If you want to avoid the disruption of a cyber-attack, keep an up-to-date backup of your computer data on a separate system.
Many MTA members use SAM automotive workshop or dealer management software to support their businesses. Darryn Crothall (pictured below), general manager of TSI Group, which owns the SAM business, says anyone can be caught out – even his company.
Recently, a SAM staff member was using what appeared to be a legitimate cloud-hosted Excel viewer for Windows. He clicked Save and triggered the download of a malware programme designed to encrypt files and demand a ransom for their release.
“With our resources and many backups available, it meant only a little downtime, but it still caused us a few headaches because our technicians had to spend several hours cleaning this up.”
Darryn says most ransomware payloads are developed by Russian organised crime, which has top-level programmers working for it, and that, despite SAM’s problem coming from an infected website, most malware is delivered via email. TSI Group receives about 15,000 emails a day, of which about 12,500 are blocked as spam by special email filters.
“We obviously can’t block everything and a portion of what gets through contains malware, so all of our people have to be constantly vigilant.”
The aim is to trick people into clicking on a link that will deliver the payload, so these emails are increasingly clever. Some are designed to appear to come from your own company’s email domain.
“For instance, it might be addressed from ‘email@example.com’, or it’ll be designed to use a common name like ‘John@sam.co.nz’ that you might assume is someone new or who could actually be a genuine staff member. One click on the email and you’re done. Some will be triggered even if you just use the ‘reading pane’ to preview the email and don’t actually open it.”
Once the payload is downloaded, Word, Excel and sometimes other file types are encrypted, and then the user is directed to a website where they are asked to pay for a key to decrypt the files. “Often those decrypt keys don’t even work, and if you’ve given over your credit card number to pay up, who knows what that opens you up to.”
Darryn’s advice is to keep multiple current backups, and if you do get attacked, don’t pay the ransom.
He says about 15-20 MTA member SAM clients were infected with the same CryptoLocker ransomware at about the time his company was hit.
One was Magnum Compliance, which has four Christchurch workshops using Orion software and another in Dunedin that uses SAM software. General Manager Riley McCallum (photo below) said all the businesses use the same server, and in early April they were attacked.
“We thought we had good security. We had our records backed up on our server – but the ransomware encrypted that as well. We lost three and a half weeks of the Christchurch workshop’s work records and all of our Dunedin workshop information. We had to manually go through all the paper work and re-enter it all. It was a mammoth task, taking five of us all of April to complete. We couldn’t get our statements out for March in time and had a whole month with no money coming in. Luckily our creditors were so understanding.”
Riley says he isn’t sure how the ransomware got into the system, as no email goes into the server and no viruses were detected on the desktops, which connect to the server via a protected remote access system.
The ransomware demanded US$5,000 for the key to unlock the files.
“We’ve changed our security and now back up every two hours, not weekly, and all our backups are encrypted and hosted offline, not on the server.”
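The Magnum Compliance story shows the failure mode in one line: a backup that sits on the same server the ransomware can write to is encrypted along with everything else. The following is an added illustration, not code from the article, from SAM or from Magnum Compliance. It builds a small set of constructed sample files, takes two backups of them (one on the same server, one on a drive the server cannot reach), records a SHA-256 manifest for each, runs a harmless stand-in for the encryptor that scrambles and renames Word and Excel files, and then verifies both backup sets. All file names, contents and the XOR "encryption" are assumptions made for the demonstration; the point is the manifest check, which tells you before you need it whether a backup set is still restorable.

```python
"""Added example: an on-server backup dies with the server; a manifest
check detects an encrypted backup set. Not the page's or any vendor's code."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# The article says Word and Excel files were encrypted; this list is our assumption.
TARGET_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx"}
MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup members do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup(src: Path, dest: Path) -> dict:
    """Copy the tree at src to dest and record a SHA-256 per file.
    The manifest is returned as well as written, so a copy can be kept
    somewhere the server account cannot modify."""
    shutil.copytree(src, dest)
    manifest = {}
    for p in sorted(dest.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            manifest[str(p.relative_to(dest))] = sha256_file(p)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest: Path, manifest: Optional[dict] = None) -> list:
    """Return relative paths that are missing or whose hash no longer matches.
    An empty list means every file in the manifest is present and unchanged."""
    if manifest is None:
        manifest = json.loads((dest / MANIFEST).read_text())
    bad = []
    for rel, digest in manifest.items():
        p = dest / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def simulate_ransomware(root: Path, key: bytes) -> int:
    """Constructed stand-in for the encryptor, not a real sample: XOR every
    Word/Excel file under root with a short key and rename it *.locked.
    Like the real thing it touches everything writable under root, which is
    why a backup folder on the same server is hit too."""
    count = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_SUFFIXES:
                data = p.read_bytes()
                scrambled = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
                p.with_name(name + ".locked").write_bytes(scrambled)
                p.unlink()
                count += 1
    return count


def demo() -> dict:
    """Records plus two backups; after the simulated attack only the offline
    set verifies. Everything is built in a temporary directory and removed."""
    tmp = Path(tempfile.mkdtemp())
    try:
        server = tmp / "server"
        records = server / "records"
        records.mkdir(parents=True)
        # Constructed sample data standing in for job cards and statements.
        (records / "march_invoices.xlsx").write_bytes(b"invoice,total\nINV-1,420.00\n")
        (records / "job_cards.docx").write_bytes(b"Job 1: WOF and oil change\n")
        (records / "readme.txt").write_bytes(b"not an office file\n")

        on_server = write_backup(records, server / "backup")    # same server, same share
        offline = write_backup(records, tmp / "offline_drive")  # detached after the copy

        encrypted = simulate_ransomware(server, key=b"\x5a\xa5")

        return {
            "files_encrypted": encrypted,  # live records plus the on-server backup
            "on_server_backup_bad": verify_backup(server / "backup", on_server),
            "offline_backup_bad": verify_backup(tmp / "offline_drive", offline),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the demo reports four encrypted files (two live, two in the on-server backup), both office files flagged as missing from the on-server backup, and nothing flagged in the offline set. The manifest is only as trustworthy as its storage: keep the returned dictionary (or the manifest file) with the offline copy or on a write-once store, since an attacker who can rewrite the manifest alongside the files defeats the check.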
Apart from the huge amount of staff time taken to put things right, Magnum Compliance also faced a bill from their IT provider for the additional support they needed. This wasn’t covered by its insurance.