Ransomware: What You Need to Know Now

The internet is an amazing, useful and often wonderful thing. It’s also a giant mess. For every resource it gives your business that helps you succeed, it also offers a threat. Not-safe-for-work embarrassments aside, there are some genuine dangers on the internet that can destroy even the strongest businesses. Perhaps the ultimate bogeyman today is ransomware. There’s no gentle way to say this. You need both preventative and responsive measures in place to deal with ransomware, and you need them today.

We have a great deal of first-hand experience helping companies get beyond malware attacks. The pain we have seen is completely frightening. In the interest of seeing a bit less of this, here are a few thoughts on the subject.

What Is Ransomware?

In short, ransomware is a specific category of malicious software. As the name suggests, it involves holding digital assets hostage for a ransom. To put it in simpler terms, the malicious software will lock you out of accessing some or all data or applications on the infected device. It’s pretty easy to see how crippling this can be to any business. What’s even scarier is that ransomware can, and usually does, spread across your network.

Who Is at Risk?

Technically speaking, any device that has access to the internet is at risk for a ransomware attack. In practice, it’s not quite so bleak. Cybercriminals use this tactic to make money, so they’re going to target victims who have the money to pay the ransom and are more likely to do so. This means that every operating business in the world is a potential target. Businesses in industries that are particularly data dependent are the biggest targets of all. This includes health care and, ironically, tech companies.

Chances are that you invest a pretty penny in keeping your network and data safe. That’s a great thing, but even leading IT experts have fallen victim to ransomware. The problem is that crafty criminals exploit human error in order to get past security. If you employ more than one person, your personnel increase your risk of getting hit by an attack.

You might rush to retrain your staff and work on preventative measures, and that can work, but it’s important to understand the simple way a lot of ransomware gets past security. It asks for permission, and if a user isn’t paying attention, they can grant that permission. Obviously, there’s a lot more going on behind the scenes to beat your firewall and software security, but this is an important part of the equation. Human error is inevitable, and it can eventually expose your network to ransomware.

There’s an additional risk factor with all malware, and it’s probably the most important. Anyone who pays a ransomer is immediately at higher risk for a repeat attack. If you’re willing to pony up the cash, then you’re the best person to target with more ransoms. It’s a simple cost/reward analysis for the criminals.

This all applies to your personal devices and network, by the way, so there’s an extra reason to pay attention.

How Do You Deal With It?

OK. If you shouldn’t pay the attackers, how do you deal with the ransomware? The first step is to remove the malicious software. Your IT team should be able to handle this part pretty easily (most of the time). Unfortunately, that easy step of removing the software won’t unlock your data. It will only prevent the problem from expanding. Once data is encrypted, your options are limited. You can trust that cybercriminals are using powerful encryption algorithms to make sure you must pay them. It’s extremely unlikely that you can force the vault open without spending exorbitant sums of money and time. Brute force simply isn’t an option.

Now, if you’re in a tight spot and you need that data, you’re going to be tempted to pay the attackers. It’s important to remember that the people who illegally infiltrated your computer are operating on the honor system. You have absolutely no guarantee that paying them will result in getting your data back. In fact, many ransomware processes corrupt data. Remember, too, that paying makes you a more likely target in the future. Paying a ransomer is often tantamount to throwing money away.

As frustrating as it is, this is another case where the best defense is a good offense — sort of.

Backups, Backups and More Backups

The best way to deal with ransomware is to never get it in the first place. Make sure personnel do know the basics. Don’t talk to strangers. If you don’t recognize the sender of an email, don’t download the attachments. Likewise, don’t give permission to strange websites or unknown applications to make changes to your system.

And when presented with a log-on screen in a browser, ALWAYS look at the URL in the address bar:

(Image: avoiding ransomware)

Be sure this is someone you know and trust – and beware of subdomains. It is the rightmost part of the host name, not the leftmost, that tells you who controls the site. For example:

bla-bla-bla.microsoft.com is safe, because the final part, “microsoft.com”, determines where you are.

microsoft.ei.com is almost surely DANGEROUS, because the final part is “ei.com”, and whoever owns ei.com can name a subdomain “microsoft” at will.
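The subdomain rule above can be checked mechanically. The following is an added example, not code from the original post: it extracts the registrable domain (the rightmost labels that identify the owner) from a login URL and compares it against a trust list. The trust list and the tiny table of multi-label public suffixes are assumptions for illustration; a real check would use the full Public Suffix List.

```python
# Added example (not part of the original post): judge a login URL by its
# registrable domain rather than by whatever appears at the left of the host.
from urllib.parse import urlsplit

# Assumed trust list for illustration only.
TRUSTED_DOMAINS = {"microsoft.com", "office.com"}

# Constructed, deliberately small sample of multi-label public suffixes.
# The real Public Suffix List (publicsuffix.org) is far longer.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of `host` that says who controls it.

    'bla-bla-bla.microsoft.com' -> 'microsoft.com'
    'microsoft.ei.com'          -> 'ei.com'   (the owner of ei.com chose 'microsoft')
    'login.example.co.uk'       -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    # When the last two labels are themselves a public suffix (e.g. co.uk),
    # the registrable domain is three labels long.
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_trusted_login_url(url: str) -> bool:
    """True only for HTTPS URLs whose registrable domain is on the trust list.

    urlsplit().hostname strips userinfo, so 'https://microsoft.com@evil.example/'
    is judged by 'evil.example', not by the decoy before the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) in TRUSTED_DOMAINS


if __name__ == "__main__":
    # Constructed sample URLs, including the two from the text above.
    for u in [
        "https://bla-bla-bla.microsoft.com/login",
        "https://microsoft.ei.com/login",
        "http://login.microsoft.com/",
        "https://microsoft.com.evil.example/",
        "https://microsoft.com@evil.example/",
    ]:
        print(u, "->", "trusted" if is_trusted_login_url(u) else "NOT trusted")
```

The same logic belongs in a mail gateway or a browser extension that warns before credentials are typed; note that plain HTTP is rejected outright, since a genuine Microsoft login page will never be served without TLS.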

Every single device that connects to the network needs active antivirus and malware protection software. GDV provides the best security posture of any cloud-based DR solution. We extend LogRhythm, a Gartner Magic Quadrant SIEM solution, combined with BitLyft, an automated, AI-based remediation solution, to all customers’ backup repositories. This enables GDV to detect and shut down brute force attacks, unauthorized process execution, improper data movement, unexpected encryption (such as from a malware attack) and other serious security threats.
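One concrete form of the “unexpected encryption” detection mentioned above is an entropy check on the files a backup agent sees. The following is an added example written for this page, not GDV’s, LogRhythm’s or BitLyft’s code: it compares two snapshots and flags files that have turned from ordinary content into ciphertext-like blobs. The snapshots, the `pseudo_ciphertext` stand-in for encrypted data and the thresholds are all constructed for the example.

```python
# Added example (not part of the original post): baseline-vs-current entropy
# comparison that flags files which suddenly became high-entropy blobs, the
# signature of mass encryption by ransomware.
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file.
    Constructed for the example: a SHA-256 hash chain, not real encryption."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def suspicious_changes(baseline, current, high=7.5, jump=2.0):
    """Paths whose entropy is now >= `high` bits/byte after rising by >= `jump`.

    Requiring a jump, not just a high value, avoids flagging archives and
    images, which are high-entropy in both snapshots. A file that is new in
    `current` has baseline entropy 0, so a new high-entropy file is flagged.
    """
    flagged = []
    for path, data in current.items():
        before = shannon_entropy(baseline.get(path, b""))
        after = shannon_entropy(data)
        if after >= high and after - before >= jump:
            flagged.append(path)
    return sorted(flagged)


def mass_encryption_alert(baseline, current, ratio=0.5):
    """Alert when at least `ratio` of the files changed into ciphertext-like blobs."""
    flagged = suspicious_changes(baseline, current)
    return len(flagged) / max(len(current), 1) >= ratio, flagged


# Constructed snapshots: what the agent saw yesterday and what it sees today.
TEXT = b"Quarterly report: revenue up 4%, headcount flat, renew support contract.\n" * 60
BASELINE = {
    "docs/report.docx": TEXT,
    "docs/budget.xlsx": TEXT,
    "docs/notes.txt": TEXT,
    "archive.zip": pseudo_ciphertext(b"zip", 4096),  # legitimately high entropy
}
CURRENT = {
    "docs/report.docx": pseudo_ciphertext(b"r", 4096),  # encrypted by the attacker
    "docs/budget.xlsx": pseudo_ciphertext(b"b", 4096),  # encrypted by the attacker
    "docs/notes.txt": TEXT,                             # untouched
    "archive.zip": pseudo_ciphertext(b"zip", 4096),     # unchanged, so not flagged
}

if __name__ == "__main__":
    alert, files = mass_encryption_alert(BASELINE, CURRENT)
    print("ALERT" if alert else "ok", files)
```

In production the same comparison runs per backup job over file hashes and sizes as well, and an alert should pause replication so that the encrypted versions do not overwrite the last clean copies in the repository.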

But, as we’ve said, prevention isn’t foolproof. There is only one way to be completely sure that you can beat ransomware. You have to have reliable backups. In IT, we’ve called it the “3-2-1-1 rule” for a long time. Perhaps we should start calling it the “law of 3-2-1-1” instead. Here is what we believe: for all your data, you should:

3 – Have at least three copies,

2 – Store the copies on two different media types,

1 – And keep one backup copy offsite,

1 – And finally keep one OFFLINE,

and use a professional cloud backup provider. The additional “1 OFFLINE” is what we call the air-gapped copy. For those of you who aren’t IT experts, the air-gapped, local backup is tape, a flash drive, an external hard drive, or even a data server that is powered OFF. Unless it is actively updating its copy of your data, this copy should be completely disconnected from your network and other devices – and have no power!

(Image: protecting against ransomware using the 3-2-1 rule)

The idea is that a physical barrier (air) exists between this backup and any device that could potentially infect it. It’s then your ultimate get-out-of-jail card.
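The 3-2-1-1 rule is easy to state and easy to drift away from, so it is worth checking against an actual inventory. The following is an added example, not part of the original post: a small compliance check over a list of backup copies that reports which parts of the rule are unmet and whether each copy has a recent restore test. The inventories and the 90-day test window are constructed for the example, and it assumes the inventory includes the primary production copy as one of the three.

```python
# Added example (not part of the original post): evaluate a backup inventory
# against the 3-2-1-1 rule and against a restore-test freshness window.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class BackupCopy:
    label: str
    media: str                     # e.g. "disk", "tape", "cloud-object"
    offsite: bool
    offline: bool                  # air-gapped: no network and no power between update windows
    last_restore_test: Optional[date]


def check_3_2_1_1(copies: List[BackupCopy], today: date,
                  max_test_age_days: int = 90) -> Tuple[bool, List[str]]:
    """Return (compliant, findings). Compliant means every finding list is empty."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; rule requires at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline (air-gapped) copy")
    # A backup that has never been restored is an assumption, not a backup.
    stale_after = today - timedelta(days=max_test_age_days)
    for c in copies:
        if c.last_restore_test is None or c.last_restore_test < stale_after:
            findings.append(f"{c.label}: no restore test in the last {max_test_age_days} days")
    return not findings, findings


# Constructed inventories (assumed dates).
TODAY = date(2018, 9, 10)

COMPLIANT = [
    BackupCopy("production SAN", "disk", offsite=False, offline=False,
               last_restore_test=date(2018, 8, 20)),
    BackupCopy("cloud repository", "cloud-object", offsite=True, offline=False,
               last_restore_test=date(2018, 8, 20)),
    BackupCopy("weekly tape", "tape", offsite=False, offline=True,
               last_restore_test=date(2018, 7, 2)),
]

# Same site minus the tape: a setup that looks fine until ransomware reaches
# the cloud repository through the still-connected production credentials.
NO_AIR_GAP = COMPLIANT[:2]

if __name__ == "__main__":
    for name, inventory in [("compliant", COMPLIANT), ("no air gap", NO_AIR_GAP)]:
        ok, findings = check_3_2_1_1(inventory, TODAY)
        print(name, "->", "PASS" if ok else "FAIL", findings)
```

Running it against the second inventory reports both a missing third copy and a missing offline copy; the media and offsite parts of the rule are satisfied, which is exactly why such a setup feels safer than it is.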

If you are disciplined in the rule of 3-2-1-1, then defeating ransomware gets a lot easier. Once the malicious software is removed, you can delete the encrypted (and probably corrupted) copy and simply replace it with one of your backups. The best part is that this protects you from a lot more than just malicious software. Device failure, disasters, emergencies and anything else that can threaten your data will have a hard time getting all three copies of your stuff at once.

That about covers it. Keeping up with the names and specific details of ransomware attacks would be daunting. Stick to the best practices and your line of defense is solid.

The Case for Office 365 Backup

In the wake of Microsoft’s September 4 – September 5 South Central U. S. outage for Office 365 and Azure, it’s worth asking, should you be concerned with backup of your Office 365 data?

It’s your data, and while Microsoft normally does a good job with protecting it, it’s ultimately your responsibility. If it’s lost, especially if it’s not lost as a result of their failure, don’t expect Microsoft to race off to your rescue.

Learn more about the risks associated with Microsoft hosting your email and a protection strategy here.


Counting down the worst cyber security breaches of 2018 – #4

Fitness apparel manufacturer Under Armour gave us a good example of how companies can try to protect their users’ data but often fail to fully cover everything that needs protecting. The information that was stolen from Under Armour is minor compared to some of the data stolen from other companies that were hacked, but it still gives us a closer look at what hackers target, and that is why it makes our list of the worst breaches of mid-year 2018. It’s a solid reminder that any security breach of this magnitude is significantly detrimental.

In late February of this year, Under Armour announced that its MyFitnessPal app had been hacked. With nearly 150 million users on the platform, the affected information included usernames, email addresses, and hashed passwords – the majority had been protected with the strong hashing function called bcrypt, but other exposed information, including usernames and email addresses, was protected by easier-to-crack SHA-1 hashing.
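The lesson of the bcrypt/SHA-1 split is that a credential store with two hashing schemes is only as strong as its weaker one, and the remedy is to find the legacy records and re-hash them the next time each user logs in. The following is an added example, not code from Under Armour or from the original post: it audits a constructed store for unsalted SHA-1 records and upgrades them on a successful login. Because bcrypt is a third-party package, the example uses `hashlib.scrypt` from the standard library as the slow, salted replacement; the record format and cost parameters are assumptions for the example.

```python
# Added example (not part of the original post): detect legacy unsalted SHA-1
# password records and upgrade them to a salted, slow hash on successful login.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

LEGACY_PREFIX = "sha1$"
SCRYPT_PREFIX = "scrypt$"
N, R, P, DKLEN = 2 ** 14, 8, 1, 32  # scrypt cost parameters (assumed for the example)


def legacy_sha1_record(password: str) -> str:
    """Construct an unsalted SHA-1 record of the kind the breach exposed.
    Only here to seed the demo store; never create new records this way."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def make_scrypt_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt record: 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"{SCRYPT_PREFIX}{salt.hex()}${digest.hex()}"


def is_legacy(record: str) -> bool:
    return record.startswith(LEGACY_PREFIX)


def verify(record: str, password: str) -> bool:
    """Constant-time comparison for both record formats; unknown formats fail closed."""
    if is_legacy(record):
        expected = record[len(LEGACY_PREFIX):]
        actual = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(expected, actual)
    if record.startswith(SCRYPT_PREFIX):
        _, salt_hex, digest_hex = record.split("$")
        actual = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=N, r=R, p=P, dklen=DKLEN)
        return hmac.compare_digest(bytes.fromhex(digest_hex), actual)
    return False


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, str]:
    """Check the password; on success, replace a legacy record with a scrypt one.

    The plaintext is only available at login, which is the one moment a
    legacy hash can be migrated without asking users to reset passwords.
    """
    if not verify(record, password):
        return False, record
    if is_legacy(record):
        return True, make_scrypt_record(password)
    return True, record


def audit(store: Dict[str, str]) -> List[str]:
    """Usernames whose stored record still uses the legacy scheme."""
    return sorted(user for user, rec in store.items() if is_legacy(rec))


if __name__ == "__main__":
    # Constructed store with one legacy and one modern record.
    store = {"alice": legacy_sha1_record("correct horse"),
             "bob": make_scrypt_record("battery staple")}
    print("legacy records:", audit(store))
    ok, store["alice"] = verify_and_upgrade(store["alice"], "correct horse")
    print("alice login ok:", ok, "| legacy records now:", audit(store))
```

The audit function gives the number a security team actually needs after an incident like this one: how many accounts remain on the weak scheme, so that those users can be forced through a reset if they do not log in within a set period.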

This article by Wired explains how Under Armour “had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials.” Under Armour had protected passwords, but failed to protect all of them, which led to customer data being stolen.

What happened after the hack is paramount. Under Armour had to conduct forensics to determine what was stolen, what data was vulnerable, and what was protected. But all that accomplished, really, was to let users whose information was stolen know that it was stolen. It’s unfortunate, but there is not much more that can actually be done. High-profile hacks such as the UA event shine more light on the questions about the overall security of your data and, more importantly, how you will recover from a disastrous event. If Under Armour had a good backup copy of its data, it could best assess what was compromised and begin the best course of action toward recovery. It begins with a good backup and disaster recovery plan.

Global Data Vault’s Mid-Year Count-Down of the Worst Cybersecurity Breaches

Number 5: VPNFilter

More and more, our business environments are connected to the cloud. The transmission of data and the speed at which it can be accessed are critical to business intelligence and competitive advantage. When that data becomes attractive to hackers, the vulnerability also becomes the biggest threat to a company’s livelihood. 2018 has seen a number of newsworthy cyber security breaches to date, and GDV is highlighting the top few in a series of blog posts, starting with #5: VPNFilter.

Last month, it was discovered that hackers working for the Russian government had infected more than 500,000 consumer-grade routers worldwide. The attack began by using a type of malware called VPNFilter which can be used to create a huge botnet. It can also spy on and change web activity on compromised routers.

This article by Ars Technica gives an example of how the attack can affect networks: “It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.”

What’s worse, a senior executive at Talos says the hackers are now manipulating everything that travels through the device as well.

This attack taking place on routers around the world is still ongoing and we find out new information each day about the effects and consequences of the VPNFilter campaign.

You might be asking yourself if your router was one of the thousands infected with the malware. We have a list of the devices below. The bigger question is: if not now, then when you do become the victim of a malware attack, how would you protect your data?

The best way to prevent any loss of data or any sensitive information is to ensure your data is protected by backing up. In these examples where we see infected devices, a simple backup of all data could save you hours of resources to re-establish a clean data set.

List of known infected devices, as listed by Ars Technica:

Asus Devices:

RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:

DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:

HG8245 (new)

Linksys Devices:

E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)

Mikrotik Devices:

CCR1009 (new)
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:

DG834 (new)
DGN1000 (new)
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:

TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:

TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:

NSM2 (new)
PBE M5 (new)

Upvel Devices:

Unknown Models* (new)

ZTE Devices:

ZXHN H108N (new)

VeeamON 2018

Who’s going to #VeeamON 2018?

Register here.

Please let us know if you will attend. We’ll be there in force. Here is what you can accomplish at VeeamON 2018:

• Gain Access to over 60 breakout sessions covering the latest in data management and Hyper-Availability
• Connect with experts and get hands-on experience with Veeam Solutions
• Attend VMCE trainings or sit for your VMCE certification onsite during the conference
• Discover Solutions in Veeam’s Partner Expo Lounge where over 50 sponsors will be exhibiting
• Network with peers and industry experts to learn what is and is not working best in their industries

Hope to see you there,



Don’t Let the Reaper Get Your Data

According to a recent article in the Wall Street Journal, concerns are escalating over one of North Korea’s three major hacking organizations because of both its adeptness and sheer brazenness. APT37, aka “Reaper,” is a hacking group well known for attacking South Korea, but it has since moved on to attack companies in Japan, Vietnam and the Middle East. What is especially noteworthy about its recent slew of attacks is the heightened level of sophistication — and that the group has made little effort to disguise its bad deeds.

Cybersecurity company FireEye, Inc. monitors Reaper’s attacks, and in a report issued earlier this month reveals that Reaper is utilizing a toolset that includes access to zero-day vulnerabilities and wiper malware. Reaper has shown a preference for hacking information within companies in the automotive, aerospace, chemicals, and health care industries. It also recently attacked South Korea after discovering a vulnerability in Adobe Flash, which it used to install malware on the computers of users who opened the corrupt Adobe Flash files.

FireEye squarely points the finger at the North Korean government as the true face of Reaper due to malware development artifacts and targeting that supports state interests. FireEye claims to easily trace these attacks back to the Pyongyang IP addresses that Reaper has been using.

Reaper is just one of a growing collection of hacking groups linked to North Korean leader Kim Jong Un’s regime, including “Lazarus,” which the US blamed for the Sony Pictures Entertainment data theft in 2014. Bloomberg Technology posits that North Korea has been widening its cyber-operations to gather cash and intelligence to offset the penalties of international sanctions. The sanctions against North Korea have been on the rise, yet North Korea seems unconcerned and continues to ramp up attacks on foreign countries.

Whether your company is a Reaper target or potentially attractive to another cyber-criminal, attacks are on the rise. Being vigilant within your own company is mission-critical to prevent losing data. The best defense against a cyber-attack is to have a comprehensive and tested disaster recovery plan in place that includes an air-gapped backup. You may still be vulnerable to cyber threats, but your day-to-day impact is significantly minimized.