Why SMBs need a good disaster recovery plan in place

Graphic of a user engaging in a ransomware exchange
(Image credit: Bigstock)

"We think it's important to discuss cybersecurity for small and medium-sized businesses," said Eugene Kaspersky, welcoming guests to Malta. Yes, that Kaspersky of security vendor fame. While he wasn't actually in Malta, his words were plastered all over the hotel where assorted journalists, analysts and researchers were assembled to "save the world".

Speaking at the start of this cybersecurity conference, team director of Kaspersky Lab Research & Analysis, Marco Preuss, revealed that the company had stopped more than 80,000 ransomware threats for Android devices alone during the second quarter of 2016. Overall, across all platforms and devices, Kaspersky has seen ransomware attacks rise by 450%, from 131,000 in 2014/2015 to 718,000 in the same period during 2015/2016.

But as a small business, why should you care? Chances are that, as an individual, you have your photograph and music collections in air-gapped archives, or in the cloud, right? And your business does the same with mission-critical data, right?

So, let's look at the reasons why you should care. Number one is that you're getting overly confident. Sure, some kind of physical media away from your digital domain is a good idea, but cloud stores and NAS devices have been known to be caught by the more patient ransomware; these use clever crypto routines to scramble multiple layers of your backups before declaring their presence. But let's agree, on a personal level at least, that you're pretty much sorted; so why should your business care?

Simply because if you run a small business then you're in the crosshairs of an increasing number of ransomware players. Kaspersky Lab's IT Security Risks survey for 2016 claims that just over 40% of SMBs fell victim to ransomware in the past 12 months. Some 34% of those small businesses paid the ransom to regain access to their data and, most worryingly, 20% weren't able to recover the data even once the ransom was paid. While I'm surprised that so many would cough up in the first place, I'm less surprised about the one in five who found themselves up the creek anyway. I've seen some of the ransomware code and a lot of it is very poorly put together.

Here's the thing. An original piece of code is taken and then messed around with by people who don't really understand what they're doing, let alone how crypto works; what they understand is making money. That means creating variants by changing stuff, and more often than you might imagine, this also means messing things up.

In fact, that's a very common reason for the data being lost once the ransom has been paid. Most criminals are clever enough to understand that if they take the money and run, word will spread and nobody will pay up. During a recent trip to Helsinki with Finnish IT security outfit F-Secure, I saw examples of how some ransomware players have customer service and IT support in place that would shame many a legit company.

Anyway, the point is that as a small business you're a target and that's quite simply that. Year on year, again according to Kaspersky, ransomware attacks on business rose nearly six times over from 27,000 to 158,000. It's a clever play by the criminal enterprises behind the most organised of ransomware attacks, as a small business has valuable data it can't afford to be without, and has enough money to pay the ransom (if it's set correctly and usually it isn't stupid, greedy levels of money), but it doesn't have the resources to devote to dedicated IT departments, let alone IT security ones.

The average ransomware ransom, according to Kaspersky's Sergey Martsynkyan, was about $300 over the past 12 months. No surprise that a small business might consider paying up rather than risk losing data, and indeed facing the wrath of the Information Commissioner's Office if the Data Protection Act had been breached with customer information caught up in the process. Prevention remains better than cure, though, which means having good disaster-recovery plans in place whatever the size of your organisation. Having a backup strategy that actually works, by which I mean business-critical data archived to at least two places (one in the cloud and one off-site, detached from the network), should not be optional.
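One way to check that a backup "actually works" before you need it, added here as an example and not code from the article or from Kaspersky: a digest manifest written at backup time and kept with the detached copy lets you spot a backup layer that was silently scrambled, since encrypted data shows near-8-bit entropy where a spreadsheet or document does not. File names and contents are constructed.

```python
"""Backup-integrity check: detect backup copies that were scrambled
before the ransomware announced itself.  Added example; all names and
contents below are constructed."""
import hashlib
import math
import random
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 3-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record a digest of every file at backup time.  Keep this manifest
    with the detached (offline) copy, not next to the live data."""
    return {name: sha256(data) for name, data in files.items()}

def verify_backup(manifest, files, entropy_limit=7.5):
    """Compare a backup set against its manifest.  Returns name -> status."""
    report = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
        elif sha256(data) != expected:
            # Content changed after the manifest was written; near-8-bit
            # entropy is the signature of a file that has been encrypted.
            kind = "encrypted?" if shannon_entropy(data) > entropy_limit else "modified"
            report[name] = f"hash-mismatch ({kind})"
        else:
            report[name] = "ok"
    for name in files.keys() - manifest.keys():
        report[name] = "unexpected"  # file that was never in the manifest
    return report

# Constructed sample: a customer ledger, and the same ledger XORed with a
# pseudo-random keystream to stand in for an encrypted backup layer.
LEDGER = b"invoice,customer,amount\n" * 200
_rng = random.Random(2016)
SCRAMBLED = bytes(b ^ _rng.getrandbits(8) for b in LEDGER)
SNAPSHOT = {"ledger.csv": LEDGER, "notes.txt": b"call supplier Monday\n"}
MANIFEST = build_manifest(SNAPSHOT)
TAMPERED = {"ledger.csv": SCRAMBLED, "README.hta": b"pay us"}

if __name__ == "__main__":
    for name, status in verify_backup(MANIFEST, TAMPERED).items():
        print(f"{name}: {status}")
```

Running the manifest check as part of the restore drill, not just at backup time, is what turns "we have backups" into "we have a disaster-recovery plan".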

No More Ransom!

I'd further recommend every small business takes a look at the No More Ransom project (nomoreransom.org), which was put together in the summer of 2016. The founding partners of Europol's European Cybercrime Centre (EC3) and the Dutch National Police, along with Kaspersky Lab and Intel Security, have done a pretty good job, truth be told. Good enough for 13 other law-enforcement agencies, including the UK's National Crime Agency, to now be on board. It's a great example of how the IT security sector and law enforcement together can disrupt cybercrime. In the case of ransomware, the best way to disrupt the criminals is to take their ransoms away, so No More Ransom operates to help victims retrieve their data without paying a penny. It also recognises the power of education, informing end-users how ransomware works and how they can avoid becoming a victim.

Should you be unlucky enough to have fallen victim already, the project can help work out exactly which ransomware has hit you. It will reveal the actual crypto being used to lock up your data, and then determine whether a solution has been found that can be used to unlock it again. With law enforcement and private security vendors working closely together, captured servers can be turned over to the coding experts, who can then create decryption software to unlock the encrypted data. It's these tools that are then made available to users. Currently, there are just a handful of decryption tools available, but the number is growing and will continue to do so. Right now there are decrypting tools for Wildfire, Chimera, TeslaCrypt, Shade, CoinVault, Rannoh and Rakhni. The number of ransomware threats covered is greater, since some of these decryptors will work across multiple threats.

So, for example, the Rannoh decryptor will decrypt files that have been encrypted by Marsjoke (aka Polyglot), AutoIt, Fury, Crybola, Cryakl, CryptXXX 1 and 2, as well as Rannoh itself. In the first two months alone, the project helped 2,500 victims to unlock their data without paying a ransom. It's estimated that cybercriminals have been deprived of 625,000 as a direct result.

This article originally appeared in PC Pro. Image credit: Bigstock.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.