It’s a bit ironic that today is both the first day of National Cyber Security Awareness Month and the day I officially moved from the Windows Server for Small and Medium Business category (the old SBS category) to Enterprise Security in the Microsoft MVP program. I am increasingly concerned about the state of affairs in small business security. Even Microsoft doesn’t have an exact category for small business security, which often sees different issues than consumers and enterprises do. So while I’ll still be blogging about SBS and Essentials servers as usual, I’ll also be focusing on how to stay secure in a world where we increasingly rely on a single password, used over and over again on multiple web sites, to keep our data safe.
I’m concerned about the issues I’m seeing and the lack of awareness and bad choices we are making in the small business space. So while this blog was originally nicknamed the “SBSDiva blog” because I helped David Coursey with his SBS server and he used that nickname in his review of the product, consider it also a nickname for “Small Business Security Blog” now too.
At least once a week these days I am seeing a small business network or workstation nailed by CryptoLocker, a nasty virus that infects a machine, actively searches the network for “Everyone-full access” file shares, encrypts every file it can reach, and then demands a ransom. And don’t even think about paying the fee: you’ll end up a victim of identity theft as well. Your best post-infection remedy is a backup. Your best proactive protection is limiting the use of “Everyone-full access” shares, ensuring that all Java/Flash installs are patched and up to date, not relying on antivirus alone, and being EXTREMELY careful about what is opened as a file attachment.
I’ll be blogging this month about how to set up Software Restriction Policies, how to identify network shares with full access where you are at risk for this, and other tips, along with a post a day on the topic of security awareness.
Here’s a copy of a blurb that Amy Babinchak’s clients got from a LOB vendor as warning and prevention guidance:
“We have been notified that two of our existing customers have been infected by a specific breed of Ransomware known as CryptoLocker that has been making the rounds this month.

The malware uses social media or email as attack vectors, and users will see a message purported to be from FedEx, UPS, etc., with a tracking notice. The enticement for a user (especially a business who ships things using these carriers) is that it is legit and they open it. Boom. They are now infected.

This malware will look at the local and network drives and shares, and will ENCRYPT files matching a set of extensions for common business applications. This includes office applications (Excel, Word, WordPerfect) and databases like Access and FoxPro. Therefore (LOB app name) is directly affected and (LOB app2 name) is indirectly affected.

For (bizapp name) the damage is fatal to the indexes. The software ceases to function and no recovery short of a file restore is possible. The underlying images stored in TIFF are unaffected.

For (bizapp2 name) the internal data files are safe; however, Word-based documents, RTF files, and Excel spreadsheets will all get corrupted. The virus operates on file extensions, so typical WordPerfect non-extension files are probably safe, but WordPerfect forms with the .wpd extension will be corrupted/encrypted.

Corrective actions involve: (1) removal of the malware from all infected computers, and (2) restoration from a prior backup of all the files listed in the extension group listed here: *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

Here are two useful links that describe the malware in detail and provide IT departments with technical background for removal:
Emsis CryptoLocker Blog
Bleeping Computer CryptoLocker

It is also worth noting that this malware is sophisticated enough to understand and bypass current anti-virus and anti-malware software. So even if the user is using strong protection, that will not be enough.”
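Two of the points above go together: my own advice to hunt down “Everyone-full access” shares, and the vendor’s list of the file extensions CryptoLocker goes after. The PowerShell script below is an added example (mine for this post, not the vendor’s code and not a Microsoft tool) that inventories the disk shares on a file server, flags those whose NTFS permissions let Everyone write (the malware only needs write access to replace a file with its encrypted copy, so Modify is just as dangerous as Full Control), and counts how many files under each flagged share match the vendor’s extension list. It assumes an elevated PowerShell session on the server itself, an English-language Windows where the built-in group is displayed as “Everyone”, and it deliberately uses WMI plus Get-Acl so it also runs on Server 2008 R2 / SBS 2011, which lack the newer SmbShare module.

```powershell
# Added example (not from the original post or the quoted vendor notice).
# Flags non-administrative shares whose NTFS ACL gives Everyone a write right,
# then counts the files under each such share that match the extensions the
# vendor notice says CryptoLocker encrypts. Run elevated on the file server.

# Extension patterns copied verbatim from the vendor notice above.
$targetPatterns = @'
*.odt *.ods *.odp *.odm *.odc *.odb *.doc *.docx *.docm *.wps *.xls *.xlsx
*.xlsm *.xlsb *.xlk *.ppt *.pptx *.pptm *.mdb *.accdb *.pst *.dwg *.dxf *.dxg
*.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr ????????.jpg
????????.jpe img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr
*.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx
*.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c
'@ -split '\s+' | Where-Object { $_ }

# Any one of these rights is enough to overwrite an existing file in place.
$writeRights = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Write

# Type 0 = ordinary disk share; the trailing-$ filter drops C$, ADMIN$, IPC$.
$shares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }

$report = foreach ($share in $shares) {
    $acl = Get-Acl -Path $share.Path

    # Allow entries for the built-in Everyone group (assumption: English
    # display name) that carry at least one write-class right.
    $everyoneWrite = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    }
    if (-not $everyoneWrite) { continue }

    # Count files under the share whose name matches any target pattern.
    # -like understands the same * and ? wildcards the vendor list uses.
    $exposed = Get-ChildItem -Path $share.Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            $name = $_.Name
            ($targetPatterns | Where-Object { $name -like $_ } | Select-Object -First 1) -ne $null
        }

    [pscustomobject]@{
        Share         = $share.Name
        Path          = $share.Path
        EveryoneRight = ($everyoneWrite | ForEach-Object { $_.FileSystemRights }) -join ', '
        ExposedFiles  = @($exposed).Count
    }
}

if ($report) {
    $report | Sort-Object ExposedFiles -Descending | Format-Table -AutoSize
} else {
    'No non-administrative share grants Everyone write access at the NTFS level.'
}
```

The script looks at NTFS permissions rather than the share-level ACL on purpose: effective access over the network is the more restrictive of the two, and on 2008-era servers the share ACL is frequently “Everyone: Full Control” while the real gate is the folder ACL. A share that comes back with a non-zero ExposedFiles count is exactly the kind of target the vendor notice describes, and the fix is the one I outlined above: replace the Everyone entry with a group that actually needs write access, and make sure that folder is in the backup set.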
I’ll be in Southern California at the SMBTechFest to talk about CryptoLocker and other security issues in just a few short weeks so I hope to see you there.