One of the more frustrating aspects of technology is cybercrime. Hackers can steal valuable information, hold you up for ransom, vandalize your equipment or compromise systems and productivity. It is an ongoing challenge to protect your clients and firm from their attacks.
Recently, I have spoken with several advisors that have been impacted by a ransomware virus, and in speaking with a couple of IT firms, I learned they have received multiple support calls that involve this type of virus, too. I don't view this as a coincidence, and therefore it is important for all advisors to understand ransomware viruses.
Ransomware viruses have been around since the mid- to late-2000s, and are activated similarly to other viruses. Often this happens by clicking a link in an email or website, or by opening an attachment that includes the virus.
There are two primary types of the virus. One completely takes over the computer and locks the machine. The second type encrypts files with a password or renders them unreadable. In both cases the virus instructs you to pay a “ransom,” often in bitcoin, in order to gain access to your computer and files again.
The ransomware virus that encrypts your files can be especially challenging. Any file that the infected user has access to can be compromised. This may a big, rich target when the infected user has access to files not only on their hard drive, but also on the server.
If your firm ever becomes a victim of a ransomware virus, it is very important to identify as quickly as possible the entry point of the virus. With the “lock machine” version of the ransomware virus it is of course easy to identify the initial entry point of the attack — it likely started with that specific computer.
The “encrypt file” version might be more of a challenge, especially if the files on your server are impacted. One way to discover the entry point is to start by highlighting one of the encrypted files and selecting “Properties” via the right click menu. Then select the “Details” sub-tab and look under the “Origin” section. This is where you will be able to view the last user who saved the file, which is a good indication of the potential entry point. Once you identify the last user, immediately go to their computer and remove it from your network by unplugging the network cable or disabling the wireless or LAN connection. If you are quick, removing the connection will isolate this computer. Interesting to note, it does take time for the virus to encrypt each file, and generally speaking it follows an alphabetical process.
Once you identify the entry point, the task is to remove the program from the computer. Depending on your level of expertise, you might want to consider working with an IT provider. At a minimum, make sure that your anti-virus program has identified and removed the virus. In some cases, re-imaging the computer could be necessary. Be very methodical in your process, particularly when it is time to re-introduce the impacted computer to your network.
The day your firm is hit by a ransomware virus is when your investment in your backup process truly pays off. If you have an up-to-date and complete backup of your data and files, then you simply overwrite the encrypted files with your backup copy. The overall process of removing the virus and restoring your files from a backup copy could be very time consuming, but you should be able to get back to business. It is critical that your backup process does not occur when your files are encrypted by the ransomware virus. The last thing you want is for your good backup files to be overwritten by the encrypted files.
There is no perfect solution, no single step that you can take to protect your firm from a virus. Keeping your anti-virus software up to date, being careful with email attachments and certain websites, avoiding links in phishing emails — these are all important preventative measures. Most important, though, is that you adjust your thinking to not “if” but “when” a virus will impact your firm, and make sure that you are ready to respond. The most damaging attacks occur when firms are unprepared.
Could You Simply Pay the Ransom?
Yes, you could pay the ransom to regain access to your files. Unfortunately, some impacted firms have to do just that because they didn't have a good backup available for restoring their files. It was their last resort. Of course, there are no guarantees that you will get the right encryption key to unlock your files after paying the ransom. The cybercriminal may have abandoned the effort, but the virus may still be lurking. Furthermore, paying the ransom also rewards the cybercriminal's behavior, which nobody wants to do.