When Kristie Green, owner of North Star Scaffolding, saw a traffic infringement notice email come through on the computer she uses to run her small business, she didn't even think twice about clicking it. The computer instantly froze up and then a message appeared on the screen informing her the device had been hijacked and that she needed to pay a $900 ransom to gain access to all her files again. Kristie had been hit by a cryptovirus.
Cryptoviruses are targeting Australian small businesses in force right now. According to Symantec security expert Mark Shaw, crypto malware attacks on Australian businesses have increased significantly over the past two years, making Australia the favourite target for cryptoviruses in the Asia-Pacific region.
Cryptolocker and Cryptowall are the malware of choice for these computer kidnappers. Both have been involved in high-profile mass attacks that used targeted phishing emails posing as well-known Australian brands such as Australia Post, Energy Australia and the NSW Office of State Revenue, with links to malware that usually disguises itself as a PDF or a ZIP file.
"This form of cybercrime is proving very lucrative for those behind it given the high clickthrough and infection rate," Shaw said, noting around three per cent of users actually fork out the ransom.
Kristie was one of them. The work computer that was in lockdown not only held important business documents but also contained valuable personal photos she couldn’t bear to part with. She had not backed up any of her files. The timer on the screen ticking down to when her files would be destroyed sent her into a panic.
"I called up three IT guys and two didn't even want to deal with it," Kristie said. "They said it would take hours and hours to even try and fix the issue and that I was better off getting rid of the computer. The last guy said he could try and fix it but there’s no guarantee that I would get my files back."
Desperate, she went to ANZ Bank to pay the ransom. The culprits had sent a list of ways to make the payment and this was the quickest method. But the bank staff were less than helpful.
"One of them told me the bank won't take the money because it doesn't support online corruption and that the money would likely be used to fund terrorism," Kristie said.
She ended up paying through Bitcoin. Once the ransom was paid, it took seven days to reinstate every file on the computer. While she did regain control of her computer, the damage had already been done to her business.
"There was definitely income loss during that time because during those days where the computer was affected the business ran on limited capacity. We couldn’t access documents that were crucial to the company because they were all on the one computer. Lucky we could still use our Xero accounting system," Kristie said, who has since replaced her computer entirely. The experience haunted her and she was worried the virus was lying dormant on the old laptop, waiting to attack again.
As criminals ramp up their efforts to make money in the digital space, small businesses should take preventative measures to minimise the risk of becoming yet another victim.
There is no miracle way to absolutely prevent an attack from cryptoviruses, but educating users about the potential threats is a start. If you see an email, even if it’s from a perceived reputable source, ask yourself a few questions: Is this from someone I know? Was I expecting this email? Does the email address itself look suspicious?
Having email security software would also help with the prevention process, but just make sure your software is up-to-date.
The most important step small businesses should take is to back up everything on their computers. It's surprising just how many businesses don’t have a habit of backing up their data. Kristie learnt the hard way the consequences of not backing up her laptop and has since started to do so. Her IT technician helped her set up a Dropbox account where she now stores her work and personal files.
So what happens when it’s too late? What happens when you’ve already been crippled by a crypto malware? Here’s what Shaw recommends:
- Remove the malware using reputable security software.
- Recover the encrypted files by restoring from backup or the built-in Windows System Restore capability. It is highly unlikely you’ll be able to decrypt the impacted files as the attackers typically leverage industry-standard, strong encryption algorithms.
- Don't pay the ransom. There is no guarantee that the attackers won’t up the ante, or that they will deliver the key needed to decrypt your files. Paying will serve to fund the criminals behind the attack, allowing them to target more victims.
If you run multiple PCs in your business, be aware that they may also be infected if even one is compromised by a cryptovirus.
"If you do get hit, quickly identify the infected workstation. While some of the crypto virus examples go after local drives, some of them start with network shares which can be much more damaging to your business. Isolate that workstation from the network to minimise any cross infection or encryption of your network data, Websense sales engineer manager Bradley Anstis told Lifehacker. "On the workstation determine what data could be lost, can you recover it from a backup? Check this without restoring to the infected workstation if possible.
"Also check back with your desktop security vendor, some of them do have recovery tools for some of the variants. If you can’t get the data back, there is no recovery tool then you are exactly where the attackers are hoping you would be!"
Has your business ever been attacked by a cryptovirus? Tell us more about what happened in the comments.