So, today is Saturday, and I am off visiting a few customers I could not get to during the week. In between, I was listening to the 780 WBBM Chicago noon segment. The segment went something like this: hackers are targeting small businesses with ransomware, and infections were up 25% last year.
Very scary, right? However, there is something you can do to take action against ransomware – back up your system. The following excerpt comes from BackBlaze, a company that specializes in system backup storage, and this is what they say about the state of backups across the internet in 2021.
“Good news here, the results are positive! Of people who own a computer, more than ever are backing up daily, if not even more often: Our 2021 number is 11%. This is only an increase of one percentage point over last year, which may not seem like much, but does underline a positive upward trend over the years (6% in 2018, 9% in 2019, and 10% in 2020). As a computer backup provider, we’re thrilled that backups and disaster recovery are increasingly top of mind for people.
While the number of people who never back up their computers is down about 54.5% from when we first started the survey (35% in 2008 versus 20% in 2021), that still means one in five people are at risk of losing all their data should they have a computer or systems failure. That’s too much precious data at risk.”
Wow, when I read that only 11% are backing up their computers on a consistent basis, that means 89% actively are not. Of the 89%, some may not be backing up at all, or, if they are, the data may be so old or inconsistent that the backup may not be useful. Not really good news, is it?
If I am a Hacker
So, if I am a hacker looking at these statistics from BackBlaze, I am thinking to myself—”it’s party time! It’s like shooting fish in a barrel, you can’t miss.”
The hacker’s incentive to encrypt your files is monetary. If you want your files back, pay me, and I might give you the decryption key. That’s right, might. An article published by Forbes Magazine [Citation] is an eye-opening read:
So, the main point of the article, written in May 2021, is that 92% of organizations that get encrypted and pay recover only some or none of their data. Well, remember they are criminals, and they don’t always keep their promise.
What to do:
I have one word, and that is—Backup!
That’s right, back up your computer system and then make sure you have an offsite copy somewhere else. You may be thinking, “I’m not going to get encrypted. I am careful about what I open in email and what I click on. I am a sophisticated user.”
From the Case files of Arnold Consulting:
The Company Who was Sophisticated and Knew Better:
Not long ago I got a great new customer. I did a complete domain network upgrade from Windows 2003 to Windows 2008, so that tells you about how long ago this was.
During the system upgrade, I noticed the backup systems were in a shambles, and the last vendor had set them up in such a way that made recovery next to impossible. When I presented my findings to the manager in charge, he asked for a proposal. He also added, “Before you came, we were infected with a Cryptor virus. Can you protect against that?” I advised that we can mitigate, not prevent, and that we can set up a system to recover from backups in case that does happen, unlike what they had now.
This is the plan I wrote for them. There are two components of the plan, on-line and off-line backups:
- Hourly backups from protected workstations are sent to a central repository on site.
- At the end of the day, Arnold Consulting gets the last backup of each protected system sent to me offsite in Elgin, Illinois – the disaster recovery copy.
- I keep the replicated copies for a year on my NAS, and then start them over again – once a year. The NAS will only accept a certain file type, and deletes are not permitted from the client to the NAS.
- Weekly, on Sunday, a full backup is made of each protected system and sent to a hard drive in a drive dock attached to the backup server.
- The drive dock has a timer set to power it on at a certain time and then power it off early Sunday morning, when I have calculated the backups are finished.
- The dock is a replicating drive dock with another drive in the front. When the drives are replicated, they both get exactly the same information.
- On Monday, I would come in and sync the drives together. When the sync was done late Monday afternoon, the drive dock would be reset again for Sunday.
- The replicated drive would go in a safe, and the other drive would remain in the dock, powered off, until Sunday night.
If an infection did happen this time:
If a Cryptor did infect the network, it would only get the onsite on-line files. The drive dock is powered off and only gets turned on by an analogue timer, but it could potentially be infected when it comes on for the Sunday backup – a slim possibility. However, if it did, I would think the staff would be aware of the problem by Monday morning, and we would not sync the drives from the previous Sunday and potentially infect the sync drive that goes into the safe.
Additionally, since I have the offsite backup in Elgin, I should be able to go to the day before the infection and pull backups for restore.
I might have backed up the Cryptor, but that backup is sitting in an inactive file. Remember, I keep the last backup of each day, so I have many last-day backups. The logic goes: if you did not have the issue on Friday, let’s look at Thursday to see if we have a clean backup.
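To make the two controls above concrete, here is an added example (my own illustration, not the plan's actual software or the NAS vendor's code) that models the offsite repository as a write-once store: the client can only add new date-stamped archives of an accepted file type, deletes and overwrites are refused, and the only purge is the NAS's own yearly rotation. It also implements the "if Friday was bad, look at Thursday" restore-point selection. The archive extensions, system name and dates are constructed for the example.

```python
# Added example (not from the original post): a model of the write-once
# offsite repository described in the plan above, and the "last clean day"
# restore-point selection. File types, names and dates are constructed.
from datetime import date, timedelta
from pathlib import PurePosixPath

# Assumption: the backup product produces archives with these extensions;
# anything else (including a renamed or encrypted archive) is refused.
ALLOWED_SUFFIXES = {".bak", ".vbk"}
RETENTION_DAYS = 365        # keep a year of last-of-day copies, then start over


class OffsiteRepo:
    """NAS side of the daily offsite copy.

    The client can only add new, date-stamped archives. Deletes and
    overwrites are refused, so a compromised client (or a cryptor running
    on it) cannot destroy history; the only purge is the repository's own
    yearly rotation, which runs on the NAS, never on request from a client.
    """

    def __init__(self):
        self._files = {}        # "YYYY-MM-DD/name" -> (received_on, size_bytes)

    def receive(self, client_path, received_on, size_bytes):
        p = PurePosixPath(client_path)
        if p.suffix.lower() not in ALLOWED_SUFFIXES:
            return False, f"rejected: {p.suffix!r} is not an accepted backup type"
        dest = f"{received_on.isoformat()}/{p.name}"
        if dest in self._files:
            return False, "rejected: overwriting an existing copy is not permitted"
        self._files[dest] = (received_on, size_bytes)
        return True, dest

    def delete(self, dest):
        # Refused for every path: no delete verb is exposed to clients at all.
        return False, "rejected: deletes are not permitted from the client"

    def rotate(self, today):
        """Yearly rotation, run by the NAS itself: drop copies older than a year."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = [k for k, (d, _) in self._files.items() if d < cutoff]
        for k in expired:
            del self._files[k]
        return len(expired)

    def restore_points(self, archive_name):
        """Dates on which a copy of archive_name was received, oldest first."""
        return sorted(d for k, (d, _) in self._files.items()
                      if k.endswith("/" + archive_name))


def last_clean_restore_point(restore_points, first_bad_day):
    """The plan's restore logic: if Friday had the problem, look at Thursday,
    and keep stepping back until a day before the problem is found."""
    clean = [d for d in restore_points if d < first_bad_day]
    return max(clean) if clean else None


def demo():
    repo = OffsiteRepo()
    start = date(2021, 2, 1)                   # constructed dates
    for i in range(10):                        # ten nightly last-of-day copies
        repo.receive("ws01.bak", start + timedelta(days=i), 4_000_000)
    copies_kept = len(repo.restore_points("ws01.bak"))
    rejected_type = repo.receive("ws01.bak.locked", start + timedelta(days=10), 1)
    rejected_overwrite = repo.receive("ws01.bak", start, 1)
    rejected_delete = repo.delete("2021-02-01/ws01.bak")
    friday = date(2021, 2, 5)                  # day the staff noticed the cryptor
    clean = last_clean_restore_point(repo.restore_points("ws01.bak"), friday)
    purged = repo.rotate(date(2022, 2, 6))     # a year later, NAS-side rotation
    return {
        "copies_kept": copies_kept,
        "rejected_type": rejected_type[0],
        "rejected_overwrite": rejected_overwrite[0],
        "rejected_delete": rejected_delete[0],
        "clean_restore_point": clean,
        "purged_after_a_year": purged,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keeping deletion and rotation on the NAS side only is that a cryptor running on a client has no path to the history: the worst it can do is upload one more (rejected) file. Selecting the restore point by "newest copy strictly before the first bad day" is what lets the year of last-of-day copies absorb an infection that was noticed late.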
I created a great system for this company, and they did have to use it once or twice. It was not for a virus infection—somebody accidentally deleted 30 Gigabytes of data from a directory, and it took about an hour, but they got it back.
Did it Cost:
You may be thinking, “I bet that cost a lot.” Well, that is a yes and a no. They had about 13 systems. There is the licensing for each system, which I don’t have much control over. There were the site visits, at $50.00 per visit, and I would have made maybe 4 per month, and there was the offsite storage fee. At that time, it was a $220.00 flat fee, and I was holding 6 systems for disaster recovery. All told, their bill was about $1200.00 per month.
I lost the business and a few years later…
So, yes, it was expensive, but remember they had a lot more systems than the average small business. They were more like a medium-sized business, bigger than what I usually deal with. Eventually, I lost the business to a competitor who came in with a lower price. A lower price does not mean better.
I learned from a business associate that this company got their entire network encrypted back in February, and here it is in May and they still do not have all their systems fully restored – even their 30-day backups got encrypted.
The insurance negotiator got the criminals to release one decryption key for $3,000.00 as a sign of good faith – so the $1200.00 a month I was charging for backup was a deal compared to that. Am I really too expensive – now?
I created the backup methodology for a very specific reason, and when I was updating the network during the domain upgrade, I put very specific things in place so as not to let a Cryptor-type virus spread through the network. After I left, I don’t know how they changed the network, but the changes they made were not good and got away from the methodology I had put into place.
So, in the 4 years I did the network and backup, they had no issues with viruses, but in just under two years with a new backup vendor they got encrypted again—this time the whole network. Less expensive is not better.
Insurance Policy and Options:
When I bring a new customer on, I explain that disaster recovery is like an insurance policy, and if you do it right you can recover 99% of the time. Wait… why do you say 99% of the time, why not 100?
Well, it’s like this. Large customers have computer domains, and there are time limits on what are called Active Directory objects. The time limit is 90 days, and this limit is imposed by Microsoft. What that means to a backup vendor like me is that you cannot restore an object older than 90 days, and here is why that is important.
Criminals know this as well, and if you are a big company and they want to encrypt your network badly enough, they will target it specifically and footprint it to find a weak spot to get in and plant a novel Cryptor virus, one that is not familiar to antivirus companies, so as not to be detected.
On whatever day after 90…, they remotely activate the Cryptor virus, and it spreads through the entire network. By the time the admins figure out what’s happening, it is too late, and they can’t go to backup because every backup inside the window already carries the dormant Cryptor virus.
Now, the company might get lucky with their AV vendor, figure out a detection pattern and clean the dirty backups, but that is only if they are lucky. Data is different; it does not have a tombstone life, so to speak.
A company in this kind of a problem has two options, in my opinion. Pay the crooks, and you may not get the decryption keys, or rebuild the domain from clean computers and a fresh server software load. That is the most painful and expensive way to go. If you pay the money, the problem is perpetuated. Besides, if you do pay and decrypt the systems, who is to say they did not leave another Cryptor virus to activate at a later date—after all, remember, they are criminals.
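The timing argument in the last few paragraphs is easiest to see worked through with dates. The following is an added example of my own (not from the original post and not tied to any product) that takes a daily backup schedule, the first day the dormant Cryptor could have been on the network, and a retention window, and reports what is still recoverable. The 90-day object-restore limit is used exactly as the text states it; the activation date, dwell time and backup schedule are constructed. It shows the two cases the text describes: a 30-day rolling window where every copy is already dirty, and a year of last-of-day copies where the data is recoverable but the domain objects have aged past the limit.

```python
# Added example (not from the original post): the dormant-cryptor timing
# argument from the text, worked through against two retention windows.
# All dates and the daily backup schedule are constructed.
from datetime import date, timedelta

AD_OBJECT_LIMIT_DAYS = 90   # the object-restore limit as the text states it


def clean_restore_points(backup_days, first_compromise, today, retention_days):
    """Backups that are both still inside the retention window and taken
    before the earliest day the cryptor could have been on the network."""
    window_start = today - timedelta(days=retention_days)
    return sorted(d for d in backup_days if window_start <= d < first_compromise)


def restore_options(backup_days, first_compromise, today, retention_days):
    """Summarise what a defender can still do once the cryptor activates."""
    clean = clean_restore_points(backup_days, first_compromise, today, retention_days)
    if not clean:
        # Every copy inside the window already carries the dormant cryptor.
        return {"clean_points": 0,
                "data_restorable": False,
                "domain_restorable": False,
                "course": "rebuild from clean systems (or pay, with no guarantee)"}
    newest = clean[-1]
    age = (today - newest).days
    domain_ok = age <= AD_OBJECT_LIMIT_DAYS     # AD objects have a tombstone life
    return {"clean_points": len(clean),
            "newest_clean": newest,
            "data_age_days": age,
            "data_restorable": True,              # files do not have a tombstone life
            "domain_restorable": domain_ok,
            "course": ("restore domain and data from backup" if domain_ok
                       else "rebuild the domain from clean systems, then restore data")}


def scenario(retention_days, dwell_days=100):
    """A cryptor planted dwell_days ago and activated today, with one backup a day."""
    today = date(2021, 5, 1)                     # constructed activation day
    first_compromise = today - timedelta(days=dwell_days)
    backup_days = [today - timedelta(days=i) for i in range(400)]
    return restore_options(backup_days, first_compromise, today, retention_days)


if __name__ == "__main__":
    print("30-day rolling backups, 100-day dwell:", scenario(30))
    print("A year of daily copies, 100-day dwell:", scenario(365))
    print("A year of daily copies, 10-day dwell: ", scenario(365, dwell_days=10))
```

Run against a 100-day dwell time, the 30-day window returns no clean point at all, which is the situation the text describes for the company whose 30-day backups were encrypted. The year of daily copies still has a clean point from the day before the plant, so the files come back; only the domain has to be rebuilt because that point is older than the 90-day limit. With a 10-day dwell, both data and domain restore from backup.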
99% of the Cryptor infections I see come from a bad email that was clicked on and infects the system, or from a link on the internet. Systems infected in this way are very recoverable, and there are strategies that can be put into place to mitigate the damage or stop it. The number one most effective way is to back the computer up and have an offsite repository that will help with disaster recovery.
Remember the article from BackBlaze: they were all happy that 11% of people in 2021 were backing up their computer systems. 89% of the computers on the internet are exposed to potential data loss, but they don’t have to be—back them up! Arnold Consulting can help! Call us at (847) 464-5855.
Sincerely, Rick Arnold, Arnold Consulting