Features

Encountering CryptoWall

How a New Type of Virus Is Destroying Small Businesses

By DELCIE BEAN

Since the advent of the computer, even before the Internet, there have been viruses.

In its simplest form, a virus is malicious computer code hidden inside other programs or data. While the concept of a virus itself is anything but new, just about everything else about them is.

Delcie Bean

A computer virus typically fits into one of three categories. First are nuisance viruses, typically written by a single person or a very small team, which make a computer do something that frustrates or annoys the user. In these cases, the most the authors ever gain is bragging rights among their peers.

Second are resource viruses, which turn a computer into a robot that a hacker can control to do things like send spam e-mail. Typically the creator has a financial motive, but the end user whose computer is infected doesn’t usually suffer any consequences and, in many cases, might not even realize for months that they are infected.

For many years, these were by far the two most common types of viruses, but over the last 18 months, we have seen an unprecedented number of infections by a third category called ransomware. This type of virus infects a user’s computer and then holds the data contained on it hostage for a ransom.

As if that wasn’t scary enough, there is something else that makes this particular category a real concern. Normally a virus will come out, it will run its course, a protection will be developed by the antivirus community, and the problem will slowly fade out of existence. In this case, however, not only has the antivirus community been having a very hard time figuring out how to block it, each time they have been successful, the virus has come back a few months later even stronger and harder to stop.

The latest virus of this third category we find ourselves tangling with is called CryptoWall 3.0. We have been dealing with versions of this virus for the past two years; however, this latest strain is without question the most dangerous and complex virus that has ever hit the U.S. This is without question cyberterrorism, and the victims this time, more than ever, aren’t just home users, but businesses.

Once you get this virus, it immediately begins encrypting any data it can see. It scans your network drives, Dropbox, Google Drive, and desktop, and encrypts everything it can touch. It is even able to infect your backups, so you can’t simply restore your files.

Once the files are encrypted, you have to pay a ransom to get them decrypted. Some versions of the virus even use a complex algorithm that estimates how much money they think you can afford. Most people end up with a $500 ransom at first that gets larger the longer you don’t pay it. However, you have only 30 days, and after that, you’re done. If you pay the ransom, they will promptly send you a key that will unlock all of your files. If you don’t, your files are gone forever because you will never be able to open them.

Over the last three months alone, I have personally seen a wide range of victims, including medical offices that lost access to their electronic medical records as well as other critical patient data, law firms that lost access to client-management systems and case files, companies from all industries that lost access to their e-mail, municipalities that lost access to their billing systems, and manufacturers that lost access to their ERPs.

In every single case, it was a work-stopping event where the business owner was put in the very difficult situation of having to decide to pay a ransom to an overseas terrorist or lose access to critical data forever.

In the short term, there is little we can expect from law enforcement. The terrorists seem to be aware of how to escape prosecution, using bitcoins as their form of ransom payment and being careful to never hit any one customer for more than a couple hundred thousand dollars, well beneath the realm of investigation for the FBI.

Fortunately, there are some things you can do. First, have your e-mail filtered externally by a reputable third-party cloud service. This helps to keep an e-mailed infection from ever reaching your network. Second, have a business-grade firewall that has the option of subscription-based security services — and, of course, activate them. Third, use a remote backup application to back up your data offsite and in a way that the virus can’t infect. Fourth, make sure you are using a reputable anti-virus product that has a centralized management component, that it is installed on every machine, and that it is set up to send out notifications to whomever manages your IT if a threat is detected.
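The third recommendation above rests on the difference between a backup the virus can overwrite and one it cannot. The following example, written for this article and not code from the author or Paragus, contrasts a mirrored sync folder (which copies whatever happens to the source) with a versioned snapshot store that never rewrites earlier copies; the file contents, snapshot labels and the file-scrambling step are constructed stand-ins for the real event.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def mirror_backup(src: Path, dest: Path) -> None:
    """One-way mirror (sync-folder style): dest always equals src, so damage is copied too."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)

def snapshot_backup(src: Path, dest: Path, label: str) -> Path:
    """Versioned backup: each run writes a new snapshot and never rewrites an old one."""
    snap = dest / label
    shutil.copytree(src, snap)
    return snap

def scramble_files(folder: Path) -> None:
    """Constructed stand-in for the damage: overwrite every file with unreadable bytes."""
    for f in folder.rglob("*"):
        if f.is_file():
            f.write_bytes(os.urandom(len(f.read_bytes()) or 16))

def find_good_copy(snap_root: Path, rel: str, good_hash: str):
    """Newest snapshot whose copy of `rel` still matches the hash recorded before the damage."""
    for snap in sorted(snap_root.iterdir(), reverse=True):
        candidate = snap / rel
        if candidate.is_file() and sha256(candidate) == good_hash:
            return candidate
    return None

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        work, mirror, snaps = (Path(tmp) / n for n in ("work", "mirror", "snapshots"))
        work.mkdir()
        doc = work / "invoice.txt"
        doc.write_text("Invoice 001: constructed sample content\n")
        good = sha256(doc)                        # known-good hash, recorded at backup time
        snapshot_backup(work, snaps, "snap-001")  # clean snapshot taken before the damage
        scramble_files(work)                      # the workstation's data becomes unreadable
        mirror_backup(work, mirror)               # the mirror faithfully copies the damage
        snapshot_backup(work, snaps, "snap-002")  # this snapshot is damaged; snap-001 is not
        return {
            "mirror_recoverable": sha256(mirror / "invoice.txt") == good,
            "snapshot_recoverable": find_good_copy(snaps, "invoice.txt", good) is not None,
        }
```

The snapshot taken after the damage is itself unusable, so what saves the data is retention of the older snapshot together with a backup account whose credentials the infected workstation cannot use to delete it.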

There is no silver bullet here — it just isn’t that easy. With just one of these groups estimated to have reaped $3 billion in revenue last year alone, stopping their attacks isn’t going to be easy, and it’s only going to get harder. Your best defense is to make sure you have well-educated and experienced resources looking out for your business’s interests.


Delcie Bean is founder and CEO of Paragus Strategic IT; (413) 587-2666, ext. 105; [email protected]