
by Scott Jack
Content Contributor, E-N Computers
More than a decade of experience in technical support including end user support, mobile device management, application deployment, and documentation.
When John arrived at his office in Virginia on Wednesday morning, he was met with an alarming sight. His wrecking company, which generates roughly $1M in annual revenue with less than 10 employees, was in trouble. The files on his main computer, including inventory and sales data, had been encrypted by ransomware. With this computer out of commission, he wasn’t able to help customers.
Ransomware is malware that encrypts your data so that the attacker can demand a ransom payment for the decryption key. Ransomware operators target small businesses because they usually don’t invest in cybersecurity, making them easy targets. Even though the individual payout may be lower, there are plenty of potential victims.
In the United States, roughly one-third of small businesses are victims of ransomware each year. A single ransomware attack can cost a small business tens of thousands to hundreds of thousands of dollars in downtime and recovery costs. It’s estimated that about 60% of small business ransomware victims close within a year.
The best way to survive a ransomware attack is to practice good cybersecurity habits, have reliable backups, and develop an incident response plan. Otherwise, you can experience more widespread impact, lose your backups, and suffer from a longer recovery period.
John’s case was relatively mild, but we can use it to demonstrate some key points about preventing and responding to ransomware attacks.
QUICK ANSWER:
Why are small businesses frequently targeted by ransomware, and what are the key steps to prevent and respond to such attacks?
Small businesses are easy targets for ransomware due to their typically lower investment in cybersecurity; prevention involves good cybersecurity habits, reliable backups, and an incident response plan, while response includes immediate disconnection of infected systems, investigation, and, ideally, professional data recovery and system hardening.
Discovering the ransomware attack
As soon as John realized that his main computer, which doubled as the server for his inventory and sales software, had been encrypted by ransomware, he powered it off and unplugged it from the network to stop the malware from spreading. Then he called us for help getting back up and running.
Ransomware type
When our technician arrived, he began an investigation. Based on the ransom note and the file extension appended to the encrypted files, he determined that the ransomware was a LockBit variant. LockBit is a “dangerous and prolific” ransomware-as-a-service (RaaS) operation: its developers rent the malware to affiliates, which makes it possible for attackers with little technical skill to deploy sophisticated ransomware against many targets.
Point of entry
LockBit affiliates use several methods to gain initial access, including:
- phishing emails with malicious links
- unpatched software vulnerabilities
- brute force attacks on remote desktop connections
- weak credentials
In John’s case, any of the following could have given LockBit its way in:
- industry-specific software that the vendor installs with a local admin account protected by a common, weak password
- several VPN and remote access tools installed on the compromised computer, each one an additional way in
- no multi-factor authentication (MFA) on accounts
Scope of damage
Ransomware encrypted John’s main computer, so on-premises inventory and sales data was inaccessible. Local backups were on an external drive that stayed plugged into the main computer, so they were encrypted too: a backup that is always connected to the machine it protects is just another volume for ransomware to encrypt.
The ransomware did not spread to other computers on the network. The inventory software backs up to the cloud nightly, so inventory data was recoverable from there.
Ransom note
The ransom note did not name an amount to be paid. It provided contact methods including email and Tox messenger, a peer-to-peer, end-to-end encrypted messaging app. It also mocked the weak security of the infected system.
Response measures
John was right to disconnect the infected computer from the network immediately; that is what kept it from reaching the other machines. One caveat: pulling the network cable (or disabling Wi-Fi) is the essential step, while powering the machine off is a trade-off. A shutdown halts any encryption still in progress, but it also wipes volatile memory that an investigator could have used to identify the malware and, in some cases, recover encryption keys. If you can isolate a machine without shutting it down, prefer that.
The next step was for our technician to do an initial investigation. He ran two scanning tools, including the Avast Free Anti-Ransomware Protection and Removal Tool, and gathered the following key facts:
- LockBit variant
- only one computer affected
- local backups affected
- potential points of entry (listed above)
We also contacted the attackers to learn the ransom amount, which was in the range of $5,000–$10,000. (This is relatively low, likely because many companies in the same industry were hit in the same campaign.) To do this we installed Tox messenger in a sandboxed, throwaway Windows environment with no access to the business network, which limited the risk of temporarily running untrusted software.
Because the owner knew someone with the expertise and willingness to try to recover the data, a full copy of the encrypted hard drive was made and sent to him, so the original drive could be kept intact.
Based on what we had gathered, the next decision was how to proceed. In consultation with the owner, we focused on replacing the infected computer so he could resume operations. We provided and set up a new computer, and made sure the local admin account created by the inventory software vendor got a long, unique password.
However, the owner wasn’t ready to commit to fully securing his systems. So we focused on doing the minimal work needed to get him up and running.
Recovery and improving security posture
After finishing his own workday, John’s friend spent more than 12 hours overnight working to decrypt the drive copy he had been sent. He was ultimately successful, saving John thousands of dollars in data recovery fees.
Once operations are restored, the next job is improving your security posture: network monitoring, regular software updates, and user account security. In John’s case, we recommended measures like:
- Enabling multi-factor authentication on user accounts
- Installing only necessary software from trusted sources, and removing the rest
- Updating the firmware on network equipment
- Using the VPN feature built into his existing network equipment instead of third-party software VPN clients
- Using OneDrive as a basic cloud backup with version history (a synced folder is not an offline backup, since ransomware encrypts the synced copies too; recovery then relies on OneDrive’s version history and Files Restore, so an additional backup that is not always connected is still wise)
- Turning on Microsoft Defender Controlled Folder Access, which blocks applications that are not on an allow list from modifying files in protected folders
- Installing monitoring tools
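The Controlled Folder Access recommendation is the one most likely to break a line-of-business application if it is simply switched on, so it is worth seeing how it is staged. The following is an added example, not code from the article or from E-N Computers: it enables Controlled Folder Access on a single Windows machine in audit mode first, then enforces it. The folder and application paths are assumptions standing in for the inventory software and local backup target; substitute the real ones.

```powershell
# Added example (not from the original article): stage Microsoft Defender
# Controlled Folder Access on one Windows machine, audit mode first, then
# enforced. The paths below are assumptions for the sake of the example.
# Run from an elevated PowerShell prompt.

# Folders holding the business data ransomware would go after. The default
# set already covers Documents/Pictures/etc.; add application data here.
$ProtectedFolders = @(
    'C:\InventoryApp\Data',   # assumed location of the inventory database
    'D:\Backups'              # assumed local backup target
)

# Applications that legitimately write to those folders. Anything not on
# this list (including a ransomware binary) is blocked once enforced.
$AllowedApps = @(
    'C:\Program Files\InventoryVendor\InventoryServer.exe'  # assumed path
)

foreach ($f in $ProtectedFolders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $f
}
foreach ($a in $AllowedApps) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $a
}

# Step 1: audit mode. Nothing is blocked, but every write that *would* be
# blocked is logged as Event ID 1124. Run the business software normally
# for a few days and review these events before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Review what audit mode saw (1124 = audited; 1123 = blocked once enforced).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Step 2: once the allow list is complete, enforce it.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Verify the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Two practical notes: Controlled Folder Access only works while Microsoft Defender Antivirus is the active real-time scanner, so a third-party antivirus that puts Defender into passive mode silently disables it; and if the local backup folder is protected, the backup software itself must be on the allowed-applications list or its jobs will fail.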
Lessons learned
Recovering from a ransomware attack is typically expensive. According to PurpleSec, the average cost for small businesses to recover from a ransomware attack starts at $120,000. Companies with compliance requirements will also have legal and breach-notification expenses.
While John’s IT friend was willing and able to help recover the data, many companies don’t have that luxury. Attempting to decrypt data on your own can also make things worse: if you try, work only on a copy of the encrypted drive, because a botched attempt on the original can make it impossible for professional data recovery teams to decrypt your data.
There are other costs, like lost productivity and downtime. John’s business was down for a day while we investigated and got a replacement computer set up. But it took several more days for him to get his decrypted data back from his friend. Additional time and expense is required to properly secure his systems to prevent future intrusion.
Installing untrusted, unapproved software is risky: each application you install may have vulnerabilities that attackers can exploit, and remote access tools in particular are a favored entry point. Businesses that need VPN should use business-grade network equipment that offers this feature. Remote access tools should be kept to a minimum and properly secured with MFA.
Software that requires a local admin account is usually a sign of poor design and should be handled with care. Potential mitigations include isolating the software (Windows Sandbox is one option, though it discards all changes when closed, so it suits testing rather than a line-of-business server) or using a privileged access management solution such as AutoElevate. Every local admin password should be unique and sufficiently complex, never shared across machines or customers.
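The two lessons above, an accumulation of remote access software and a vendor-created local admin with a shared password, are both things you can audit on a single machine in a few minutes. The following is an added example, not code from the article or from E-N Computers: it lists installed software that looks like a remote-access or VPN tool, shows who is in the local Administrators group and how old each local password is, and can rotate a named local admin account to a unique random password. The tool-name pattern and the account name InventoryAdmin are assumptions for illustration.

```powershell
# Added example (not from the original article): audit remote-access/VPN
# software and local administrator accounts on one Windows machine, and
# optionally rotate the vendor's local admin password. The pattern list and
# the account name are assumptions. Run from an elevated PowerShell prompt.

# 1. Inventory installed software and flag anything that looks like a
#    remote-access or VPN tool. The pattern is illustrative, not exhaustive.
$RemoteAccessPattern = 'AnyDesk|TeamViewer|ScreenConnect|ConnectWise|Splashtop|LogMeIn|RustDesk|Atera|GoTo|VNC|OpenVPN|Hamachi|Radmin'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

$remoteTools = $installed | Where-Object { $_.DisplayName -match $RemoteAccessPattern }
"Remote-access/VPN software found: $(@($remoteTools).Count)"
$remoteTools | Format-Table -AutoSize

# 2. List members of the local Administrators group and, for local accounts,
#    when the password was last set. A password never changed since the
#    vendor installed the software is the one attackers already know.
$admins     = Get-LocalGroupMember -Group 'Administrators'
$localUsers = Get-LocalUser
$report = foreach ($m in $admins) {
    $name = ($m.Name -split '\\')[-1]
    $u = $localUsers | Where-Object { $_.Name -eq $name }
    [pscustomobject]@{
        Member          = $m.Name
        Source          = $m.PrincipalSource
        Enabled         = $(if ($u) { $u.Enabled } else { 'n/a' })
        PasswordLastSet = $(if ($u) { $u.PasswordLastSet } else { 'n/a' })
    }
}
$report | Format-Table -AutoSize

# 3. Generate a unique 24-character password from a CSPRNG (rejection
#    sampling avoids modulo bias) and assign it to the vendor's account.
function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous characters (0/O, 1/l/I) left out so it can be read back over the phone.
    $alphabet = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size below 256
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        do { $rng.GetBytes($buf) } while ($buf[0] -ge $limit)
        $alphabet[$buf[0] % $alphabet.Length]
    }
    -join $chars
}

$VendorAdmin = 'InventoryAdmin'   # assumed name of the vendor-created account
$Rotate      = $false             # set to $true to actually change it

if ($Rotate -and ($localUsers.Name -contains $VendorAdmin)) {
    $newPassword = New-RandomPassword
    Set-LocalUser -Name $VendorAdmin -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force)
    # Store $newPassword in the company password manager right away; it is
    # not written anywhere else. The vendor software's own config may need it.
    "Rotated password for $VendorAdmin"
}
```

Rotation is gated behind `$Rotate` so the audit half can be run safely first; before flipping it, confirm with the vendor where the application stores that credential, or the inventory software will stop working the moment the password changes. On domain-joined or Entra-joined machines, Windows LAPS does this rotation automatically and stores the password centrally, which is the better long-term answer than a script.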
Finally, as a proverb says, “prevention is better than cure.” Being proactive about your IT environment and cybersecurity prevents many problems. Not only will you avoid expensive security incidents, but you can make your business more resilient.
Are managed IT services a wise investment?
What we frequently see is that many small businesses don’t want to spend on IT; they see it as a cost center. But your business fundamentally relies on technology to make money, and refusing to invest in foundational IT infrastructure puts the integrity of your business at risk.
On the other hand, investing in your IT foundation can strengthen your business. Our fully managed services come with strategic planning sessions to make sure that your tech is working for you and is aligned with your business objectives. We keep things running smoothly day-to-day, but we also help you prepare for future expenses.
Take a look for yourself. Use our pricing calculator to see how much fully managed IT services would cost you each month. Compare that to the low-end figure of $120,000 for responding to one ransomware incident. And keep in mind the widely cited estimate that 60 percent of small businesses close within six months of a data breach.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.