Ransomware – How Do I Keep My ERP Data Safe?

According to CEBR and Veracode, cyber-attacks cost British industry £34bn a year, and close to seven out of ten of all attacks on businesses involve viruses, spyware or malware. It’s these sorts of alarming figures that highlight the importance of cyber-security within the work place. As we usher in the dawn of Industry 4.0 and begin to realise the importance of Big Data and the role it plays within the factory of the future, so too have criminals. Gangs of cyber-criminals are hacking into business computers, restricting access to mission-critical systems and demanding money in exchange for access to be returned – effectively holding vital business data to ransom.

What is Ransomware?

Ransomware is an infiltratory piece of software designed to lock the user out of their computer by encrypting the files. The user is typically given a time period within which to pay a fee, in exchange for the decryption keys required to restore the files. If the fee is not paid, the hacker will delete everything on the computer. Due to the disruption ransomware can cause, and the need to get business back to normal fast, 58% of UK companies surveyed pay up rather than seek an alternative. However, this is definitely not advised! Not only does payment encourage the hackers to continue but it doesn’t actually guarantee that any data withheld from your ERP system, will be returned to you. Even if it is, it could well have already been compromised. In some cases, ‘back doors’ can be left open so hackers can regain access whenever they wish. The fee demanded can range dramatically, however the UK average currently stands at £525. The victim would be instructed to pay the balance by a non-traceable medium, such as bitcoin or MoneyGram, making the criminal difficult to track down.

Why Do Hackers Use Ransomware?

Quite simply, it is just to extort money out of people and businesses. Ransomware does not discriminate, the more computers infected, the more money can be made. Of course not everyone pays, but it’s a numbers game. In most cases the fee demanded will be reasonable, resulting in many people viewing paying the ransom as the better option as opposed to the inconvenience and costs associated with buying new hardware and losing vital business data.

Types Of Ransomware

It may come as no surprise that the world of ransomware doesn’t sit still. In fact, analysis from global security software company, Trend Micro has discovered an increase in ransomware families of  752% in 2016 alone! Even the once invincible Apple saw a 145% increase in vulnerabilities in 2016.

That being said, the current main offenders are still; CryptoWall, CTB-Locker and TorrentLocker.
A CryptoWall is written in JavaScript and targets the Windows operating system. They are sent via e-mail, disguised as a JPG and will create new instances of explorer.exe and svchost.exe to communicate with the servers and avoid detection. It will install three copies of itself; in the application data folder (where valid files store data), the start-up folder (programmes that will automatically load with a restart), and a randomly named folder on the root drive. A CryptoWall doesn’t activate immediately. It will wait until it has connected to the encryption servers run by the hackers and received a scrambling key in return.
CTB-Locker stands for “Curve-Tor-Bitcoin”. It uses an elliptic curve encryption scheme, is hosted on the Tor network and uses Bitcoin for the ransom payment. It is very similar to the CryptoWall virus but unlike the CryptoWall, doesn’t need an internet connection to begin encrypting your files.
The TorrentLocker sends out e-mails designed to look as if they have been sent from a telecoms or postal service provider, informing the victim they have a document to download. The e-mail addresses used are harvested from infected machines. A TorrentLocker will take contacts from the victim’s address book and then send the same ransomware onto an ever expanding chain of victims. A TorrentLocker will claim to be a CryptoLocker when the lock screen appears and also on the payment page, however it is the harvesting of e-mail addresses and ‘Torrent’ being written as the first registry key that defines it.

Another, particularly nasty, form of ransomware is Popcorn Time malware. This gives you the opportunity to have your files unlocked for free; but only if you send it on, and successfully infect two other users whom then pay the ransom. This is particularly effective as it can be tailored to appear more genuine than an automated ransomware attack, and only needs to infect a user who’s short on either money or morals to become the most widespread malware around.

How To Protect Your Business Against Ransomware

  1. Regular Back-ups: The best protection is also the simplest; regular back-ups! Having multiple copies ensures your important business data can’t be held to ransom. Cloud services should back up automatically, meaning it’s a weight off your mind but you should also make the effort to back up to a physical drive too! A good cloud provider is incredibly secure but always connected. By backing up data on an extra laptop or external hard drive, disconnected from the internet, you are 100% protected from cyber-attack. Just don’t lose the hard drive! Although, just because your data is fully backed-up, this doesn’t mean you can neglect tip number two!
  2. Anti-virus Software: A no brainer really. Anti-virus software is the first line of defence to make sure the stringent back-ups are never needed. A quality, up-to-date, anti-virus will regularly scan your system for known threats and then expel them. Amazingly, it is able to recognise unknown threats too. Ransomware behaves in a ‘typical’ way which is for the code to ‘hide’. It’s this typical behaviour that the antivirus searches for. As effective as anti-virus can be, unfortunately, it’s not perfect. Recently a malware virus was discovered that had been hiding on an ‘unspecified government organisation’ for five years!
  3. Application Control: Research from CyberArk found that 90% of ransomware can execute without administrator rights. This means ransomware doesn’t need explicit permission to make changes before encrypting files. However, the same research discovered that when application control is combined with the removal of local administrator rights, it is completely effective in preventing ransomware attacks.
  4. Blockchain: IoT connected devices are being seen as the easiest point of entry into a computer system and with the rise of Industry 4.0, more and more IoT devices are making their way into the factory. An IoT platform built on a blockchain would mean you can securely automate your factory. The complexity of a blockchain is what makes it incredibly secure. For a cyber-attack to be successful, the hacker would need to have access to every copy of the database simultaneously. Spreading the database across a network on multiple computers makes this an almost impossible task. Ironically, Bitcoin – a favourite payment methods of hackers – is the most famous example of a blockchain.
  5. Staff Education: Another simple ransomware prevention is to educate all your staff on ransomware and how it infects a computer system. A ransomware attack is typically delivered by e-mail, as an executable file (.bat, .com, .exe, .bin), an image or even a link to a website. Opening the file releases the ransomware into your system. It’s important to be cautious with any e-mail that is even slightly out of the ordinary, even official looking ones can be from a malicious source. If the e-mail does get opened and then you realise it’s from an untrustworthy source, delete it immediately and definitely don’t click on anything! If in doubt, don’t.

If you suspect you have become a victim of ransomware, www.nomoreransom.org is a fantastic resource for checking files for malicious content and reporting malware.

1 reply

Trackbacks & Pingbacks

  1. […] a certified vendor isn’t a watertight solution to your cyber-security! Some threats, such as ransomware, come via your e-mail […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

  • Contact Us

    : Head Offices.
    Baltimore House,
    50 Kansas Avenue,
    Manchester. M50 2GL.
    : +44 (0)161 876 4498
  • Connect With Us

  • Brochure Download