standard of care to protect sensitive information for their clients are the single most growing target for Ransomware. And the last number I want to touch on because I think this will come up later in our discussion is; 4 out of 5 individuals who were surveyed as part of a security survey thought that because they had multiple geographically redundant backups of their data, that they were protected from Ransomware. That is a fallacy and I'll touch on that later, but I think that really shows 80% of people simply, do not understand that they are not protected and in essence what they're really doing is setting themselves up for a situation where they have to then react to having been attacked via Ransomware rather than having some sort of proactive protocols and protections in place.
Okay, some of the attack vectors. How is malware, how is Ransomware delivered? So, Phishing emails are the number one way that it happens. These are emails that are designed specifically, to fool the recipient into initiating the infection. Often times or most often, it's a link to a site that delivers the file and infects their system. Another you know, a more nefarious and maybe more complex way of delivering the malware is through a file attachment. The LOCKY virus was recently announced to have a pdf attached that embedded within the pdf was a Word document, and embedded within the Word document was a macro that initiated the infection.
That scenario is almost like Inception with the different layers that it goes down to the actual infection point. But, the problem is, that file was scanned by antivirus programs and appeared legitimate. So, it actually was not blocked and appeared in the recipient's email inbox. So, there's always this kind of, false sense of security where we do have antivirus. And it's gone through that process and, "I normally don't click on file attachments, but this one duped me." And in essence that's how the malware can be delivered.
And finally, I did want to touch on another attack vector and that's the TeslaCrypt Ransomware and what it does is infects your computer through web ads. So, you could click on a link and the link and the page and everything that you're reviewing is not the actual kind of, attack vector. Instead, the ads that are displayed on that page, through a java script exploit and some other ways are able to deliver malware to you. So, it's not to make you panic or not click on anything however, it's getting to that point, right? Where antivirus is not catching things, malware protocols and signature files that you update regularly, are always one step behind
So, these are the types of attack vectors that number one are those phishing emails and it does require human action to click on a link or open a file attachment. Okay so, the attack; I wanted to take you through common scenarios so that you can have a visual as to what often happens when a person receives a phishing email and clicks on it, okay?
So, here's an example, this is an email form FedEx. It's addressed to you, it went through your antivirus system, the colors are right, the logo is right and literally, the syntax and the language used inside this email is identical to a message that you receive from FedEx. The only way you could potentially notice that this is incorrect is to hover over a link or is to manually run your pdf through your antivirus, but even then, it's not a sure fire way to protect yourself. So, here's an example of an incoming email with a file attachment that was approved tacitly at least, by your antivirus program.
Clicking on that pdf would trigger the Word document, would trigger the macro and would infect your system. Here's another example, this is a very straight forward, simple request from your help desk that you need to update your password, it's going to expire in two days. "Click here to help us validate, thank you, your nice IT service help desk." This is not from your IT service help desk, but in many ways, the simplicity of it helps it not raise any alarms. Like, you certainly want to make sure that your password is strong and updated. In fact, you've been told that, that's a good way to protect yourself instead, this is a way of exploiting your efforts. Your basically, reasonable and bonafide efforts to protect yourself.
Another example is from Apple. So, these are ways of basically leveraging your trust let's say, in a third party. Whether it's FedEx, whether it's Amazon, whether it's Apple, this is a message. And like I said earlier, this mimics Apple's language, their format and you know, the content of many of their support messages except clicking, "My Apple ID" there, infects your system with malware.
Finally, here's another one. It's from Dropbox, it has their logo, you know, "View File", it's, "Happy Dropboxing" there's a lot of positivity and consistency in this message, the same thing. This is the type of phishing messages where they sneak through. You know in one, they deliver a content message that is no different than you would expect or that you may have even handled or received multiple times in the past except this is a phishing spoofed email that's designed to you know, exploit your trust in this organization as a way of clicking on that, "View File" and not only getting the file, but downloading malware and infecting your system.
So, phishing, those are the types of emails you may receive and so, you know, with best intentions, you click. So, what happens? Immediately, your computer is locked down and you receive a message. There's a lot of consistencies in these messages. One, it warns you there's a threat involved, you know, "You have been encrypted." And this one says, "You have been safely encrypted." Which is kind of hilarious in a cynical way. But, it also tells you when your files will be destroyed and there's the threat, the extortion is, "Pay now, to receive a decryption key." The thing is, as you're viewing this on your screen and processing exactly not understanding what it is, that behind the scenes it's encrypting your computer, it's propagating itself to linked drives, any data on those drives, it's getting to your server and it's encrypting the server.
