How to mitigate the risk of ransomware

Posted on September 26, 2017

An account of a situation recently experienced by one of our customers.

« This is a cautionary tale about the internet and the dangers of exposing your control and optimization systems to it needlessly.

A few months ago, one of our clients called our service department about an electrical storm taking out some of their computers. At first we worked over the phone with the client, but something was peculiar, so we decided to send a technician to assist them on site. Upon his arrival, he immediately found that the storm had nothing to do with it. They had been infected by a ransomware virus, and not just the four initial PCs, but every one of them.

This was a Monday evening; by Tuesday morning we’d purged and restored all of the PCs involved. The LAN backups the client had were also being ransomed, and so were lost to us. They had no external backups, or printed copies, of their parameters. At that point, there was only one course of action: our service and engineering teams worked non-stop to reformat and reload the system from scratch, and six hours later, Tuesday afternoon, they were operational again.

From this impacting incident, there are many lessons that should be passed on to our customers in order to mitigate the risk of being ransomed or infected by malicious viruses or worms. »

First off, here are some good practices for protection against viruses (ransomware or other types):

  • Ensure that the operating systems of the computers that have access to the Internet are up to date with Microsoft security updates. Microsoft's bulletin MS17-010 addresses the vulnerability exploited by the « WannaCry » ransomware.
  • The following Microsoft article lists the knowledge base (KB) article numbers to consult for the corrective updates, their release dates for the different operating systems, and how to check that they are installed.

https://support.microsoft.com/en-us/help/4023262/how-to-verify-that-ms17-010-is-installed

  • More specifically, for Windows 7 the fix is in KB4012215 (March 2017 security rollup).

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012215
From the catalog, select the package that matches the operating system. The majority of the computers in Autolog systems run Windows 7 x64 (64-bit).

  • Systems installed over the last year run Windows 10. Microsoft recommends using Windows Update directly to obtain the latest updates; otherwise, the same method as for Windows 7 (downloading the package from the Update Catalog) may be applied.
  • Antivirus and antimalware software may also be used, but it must be configured appropriately so that our systems continue to operate correctly. Autolog can assist in ensuring that the setup is optimal for the performance and operation of the system.
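A quick way to check the point above on each PC is to ask Windows itself whether the MS17-010 update is installed. The script below is an added example written for this post, not an Autolog tool or a Microsoft script. It assumes that KB4012215 (the Windows 7 rollup named above) is the only KB checked by default; the IDs for other operating system versions must be added from Microsoft's verification article. It also reports the version of srv.sys, the SMB server driver that the update replaces, because a machine that received only a later cumulative rollup will not list KB4012215 even though the fix is present; the article's version table is the reference to compare against in that case.

```powershell
# Added example (not an Autolog or Microsoft script): report whether the MS17-010 fix
# appears to be present on the local host. Written to run on Windows 7's PowerShell 2.0
# as well as on Windows 10.

function Test-Ms17010 {
    param(
        # Hotfix IDs that carry the MS17-010 fix for the OS versions in use.
        # KB4012215 is the Windows 7 rollup named in the post; add others from Microsoft's article.
        [string[]]$HotfixIds = @('KB4012215')
    )

    # Windows 7 ships with PowerShell 2.0, so use Get-WmiObject rather than Get-CimInstance.
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Get-HotFix lists installed updates (Win32_QuickFixEngineering). With
    # -ErrorAction SilentlyContinue it returns nothing instead of failing when no ID matches.
    $found = @(Get-HotFix -Id $HotfixIds -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })

    # srv.sys is the SMB server driver that MS17-010 replaces. Its file version is what
    # Microsoft's verification article compares against, and it stays meaningful when a
    # later cumulative rollup was installed instead of KB4012215 itself.
    $srvPath    = Join-Path $env:windir 'System32\drivers\srv.sys'
    $srvVersion = 'srv.sys not found'
    if (Test-Path $srvPath) {
        $srvVersion = (Get-Item $srvPath).VersionInfo.FileVersion
    }

    # Only a listed KB is a definite "yes"; otherwise the srv.sys version decides.
    $verdict = 'KB not listed: compare SrvSysVersion with the table in the Microsoft article'
    if ($found.Count -gt 0) { $verdict = 'MS17-010 hotfix installed' }

    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        OS            = $os.Caption
        Architecture  = $os.OSArchitecture
        HotfixFound   = ($found -join ', ')
        SrvSysVersion = $srvVersion
        Verdict       = $verdict
    }
}

# Run on the local PC and print the report. Get-HotFix also accepts -ComputerName,
# so the same check can be run against the other PCs of the system from one machine.
Test-Ms17010 | Format-List
```

Run it on every PC of the system, not only the ones that browse the Internet: the story above shows that once one machine is infected, the others on the LAN are reached next, and MS17-010 is exactly the fix that stops that lateral spread over SMB.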

Secondly, the following precautions are to be taken for prevention:

  • Do not open emails of unknown origin, especially if they carry attachments
  • Do not browse web sites on the computers that run the mill's production control and optimization systems
  • Do not use external media (USB key, USB disk, etc.) without being certain that it carries no risk
  • Educate the users. Like other malicious software, ransomware often enters a system via email attachments, downloads, and web browsing.
  • Have a policy for managing backup copies. The customer is responsible for keeping offline and offsite media that are completely inaccessible to a virus, so that the data remain available after an infection instead of everything being lost. Our systems already make automatic daily backup copies, but these are stored on a computer that could itself be affected by a virus. It is therefore the customer's responsibility to keep a copy of these backups on another medium (USB key, USB disk, DVD, or another network).
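The last point is the one that decided the outcome in the account above: the LAN backups were encrypted along with everything else. The script below is an added example written for this post, not an Autolog tool, showing what a daily offline copy of the system's backup folder can look like: it copies the folder to removable media under a dated directory, verifies every file by SHA-256 and writes a manifest, then prunes copies older than a retention period. The backup folder and drive letter are placeholders to adjust; the script assumes nothing about the backup file format.

```powershell
# Added example (not an Autolog script): copy the daily backup folder to removable or
# offsite media, verify each copy by SHA-256 and keep a dated history on the media.
# Placeholder paths are used at the bottom; adjust them to your system.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET is used directly so this also runs on Windows 7's PowerShell 2.0, which has no Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    [System.BitConverter]::ToString($bytes).Replace('-', '')
}

function Copy-BackupOffline {
    param(
        [string]$Source,       # folder where the system writes its automatic daily backups
        [string]$Destination,  # root of the removable disk or offsite share, connected only for this copy
        [int]$KeepDays = 30    # how many dated copies to retain on the media
    )
    $stamp  = Get-Date -Format 'yyyy-MM-dd'
    $target = Join-Path $Destination $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $sourceRoot = (Resolve-Path $Source).Path.TrimEnd('\')
    $files      = @(Get-ChildItem -Path $sourceRoot -Recurse | Where-Object { -not $_.PSIsContainer })
    $manifest   = @()
    $failures   = 0

    foreach ($file in $files) {
        # Recreate the folder layout under today's dated copy.
        $relative = $file.FullName.Substring($sourceRoot.Length + 1)
        $dest     = Join-Path $target $relative
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Copy-Item -Path $file.FullName -Destination $dest -Force

        # Hash both sides: a silent copy error or a file changed while it was being copied
        # shows up now, in the manifest, instead of on the day the backup is needed.
        $srcHash = Get-Sha256Hex $file.FullName
        $dstHash = Get-Sha256Hex $dest
        $status  = 'OK'
        if ($srcHash -ne $dstHash) { $status = 'MISMATCH'; $failures++ }
        $manifest += ('{0}  {1}  {2}' -f $dstHash, $relative, $status)
    }
    $manifest | Set-Content -Path (Join-Path $target 'MANIFEST.sha256')

    # Retention: remove dated copies older than KeepDays, never today's.
    Get-ChildItem -Path $Destination | Where-Object {
        $_.PSIsContainer -and $_.Name -match '^\d{4}-\d{2}-\d{2}$' -and $_.Name -ne $stamp -and
        [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null) -lt (Get-Date).AddDays(-$KeepDays)
    } | Remove-Item -Recurse -Force

    New-Object PSObject -Property @{ Target = $target; Files = $files.Count; Failures = $failures }
}

# Placeholder paths: the system's daily backup folder and the removable media drive.
Copy-BackupOffline -Source 'C:\PATH\TO\DailyBackups' -Destination 'E:\OfflineBackups' | Format-List
```

The script only makes the copy; what makes it an offline backup is the procedure around it. The media must be connected just before the copy and disconnected as soon as Failures reads 0, because a USB disk that stays plugged in, or a permanently mapped network share, is reachable by ransomware in the same way the client's LAN backups were. Rotate at least two media so that one is always offsite, and periodically restore a copy onto a test machine to confirm the backups are usable.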

Thirdly, here are the immediate actions to be implemented if you have been infected:

  • Turn off the infected computer
  • Stop and disconnect all infected systems, within the context of your overall risk mitigation strategy
  • Isolate the infected host if possible
  • Do not try to clean the system or run antivirus or malware analyses; these steps are carried out later
  • Evaluate your organization's exposure for all devices that use the Internet

Most important of all: do not pay. After weighing all possible outcomes, payment should not be an option if you are infected. Even if you pay, there is no guarantee that the encrypted files and folders will be returned by the person who encrypted them. The only reliable way to recover the data is to format and reinstall the affected computer and then restore from a regularly made backup copy.

[Screenshot: an infected file]

[Screenshot: the content of the TXT file with instructions to recover the folders and documents]

Service Team
