The new threat to business uptime
When it comes to crypto-ransomware, it’s not the ransom that’s so damaging to your business. It’s the downtime. This report spotlights data from a survey of nearly 300 experts. And it explains what to do about it.
Luke Skibba, known on Twitter as @GigabitGeek, is one of the lucky few: his ransomware story has a happy ending.
Spending the night restoring data from a #Cryptowall breach. Stay #secure, but also #backedup my friends. #tech #backup #security #ITguy
— Gigabit Geek (@GigabitGeek) January 6, 2016
Thank you for making it one of the easiest restores. #SecureShareSync transformed a nightmare data loss to a simple inconvenience.
— Gigabit Geek (@GigabitGeek) January 7, 2016
“Cryptowall”—the cause of Luke’s all-nighter—is one of the more well-known families of crypto-ransomware, a category of viruses that encrypts files on a victim’s computer and keeps them locked until the victim pays a set ransom. If you don’t pay the criminals who spread the virus—up to $5,000 per user, according to the FBI—you’ll lose the files forever.
In other words: imagine you arrive at your office one day to find all your computers padlocked, and a man in a mask demanding $5,000 per user to give you the key. That’s what ransomware is like.
The next great threat to business IT?
Ransomware attacks are growing more frequent thanks in part to two technology trends: the increasing processing power of computers (which are now so powerful that they can encrypt their own files in a matter of hours) and the rise of anonymous payment systems such as Bitcoin (which make it easy for criminals to accept payment without fear of being traced).
Numerous tech publications have listed ransomware among the biggest digital threats facing businesses today. This is due to its capacity to slip through corporate security and its potential to replicate itself across a corporate network. Even Apple users aren’t immune: the first ransomware targeting Macs has recently been spotted. More is sure to come.
If your company gets infected, you face two very hard choices: either spend multiple days recovering the locked files from backups—during which time you’ll endure user downtime, lost sales and angry customers—or pay ransom to an organized crime syndicate.
(Even then, you still need to wipe and restore your computers to remove the virus. Without a business continuity plan in place, infected users will experience downtime regardless. More on that below.)
Just ask the Hollywood Presbyterian Medical Center
The employees of the Hollywood Presbyterian Medical Center can tell you what it’s like. This February, they were forced to take their PCs offline so IT could contain a ransomware outbreak and restore their files. They spent 10 days relying on fax machines and paper charts. They made unwanted headlines in the New York Times, the BBC and countless other publications. In the end, they paid $17,000 in ransom, just to avoid even more protracted downtime.
This report helps you understand the true cost of ransomware, learn some basic prevention and containment techniques, and plan for business continuity to avoid downtime in the increasingly likely event that your business will get hit.
The scope of the threat
Our World Cloud Hosting commissioned an independent research firm to conduct a survey of nearly 300 IT experts about the crypto-ransomware threat. The survey respondent panel was carefully screened to include experts who consult with businesses of all sizes on setting up and maintaining IT infrastructures. These are the men and women who are on the front line of business IT challenges such as ransomware.
The full results of the survey are available in Our World Hosting’s 2016 Crypto-Ransomware Study. This report will focus on three key findings:
1) The biggest cost to businesses is downtime, not the ransom payment;
2) Ransomware is targeting bigger businesses and spreading within corporate networks; and
3) A widespread lack of business continuity planning is what makes ransomware so dangerous (and so lucrative for criminals).
Paying ransom is the least of your worries
When asked to rank the business impacts of the ransomware outbreaks they had assisted with first-hand, the consultants ranked the cost of the ransom itself last. In other words, contrary to popular belief, the ransom payment is far from the worst damage caused by ransomware.
Downtime lasts for days
A computer that is discovered to have ransomware must immediately be isolated from the corporate network in case the malware is programmed to spread. This leaves users without access to their computer while IT contains the virus and restores the device. And even if they can get to their files through alternate devices, the files themselves are encrypted and thus unusable.
There are business continuity solutions for ransomware (more on that below), but the survey results suggest that few businesses have any solution in place: 72% of business users lost access to data for at least two days, and 32% lost access for five days or more.
Downtime occurs even if you pay the ransom
An infected computer must be wiped and restored to clear it of the malware, even if you pay the ransom to recover your files. And that takes time. 52% of experts reported that the wipe-and-restore process took two or more days for the infected devices. (Even worse: 19% of companies that paid the ransom still didn’t get their files back.)
Bigger businesses are being targeted
The criminals behind ransomware are going after businesses of all sizes. 89% of the businesses hit by ransomware had 10 employees or more, while 60% had more than 100 employees. And ransomware tends to hit multiple users at once; 75% of outbreaks affected three or more people, and 47% of outbreaks spread to at least 20 people.
Ransomware is a growth industry
43% of IT consultants have had customers fall victim to ransomware. 48% saw an increase in ransomware-related support inquiries in the past year—across customers in 22 different industries.
What are the key takeaways?
Like most forms of malware, ransomware infections may arrive through malicious web pages, infected thumb drives, or other common attack vectors. But the most common infection vectors are email-based—often using the same techniques found in phishing emails.
“Phishing” is when criminals send a seemingly legitimate email that disguises a malware-laden attachment or link to an infected website. Criminals often use phishing to trick users into submitting sensitive information such as passwords or credit cards; but these days, they’re also using it to spread ransomware.
In a recent study [1], 94% of people couldn’t tell the difference between a real email and a phishing email 100% of the time. When study participants received an email that was spoofed to appear as if it was sent by UPS, 62% trusted it enough to click the link.
Protection against ransomware goes hand-in-hand with phishing prevention. Here are your top three activities:
1) Your email defense should go beyond spam and virus scanning. It should also be sophisticated enough to recognize and block phishing attempts.
2) Technology can only go so far to stop phishing. Employees and executives have to be trained to spot phishing emails before they click.
3) While you need to block every single attack, the criminals only need to succeed once. Plan in advance for how you’ll contain the damage before they do finally break through.
[1] McAfee: Phishing Deceives the Masses: Lessons Learned from a Global Assessment
Containing a ransomware outbreak
After shutting down the computer of the affected user and taking her off the network, we determined she had been hit with the CryptoWall ransomware. We had 90 percent of our files encrypted. This impacted every user in our whole company.
Luke Skibba, @Gigabitgeek
Ransomware is hard to spot while it’s encrypting user files. The user may notice his or her machine acting strange during the encryption process: file extensions will change, files won’t open, or the computer’s fan may whir loudly as the processor copes with the computing demands of encryption. But the average user may not recognize the danger until the ransom demand finally appears.
This means that IT typically doesn’t learn about the infection until after the damage has begun and the malware is already inside the network.
At this point, IT’s priority has to be to contain the virus and prevent it from spreading within the network. More sophisticated ransomware variants may attempt to propagate. Malware of all forms has been observed to send malicious messages using the user’s email or chat clients, or even to deposit infected files in open shared folders on other users’ computers.
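The symptoms above (files gaining unfamiliar extensions and being rewritten as encrypted-looking data, many at once) can be turned into a simple burst detector that tells IT which machine to isolate first. This is an added illustration, not Our World Cloud Hosting code; the event format, the known-extension list and the sample events are all constructed for the example.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Extensions normally present in the monitored share (assumed for this example).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg"}


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(new_name, content, entropy_threshold=7.0):
    """A write looks like ransomware output when the file gained an unfamiliar
    extension and its new contents are near-uniform (encrypted-looking) bytes."""
    ext = new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(content) >= entropy_threshold


def burst_counts(events, window=timedelta(minutes=5)):
    """Per user, the largest number of suspicious writes inside any time window.
    events: iterable of (timestamp, user, new_filename, bytes_written)."""
    per_user = defaultdict(list)
    for ts, user, new_name, content in events:
        if is_suspicious(new_name, content):
            per_user[user].append(ts)
    result = {}
    for user, times in per_user.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[user] = best
    return result


def flag_outbreak(events, threshold=10):
    """Users whose burst of suspicious writes reaches the threshold: isolate first."""
    return sorted(u for u, n in burst_counts(events).items() if n >= threshold)


# Constructed sample events (not real telemetry): alice edits normal documents,
# bob's machine rewrites a dozen files as high-entropy blobs with a new extension.
T0 = datetime(2016, 1, 6, 22, 0)
ENCRYPTED = bytes(range(256)) * 4          # uniform bytes, entropy 8.0, stands in for ciphertext
PLAINTEXT = b"Quarterly report draft. " * 40
SAMPLE_EVENTS = [(T0 + timedelta(seconds=30 * i), "alice", f"report{i}.docx", PLAINTEXT) for i in range(3)]
SAMPLE_EVENTS += [(T0 + timedelta(seconds=5 * i), "bob", f"invoice{i}.pdf.encrypted", ENCRYPTED) for i in range(12)]
```

A real deployment would feed file-server audit or sync-client logs into `burst_counts` and tune the window and threshold to the share’s normal write rate, so that bulk edits by a legitimate tool do not trip it.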
“The first thing we would do is get the machine off the network,” says Dave Hobley, Our World Cloud Hosting’s Director of IT, describing our response to a hypothetical ransomware attack. “We always have to assume that the malware could make use of an internet connection – that it’s sending information back to the criminals, or spreading itself to other users. In the worst-case scenario, we may even temporarily turn off network access for the entire office until we get the outbreak under control.”
Top three ransomware containment tips:
Business continuity during a crypto-ransomware outbreak
“Business continuity” is the ability for the business to continue operations even while a disaster is ongoing.
Many businesses have plans in place for natural disasters, power outages or other disruptions. Fewer have “e-crisis” response plans for cyber threats such as ransomware. That’s one of the reasons ransomware has been so disruptive to businesses and so profitable for criminals: business continuity solutions have not previously existed.
In order for users to continue working during a ransomware outbreak, two capabilities are required.
Some of these capabilities exist in file sync and share products. Other capabilities exist in backup products. Ransomware has been so lucrative for criminals because these two capabilities have never before been present in a single product.
File Sync & Share’s Weakness: You can’t easily roll back to clean files.
When ransomware encrypts the files in your online storage folder (Dropbox®, Box®, Google Drive®, etc.), the encrypted files sync up to the cloud. So online versions are also locked. While you can perform rollback on a file-by-file basis, you can’t instantly perform a ‘mass rollback’ to revert your entire file archive to uninfected versions. Some providers offer this service through a support request, but the process takes hours or days.
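The missing capability described above, reverting an entire archive to the last versions saved before the outbreak in one operation rather than file by file, is small to express once a versioned store exists. The following is an added illustration written for this report, not Secure ShareSync or any provider’s code; the version history, cutoff time and restore time are constructed for the example.

```python
from datetime import datetime


def mass_rollback(history, outbreak_start):
    """Plan a whole-archive rollback to the state just before outbreak_start.

    history: {path: [(saved_at, content), ...]} in chronological order, as a
    versioned store keeps it. Returns three groups:
      reverted  - path -> last clean content (file was written after the cutoff)
      unchanged - paths whose latest version already predates the cutoff
      lost      - paths created during the outbreak, with no clean version at all
    """
    reverted, unchanged, lost = {}, [], []
    for path, versions in history.items():
        clean = [content for saved_at, content in versions if saved_at < outbreak_start]
        dirty = [saved_at for saved_at, _ in versions if saved_at >= outbreak_start]
        if not clean:
            lost.append(path)
        elif dirty:
            reverted[path] = clean[-1]
        else:
            unchanged.append(path)
    return {"reverted": reverted, "unchanged": sorted(unchanged), "lost": sorted(lost)}


def apply_rollback(history, outbreak_start, restored_at):
    """Record the rollback as new versions instead of deleting the encrypted ones,
    so the full history (attack included) stays available for investigation."""
    plan = mass_rollback(history, outbreak_start)
    for path, content in plan["reverted"].items():
        history[path].append((restored_at, content))
    return plan


T = datetime  # shorthand for the constructed history below
HISTORY = {
    "q1/report.docx": [(T(2016, 1, 5, 9, 0), b"draft v1"), (T(2016, 1, 6, 14, 0), b"draft v2"),
                       (T(2016, 1, 6, 21, 10), b"<encrypted blob>")],
    "q1/budget.xlsx": [(T(2016, 1, 4, 10, 0), b"numbers"), (T(2016, 1, 6, 21, 12), b"<encrypted blob>")],
    "notes/todo.txt": [(T(2016, 1, 6, 21, 15), b"<encrypted blob>")],   # created mid-outbreak
    "logo.png": [(T(2015, 12, 1, 8, 0), b"PNG")],                         # never touched
}
OUTBREAK_START = T(2016, 1, 6, 21, 0)   # e.g. the first ransomware write noticed by IT
RESTORED_AT = T(2016, 1, 7, 2, 0)       # when the rollback is applied
```

The `lost` group is the honest part of the report: files first created after the cutoff have no clean version, so only a separate backup or the user’s own copy can recover them.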
Backup’s Weakness: You can’t instantly access clean files.
Restoring from on-premises backup takes hours. Restoring from cloud backup takes even longer. For example, Carbonite’s® restore rate is 10 Mbps, which means a 50 GB file archive will take around 12 hours to restore. [1] In all cases, the user is completely idled while the backup is restoring.
[1] Carbonite.com: Average Restore time. http://support.carbonite.com/articles/Personal-Pro-Mac-Windows-Average-Restore-Time
What’s needed to establish business continuity during an outbreak is for these two capabilities—instant rollback and instant access—to be present in a single product.
Secure ShareSync by Our World Cloud Hosting
2-in-1 file sharing & backup offers instant rollback and instant access, enabling users to keep working during a ransomware outbreak
One of the biggest pain points for any company is downtime. Being able to go from weeks or days to minutes will change the game of fighting ransomware for Our World Cloud Hosting’s Secure ShareSync customers.
Luke Skibba, @Gigabitgeek
Secure ShareSync is a universal file management tool: it combines real-time backup and file sharing into a single product.
This 2-in-1 feature set enables file collaboration similar to Box and Dropbox alongside a complete file backup and recovery across any failure scenario, like Carbonite and Mozy.