The Smarter SMB’s Guide to Ransomware
Introduction

Ransomware has become a serious epidemic affecting businesses of all sizes, and protecting your company is more essential than ever before as the number of ransomware attacks continues to rise. A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 — a 300-percent increase over the 1,000 daily ransomware attacks reported in 2015. [1]

As ransomware spreads, it continues to evolve and get more sophisticated — and more lucrative. In fact, according to the Internet Crime Complaint Center, ransomware victims paid more than $24 million to regain access to their data in 2015 alone. [2]

What does all this mean for small to medium-sized businesses? In order to protect your organization from cyber threats, you need to keep ransomware and cybersecurity top-of-mind and educate your employees about this destructive type of malware and the damage it can do to your business.

To help you address the growing threat of ransomware, we’ve taken a closer look at how ransomware works and the most common variants that are active today. We’ve also gathered our best advice on how to protect your business, both proactively, by taking precautions to avoid ransomware, and reactively, by being prepared to recover quickly and easily if you do fall victim to an attack.
What Is Ransomware?

Ransomware is malicious software that encrypts files, locks the computer, and retains control until the user pays a certain amount of money. Ransomware can appear in two forms — either by locking your screen with a full-screen image or webpage to prevent you from accessing your PC, or by encrypting your files so they can’t be opened. [3]

While each ransomware variant has its own twist, there are a few key components that most ransomware types follow:

Email-borne infection – Although some variants have been known to attack via drive-by download advertising, malicious websites, or peer-to-peer network file sharing, ransomware typically attacks through spoofed emails, and the end user is tricked into opening an attachment. [4] It often arrives in a zip file with an enticingly common name; the zip file contains an .exe, which installs itself on the target computer and adds a key to the Windows Registry so that it runs automatically.

Covert communication – Once downloaded, the malware establishes communication with a command-and-control server. For example, CryptoLocker, which started the modern ransomware craze, relies on a domain generation algorithm and hops between new servers routinely to avoid detection.

Advanced encryption – Once the server connection is established, CryptoLocker generates a pair of encryption keys — one public, one private — using the RSA-2048 public-key algorithm together with 256-bit AES encryption. Most ransomware variants use a 256-bit AES (Advanced Encryption Standard) key or a 2048-bit RSA key, but some even go as far as 4096-bit RSA.

Bitcoin ransom – After encryption is complete, the cybercriminals usually demand Bitcoin or some other form of payment for the key to decrypt the infected files. [5] Ransomware works quickly and quietly in the background before it reveals itself to users by asking for the ransom.

Tight deadline – A pop-up window usually tells the victim that important files have been encrypted and sets a time limit for payment, after which the private encryption key is destroyed and the files are lost forever.
3. Smrss32
Identified: August 2016
What defines Smrss32: Smrss32 is a CryptoWall copycat, but it isn’t as sophisticated. It adds “.encrypted” to the targeted files and drops a ransom note into every folder and desktop containing encrypted files, before it deletes the folder where it installed itself. [11]

4. CryptXXX
Identified: April 2016
What defines CryptXXX: CryptXXX scans the entire drive and then encrypts files using the “.crypt” extension. The user’s desktop image changes to a picture of the ransom note, and browsers display an HTML version of the note as well. [12]
Most recent variant: CryptXXX 3.1 scans for shared Windows drives and quickly encrypts each one — but that’s not all. It also utilizes StillerX, a credential-stealing DLL tool that can steal emails, browser data, and even VPN credentials, leaving users vulnerable even after the ransom is paid and files are decrypted. [13]

SMBs are the primary target for ransomware, but only 34% test backups regularly.*
*Verizon 2013 Data Breach Investigations Report

3 Steps to Recover from Ransomware

What do you need to do as an SMB if ransomware strikes your business? You should take the following three steps immediately after an infection is discovered. If you work with a managed service provider, you should contact them right away so they can help you execute these steps effectively.

Step 1: Disconnect from the network and stop backing data up immediately
Disconnect the infected machine from the network immediately after the infection is discovered. This does two things: it stops variants that encrypt shared files on the network, and it stops the malicious software from overwriting clean backups with infected files. You should also check whether any other machines have been affected.

Step 2: Remove ransomware and clean computers of malicious software
If you have a good backup to restore from, remove all traces of the ransomware using antivirus software or an appropriate malware remover before proceeding. Don’t test or try to recover data until the ransomware is completely gone. It’s important to note that by removing the ransomware you are effectively forfeiting your ability to unlock files by paying the ransom. This shouldn’t be a problem if you have backed up your data to a separate offsite location and don’t intend to pay the ransom. As an added precaution before you restore files, conduct a test run in Safe Mode on the network to see if there are any additional infected files.

Step 3: Restore from the most recent clean backup
Provided that you maintain consistent backups, locate a clean version of the files and restore from your most recent clean backup set. Unfortunately, if you haven’t followed best practices for backup, you won’t have an alternative. You’ll either need to pay the ransom or accept that all of your data is gone.
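The indicators described above (files renamed with “.encrypted” or “.crypt”, a ransom note dropped into every affected folder) can be checked for on a file share or backup snapshot before the next backup run overwrites clean copies. The scanner below is an added example, not code from the guide; the thresholds and the ransom-note filename pattern are assumptions, and the sample share it builds is constructed.

```python
"""Scan a directory tree for the ransomware indicators described in the guide.

Added example: looks for a run of files carrying the ".encrypted" / ".crypt"
extensions (Smrss32, CryptXXX) and a ransom note in the folders they sit in.
Thresholds and the note-name pattern are assumptions, not from the guide.
"""
import os
import re
import tempfile

ENCRYPTED_EXTS = {".encrypted", ".crypt"}
# Assumed ransom-note naming pattern, e.g. "HOW_TO_DECRYPT.txt", "readme.html".
NOTE_RE = re.compile(r"(decrypt|restore|recover|ransom|readme)", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".hta"}

def scan_tree(root, min_encrypted=3):
    """Return counts plus a verdict: encrypted files AND notes alongside them."""
    encrypted, folders_hit, folders_with_note = 0, set(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in ENCRYPTED_EXTS:
                encrypted += 1
                folders_hit.add(dirpath)
            elif ext in NOTE_EXTS and NOTE_RE.search(name):
                folders_with_note.add(dirpath)
    # Share of affected folders that also received a note (a plain README.txt
    # in an untouched folder does not raise the score).
    coverage = len(folders_hit & folders_with_note) / len(folders_hit) if folders_hit else 0.0
    return {"encrypted": encrypted, "folders_hit": len(folders_hit),
            "note_coverage": coverage,
            "suspicious": encrypted >= min_encrypted and coverage >= 0.5}

def build_sample(root):
    """Constructed sample share: two folders hit and noted, one clean."""
    layout = {
        "finance": ["q3.xlsx.encrypted", "budget.docx.encrypted", "HOW_TO_DECRYPT.txt"],
        "hr": ["policy.pdf.crypt", "README_RESTORE_FILES.html"],
        "marketing": ["logo.png", "brief.docx"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "w") as fh:
                fh.write("x")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```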
Best Practices to Protect Your SMB from Ransomware

Tip #1: Educate users on security best practices
Education is still the best way to help your business avoid infection by ransomware — or any other form of malware. Make your employees aware of popular social engineering methods and tactics so they don’t fall victim to phishing emails or spoofed messages. It’s particularly helpful to share examples of these kinds of emails and the types of attachments that are often associated with social engineering attempts so that end users know to avoid them. An MSP is well equipped to help deliver this sort of training.

A few security best practices to share with your employees:
• Do not open emails from strange or unfamiliar email addresses
• Do not disable or deactivate antivirus or anti-malware software
• Do not download software from torrent sites — official or direct downloads are preferable
• If you receive an email from a familiar contact that includes an attachment or link, verify separately that the person or organization actually sent you this message

Tip #2: Consistently update operating systems, antivirus and anti-malware software
Most security vendors are constantly working on updates to catch and stop ransomware before it infects your files. If you use antivirus or anti-malware services, be sure you are running the most recent versions of these products and do regular updates. Contact your vendors or your managed service provider to learn more about how they’re defending against ransomware and whether any additional protection is available.

Ransomware is a $1 billion a year crime.
It’s also important to be sure your operating systems are up to date with the latest security patches to avoid leaving any backdoors open. Often, backdoors are fixed in the latest patch or update, and hackers can prey on companies running out-of-date software, which gives them an easy “in” to the system.

Tip #3: Disable macros in Office documents
Many new ransomware strains trick users into running macros in Microsoft Office programs. Macros automate frequently used tasks but carry a potentially serious security risk: once a malicious macro runs, it starts with one file and quickly spreads. Microsoft Office 2016 disables macros by default, but if your business is using an older version, an MSP can help you disable them through a Group Policy Object (GPO). [14]

Tip #4: Prevent .exe from running in AppData or LocalAppData folders
Ransomware usually operates within the AppData or LocalAppData folders, so you may be able to prevent the initial malware download from executing by blocking .exe files from running in these folders.

Tip #5: Set up a next-generation firewall
Cybercriminals are releasing new malware variants into the wild at an increasingly fast pace. A next-generation firewall can combat numerous threats, and some can even detect zero-day threats before they infiltrate the system. There was a 79-percent increase in zero-day threats from 2014 to 2015, and that number is expected to continue to climb. [15]

Firewalls help your SMB be proactive about defending against ransomware instead of just reacting to an attack. “Network security is akin to a home alarm system, whereas BDR is like a home owner’s insurance policy that comes into play if something is stolen or damaged,” says Brian Babineau, senior VP and general manager of Intronis MSP Solutions by Barracuda. [16] Thinking of it that way will help you understand the importance of both approaches. Network security, like a next-generation firewall, goes hand-in-hand with a comprehensive BDR plan when protecting your business from the most recent ransomware threats.
Tip #6: Back up your data frequently and consistently
Offsite backup is a critical component of a ransomware recovery strategy and should be an integral part of your disaster recovery plan.

Why offsite? Because ransomware infections have been known to infect local drives and network shares that are mapped as a drive letter on the infected computer. [17] That means if you’re using only a local backup solution, there’s little chance of recovery without paying the ransom, because your backups will most likely get encrypted as well.

1. Keep multiple versions of your protected files
Certain cloud backup offerings provide the advantage of sophisticated version histories, which is a critical component of successful restores after a ransomware infection. If you only back up a single version of your files, it’s possible that your software has backed up an infected file. By saving as many revisions as possible, you have a better chance of restoring to a clean version of the data.

2. Keep multiple days’ worth of files
Depending on how frequently you perform backups, it’s possible to store multiple versions of a single file, all of which were backed up the same day. But it’s important to also back up several days’ — or even weeks’ — worth of files to ensure maximum protection. By retaining clean backups over days, weeks, or months, you give yourself additional safe restore points, raising the likelihood of a successful restore.

3. Frequently test your restores
Your backups are only as good as the restore. Test your restores on a frequent basis to make sure your data is being backed up properly.

More than 70% of ransomware attacks target small businesses.
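The advice above (multiple versions, multiple days of retention) is easiest to see in the restore step: for each protected file you need the newest version taken before the first encrypted version appeared, and a file whose only surviving versions are post-infection cannot be recovered. The script below is an added example, not code from the guide or any backup product; the version-history format, the retention policy and the sample history are all constructed.

```python
"""Choose a clean restore point from a versioned backup history.

Added example (not from the guide). Each file has a list of backed-up
versions; a version whose stored name ends in ".encrypted"/".crypt" is
treated as post-infection. The history format and retention policy are
assumptions made for this illustration.
"""
from datetime import datetime, timedelta

ENCRYPTED_EXTS = (".encrypted", ".crypt")

def is_encrypted_version(version):
    return version["name"].lower().endswith(ENCRYPTED_EXTS)

def choose_restore_point(history):
    """history: {path: [{"id", "name", "at": datetime}, ...]}.
    Returns (first infection time, {path: clean version id}, [unrecoverable paths])."""
    enc_times = [v["at"] for vs in history.values() for v in vs if is_encrypted_version(v)]
    infection_time = min(enc_times) if enc_times else None
    chosen, unrecoverable = {}, []
    for path, versions in history.items():
        # Newest version that is neither encrypted nor taken after infection began.
        clean = [v for v in sorted(versions, key=lambda v: v["at"])
                 if not is_encrypted_version(v)
                 and (infection_time is None or v["at"] < infection_time)]
        if clean:
            chosen[path] = clean[-1]["id"]
        else:
            unrecoverable.append(path)
    return infection_time, chosen, unrecoverable

def apply_retention(history, keep_days):
    """Constructed policy: drop versions older than keep_days before the newest backup."""
    newest = max(v["at"] for vs in history.values() for v in vs)
    cutoff = newest - timedelta(days=keep_days)
    return {p: [v for v in vs if v["at"] >= cutoff] for p, vs in history.items()}

def sample_history():
    """Constructed history: q3.xlsx changes often, policy.pdf was last clean 10 days earlier."""
    t0, day = datetime(2016, 9, 1, 9, 0), timedelta(days=1)
    return {
        "finance/q3.xlsx": [
            {"id": "q3-v1", "name": "q3.xlsx", "at": t0},
            {"id": "q3-v2", "name": "q3.xlsx", "at": t0 + 2 * day},
            {"id": "q3-v3", "name": "q3.xlsx.encrypted", "at": t0 + 4 * day},
        ],
        "hr/policy.pdf": [
            {"id": "pol-v1", "name": "policy.pdf", "at": t0 - 10 * day},
            {"id": "pol-v2", "name": "policy.pdf.crypt", "at": t0 + 4 * day + timedelta(hours=1)},
        ],
    }
```

With the full history both files restore; after a 7-day retention window is applied, policy.pdf has no clean copy left, which is the failure the guide's "multiple days' worth" advice prevents.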
Conclusion

The FBI wants businesses to take ransomware seriously. “Because of the global reach of cybercrime, no single organization, agency, or country can defend against it,” the organization explained in a recent statement about the growing threat of ransomware. [18]

As an SMB, it is impossible to stop the ransomware epidemic. However, taking the right proactive and reactive measures can help you reduce the likelihood and impact of an attack on your business. No business vertical, large or small, is immune to ransomware attacks, but you can set your business up for success by following best practices and using the right tools to defend against it.

Contact Carrier Access, Inc. to learn more about ransomware and make sure your business is properly protected.
[email protected]
800-373-7548

Sources
1. How to Protect Your Networks from Ransomware, Justice.gov, retrieved September 2016.
2. The ICIT Ransomware Report, ICIT, March 2016.
3. What is ransomware?, Microsoft, retrieved September 2016.
4. Cryptolocker 2.0 – new version, or copycat?, We Live Security, December 2013.
5. CryptoLocker Ransomware Information Guide and FAQ, Bleeping Computer, October 2013.
6. Malware Protection Center, Microsoft, image retrieved September 2016.
7. Here Comes Locky, A Brand New Ransomware Threat, Dark Reading, February 2016.
8. Locky now using Embedded RSA Key instead of contacting Command & Control Servers, Bleeping Computer, September 6, 2016.
9. Combatting the ransomware Blitzkrieg, ICIT, April 2016.
10. Cerber Ransomware Has a New Family Member – Cerber3 Has Been Spotted, Virus Guide, August 31, 2016.
11. Smrss32 Ransomware Encrypts an Astounding 6,674 File Types, Virus Guide, August 15, 2016.
12. CryptXXX Ransomware Help, Information Guide, and FAQ, Bleeping Computer, May 2016.
13. CryptXXX Adapts Again to Outwit Decryptors, Infosecurity, June 2016.
14. Enable or disable macros in Office documents, Microsoft, retrieved September 2016.
15. 2016 Vulnerability Review, Flexera Software, March 16, 2016.
16. 3 Ways to Supercharge Your BDR Offering, Business Solutions Magazine, September 2016.
17. CryptoLocker Ransomware Infections, US-CERT, November 2013.
18. Cyber Crime, FBI, retrieved September 2016.