Please take the time to read this post. It could save your business a lot of money and heartache!
YESTERDAY (the 7th of April 2016) a client was hit with a new variant of ransomware (malware that encrypts all your files and holds them to ransom). I’ve spent the last 24 hours scouring through their log files trying to ascertain how the infection occurred – suspecting that it was either via email or a compromised web page.
FINALLY, I discovered that this new variant entered the network via Remote Desktop Protocol (RDP). RDP is the technology typically used to remote into a Windows server or desktop.
This client’s router had been configured to allow remote access to each of their staff to dial into their own desktop from home (or remote locations). It appears that the malware exploited the RDP connection of each computer that was left on overnight and once the attackers had gained access to the computer, they began to encrypt all the files on the computer – and any mapped drives. The malware even deleted Microsoft Office and other common business software.
Luckily, the client uses our Back-Up + Disaster Recovery [BUDR] solution, and it was a trivial matter to recover their data – however, due to the damage done to the computers, we are now going through the laborious task of formatting and re-configuring three computers from scratch, which will leave those staff unable to work for a couple of hours.
The reason I am bringing your attention to this is because I know MANY businesses have their IT guys set up their computers so they can dial in remotely. If you are doing this and you’re not using a VPN or SSLVPN to connect to your company, you are very likely to be hit by the same malware this client was hit with.
If you are doing this, contact your IT guy TODAY and talk to them about blocking remote access IMMEDIATELY unless it is via a secure VPN. If you have a Remote Desktop Server that is publicly accessible, shut down remote access and implement a VPN immediately. The time to rebuild a Remote Desktop Server could be a few days if it is compromised, and that’s not taking into consideration the risk of data loss (you check your backups, right?).
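To show what the log review described above looks like in practice, here is a small Python script I have added to this post (it is not code from Insane Technologies or from the affected client). It reads Windows Security logon events, counts failed network logons (event 4625) per source address, and flags any address that racks up repeated failures, marking it as a likely compromise if the same address then logs on successfully (event 4624). The log lines are constructed, simplified renderings of the real events, the field names (EventID, LogonType, TargetUser, SourceIP) are my own, and the failure threshold is an assumption you would tune for your network.

```python
"""Flag RDP password guessing in (simplified) Windows Security logon events.

Added example for this post; not code from Insane Technologies. The log lines
below are constructed. Real events are stored as EVTX/XML; the one-line
rendering and its field names are assumptions chosen for readability.
"""
import re
from collections import defaultdict

# Logon types that arrive over the network. 3 = Network (an RDP client using
# Network Level Authentication authenticates this way first), 10 = RemoteInteractive
# (an RDP session). Console logons (type 2) are ignored.
NETWORK_LOGON_TYPES = {"3", "10"}
FAILURE_THRESHOLD = 5  # assumption: this many failures from one address is worth a look

# Constructed sample: simplified renderings of Windows Security events
# 4625 (logon failed) and 4624 (logon succeeded), in chronological order.
SAMPLE_LOG = """\
2016-04-06 23:02:11 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2016-04-06 23:02:14 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2016-04-06 23:02:17 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2016-04-06 23:02:20 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2016-04-06 23:02:23 EventID=4625 LogonType=10 TargetUser=reception SourceIP=203.0.113.45
2016-04-06 23:02:26 EventID=4625 LogonType=10 TargetUser=reception SourceIP=203.0.113.45
2016-04-06 23:02:29 EventID=4625 LogonType=10 TargetUser=reception SourceIP=203.0.113.45
2016-04-06 23:02:32 EventID=4624 LogonType=10 TargetUser=reception SourceIP=203.0.113.45
2016-04-06 23:15:02 EventID=4625 LogonType=3 TargetUser=sales SourceIP=198.51.100.9
2016-04-06 23:15:40 EventID=4625 LogonType=3 TargetUser=sales SourceIP=198.51.100.9
2016-04-07 07:58:10 EventID=4624 LogonType=10 TargetUser=sales SourceIP=192.168.1.20
2016-04-07 08:01:44 EventID=4624 LogonType=2 TargetUser=reception SourceIP=-
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<source_ip>\S+)$"
)


def parse_events(text):
    """Parse the simplified log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_password_guessing(events, threshold=FAILURE_THRESHOLD):
    """Return, per source address, the network logon failures at or above `threshold`.

    `success_after_failures` is True when the same address later logged on
    successfully, the pattern left behind when a guessed password is used.
    Events are assumed to be in chronological order.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for ev in events:
        if ev["logon_type"] not in NETWORK_LOGON_TYPES:
            continue
        entry = stats[ev["source_ip"]]
        if ev["event_id"] == "4625":
            entry["failures"] += 1
            entry["users"].add(ev["user"])
        elif ev["event_id"] == "4624" and entry["failures"] > 0:
            entry["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, s in detect_password_guessing(parse_events(SAMPLE_LOG)).items():
        verdict = "LIKELY COMPROMISE" if s["success_after_failures"] else "password guessing"
        print(f"{ip}: {s['failures']} failures against {sorted(s['users'])} -> {verdict}")
```

On a real machine the same events come from the Security log (for example via PowerShell's Get-WinEvent filtered on IDs 4625 and 4624) and would need to be flattened into this one-line shape first. The point to notice in the sample is the shape of the activity, not the addresses: a single outside address trying several account names in quick succession and then succeeding is exactly what an exposed RDP port invites, and it is the pattern a VPN in front of RDP removes from the Internet's reach.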
If you are UNSURE if you are doing this, get someone in to check (us perhaps?!). I would hate to see another business go through this trauma. Thankfully this client was doing an office move and we knew their backup was working, so we just continued with the office move and then began the cleanup at the other end whilst they continued to roll furniture in – so the only downtime will now be that of those whose computers were attacked.
If you want to know more about this, please reach out to Insane Technologies on: (07) 5539-6116
PS: If you know someone who would like to opt in for security tips and download a free report we’ve recently published on protecting yourself from cybercrime, forward this link to them: https://www.insane.net.au/cybersecuritytips/