Due to an increase in the frequency and sophistication of an attack commonly referred to as Ransomware, and a recent alert released by the United States Computer Emergency Readiness Team (US-CERT) on behalf of the United States Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Center (CCIRC), NBT Bank would like to educate its customers on Ransomware, and provide guidance on how to prevent, detect, and respond to this threat.
If you have any questions, please contact NBT Bank at 1-800-NBT-Bank (628-2265).
What is Ransomware?
Ransomware phishing attacks begin when an individual clicks on a malicious link or attachment in an email, or an infected advertisement ("Malvertisement"). Malware is executed on the user's device and will 'lock' and render all of the files on the user's computer unusable through a process called encryption. The user will then be prompted to pay a ransom (Ransom + Malware = Ransomware) to obtain the key to unlock their files, otherwise known as the decryption key. In some instances, the Ransomware dialogue may indicate the user has done something illegal on their PC, and reference the police or other government agency. This is a scare tactic, and is used to create a sense of urgency in the user to pay the ransom.
Who is vulnerable?
Computer Users who have access to email or click on infected advertisements.
It is important to remember that Ransomware attacks can be perpetrated against anyone, and caution must be practiced at all times. There have been high-profile instances of Ransomware, such as a large medical center in Central California that paid $17,000 to hackers last month for the recovery of its data, and individuals have also reported paying as much as $500 to recover files on their personal computers. Malvertising has also been detected on popular news and sports websites.
How will you or your business be impacted?
If you fall victim to a successful Ransomware attack, the impact to individuals and businesses can reach far beyond removing the infection and recovering your files, and could also include:
- Temporary or permanent loss of sensitive or proprietary information. Your personal or business files could be temporarily inaccessible or even lost forever.
- Disruption to regular operations. In the time it takes to respond to the attack, your computer files and possibly the files on your network of computers will be inaccessible, leaving your business inoperable or significantly impaired.
- Financial losses incurred to restore systems and files. In order to fully respond to and recover from this threat, you may be required to invest significant resources in repairing and restoring your device or network, whether it be through the use of an internal or external IT Professional, or in extreme cases where a lack of preparation has left you with no other option to recover your files, paying the ransom.
- Potential harm to an organization's reputation. Your business may suffer reputational harm when current customers or prospective clients learn of the impact these attacks have had on your business operations and their personal information. Being prepared to appropriately prevent, detect, and respond to these events can help ensure a timely resumption of services and the protection of private customer information.
How to protect yourself: Prevent, Detect, Respond
Preventing Ransomware before it can be executed is the most effective way to guard against business interruption or financial loss. This may be accomplished in a variety of ways:
- Keep your anti-virus software active and up to date.
- Be suspicious of unsolicited emails. Avoid opening attachments and clicking on links in emails, especially if you're not expecting them. Avoid clicking on pop-up ads.
- Back up your files. Though creating a backup of your system will not prevent the execution of Ransomware, this preventative measure will allow for the recovery of data in an efficient and effective manner, without having to pay a ransom. In many instances, Ransomware attacks can target files backed up locally, or on the infected device, so it is important to back up your files using a cloud solution or removable hard drive.
- Enhance the security of your Microsoft Office components (Word, Excel, PowerPoint, etc.). Do this by opening the Microsoft Office Trust Center from the "File" tab of any open Office document and disabling macros, the programs that run automatically in Office products. Malware in attached Word or Excel documents will often be executed through the use of macros, and locking external content is a dependable technique to keep malicious code from being executed on the PC.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Some Ransomware may be executed by clicking infected ads on compromised websites, otherwise known as drive-by Ransomware or Malvertising. If you fall victim to drive-by Ransomware, or Ransomware gets through because of an error in prevention, use the following tips to detect the infection:
- Be wary of suspicious or unsolicited emails, especially those which contain attachments or links.
- If you open a file in an attachment and it seems to take a long time to load, or does not seem to load at all, malware may be running in the background on your computer.
- Pay attention to any other anomalies when using your device, such as your computer running differently than usual or, if it is on a network of computers, communicating in a way it typically does not.
Know what Ransomware looks like and how it works, and make sure to react quickly and rationally in any event in which you believe you may be a victim.
- Understand what Ransomware is by reading this and similar alerts, such as the one released by the United States Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Center (CCIRC), which can be found by typing the following link into your web browser: https://www.us-cert.gov/ncas/alerts/.
- Know what suspicious emails and advertisements look like and react by promptly deleting or avoiding them.
- If you suspect a virus like ransomware, shut down your computer and disconnect it from its network. Call an expert, whether that be an internal Information Technology team at your workplace, or a computer professional serving individuals.
- Paying the ransom is not recommended, and there is no guarantee the files will be decrypted upon paying the ransom. It is always recommended that victims work with an IT professional first before negotiating with the attackers.
- It is important to have your device inspected by IT Professionals. New variations of Ransomware can also infect your device or network with other types of malware such as Zeus malware, popularly known for stealing banking information. Minimally restoring access to your device or network provides no guarantee that the infection has been removed or that you are computing safely.
Subject: There is an outstanding obligation requiring your attention
Considering that we have not received the service termination request, I'm assuming that you might have accidentally missed this invoice 02/1600010290 (Past due). If you want to cancel the agreement, just let us know. Be informed that early withdrawal penalties will apply.
Refer to the enclosed document for billing information
= = = Sample Encryption Message = = =