
Ransomware

Atlanta Real Estate Firm Gets Ransomware

February 14, 2020 by Boost IT

A Story about Ransomware Detection and Prevention for an Atlanta Real Estate Firm

This is the story of how cyber criminals in China attempted to take down and extort for ransom an Atlanta Real Estate Firm, how the Boost IT team reacted, and what we can learn from it — ransomware prevention in 2020.

How the ransomware hit

It was Monday, January 7th; the first full week after the holidays. The day began like any other Monday — we gathered over coffee, discussed the fun things we did over our weekends, and had our weekly team meeting to review our client environments. A ticket had come in over the weekend that there was some unusual activity on a client’s servers, and that there was a jump in hard drive activity.

Next was a series of frantic incoming phone calls followed by shock as the gravity of the situation sank in. The day I had been dreading since I founded the company in 2000 was finally here — a client that had repeatedly refused our security recommendations had a full-fledged ransomware attack underway.

Can ransomware be prevented?

In the best cases, our managed security services, when used together, will drastically reduce the chances of infection. In fact, our clients that use our full suite of security services have never gotten ransomware. In the worst cases, the bad guys succeed, data is lost, and ransoms are paid out. Fortunately for us, we were well prepared because our client used our rock-solid, cloud-based disaster recovery system so data loss was minimized.

How we reacted

Shut it down

The first thing we did once we confirmed the attack was have everyone power off their workstations. Once ransomware compromises one machine it immediately spreads to the rest of the network. And even with backups in place, recovery takes time. Restoring a single machine can take 1-2 hours and when handling dozens of machines that can easily turn from hours into days.

Search & Analyze

With everything powered off we started slowly checking each server one by one, and taking samples of the encrypted files so we could send them out for analysis. After submitting the samples to IT security researchers we quickly discovered we were dealing with something incredibly nasty: the Dharma-Adobe variant of ransomware (.cezar family of attacks). This strain is extremely problematic.

Only 1 in 67 anti-virus engines could detect the ransomware

In fact it successfully made its way through their Cisco Meraki Firewall with Advanced Security License, the email security filtering, Microsoft Office 365 mail scans, and past their anti-virus protection.

Put in the time

Even with recent backups available, we had to check each system individually, complete the restores, and test to determine which backups weren’t compromised. Meanwhile, we watched in real time as Chinese cyber criminals attempted to log in to their servers (we blocked some 7,000 attempts per hour at the height of it). It took people on our team in excess of 100 hours of work that week. It was 14+ hour days and extremely stressful. Brent Tibbetts went above and beyond showing up early and staying late.
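The kind of check that surfaces a login storm like the one described above, written here as an added example (it is not Boost IT's tooling): it counts failed logons per hour and flags any successful logon from a source that had already failed many times. The log format, field names, thresholds and sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical export format (an assumption, not any product's real log format):
#   <UTC timestamp> <FAILED_LOGON|LOGON_OK> user=<name> src=<address>
LINE_RE = re.compile(r"^(\S+) (FAILED_LOGON|LOGON_OK) user=(\S+) src=(\S+)$")


def sample_log():
    """Constructed sample data using documentation-only address ranges."""
    lines = [f"2024-03-04T09:{m:02d}:05Z FAILED_LOGON user=administrator src=203.0.113.10"
             for m in range(40)]
    lines += [f"2024-03-04T09:{m:02d}:30Z FAILED_LOGON user=admin src=198.51.100.7"
              for m in range(25)]
    lines.append("2024-03-04T09:58:00Z LOGON_OK user=administrator src=203.0.113.10")
    lines += [f"2024-03-04T10:0{m}:00Z FAILED_LOGON user=jsmith src=192.0.2.5"
              for m in range(3)]
    lines.append("2024-03-04T10:05:00Z LOGON_OK user=jsmith src=192.0.2.5")
    lines.append("garbage line that the parser must skip")
    return lines


def parse(lines):
    """Return (timestamp, event, user, source) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the triage
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def hourly_alerts(lines, threshold):
    """Hours whose failed-logon total reaches the threshold, with top sources."""
    buckets = defaultdict(Counter)
    for ts, event, _user, src in parse(lines):
        if event == "FAILED_LOGON":
            buckets[ts.replace(minute=0, second=0)][src] += 1
    return [(hour.isoformat(), sum(c.values()), c.most_common(3))
            for hour, c in sorted(buckets.items())
            if sum(c.values()) >= threshold]


def success_after_failures(lines, min_failures):
    """Successful logons from a source that already failed min_failures times."""
    failures = Counter()
    hits = []
    for ts, event, user, src in parse(lines):
        if event == "FAILED_LOGON":
            failures[src] += 1
        elif failures[src] >= min_failures:
            hits.append((ts.isoformat(), user, src))
    return hits


if __name__ == "__main__":
    for hour, total, top in hourly_alerts(sample_log(), threshold=50):
        print(f"{hour}: {total} failed logons, top sources {top}")
    for ts, user, src in success_after_failures(sample_log(), min_failures=10):
        print(f"{ts}: {user} logged on from {src} after repeated failures")
```

The second function matters more than the first during recovery: a high failure count shows the pressure on the servers, while a success after many failures marks an account to reset and a session to investigate.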

Summary of the ransomware attack

  • We shut down all workstations before any systems were encrypted and before we got the ransom demands.
  • Our client lost 1-2 days of data (Chinese hackers infected the systems but waited a few days to detonate the payload, so we chose to restore from a backup image taken when we knew 100% of the data was unaffected.)
  • Our client had only a single day of complete downtime, followed by another couple days of interrupted workflow as we got them up and running on temporary systems while we rebuilt the infrastructure.
  • Our team put in 12-14 hour days all week working round the clock to recover from backups and prevent further attacks.
  • We learned that cybersecurity user training is more critical than ever (stay tuned for an email with cybersecurity tips as well as training offerings for clients not already using our preferred eLearning platform: KnowBe4)
  • We saw firsthand how valuable proper disaster recovery backups are; a file/folder backup is not enough if you want to be able to recover from an attack swiftly. Without recent system images of the servers the backup could have taken 1-2 weeks to rebuild all the infrastructure rather than a day.
  • We want to remind our clients just how important good passwords are. If you don’t have a password policy, read this article on How to Create a Strong Password.

A big thank you goes out to our client for their patience and understanding during the attack. It was a huge productivity loss with their whole office not being able to work. No one yelled or made unreasonable demands of our team. We stayed optimistic, worked together and ensured a smooth recovery.

Thanks,

Russell Shulin
Founder & Chief Client Success Officer
Boost IT, LLC

If you’d like to stay informed of cybersecurity news and ransomware prevention measures, sign up on our Contact page.

For more info on how the Dharma Ransomware variant works:

https://latesthackingnews.com/2018/08/13/new-variant-of-dharma-ransomware-discovered/

Filed Under: Cyber Security Tagged With: Cyber Security Threats, cybersecurity, endpoint protection, News, Ransomware

Identifying Gaps in Your Cyber Security

August 4, 2019 by Boost IT

Many businesses recognize that cyber security is a growing threat and they prioritize it. They update software regularly, maintain their infrastructure and implement security measures to help thwart malicious attacks. They set up password-protected access to computers, software, and apps so only those authorized can get access. They have their employees regularly change passwords. But is everything that they do enough?

3 Problems with Cyber Security

Passwords

Every day you log on to your devices, software, and apps. You access sensitive data that is password protected. Do you trust that your password and access are safe, or do you cross your fingers hoping that there are no gaps in your cyber security?

With more companies wanting to use unique passwords, it’s hard to continuously memorize them. Then there are the changes. With each request to change a password, it is estimated that a slight revision to the previous password causes the new password to become weaker. In addition, users get frustrated because it’s not easy coming up with new passwords every couple of months. The result is that the password becomes more predictable.
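One way to catch the "slight revision" pattern at password-change time, as an added example (not code from Boost IT): it compares the old and new passwords the user has just typed and rejects a new one that keeps the same base word or differs by only a couple of characters. The function names, the substitution table and the thresholds are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import re

# Common character substitutions folded back to letters before comparison.
LEET = str.maketrans("@$!013457", "asioleast")
MAX_EDITS = 2      # illustrative threshold, an assumption of this example
MIN_BASE_LEN = 3   # ignore empty or tiny skeletons (e.g. all-digit passwords)


def skeleton(password):
    """Lowercase, drop leading/trailing counters and symbols, undo substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def edit_distance(a, b):
    """Levenshtein distance computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def rotation_verdict(old, new):
    """Return why `new` is a slight revision of `old`, or None if it is not."""
    old_base, new_base = skeleton(old), skeleton(new)
    if len(old_base) >= MIN_BASE_LEN and old_base == new_base:
        return "same_base"   # e.g. only the year, counter or symbol changed
    if edit_distance(old.lower(), new.lower()) <= MAX_EDITS:
        return "near_edit"   # e.g. one letter swapped inside the phrase
    return None


# Constructed (old, new) pairs, not real credentials.
SAMPLES = [
    ("Summer2019!", "Summer2020!"),
    ("P@ssw0rd1", "Password2"),
    ("maple-river-42", "maple-rivet-42"),
    ("correct horse battery", "violet anchor sunrise"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        verdict = rotation_verdict(old, new)
        print(f"{old!r} -> {new!r}: {verdict or 'accepted'}")
```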

As an added authentication method, companies may add security questions. With everything on the internet, how safe are these questions? Do you really think a cyber criminal won’t be able to get your mother’s maiden name, zip code, or even the name of where you went to Middle School?

Based on a Microsoft user study to measure the reliability and security of the questions, acquaintances guess the correct answer 17% of the time and 13% of the answers can be guessed within 5 attempts using the most popular answers. Even dynamic questions, such as asking about the last payment amount, can be guessed. There is a large margin of error allowed for these questions and if the amount is consistent every month or within the vicinity of where you live, it is easier to guess.

Insufficient Executive Support

The truth is one of the main reasons for gaps in your cyber security is executive support. Awareness and education are significant when it comes to being prepared for a cyber attack. There is no longer the thought of whether your business will be attacked, but when.

It is critical that executives understand and invest in the appropriate preparations. For example, ransomware attacks are on the rise and are increasingly targeting small businesses. The attacker doesn’t distinguish between industries; every industry from medical to engineering to retail to real estate and to government agencies is at risk. When ransomware strikes, you’ll have a hard decision to make – pay the ransom or spend multiple days recovering locked files from backups. In many circumstances, businesses aren’t prepared with the appropriate security and monitoring, and don’t have the proper backup already in place.

Lack of Communication

In a survey of 674 IT and IT security professionals, the Ponemon Institute prepared a great report on this subject: Cyber Security Incident Response – Are we as prepared as we think? From this survey, lack of communication is cited as a major problem. It was reported that only 12 percent of survey respondents indicated that their organizations share cyber threat information with industry peers. Yet, 43 percent could produce unique intelligence from investigations of attacks against their organizations. In another related survey, only 20 percent of respondents indicated that executives in their organization were frequently briefed about cyber security threats to their organizations.

Cyber security isn’t perfect. As we continue to see cyber breaches in the news, we are reminded there are gaps. To understand how well prepared your organization is in handling these incidents, Boost IT can evaluate your system and implement our managed security package easily with no downtime to identify gaps and address issues, and block ransomware to help reduce your risk. We’ll work with you to make sure only authorized people can access your system and to provide appropriate backup and data recovery so you can make the best decisions in the event of a cyberattack. For more information, contact us at 404-865-1289.

Filed Under: Cyber Security Tagged With: authentication, cyber criminal, cyber security, Ransomware

How to Prevent Ransomware

May 15, 2019 by Boost IT

Do you know the one I.T. question you should be asking?

This question is directed at you. Whether you are an individual trying to secure your digital footprint or an employee/owner working for a business, do you know the one I.T. question you should be asking? We do, and we want you to know it and know how to solve for it. The one I.T. question you should be asking is: How can you prevent ransomware? In this post, Boost IT shares 5 tips on how to prevent ransomware.

The Current State of Ransomware

Virus.
Malware.
Phishing.
The dark web.
Cyber attack.
Ransomware.

Everywhere you look, I.T. security buzz words appear. From LifeLock commercials about identity theft to the latest computer popup reminder that your antivirus software needs to be upgraded, the theme of “is my information secure?” seems to resurface.

Grey’s Anatomy even dedicated its winter finale to ransomware. Hackers breached the hospital’s practice management and EMR system causing anything connected to the network to shut down; computers, electronic charts, patient monitors, labs, testing equipment, phones. The message read:

“Hello, Grey / Sloan Memorial. Currently, we control your hospital. We own your servers…your systems…your patient’s medical records. To regain access to your medical records, you need an encryption key…which only we have. You will need to pay us exactly 4,932 bitcoin to retrieve the key. Failure to pay this ransom in a timely manner will cause your records to be destroyed and your systems to be rendered inoperable.”

The hospital was given a deadline to pay the ransom. Shonda Rhimes appropriately named Grey’s Anatomy Season 14, Episode 8: Out of Nowhere. Fitting, isn’t it?

It’s easy to believe that hackers come out of nowhere.

But the reality is that hackers are everywhere, growing more sophisticated, hovering in search of weak spots that need to be secured.

While real-life authorities advise not to pay such ransoms, we acknowledge that it is a difficult decision when a life, or one’s livelihood is on the line. Ten to twenty years ago, hospitals and businesses were using paper charts and files. Today, however, nearly everything runs on the network.

Ransomware isn’t limited to TV drama. Attacks happen daily and the FBI reports that they are on the rise.

Most systems that are vulnerable to ransomware lack a layered I.T. security approach.

The city of Atlanta was faced with a similar ransomware scenario when systems were shut down by hackers requesting $51,000. The attack affected systems ranging from law enforcement, to the city water department, municipal courts, and more. The city has worked diligently to restore, but the threat is very real.

According to the FBI, ransomware is the fastest growing malware threat. Since 2016, more than 4,000 ransomware attacks have occurred daily, targeting everyone from individual users to hospitals, schools, government, SMBs and private corporations.

FBI on How to Prevent Ransomware

What is ransomware?

Ransomware is a form of malware. Hackers hold your system hostage in exchange for a ransom amount that is to be paid within a certain amount of time. Ransomware can shut down your entire network and bring business to a halt. If the ransom is not paid, your data is deleted. However, if you do pay the ransom, there are no guarantees that your system will be restored without additional malware infections.

How do we solve for ransomware?

The answer is different for an individual versus a business.

For an individual, we recommend signing up for a program called Webroot. Webroot is a cybersecurity and threat intelligence service. Their antivirus software runs on your computer and does a good job of protecting your computer with very little weight to it.

For a business, there are five things that every business needs to address to prevent ransomware.

5 Tips on How to Prevent Ransomware for Businesses


1. Secure the Perimeter.
The first layer of prevention is the perimeter. You need a device at the single point of origin where the data comes in the network that protects the entire network, including Wi-Fi. Securing the perimeter is like installing an alarm system at your office – if anything is breached, you have a reaction system in place and receive an alert to act.

2. Secure the Endpoint.
The second layer of protection from ransomware is securing the endpoint. Software should be loaded on each device within the network so that I.T. can monitor, detect and contain harmful activity.

3. Secure the Software.
Third, make sure all applications on machines are updated with the latest version and apply security patches. Securing the software is an important layer because it is designed to update, fix and improve your software by applying patches or bug fixes that improve security, usability and performance.

4. Secure the Team.
While we can create layers of I.T. security to protect the systems that are in place, you also must plan and anticipate user error. Thus, securing your end users and training for ransomware prevention is extremely important.

Ransomware often finds its way into the system via social engineering and/or phishing attempts. An attack may arrive in the form of an innocent-looking email instructing an employee to reset their password, click a link, or open an attachment. Most unsuspecting victims believe they are resetting a password to increase security. Instead, they fall victim to a ransomware infection. These traps were created to target end users.

Keep these questions in mind when considering how to prevent ransomware by securing end users:

  • Do users know how to identify phishing?
  • Can users recognize an email that is fake?
  • Are we using complex passwords?
  • Does each user have their own rather than a shared login?
  • Does each user know not to reuse the same password across different platforms?
  • Do employees keep passwords secure and out of sight rather than on a sticky note by the computers?

Therefore, anticipating common mistakes and re-training your team to increase network protection is one of the most important steps in preventing ransomware.

5. Secure the Backup.
If for some reason there is a breach or failure in the first 3 layers, securing the backup means that you have a ransomware-resistant backup & disaster recovery system in place. And don’t forget to discuss your expected recovery time with your IT group ahead of time. If you don’t have a recovery time objective (RTO), watch our video on backup and disaster recovery.

In this ransomware scenario, you would have two options: either delete all of the locked down data and restore it from clean backups, or spin up a clean copy of your entire server. Thus, the goal is to restore the system to a point in time prior to the breach.

Summary: How to prevent ransomware

In summary, when planning how to prevent ransomware, whether you are an individual or a business, make sure your I.T. security has layers.

  • 1st Layer = Secure the Perimeter.
  • 2nd Layer = Secure the Endpoint.
  • 3rd Layer = Secure the Software.
  • 4th Layer = Secure the Team.
  • 5th Layer = Secure the Backup.

The first four layers are preventative measures. When combined, these security layers significantly reduce the risk that a user’s mistake will result in a breach. The final layer, securing the backup, is the last resort.

To prevent ransomware, begin by planning against the worst-case scenario. As businesses grow more complex and rely more on technology, ransomware is becoming more prevalent. With the proper security layers in place, your I.T. group has multiple opportunities to remain on the offense.

Do you have more questions on preventing ransomware at home or at work? Let us know.

Take a quick Boost IT Cyber Security Self-Assessment for businesses to reduce your security risks.

Filed Under: Cyber Security, How To Tagged With: Ransomware

Do You Know Where Your IT is Vulnerable?

September 14, 2017 by Boost IT

You might know a few people who avoid social media because they feel their personal identity will be compromised. You might also know a few people who are hesitant to use online banking for this same reason. Most of these people have no idea how many of their devices are connected to the internet and how much they are using it. That leaves them vulnerable to a cyber attack.

While having some level of caution is healthy when using the internet, we simply can’t avoid it. Knowing where our IT is vulnerable is important to preventing a cyber attack or other serious issues.

In today’s business world, you don’t just use the Internet to surf. Your devices are connected to it all the time. Based on a research report from BI Intelligence, a total of 22.5 billion devices will be connected to the internet in 2021, up from 6.6 billion in 2016.

Last year, many people experienced how vulnerable these devices were with the DYN hack. Earlier this summer, criminal hackers exploited a flaw in ‘retired’ Microsoft software, which was not routinely updated and patched for security, to infect computers with the WannaCry ransomware. Attacks like the DYN and WannaCry ransomware illustrate how much our IT is vulnerable.

Fortunately, the impact from DYN and WannaCry was not as bad as it could have been because of security measures companies have put in place to limit the damage. This includes security measures that control access to patient records in healthcare facilities, strong password protocols that help protect bank accounts, and simple updates to software and browsers.

So, even though we hear in the news daily about hacks that compromise sensitive information, there are security measures we can take to limit the vulnerability of our IT. Those security measures are needed to protect against your biggest vulnerabilities: your hardware, your software, and, most often overlooked, your people.

Assessing your hardware

A good first step to prevent a cyber attack is to perform an assessment on your IT system. This should include a security audit that evaluates how your IT is functioning and any potential risks. Remember that whether it is a point-of-sale terminal or a video surveillance camera, cyber criminals will do anything malicious to try to get into your network and closer to your valuable data, systems, and intellectual property. And hackers love to target small businesses, despite what you may think.

Keep current with software and browsers

It is critical that you maintain your devices with continual updates of apps, software, and browsers. From your assessment, you should have a list of all your devices that connect to the internet and could be vulnerable. The best way to keep your devices current is to turn on automatic updates, anti-virus and anti-malware programs.

Take precautions when online

Even if you address all your hardware and software vulnerabilities, this is only part of the solution. You could still have issues with phishing, human error, and engineering or configuration problems. A big issue is that the tactics cybercriminals use change day to day. Anti-malware, anti-spyware, and anti-virus protections are must-have preventative security measures in a comprehensive managed security service. You also need to be wary of suspicious email, links, and websites. When something doesn’t look right, question it before installing or clicking.

With managed security services from Boost IT, we will perform an assessment of your IT security and recommend what is needed to minimize your IT vulnerability. It’s not intrusive, other than when we block the virus infections that can keep you up at night, and we can implement it with no downtime. We’ll continuously monitor your system so that you always have the proper security configurations, protection against malware, spyware and viruses, and updates to your software and browsers. For more information, contact us at 404-865-1289 or check out our IT Assessment Checklist.

Filed Under: Cyber Security Tagged With: cyber attack, Ransomware, security measures, WannaCry

Where’s My Data? The Future of Cybersecurity

June 14, 2017 by Boost IT

More businesses realize cybersecurity is a necessity. Cybercrimes are on the rise and small businesses are increasingly being targeted. Cybercriminals are becoming savvier and their attacks are becoming increasingly complex. The need to stay on the forefront of information technology and IT skills development increases. Just as important is the need to be prepared and ready to respond to a threat and minimize the damaging effects.

In our last blog Cyberattacks: Why Hackers Target Small Businesses, we talked about the realistic possibility of a cyberattack. While the initial phases of diverting an attack in cybersecurity involve intrusion detection and secure software development, there will always be a risk that will get through even the best detection and development technology.

It’s no longer a question of if you will have a cyberattack but when and how you will counter it. Therefore, it’s critical that cybersecurity include risk identification and mitigation, and cloud security. These areas involve identifying risks, creating a plan of reaction and mitigation, and protecting data. It may sound complicated, but Boost IT has a managed security service that is a simple fix.

Risk Identification and Mitigation

A scary form of attack is cryptolocker, a particularly nasty type of ransomware where your computer and network are hijacked, the data is encrypted, and the cybercriminal demands a fee to unlock it. For more in-depth information, refer to the article The Ransomware Nightmare and Its Real Cost.

It costs companies large amounts of money and can take up a lot of time to unlock hijacked computers after a ransomware attack. Once you get the key, there is no guarantee you’ll get access to your data back. In some cases, your data is wiped clean.

Cryptolocker is one of the biggest risks businesses identify when it comes to data protection. By recognizing the need to plan and developing a risk mitigation plan, businesses can evaluate ways to react by developing a plan of action that helps to reduce the threat.

When developing a plan, the question often asked is, “Where is the data?”

Access to data by only those authorized is vital for the continued operation of the business. Therefore, cybersecurity professionals look at all ways to counterattack and protect the data from a breach so you know exactly how to respond to a threat and thus minimize the damaging effects.

Cloud Security

Knowing how your data is stored, who has access to it and how it is protected is extremely valuable knowledge in the face of cyber risk. Therefore, the future of cybersecurity involves more than preparation and planning against an attack. It involves taking precautions to safeguard your data so it will not be compromised and/or can be recovered in a minimal amount of time so you and your employees can get back to business.

As part of a cybersecurity measure, businesses are increasingly migrating to the cloud for data storage. This helps them to access their data at anytime, anywhere. It eliminates the question of where their data is. But it also causes businesses to rely more on the cloud providers to safeguard their data. However, as the cloud infrastructure develops, it becomes a more lucrative target for cybercriminals. Boost IT has ransomware-resistant cloud products.

As attacks become more possible on cloud systems, the knowledge in cloud security is continuously growing. Keeping up with the complexity and continuous training on cybersecurity is necessary. That is why many businesses are outsourcing cybersecurity to Boost IT. We stay on top of the innovative ways to combat cyberattacks and protect your data. To learn more, contact us at 404-865-1289.

Filed Under: Cyber Security Tagged With: cloud security, cyberattacks, cybersecurity, Ransomware, risk identification