All of those encryption algorithms are extremely powerful and you're ability to decrypt those files requires either a decryption key, and that's something that you would actually have to pay to receive from the hackers themselves, or some of the other remediation strategies that we'll touch on in a few minutes. Now, this is one example of CryptoLocker, but there are consistencies across all the different types of malware. In essence, there's the ticking time clock, there's the threat and there's the offer. I'm sorry, the offer for payment from the hackers as to how to get your files decrypted, right?
I wanted to show you there are many, many variations, but the consistent aspect is just that. You know, "Your system is no longer acceptable and until and unless you pay, you will not have that decryption key." Okay? Now, this was something that was actually sent to me yesterday, in preparation for this webinar today and this is from IVP infrastructure here. This is something that we received and it was caught in our Sandbox environment, but this is an example of something that is timely. We received this yesterday or actually it was this week, but in essence it's the same thing, it's explanation, it's an offer and basically, a threat. And sometimes, the amount you need to pay escalates as time goes forward, but usually there's a drop dead date in the future at which point, the ability to decrypt your data will no longer be available.
Then also timely, this was in the news this morning, where there was a wide spread attack in the UK on their National Health Service and what happened is somebody clicked, right? Was duped into clicking a phishing message and their facility, their system was infected with this malware and it started to propagate itself across the entire UK which means, no access to medical charts, no access to appointment schedules, no access to prescriptions, even surgeries, right? These clinics where you know, procedures were scheduled and then these are individuals who are sick and in need of attention and treatment. The entire computer system was locked down. So, this is something literally, that's happened today and is an ongoing process where the infection continues to propagate across an entire network that involves hospitals, clinics and outpatient facilities throughout the UK. So, clearly this is something that's happening on a daily basis and it's in no way going way. And now we're going to move to some of the ways that we can help you understand what to do should you be in a similar situation.
Okay, so you've been targeted. What are some of the things like the common sense, basic, immediate things you can do? First of all, if your machine is infected, immediately disconnect it, all right? So, the encryption takes seconds, it's a quick process, but the sooner that you can stop, mitigate that damage, the better. So, either turn off or disconnect from any networks, your infected machine.
Second of course, contact your IT or your support or your IT vendor immediately because the determination of which drives that have been affected, is something that needs to be done as soon as possible and because oftentimes, MAP drives within a network, are not accessible by every single user, so that's some that you can mitigate the propagation of the infection by understanding who has access to what drive and being able to either take the drives off line or understand the computers that were infected and making that they're propagation of the infection can be mitigated.
Also, identifying the variant is also important because what it's doing, how it's doing, what it's doing is important. One, just for kind of, record keeping purposes to be best informed on what has happened, but also there are different strategies specific to types of Ransomware. Now, if the propagation or the infection becomes wide spread throughout the organization and truth be told, that happens so quickly that oftentimes it's impossible to stop, but it's not in every situation so, understanding the variant also helps you strategize and understand what your options are going forward, okay?
Finally, so you've been targeted. What's maybe a best case scenario? It's to restore a verified backup. But, I touched on that four out of five people think a data backup is sufficient to protect you, so the issue at large here and the reason Ransomware is effective is it doesn't just encrypt your data it literally, encrypts each work station. Which means, your permissions, your passwords, the applications you have stored, your file structure, all of that. Even license keys to be able to install you operating system and the programs that are installed within there, that needs to be backed up as well.
So, I'm really trying to draw the distinction between a back up of data, which is absolutely necessary and clearly something that I recommend strongly, but it's more than just a back up. What it really is, something that protects you against this type of attack is the virtualization and the back up is more than just data. What it is, is a system image of each work station and your server and your permissions and any other ways that your database has managed information within your network. So, it's a different type of back up. It truly is a system back up rather than a data back up and of course, when you back up, what's crucial is, that you verify.
