Cryptoviruses are Killing Small Businesses

Cryptoviruses are malicious software programs written to deny a user access to their files. They're usually downloaded as an email attachment. If executed, they seek the hard disk for user-generated content (Excel files, Word docs, txt files, PDF files, etc.) and encrypts them; that is to say that the program scrambles the data and makes the file totally worthless.

That's pretty bad. Still, what's worse is that the virus doesn't stop looking at files on the local hard disk. It will also encrypt whatever it can on a network file share, or, an attached USB storage device (like an external hard drive).

When the user tries to open up the content, the virus may even display a message requiring the user to drop money into a Paypal or Bitcoin account as a form of ransom. Further, trying to open up the content may trigger the virus all over again as to re-process encryption on new documents.

Here's the deal: there's virtually no recovery from this and it's really bad juju for the small business. Even local backups against locally-attached USB hard drives will be affected. And it's not like this stuff is going away. These kinds of attacks are only going to increase this year.

Cryptoviruses represent an enormous threat to small businesses because they usually don't have the expertise to recover their files quickly, and, a complete loss of their files is an absolute loss of intellectual property. Hopefully, they won't actually pay ransoms because it only encourages more malicious software, and, they're helping to fund the virus-writers.

The files affected by a cryptovirus will be utterly lost unless:

1. The user has enabled a shadow volume on their Windows computer and/or server with sufficient drive space to go back in time x-number of days prior to the infection. 

2. The user/firm has deployed an online backup product. The online backup product has copies of user files securely on another computer outside the network from which backups can be recovered.

The situation is pretty bad if neither of these options are available to the technician attempting to recover this data.

In my opinion, there's a range of controls that need to be implemented in order to help safeguard small businesses from these devastating forms of malware.

Administrative Controls: Small businesses need strong policies controlling user behaviors, especially surrounding the use of USB (thumb) drives and personal email systems. Thumb drives bypass our Technical Controls and place a file directly on the system; private email systems cannot be monitored and filtered, and stuff transmitted across them can't be controlled. Users should be prohibited by company policy from using these kinds of technologies on work assets; if they want to check personal email, they should use their own phone. Finally, training: users should be trained on how to spot errant programs and suspicious attachments and taught not to open them.

Technical Controls: Certainly we can implement Technical Controls that prevent the user from using USB sticks, and, from accessing private email accounts (like filters on our firewall). We can also implement strong filters on our corporate email service to help screen viruses and spam. We can use modern web-based mail systems that prevent downloading of suspicious attachments. We can implement antivirus on our workstations. We can set mandatory shadow volume settings on workstations and file servers. We can centralize file management to a single set of repositories (like a server or a NAS appliance). And we can implement an online backup product against those repositories to allow for offsite recovery.

I help my clients with many of these things as a strategy for countering cryptovirus threats. I help my clients:

  • Develop Administrative policies and procedures to safeguard their IT assets
  • Implement the Technical Controls necessary to execute their Administrative directives
  • Audit the system and implement corrective actions to ward against evolving threats

The threat of cryptoviruses isn't insurmountable. They can be planned for. But that's just it: they must be anticipated and planned for. If their risk isn't managed, there's nothing that'll help the small business if they're hit by one of these attacks. Recovery is very difficult if not impossible.