
Don't Let CryptoLocker Hold Your Business to Ransom


This month the UK's National Crime Agency (NCA) issued a warning to small and medium-sized businesses and millions of bank customers asking them to be particularly vigilant about clicking on attachments within suspicious emails following a spate of incidents involving the CryptoLocker malware.

There is nothing particularly new about CryptoLocker, which is a variation of ransom malware that those of us involved with Internet security have known about since the early 1990s. It is usually spread via email. Often, the user will receive an email purporting to come from some well-known organisation such as a leading bank or courier service. The email contains an attachment in the form of a zip file which, if opened, reveals the malware executable code disguised as a PDF file. Clicking on this PDF icon releases the malware into the computer, where it encrypts all the data and demands a ransom for the decryption code.
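The kind of check a filtering mail gateway can apply to the zip attachments described above, shown as an added example that is not from the original post or from any AVG product. The function names, the extension lists and the sample archive are assumptions made for illustration; the sample is constructed and contains only harmless two-byte stubs.

```python
import io
import os
import zipfile

# Partial list of extensions Windows runs directly; extend to match local policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}


def inspect_zip_attachment(data):
    """Return (member, reason) findings for the raw bytes of a zip attachment."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "unreadable zip")]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            stem, ext = os.path.splitext(name.rstrip(". "))
            ext = ext.lower()
            # Padding such as "invoice.pdf      .exe" is stripped before the inner check.
            inner = os.path.splitext(stem.rstrip(". "))[1].lower()
            if ext in EXECUTABLE_EXTS:
                kind = "double extension" if inner in DECOY_EXTS else "executable extension"
                findings.append((info.filename, f"{kind} ({inner}{ext})"))
            elif info.flag_bits & 0x1:
                # Encrypted members cannot be content-checked by a gateway.
                findings.append((info.filename, "encrypted member, content not scannable"))
            else:
                with archive.open(info) as member:
                    head = member.read(2)
                if head == b"MZ":  # DOS/PE header: Windows executable content
                    findings.append((info.filename, f"executable content behind {ext or 'no'} extension"))
    return findings


def build_sample_zip():
    """Constructed, harmless sample: 'MZ' stubs stand in for executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_2013.pdf.exe", b"MZ" + b"\x00" * 62)
        z.writestr("statement.pdf", b"MZ" + b"\x00" * 62)
        z.writestr("report.pdf", b"%PDF-1.4\n")
        z.writestr("readme.txt", b"Please see the attached invoice.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

Any finding is grounds to quarantine the message rather than deliver it; a real PDF starts with `%PDF`, so a member named `.pdf` that starts with `MZ` is not what its name claims.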

CryptoLocker rose to the fore in September as a trojan spreading through fake emails and, according to one security provider, claimed some 12,000 victims in a week.

Practices like keeping your Internet security software up-to-date, communicating security awareness to employees and regularly backing up your data to dedicated on-premise servers or, better still, to the cloud are usually sufficient to keep you protected from this kind of attack. This might seem obvious, but AVG's own research out this month suggests that among smaller businesses, backing up in particular is often not as regular or as comprehensive as it should be.

The study, which looked at 500 small businesses in the UK and 500 in North America, clearly shows that small business owner-managers still do not understand the true value of their data. Although the majority do rely on automated backup systems, it was shocking to find that most spend more time tidying their desk or ordering new business cards than backing up.

But it was when we started to ask about backing up mobile devices that one of the most revealing stats, for me, emerged. It turns out most small businesses have never experienced losing a mobile device, so they are not really conscious of the need to protect sensitive data on them. Yet almost 1-in-5 (19%) UK businesses (1-in-3 or 30% in the US) say that more than half of their data is business sensitive.

For a small business with a BYOD (Bring Your Own Device) policy, workforce mobile devices will clearly have some sensitive data on them - even if it's only address book data for colleagues and customers - but most will not be enforcing backups. They may well have traditional automated network backup in place, but with the rise of mobile, IT has moved on, yet small businesses' approach to backup is not keeping pace.

CryptoLocker shows that this is just the kind of complacency that criminal gangs are banking on. Gene Marks, a well-known small business writer and commentator, certainly seems to agree. In his blog he admits that as a small business owner he is as guilty as anyone of storing backups locally, backing up the wrong things and letting BYOD employees get away with not backing up all their data.

If you are unlucky enough to suffer an infection, disconnect from any networks and call in a professional to clean the machine. We do not advise ever paying a ransom; after all, there is no guarantee that the bad guys would send you the decryption key even if they had one.

Instead we do advise taking the following simple steps:

• Always back up your files - at least locally but use an online back-up service to be properly safe

• Save your work in the Cloud and upload photos to online accounts like Flickr

• Use a spam- and virus-filtered email service.

• Take care when clicking on adverts; never open Twitter links or attachments from people you don't know or trust.

• Make sure your operating system is up-to-date with the latest security

• Install the latest versions of your internet browsers and update add-ons such as Java and Adobe Flash

• Get reputable anti-virus software and ensure you update it frequently

Following these simple guidelines should keep you safe from ransomware and save a lot of grief. And if you are in any doubt as to just how secure you are, why not take a few minutes to find out by taking our small business IT security health check?