So many people make back up strategies and miss maybe the most important point which is, let's go though the process of restoring from a back up. Too often, individuals have a back up that they've never actually touched, so it's not verified and if there's any corruption or even the file type or the file version can actually prevent back ups from being restored affectively. So, that's something to really be aware and to take a close look at your current strategy of back up to make sure that it's more than just data. Make sure that it is actually, work station specific and server specific.
So, and here's the other, this is kind of, the medicine that sometimes you know, is bitter going down, but it's really whether to pay or not to pay. So, if you are encrypted, there's a cost benefit analysis to be done. If it's $500 and you don't have a system backup, up until April, so last year, the FBI at least casually, offered or suggested that payment be considered as a viable option to protect yourself or to remove encryption on your network. So, they changed their tune just because it's become so wide spread and I think you know, the idea is don't negotiate with terrorists or certainly don't pay a ransom as a starting point, but sometimes you know, paying- And there are many stories out there, I know of a hospital in Los Angeles that paid $17,000 in bitcoin because they did the analysis and they didn't have an effective way to restore their network and they simply could not have lost or not have access to all their patient information.
There's is a university in the North East in the United States that paid $16,000, there are police stations or offices in 17 states that did pay and conversely, there are a couple of organization, one was in Alabama and one was in New Hampshire, that didn't pay and lost all of their information. So, imagine, that's really that cost benefit analysis, it's terrifying, but it is something to be thought of and something else said, because this is something that is so profitable I mean, honor amongst thieves is probably overstating it, but in order to actually make money, you do have to deliver the encryption key because if not, no one would pay.
So, you know, whether to pay or not is part of that analysis, the cost involved, not only to pay the ransom itself but, how much would it cost you in disruption and lost business and all the data that you may never have access to again? But, with that said, there is a caveat, which is statistics show that under 50% of individuals who are infected and look to mitigate and recover their data, actually recover their data, right?
And then, the final things are a lot of attorneys are able negotiators. Even if you decide to pay or at least explore that option, be able to negotiate a settlement. Understanding what has happened, what variant it is, kind of informing yourself, there are ways to negotiate. It seems a bitter pill to swallow, but it is at least, a potential way to remove the threat of never having access to all the information that you need on a daily basis. So, that's kind of, the negative so, here's the positive.
These are things that you can do proactively to avoid being infected, right? So, we talk about an ounce of prevention, but here's what it really comes down to. The true weakest link in the security chain, is the human element and so, training and prevention protocols. Just showing individuals examples of phishing emails, just so you know, "Hey, wait a minute. This doesn't feel right." Don't click. Certainly, don't click on links in emails ever. If you get something from FedEx, go to FedEx.com, log in and check your account. Same with Amazon, same with Apple. Very quickly, the actual vendors will start doing that, you know, they'll simply say, "Go to the website." Just because this has become so prevalent.
Also, consistent internal security practices. Don't let your staff install unauthorized software. Any time there is inconsistent either security protocols or even environments, computer environments. What programs are running? What type of information is stored? How you access is here or there? Don't allow internally the installation of unauthorized software. You could turn off macros in MS Word or only authorize certain macros to be run. That's one way you can kind of prevent or at least give yourself a chance at preventing that type of delivery of a malware exploit. And also, deploy end point antivirus solutions. Antivirus and malware, I kind of, combined the two in that. Specifically, end point because computers on your network, when it's an end point environment, cannot access the network unless they satisfy and comply with very specific antivirus and compliance criteria.
So, those are the kind of things that you can lock down very quickly and easily. These are things that I absolutely recommend that every individual who is registered and attended this, I suggest strongly that you do this right away. And then finally, a couple of things I think are crucial; one, make sure that you have multiple geographically redundant and verified back ups and more than back ups, I highly suggest that you virtualize each work station and your network. And network, I mean your server or servers and all the databases and all the things the file servers, the application servers, the things that you rely on in order to make sure that you are able to stay in business and continue to have access to all the information that you need.
And of course, I will recommend that you utilize a legal, private cloud because the cloud aspect is proactive 24/7, monitored and managed security in a cloud infrastructure. The cloud infrastructure, and I'll touch on this in a second, towards the end of this presentation, but moving your business to the cloud, actually increases your ability to apply a lot of what I described above. End point security, consistent security practices and even training and prevention protocols, those become part of the private cloud, which also features virtualization and multiple redundant and verified back ups.
