Malware is the generic term for all malicious software. It includes computer viruses, trojans, worms, spyware and Ransomware. The first virus was created in 1971; today over 300,000 new pieces of malware are released every single day. It's difficult to say how many active pieces of malware are out there, but at the end of 2016, leading multinational cybersecurity and anti-virus provider Kaspersky had over a billion "signatures" of malicious software in its database.
Keeping your anti-virus software up-to-date is crucial to staying ahead of malware, but with so many new threats released each day, the Victorian Government went as far as to say in its Cyber Incident Management Plan 2019 that for organisations "it's no longer a case of 'if' but 'when' a cyber incident will occur".
While most people learnt about a type of malware called Ransomware during the CryptoLocker and WannaCry "outbreaks" in 2013 and 2017, Ransomware has been around longer than the web itself.
The first known Ransomware was released and distributed worldwide on 20,000 floppy disks in 1989 by a researcher.
Ransomware works by silently infecting your desktop computer, server or laptop, where it assembles a list of files on your network and begins to encrypt (lock) them with a random key known only to the malware operator.
The malware takes your file contents, applies a complex mathematical formula to your data, scrambling the file contents so that the information inside is no longer understandable to you or your computer.
When the malware has finished encrypting (locking) your files, you will receive a message on your screen demanding that a "ransom" be paid in order to unscramble the files.
Ransomware is a big criminal enterprise, with payment required in Bitcoin, making it virtually untraceable.
The mathematical formula used by the encryption is reversible, but reversing it requires the "key", and the malware operators are the only people who have this key. These keys are usually unique for each computer that is encrypted, so using someone else's key will likely not work for you.
Modern malware uses military-grade encryption ciphers, so trying to decrypt your files by guessing or trying each possible key will take longer than your lifetime; even a key only 12 characters long would take a very fast computer 16,412 years to try every combination.
Ransomware can be spread via thumb drives, but is most commonly spread via the internet, either using email or websites. Some of the most effective malware was also spread to computers using what are known as "exploits".
An exploit takes advantage of a bug (a vulnerability) in the operating system software (e.g. Windows, Unix, macOS) that your computer runs. These vulnerabilities are often unknown to malware detection software (aka anti-virus) and even to the manufacturer of your computer's software. This is one of the reasons WannaCry was so effective: it took advantage of a vulnerability in the Microsoft Windows operating system that allowed the Ransomware to spread without any interaction from the user.
Obviously protecting yourself from a Ransomware attack is key, but in the dental industry, the very nature of the business is to share dental x-ray images and other information via email and websites - so not clicking links or opening email is just not an option for any modern dental practices.
You can educate your staff in how to look for suspicious emails, but Ransomware operators have become very smart of late and are using very well worded emails that aren't possible to detect by a human or a computer 100% of the time. Statistics show the frequency of these fake emails has increased 65% in the last year and most employees are fooled into clicking them about 12% of the time.
If you have had your computer files encrypted you really have three options:
1. Pay the ransom
Most Ransomware operators will honour their agreement and give you the key to unencrypt your files when you pay the ransom, but you are in their hands - you don't know when they will strike again and you don't know how much they will charge each time.
2. Break the encryption
The second option is really a last-ditch attempt to try a number of different tools that may or may not unlock your files. Some older Ransomware had its own bugs that could be exploited to recover your data - but nothing is guaranteed and the process of downloading random software that promises to fix your computer could have been how you got Ransomware in the first place!
3. Restore from a backup
Erasing your computer and restoring your files from a known "clean" backup is the best way to recover from a Ransomware attack, as you don't have to pay anything and your files come back quickly and easily.
But let's face it, backing up your company information isn't the most exciting thing to do and no one wants to come into the practice every Sunday and test your backups and restoration procedures to make sure they work. It's well known that if you're taking backups but not testing them regularly, you may as well not bother backing up at all.
There are many stories of companies that have taken backups regularly over the years without testing them and when a catastrophe occurred, they found that the backups were empty, corrupted or never actually completed.
When Ransomware strikes and you need those backups, it's too late to test the process. This is why you need to take regular backups and frequently test your ability to recover your system from them. You should know approximately how long it will take you to recover systems in the event of an emergency, so you know how long it will take your practice to get back up and running.
Regularly taking and testing backups isn't enough on its own, either. Modern Ransomware will actively try to seek out your backup systems on USB drives and over your practice network. Common backup systems such as Network Attached Storage (NAS), Google Drive, OneDrive and Dropbox are detectable by Ransomware, and the Ransomware will actively seek out these systems to encrypt your backups as well – rendering them useless as a recovery mechanism.
There are many cases where malware has been successful at encrypting backups and organisations have not been aware that this has happened until it is too late.
To protect your backups from encryption, you need several layers of defence.
Firstly, you need to keep your backups on a different network, preferably away from your practice where they can't be affected by fire or flood or Ransomware.
You also need a backup system that monitors for Ransomware activity, for example by testing that your backed-up files can still be opened correctly and are not encrypted. Your backup system should also be smart enough to detect changes to your backups that could indicate Ransomware activity, and action should be taken automatically at your cloud backup provider as soon as these indicators of compromise are detected.
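One way to implement the "can the files still be opened, and are they unencrypted" check described above, as an added example that is not part of the original article or of any particular backup product: each file's header is compared with the signature expected for its type, and when the header is wrong the content is tested for the near-random byte distribution that encryption produces. The list of file types, the 7.5 bits-per-byte entropy threshold and the sample file names are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Header signatures (offset, magic bytes) for file types a practice backup typically
# holds. DICOM x-ray files carry "DICM" after a 128-byte preamble.
MAGIC = {
    ".pdf": (0, b"%PDF"),
    ".jpg": (0, b"\xff\xd8\xff"),
    ".docx": (0, b"PK\x03\x04"),
    ".dcm": (128, b"DICM"),
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted data sits close to the 8.0 maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_file(name: str, data: bytes, threshold: float = 7.5) -> list:
    """Return findings that suggest this backup file has been encrypted."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        # Ransomware often appends its own extension, e.g. "xray.dcm.locked" (constructed)
        inner = os.path.splitext(os.path.splitext(name)[0])[1].lower()
        if inner not in MAGIC:
            return findings  # unknown type: nothing to compare against
        findings.append(f"unexpected extension {ext!r} appended to a {inner} file")
        ext = inner
    offset, sig = MAGIC[ext]
    if data[offset:offset + len(sig)] != sig:
        findings.append(f"header does not match the {ext} signature")
        # A broken header on near-random content is the classic sign of encryption. Entropy
        # alone is not enough: JPEG and DOCX are compressed and score high even when intact.
        if shannon_entropy(data[:4096]) > threshold:
            findings.append("content is high-entropy (looks encrypted)")
    return findings

def scan_backup(root: str) -> dict:
    """Walk a restored backup; map each suspicious file path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                findings = inspect_file(fn, fh.read(4096))
            if findings:
                report[path] = findings
    return report
```

Run `scan_backup` against a freshly restored copy of the backup, not the live share, so the check itself never touches production files.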
Remember - having a backup is a start, but if that backup is stored on your computer or is accessible from your home or company network - it can also be encrypted by the same Ransomware.
Real Ransomware case: Coogee Healthly Smiles
Coogee Healthly Smiles* had a very standard computer system setup. Like many other practices, they had a dedicated server, 2 reception computers, 3 PCs in surgeries and a sterilisation area PC. All computers were protected with a well-known brand of antivirus software; however, their backups were done using USB disks - 5 of them - one for each day of the week. The practice manager would always take the latest backup home with her.
Business was as usual; however, there was something sinister sitting in the background of the reception PC that no one was aware of. At some point a few days before, an email had arrived with a patient referral link, which they of course clicked on, as there was no reason to feel it was suspicious. The link didn't appear to work, so they carried on with other work.
At that moment, however, a type of Ransomware installed itself on the reception PC, bypassing the antivirus software. It initially sat dormant, silently scanning the network and looking for vulnerabilities, files and other information. Over the next few days, it proceeded to replicate itself to the server and most of the other computers. Whilst on the server, it encrypted every backup disk they used, and over the next 5 days all backup disks were encrypted. The practice manager, without any knowledge of this, was regularly replacing these disks, not knowing that none of them would ever work. Once there were no more backups to infect, the Ransomware encrypted (locked) all files on the server and several other workstations. This included the practice management software system, X-ray imaging, OPGs, emails, accounting data, documents, etc. Everything was lost forever.
This practice has never been able to recover.
* Practice name changed for privacy reasons.