Be Wary, Be Suspicious - Take the Time to Double Check Before Clicking

March 21, 2016

Stories of sensitive information being stolen from businesses and government institutions have become a regular occurrence in the news. On the heels of a security breach in the summer of 2015 in which the tax return data of over 300,000 taxpayers was stolen, just last month the IRS announced another breach involving over 100,000 social security numbers and e-filing PINs.

One type of threat that has been wreaking havoc since its initial discovery in 2013 is ransomware. This type of attack generates tens of millions of dollars in revenue by searching for valuable data and encrypting it with a cipher the victim cannot break. The victim is left with two options: restore a clean copy of the data from backup, or pay a ransom to obtain the key that reverses the encryption.

Hollywood Presbyterian Medical Center's own nightmare started on February 5th, when staff noticed they could not access the network.  The hospital's President and CEO, Allen Stefanek, declared an internal emergency, telling NBC LA that the hospital's emergency room systems had been sporadically impacted. Some patients were transported to other hospitals and, in other parts of the hospital, computers essential for CT scans, documentation, lab work, and pharmacy needs were offline.  The hospital's network was down for at least a week, forcing staff to rely on fax machines and telephones to get work done.  In the end, the hospital chose to pay the attackers around $17,000 for the decryption key required to unlock the data.

More unnerving is the fact that these threats grow in sophistication with each new campaign. Despite the international task forces formed to address them, the attackers have been able to operate complex distribution technology, communications networks for registering and exchanging encryption keys, and anonymous payment mechanisms.

One example of the increasing sophistication of these attacks is the way new campaigns counter the techniques technicians use to recover from them. Microsoft Windows can be configured to store previous versions of files via the Volume Shadow Copy service. This service lets you right-click a file stored on a Windows workstation or server and restore a prior version of it. Using this technique, a technician could quickly restore encrypted data to a clean state without resorting to a full backup restore, which minimizes both the time needed to get clean data back online and the work lost when rolling a file back to an earlier point in time. The attackers have learned about this technique and, in the most recent campaigns, the first thing the infection does is delete the file history held by the Volume Shadow Copy service. The original file names are replaced with random hexadecimal strings, making it impossible to identify which original data was encrypted. As a result, anyone hit by one of these viruses has no choice but to restore from backup or pay the ransom demand.
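Because the shadow copies can vanish before anyone notices, it is worth checking that they still exist rather than assuming "Previous Versions" will be there when needed. The following PowerShell script is an added example, not code from the original article or from MHP: it counts the shadow copies on each lettered volume, compares the counts with those saved on the previous run, and warns when a volume has fewer than before. The baseline file path is an assumption; schedule the script under an account with permission to query WMI.

```powershell
# Added example (not from the original article): inventory Volume Shadow Copies
# per volume and warn when the count drops versus the last run.
# Assumption: the baseline JSON lives at this path and the script runs elevated.
$BaselinePath = 'C:\ProgramData\ShadowCopyBaseline.json'

function Get-ShadowCopyCounts {
    # Win32_ShadowCopy reports the volume as a GUID path (\\?\Volume{...}\);
    # map it to a drive letter via Win32_Volume.DeviceID so the report is readable.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    $copies  = Get-CimInstance -ClassName Win32_ShadowCopy
    $result  = @{}
    foreach ($v in $volumes) {
        $n = @($copies | Where-Object { $_.VolumeName -eq $v.DeviceID }).Count
        $result[$v.DriveLetter] = $n
    }
    return $result
}

$current = Get-ShadowCopyCounts

if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($drive in $current.Keys) {
        $was = 0
        if ($baseline.PSObject.Properties[$drive]) { $was = [int]$baseline.$drive }
        $now = $current[$drive]
        if ($now -lt $was) {
            # A drop is not proof of an infection (retention limits also purge copies),
            # but it means 'Previous Versions' can no longer be relied on for recovery.
            Write-Warning ("Shadow copies on {0} dropped from {1} to {2}; investigate " +
                           "and confirm an independent backup exists" -f $drive, $was, $now)
        }
    }
}

# Human-readable report, then persist the current counts as the next baseline
$current.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0} {1} shadow copies' -f $_.Name, $_.Value
}
$current | ConvertTo-Json | Set-Content -Path $BaselinePath
```

A warning from this check is a prompt to verify backups, not a substitute for them; shadow copies share the disk with the data they protect and are lost with it.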

How can you protect your sensitive data against threats like these?  There are some things you can and should do immediately:

  • Run a good antivirus program.  No single antivirus product has been able to stop all threats, but a current, properly configured antivirus tool is your main defense against all types of malicious attacks.  MHP both uses and recommends Vipre from ThreatTrack Security.  There are other competent products available; just make sure they are properly installed and constantly updated.  If you have more than a couple of computer systems that need protection, MHP recommends a solution that can be managed from a central console, since just one unprotected system can compromise all of your data.
  • Install a properly configured firewall between your data and the internet.  If you don't have a dedicated firewall device between your ISP modem and your computer systems, you are in the least secure configuration possible.  Consumer grade firewalls can be purchased anywhere computers are sold for less than $100.  Business grade firewalls are generally sold and installed by dealers with prices starting in the $500 - $1,000 range.  Make sure default settings and passwords get changed.
  • Backup, backup, backup.  If Hollywood Presbyterian Hospital could have restored their data, they would not have been down for a week, and would not have had to give criminals $17,000 to get back online.  You can't have too many copies of your data, properly secured of course.  Redundancy is the key word, with lots of history and different ways to restore.  We recovered the encrypted data for one client from a redundant cloud backup when their primary backup was shown to contain only the unusable encrypted data.  Without the redundant cloud backup, all that data would have been lost.  The more options the better when it's time to restore.
  • Be an informed and cautious user.  There seems to be an endless variety of virus distribution mechanisms: phony emails, web page links, and macros embedded in spreadsheets, all cleverly disguised to make you click.  Be wary, be suspicious and, when in doubt, take the time to do some research or speak to a professional before you click.

If you are unsure about your ability to withstand and recover from a malicious attack, contact Elmer Robinson, IT Consulting Manager, or any of our IT Consultants at MHP to discuss how we can help at (307) 637-2660.