And the last thing is part of the private cloud infrastructures, it's the understanding that minimizing local data storage, means that proactivity and multiple redundant back ups and all of that are actually built in to your environment, okay? So, let's just take a quick look at the legal, private cloud infrastructure. Here's an example of the Abacus Private Cloud and the reason this specific environment can help protect you against a type of attack like this.
And I'll tell you an exact scenario that happened where earlier, actually it was last year, one of our clients, an admin who had logged into her virtual desktop clicked on a phishing email and brought in a CryptoLocker malware to her desktop and everyone else's desktop and that organization's database server, file server and document server. They called us in a panic and this is about two hours into their business day. We were able to reset their entire environment. Literally, every work station, every desktop, every virtual desktop, their servers, their data, back to the last good back up. It was two hours old, but within 24 minutes, a firm of 15 users, can be restored to exactly where they were before that infection had taken place.
So, that is really what I'm talking about. An advantage of a private cloud environment where the virtualization means that you're not worried about your hardware server and work stations and well, what we do if we needed to reset our entire environment? Instead, going to the private cloud means your data's preserved, your work stations are preserved, your permissions and everything that you would need to access and be back up in business. In this specific scenario that I am describing, it took us 24 minutes to have that organization back up and running.
So, think about what your strategy would be. I certainly recommend that everybody institute some of the controls and consistent security protocols that I touched on earlier but also, moving to a private cloud is an efficient way to bring those types of protection online as part of a private cloud. And of course, there are a number of different other advantages, but at the core, this is something where should a malware infection happen, this is an example of a virtual environment that can help you reset, prevent and protect yourself against these types of attacks going forward, okay?
So, and I wanted to kind of, a quick glance at an example of one of our data centers. It's monitored 24/7 by you know, by our security staff as well as programs that not only do the antivirus and the checking of information as it comes in, but the environment itself is monitored and backed up, right? So, in real time you have multiple copies of all of your documents and your data, but even at the core level, the ability to literally, reset your entire environment. Removing, in essence, the encryption is something that is part of the cloud data center and specifically, the Abacus Private Cloud.
Q & A
If using all cloud services: QuickBooks, Word, Excel, how safe am I?
You are as safe as your last good back up because really, an infection can happen even in that environment. And all of the kind of programs that your discussing specifically, and those types of files and how you store them, the real key is, your as safe as your ability to restore that entire environment.
That is the single best way to protect yourself. Is understanding that whether it's tax information, whether it's QuickBooks financials or a database or Excel. Those are files that can be backed up and restored and be part of either your work station and your environment or the organization's server. But, in both of those scenarios, moving to a cloud environment means that the cloud as a virtual environment, can be reset. So, that's really your best bet is you do your very best to be proactive in preventing infection, but should it happen, what is your remediation strategy? And I think the very best on is to be able to basically, wipe everything that is encrypted and restore it to the last good version of all of your files, all of your programs and all of your server architecture as of hours ago when we created the last good back up for you.
What if our data is backed up to a back up service and our email is hosted by a cloud email service. Will the Ransomware be able to access this third party cloud?
So, the way Ransomware works is, it encrypts your computer so, really what would happen is, any information that is on your computer, and the programs and the emails that are stored locally, you would no longer have access to it. Now, the cloud back up? The data would be protected in most situations however, the way that your local data syncs to cloud data can actually propagate the virus from a local infection to a cloud infection.
So, that's something to absolutely talk to your cloud back up service. Their antivirus, their malware protection give yet, another layer of analysis, but there are stories of local syncing of malware also infecting cloud back ups and also cloud email. So, your local copies of the email, that maybe you've access or you've downloaded into an inbox on your machine, that would be encrypted, but the cloud email would likely still be preserved for you. And really what would be missing there, Karen from a complete kind of, protection scenario would be, the programs that you use locally and even the operating system.
In other words, literally just getting your hardware device back up and running exactly where it was before the infection, that would be the missing link in the chain you described. But, in most situations your cloud back up, the data itself, would still be available and the cloud email would still be available. You would just need to basically, create a new machine in essence. A new local way of accessing that information.
What do you mean by virtualize our system?
