Ransomware - Help and Advice from Busted Networks
Ransomware encrypts your data and then demands a ransom to get the key to decrypt it. Once your data is encrypted the options are either to pay the ransom (and you may or may not get the decryption key) or to restore the data from the last backup. The ransom is paid in Bitcoin which is untraceable. The NHS and Nissan were among the large institutions which were hit, but hundreds of thousands have been affected over the weekend.
This particular ransomware most likely used social engineering to get people to click on a link and then this click downloaded a program which used a hole in some Microsoft code. It looks like this hole in the Microsoft code had existed since before 2003 so nearly all versions of its operating systems were vulnerable. Microsoft offered a patch in mid March to address this problem.
This ransomware affects all systems before Windows 10.
Busted's customers fall into one of two groups, those with servers and those without. Please carefully read the section which applies to you.
1. Server Customers
For customers of Busted Networks who have one or more servers, we manage the updates and patches of your servers for you. When updates come out they are tested on Busted Networks' networks and, if they don't break anything (which they frequently do, resulting in an update to the update), they are rolled out to your servers. I can confirm that all customer servers were updated with this patch before this ransomware hit. Servers were checked again over the weekend.
For PC users on a server-based network, it is very important that your PCs are up to date. Busted Networks manage the distribution of the updates to the PCs but in most cases it is the end user who causes the updates to be installed, unless the PCs are left on overnight. It is possible for a user NOT to install updates on their PC, which can potentially compromise their computer and the network.
It is straightforward to see if there are PC updates waiting. Looking in the status bar in the bottom right you will see the icon above. If you see this icon then please immediately click the start button and you should see the option below, which is to install updates and then shut down. Click this. Once shut down you can power up the PC as normal. In some cases you may need to repeat this operation.
We may have released PC updates over the weekend to our server based customers which means that the above most likely will apply to you.
If you have a laptop that is not often connected to the network, then now is the time to connect it, power it up and login and wait for the updates to appear. This may take 30 minutes or more from the update.
2. Non Server Customers
For customers without a server, your PCs are set to collect updates automatically from Microsoft. We regularly check that your machines are collecting updates as they should do.
However, given the importance of these updates, it is worth a manual check to ensure that the PCs are completely up to date. To do this click Start, Control Panel, make sure the top right hand box in Control Panel says "View By: small icons" so that you can see all the icons and then click Windows Update. This will display a box similar to the one below. Click Check for updates and, once it has checked (and this can take up to 30 minutes or even longer), click Install updates. Once installed make sure that there are no errors. In the case of errors contact Busted. It may say some updates can't be installed. In that case, after the inevitable reboot, repeat the process as sometimes updates are dependent on other updates.
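The manual check above can also be run as a script. The following PowerShell is an added example, not part of Busted Networks' original advice or tooling; it uses the Windows Update Agent COM objects built into Windows, and the 50-entry history window is an arbitrary choice.

```powershell
# Added example: scripted form of the manual Windows Update check.
# Run in a PowerShell window on the PC being checked.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# "Check for updates": software updates offered to this PC but not yet installed.
# The search contacts the update service, so it can be as slow as the manual check.
$pending = @($searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates)

# "Make sure there are no errors": recent installs that did not finish cleanly.
# Operation 1 = installation. ResultCode: 2 = succeeded, 3 = succeeded with errors,
# 4 = failed, 5 = aborted. The 50-entry window is an assumption of this example.
$failed = @()
$total  = $searcher.GetTotalHistoryCount()
if ($total -gt 0) {
    $failed = @($searcher.QueryHistory(0, [Math]::Min($total, 50)) |
        Where-Object { $_.Operation -eq 1 -and (3, 4, 5 -contains $_.ResultCode) })
}

# "After the inevitable reboot, repeat the process": is a restart still outstanding?
$rebootNeeded = (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired

# Report what was found.
$pending |
    Select-Object Title, MsrcSeverity, @{ n = 'KB'; e = { @($_.KBArticleIDs) -join ',' } } |
    Format-Table -AutoSize
$failed | Select-Object Date, Title, ResultCode | Format-Table -AutoSize

if ($pending.Count -eq 0 -and -not $rebootNeeded) {
    'Up to date: nothing pending and no restart outstanding.'
} else {
    "Action needed: $($pending.Count) update(s) pending; restart required: $rebootNeeded"
}
```

A failed entry in the history may have succeeded on a later attempt, so treat it as a prompt to re-run the check after a reboot rather than as proof of a problem.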
It is VERY important that your backup is good and it is to a removable drive (i.e. not connected 24x7 to your PC).
As I mentioned above, backups are generally the only way to get your data back. Make sure that you backup your data to the Busted Networks schedule plan to removable media. If you don't have a copy of this schedule let us know and we will email it out. Ransomware generally encrypts your hard drive and ALL other drives it can find, whether these be on a server, a USB connected drive, a USB stick, Cloud storage or Dropbox. Do not think that you are safe if you have your data in something like Dropbox or Google docs.
Busted Networks' customers use Trend Anti Virus. From late last year Trend has a specific anti-ransomware package which has successfully stopped quite a number of ransomware infections. This is a good package but undoubtedly, like all other Anti Virus providers, not 100% reliable.
Emails and Links
Modern malware is delivered to your PC through attempting to get you to click on a link that you think is legitimate. Always be ULTRA vigilant. Even if the email purports to be from someone you know, treat it with suspicion. If you accidentally click on a link from what you later deem to be a suspicious email, call Busted. It is easier to stop an infection as soon as we know rather than to leave it an hour or two because "it didn't seem to do anything." In fact, it is doing something - it's encrypting your disk!
So what do you need to do?
Make sure all PCs are up to date.
Call us if something suspicious appears on your PC.
Do NOT click on links in emails, regardless of how authentic they look. Modern clickbait is getting very good.
Take a look at the Busted Networks Facebook Page as this gives some examples on how to determine if an email is not legitimate as well as current clickbait.
Make sure you have an up to date, valid backup to removable media - in the case of disaster we can only restore from the last valid backup you have.
This undoubtedly will not be the last we hear of ransomware or viruses. The generally accepted figure is that around 1 million new computer viruses/threats are being released each day. It is only a matter of time before we see the next one.
If you need clarification of any of the above then feel free to contact us.