Q: My team has been dealing with a worst-case scenario. One of our customers was hit with CryptoWall 4.0, and their systems need to be restored. We’ve paid the ransom, and the ordeal is over, but none of us (my customer and my team) want to deal with this again. To avoid another ransomware attack, I want to find out exactly how the malware infiltrated their network. How can I pinpoint where the breach happened and protect my customer from another attack?
Another day in IT managed services means another day dealing with ransomware. CryptoWall has evolved over the years and continues to find new ways to infect systems and collect ransom from unsuspecting users. Unfortunately, small businesses aren’t familiar with the common methods CryptoWall used to infect networks, which leaves their businesses vulnerable to targeted attacks.
To answer your question, we talked with Paul Hanley, one of the support engineers at Intronis MSP Solutions, to find out how to pinpoint the infection vector and protect your customers from future ransomware attacks.
Here’s Paul’s advice on how to react immediately following the attack and how to prevent it from happening again.
Recovery steps to follow
The good news is that with enough time and effort you should be able to find out how the malware entered your customers’ network. Just follow these steps to uncover the infection vector:
1. Confiscate the workstation
At this point, you already know that a system on your customer’s network has been infected. In many cases, businesses find out they’ve been hit when a user self-reports suspicious activity on their workstation or they’ve seen the ransom note appear on their machine. Once this happens, hopefully the employee tells someone immediately, and that person tells you—their IT service provider.
To encourage this behavior, advise your customers to promote self-reporting and avoid making people feel like they’ll get in trouble for it. You want the employees to share any suspicious activity right away so you can shut down their system as quickly as possible. Once you’ve determined which machine is infected, you’ll want to confiscate that workstation from the employee.
2. Isolate the system from the network
Now that you have the workstation in your possession, you’ll want to isolate the system from the network. Perform a hard shut-down, remove the network cable, and stop the propagation of the infection. This will make sure that the infection will not spread across the customer’s network and protect your customer’s business from further infection and data loss.
3. Run forensics tests
Once the machine is isolated, set it up and take a look at the extent of the damage. You can check the logs or files using system check tools. Also, check the integrity of the drives themselves. You’ll likely need to replace the drive entirely depending on how badly it’s infected.
In my experience with our MSP Partners, some of them have the capability and resources on premise to run their own forensic tests. For example, the MSPs I speak with that specialize in security services often have their own malware expert on their team. Some of the smaller organizations I work with don’t have these resources, though, and would need to outsource this forensic work to a consulting firm. There are a number of consulting firms available to MSPs to help them run the forensics and find the infection vector.
4. Find the infection vector
The common ways CryptoWall infects a system is through a drive-by download, an infected email attachment, an infected online advertisement, a user error like clicking on an infected link or mistyping a URL and ending up on a phishing page, or an exploit kit (a collection of bugs and targeted attacks). It’s much more difficult to detect the infection vector with an exploit kit and would require extensive forensic work.
For example, if you think that a phishing email was to blame, it’s fairly easy to tell which Exchange mailbox it came into if you have your mail server on premise or Exchange. If the small business is running standalone Outlook, it will be much more difficult to find the infection vector.
Prevention steps to take
After you’ve dealt with the infection, follow these best practices to keep your customer protected:
1. Run a training session with the employees
I’m always advocating for user education. It’s a pivotal step in preventing another attack, whether or not you’ve determined that an employee let the malware into the network this time. Employees are often targeted by cybercriminals, so it’s best to provide them with all the information they need to avoid falling victim to a phishing attack.
Topics to cover in a training session include explaining what a phishing email looks like, the most common ways that malware can infiltrate a system, what they need to be on the lookout for, and the general rule of thumb to never click on a link they don’t know or download any attachments from email addresses they don’t recognize.
To show the added value of your managed services, you can also proactively update your customers about current malware threats. Alert them to the latest variants on the security landscape, share information about new malicious software, and regularly refresh them on the basics of cyber security.
2. Make sure your customer’s data is backed up
Hopefully you’re already backing up your customer’s data, but you should also make sure you’re taking advantage of incremental backups, which can help you recover a small business customer’s information much more quickly in a restore situation.
As a best practice, follow the 3-2-1 rule which suggests that you should back up three separate copies of the data to two different locations, one of which should be off-site. For example, you would have the original copy of the data, a copy stored locally, and another copy stored off site. This will ensure that you’re always able to recover at least one copy of the customer’s data if they’re hit by ransomware.
3. Install anti-spam software on all your customer’s machines
In my opinion, no business should be running without an anti-spam software on their systems. These anti-spam filters will catch most of the phishing emails entering your customer’s network.
If your small business customer is using Gmail for their web mail, Google provides a fantastic anti-spam. If your customer has an on-premise Exchange server, they’re less protected, so you’ll want to make sure that they have software running on their servers.
I recommend evaluating the different anti-spam software options available and finding the right one for your customer’s price point and needs. To make it easier, find a way to include anti-spam software in the suite of security services you’re offering your customers. This way you can rest assured that each of your customers is fully protected.
Following Paul’s advice, you can discover how the infection made its way into your customer’s network and introduce additional layers of security to protect their business. Recovering from a ransomware attack can be a stressful ordeal for your customer, but as their IT service provider you can help restore their data and operations and minimize the risk of an attack happening again.
Ask an MSP Expert is a weekly advice column answering common questions from MSPs and IT service providers. It covers topics ranging from pricing and selling to marketing and communications—and everything in between.