Good question, David. In essence, that term means that instead of your computer, your work station and all of it's programs and operating system and permissions and things like that and your server being two or single instances of that environment, what you can do is you can take your computer and create in essence, a system image. That system image can then be copied off elsewhere. So, if your hardware device became encrypted, in essence, you could wipe that device and all data on it and restore that virtual kind of copy of your work station.
So, it's more than just data. By virtualize, I really mean, take a snapshot of every single setting and bit of information on your computer and store it as a secondary instance of that. Now, the thing is, you need to refresh that every night, let's say. Sometimes, that can be onerous on site because one, it's a lot of data that you're storing, but by virtualizing it, I mean that you can then restore that last good back up of your entire system and all the settings on it in the same way that you can virtualize a server.
Now, that's one way that you can do it on site where the machines themselves, you create those system image of the machine and store them so that you can restore the machine as a whole but, if you do move to a cloud environment, your machine, the actual device your using to access it, is really just that. It's a client. You're connecting to and viewing a virtual environment, by the very nature. I hope that answered your question.
If you unplug your machine right away, how would you get all that information that you had listed that you need to go forward?
I think you described it well, there. So, what we're really trying to do is understand that, the machine that you're unplugging, is a loss. It's encrypted, right? That machine and it's data are no longer accessible. But, the real goal of unplugging it, is to prevent that type of infection from propagating to other machines and your server and network drives and things like that. I probably wasn't perfectly clear on that, but really what you're doing is your avoiding or it's almost like quarantining somebody who's sick, it's not that far different. What you're doing is your taking that machine away from any other devices or servers or bits of data that would be part of the ongoing infection of your network. I hope that explains that.
Any comments on the Google problem of last week? I never click on anything. My husband opens every Pandoras box he gets.
We recommend you have a frank discussion with your husband and tell him to stop clicking on those because Pandora is a perfect example of his either reliance or trust in that third party becomes an avenue for that phishing to be that much more effective. Because in essence, he thinks that Pandora is helping him and giving information, so I urge caution and not to click on any links in emails. Literally, go to your Pandora, either the app or online and see what their messages are to you because at least you've used your user name and password to connect and authenticate yourself. Don't click on links in emails.
Google had caught it and shut it down very quickly, that's true but, I think there were hundreds of thousands of people that were affected, right? So in essence, these are the types of attacks and the fact that you bring Google, the name of Google as an industry leader. They serve right on the cutting edge. They offer two factor authentication and even they were able to be hacked. And there some kind of contesting descriptions of how that Google exploit, what the intent behind it was, but the effect was, in essence the same, as if it were a Ransomware attack.
In essence, hundreds of thousands of people were inadvertently compromised and Google did an effective way of one, communicating and two, mitigating it but, it just shows you that the large organizations that have truly state of the art, proactive monitoring, even they can be attacked. And their way of dealing with it would be the same way that we would deal with any organization that's in the Abacus Private Cloud, is we would mitigate the damage, we would shut down the attack from moving forward and then we would reset to the last good back up. The same thing they did.
Is anything in particular for Macs?
Macs are kind of, historically known to be strong against exploits for viruses. But, as I mentioned earlier, a virus is just that. It's really kind of, intent is malicious, destruction of files. They become infected, you no longer access them, they're deleted or they send out the same virus to other computers via your contact list or something like that. Macs are historically, good against viruses, but Ransomware is an entirely different type of attack. So, the way it comes in, in a Mac ideally, it would be caught ahead of time, but it also can encrypt your Mac and the data on it.
So, the virtualization, the time machine aspect, creating a boot media, so that if you do use time machine or something like that to create that system image that I've been talking about, make sure that you're able to access your computer, so that the restore process of a system, the last good one, is something that you can do. So, I strongly encourage virtualization of Macs, of Windows pc's, Linux machines, whatever you may need or use. I happen to use a Chromebook, it's a laptop, but it's stripped down and has basically, no local storage.
And I use that to access my Abacus Private Cloud account because the actual device itself, the Chromebook, can be wiped in minutes. It really doesn't store much. It has no true operating system. In essence, it's kind of, a glorified browser, but I use it to connect to a virtual environment and the virtual environment has those protections behind the scenes with redundant back ups and that virtualization that really gives you the ability to wipe clean, in other words, eliminate the encryption of all your data and restore data and programs and your work station as a whole.
Want more Free Training Friday? Register for upcoming webinars here!