I have received several questions regarding the recent news story about Hollywood Presbyterian Medical Center in L.A. whose computers were infected with "ransomware". For those unaware of the news story, here is a link to it.
Ransomware is malware (malicious software) that infects a computer and encrypts all of the user's files, making them unusable until they are decrypted with a unique key. Once the files are encrypted, a ransom demand is made. This type of malware has been around since 1989 but gained popularity around 2013 along with Bitcoin, an untraceable way to make payment to the extortionist.
So the question becomes: how do you protect yourself from this type of attack? I have a client that was attacked this way in 2014, and several lessons were learned.
First, you should know that this type of attack is not isolated to just Windows computers. All computers that connect to the Internet use data encryption to protect your activity. Whether you are logging into your bank account or shopping online, your computer is using encryption to keep your data safe. In this case the data encryption is not used to protect you but rather to make your own files inaccessible.
Second, both anti-malware and anti-virus programs, while helpful, do not give you 100% protection. In the case of my client, he was using both an anti-virus program and a malware scanner. Part of the problem here is that encrypting files is a completely normal activity for a computer, and unless some unique attribute can be found, this malware appears as normal activity. Another part of the problem is that until someone is infected and the anti-virus/anti-malware software companies have time to figure out a detection, everyone remains at risk. There is always a window of opportunity to be infected regardless of what software programs you use for protection.
In the case of the hospital in this news story, they paid the ransom of $17,000 and got lucky that the extortionist actually sent them the decryption key after making payment. It is just as likely the extortionist would demand more money or simply disappear, leaving the files encrypted.
The only real solution is your backups. I am not one to preach at people, nor use fear to motivate people. What I offer here is my own personal experience with a client that suffered this same attack.
My client, a mortgage broker in California, contacted me once he got the ransom demand of $300 and was unable to get to any of his files because they were encrypted. His business came to a complete stop. He was told the ransom demand would double every day he failed to pay. Going to the backup seems like a simple solution but in this case it was not. The problem is that the backup files were on an external hard drive that was connected to the computer at the time the infection took place. All of the backup files were also encrypted, making them equally useless. Both business files and years of family photos were lost. A few things were recovered from a backup I had made personally when working on his computer the year before but that was little consolation.
Important Lesson Learned - If you back up your files to a device, such as a flash drive or external hard drive, YOU MUST DISCONNECT THE BACKUP DEVICE when you are not making the backup. Your backup is only safe when it is disconnected and separated from the computer.
My personal advice to my clients regarding backups is this:
You need to have multiple backups; I recommend 3.
1. Have one near the computer but disconnected unless actually making a backup. This is your convenient backup: quick to use, so use it often. Understand that this backup is at risk of being stolen, damaged or destroyed in the event of a break-in or a local disaster such as a fire. It is also at risk whenever it is connected to the computer.
2. Have one outside of the home/office. This protects you against anything that might happen to the backup kept near the computer, including damage while it is in use. It needs to be in a separate physical location, such as with a trusted friend. It should not be in the same building or location as the computer except when making a backup copy.
3. Have one online using a service such as Dropbox or other cloud-based storage. This backup is your final line of defense. A physical device in your possession is always superior, but a copy online has the advantage of being accessible from any place, and it provides protection if the physical backup devices get damaged or stolen. Due to the generally slow Internet speeds in our area, it can be difficult to keep large files stored online and slow to retrieve them.
One last bit of advice regarding backups. If you use a software program to do your backups, realize you will likely need that particular software program installed on another computer to recover your backup if your computer is lost or stolen. I recommend not using a software program that creates a single backup file, rather one that copies all of the files individually so they can be read on any computer without installing the same backup software program to retrieve them.
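To show what the last two points look like in practice, here is a small backup routine I have added as an example; it is not code from this newsletter, from my client's setup, or from any backup product named above. It copies every file individually into a destination folder (meant to be an external drive you have just plugged in) and writes a plain-text list of SHA-256 hashes that any computer can check without the backup program. It also addresses the problem in the second lesson above: before it touches the backup, it checks a few "canary" documents whose hashes you recorded earlier and measures how random the contents of ordinary documents look, and it refuses to run if the source already appears encrypted, so a connected backup drive is not overwritten with useless files. The folder names, the entropy threshold, the list of compressed file types it skips, and the canary mechanism are my own assumptions for the example.

```python
"""File-by-file backup with a pre-flight ransomware check (added example).

Assumptions made for this example (not from the original article):
  - SOURCE is the folder to protect, DEST a folder on a mounted external drive
  - a few "canary" documents live in SOURCE and their SHA-256 digests were
    recorded on a known-good day (passed in as the `canaries` dict)
  - disconnecting the drive afterwards is still a manual step
"""
import hashlib
import math
import shutil
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.5   # bits per byte; plain documents sit far below this
SUSPECT_FRACTION = 0.5    # abort if more than half the checked files look encrypted
MANIFEST = "MANIFEST.sha256"
# Already-compressed formats are naturally high-entropy, so they are excluded
# from the randomness check (otherwise a photo folder would trip the alarm).
COMPRESSED = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mp3", ".zip", ".pdf", ".docx", ".xlsx"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text is ~4-5, encrypted or random data ~8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample_bytes: int = 4096) -> bool:
    """Sample the start of a document and flag it if it looks like random bytes."""
    with path.open("rb") as f:
        return shannon_entropy(f.read(sample_bytes)) > ENTROPY_THRESHOLD


def source_is_suspect(source: Path, canaries: Dict[str, str]) -> bool:
    """True if any canary changed or most ordinary documents look encrypted."""
    for rel, digest in canaries.items():
        p = source / rel
        if not p.is_file() or sha256_file(p) != digest:
            return True
    docs = [p for p in source.rglob("*")
            if p.is_file() and p.suffix.lower() not in COMPRESSED]
    if not docs:
        return False
    suspect = sum(1 for p in docs if looks_encrypted(p))
    return suspect / len(docs) > SUSPECT_FRACTION


def backup_tree(source: Path, dest: Path, canaries: Dict[str, str] = None) -> int:
    """Copy each regular file under `source` to the same relative path under `dest`
    and write a manifest of SHA-256 digests. Returns the number of files copied.
    Raises RuntimeError, leaving `dest` untouched, if the source looks encrypted."""
    if source_is_suspect(source, canaries or {}):
        raise RuntimeError("source files look encrypted; refusing to overwrite the backup")
    lines: List[str] = []
    for p in sorted(source.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)          # plain copy, keeps timestamps; no proprietary format
        lines.append(f"{sha256_file(p)}  {rel.as_posix()}")
    (dest / MANIFEST).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(dest: Path) -> List[str]:
    """Re-hash every file named in the manifest; return the ones missing or altered."""
    bad: List[str] = []
    for line in (dest / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = dest / rel
        if not target.is_file() or sha256_file(target) != digest:
            bad.append(rel)
    return bad
```

Because the copies are ordinary files and the manifest uses the same layout as the `sha256sum` tool, the backup can be read and checked on any other computer with `sha256sum -c MANIFEST.sha256`, with no special program to install. The randomness check is only a heuristic: it will not catch every strain, and it exists to stop the specific mistake that cost my client his backup, not to replace anti-virus software.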
This type of ransomware is on the rise, and often it is not talked about due to embarrassment. Heed the advice and check to be sure your backups will save you should you suffer the same fate as my client or the hospital in this news story.
All my best - Dan Porter