Technology Advisor Blog

You've Got Ransomware... Now What?

Posted by Ann Westerheim on 10/16/18 3:36 PM

If you're unfortunate enough to be the victim of a ransomware attack, there are basically only three options open to you. Ransomware is a type of computer virus that kidnaps your data and holds it hostage for money. It has become increasingly common, attacking governments and all manner of business and not-for-profit institutions. These are often automated attacks that are broadly distributed, so even if you're a small business you're still at risk. Too many small businesses think they're "under the radar" when in fact about half of ransomware attacks hit small businesses.
Why is ransomware so nasty? Because it steals the most important thing your business possesses: data. It's not about the value of your data to someone else, it's about the value of your data to you. Worse, once infected there generally isn't a way out. No one can "disinfect" your machine. You aren't going to be able to call in IT support to solve the problem. Basically, you have three options.
  1. Pay the ransom. This payment is usually via bitcoin (a digital currency). Some ransomware viruses even provide help lines if you're having trouble. Of course there are no guarantees you will get access to your data; these are thieves you're dealing with. We strongly advise against this unless there is no other option. Be sure to make a copy of all data before taking any recovery steps.
  2. Don't pay and lose your data. This has its obvious downsides, unless...
  3. You have a safe, clean backup. In that case, you are stuck with the nuisance of restoring your data from the backup, but you aren't out any money. However, this comes with a caveat: your backups have to be clean. The problem with ransomware viruses is that just making backups may not be sufficient to protect your data, because the backups can be infected too.
As you can see, the first two options aren't very favorable solutions. The only real defense against an attack is the third option. You have to be prepared ahead of time with a safe, segregated backup. Also, plan in advance so you know the difference between a recovery point objective (how much data you may lose) and a recovery time objective (how much time it will take to recover). Be sure to get the advice of a specialist on how to protect your data from this very serious threat to your business. Ask Ekaru about our down-time calculator!

Tags: cybersecurity, ransomware, cybersecurity, SMB

A Creepy Twist on Ransomware - Using your hacked passwords

Posted by Ann Westerheim on 7/19/18 10:21 AM

Recently there have been many reports on a clever twist on an old scam that's made more believable with your hacked password. The email purports to be from a hacker who has compromised your computer and recorded you watching porn, and who will release the recording to all your contacts if you don't pay the ransom (payable to a cryptocurrency account so it's not traceable).

The added twist is that the email opens with "I'm aware that <substitute password formerly used by recipient here> is your password".

Apparently the bad actors have run scripts to pull emails and passwords from the Dark Web from major breaches such as the LinkedIn breach not too long ago. In many cases, the recipients will note that the password hasn't been used in years, but it IS a password that they recognize, which still makes the threat very scary. It does not mean that anyone was actually on your system.

Whenever a major breach occurs, usernames and passwords wind up on the Dark Web and are bought and sold.  If you use Yahoo, EVERY credential has been breached, as an example.  LinkedIn and many popular sites have been hacked more than once in the past few years.

This underscores the importance of password management:  Use STRONG passwords, use DIFFERENT passwords for different sites, and CHANGE your passwords.  To help promote good password policies at your business, our recommended best practices include using a password manager and including Dark Web monitoring as part of your security policy.

For more detail, read the full article at Krebs on Security.

Tags: cybersecurity, ransomware, cybersecurity

Cybersecurity - What is the cost to Small Businesses? Another factor to think about related to Microsoft Security Patches...

Posted by Ann Westerheim on 5/14/18 10:55 AM

We've all seen the headlines of the major cybersecurity incidents: Target, Yahoo, Equifax, Sony, etc. Cybersecurity is a topic that affects everyone, and we view it as a public safety issue. With all the headlines over the past few years, at this point most people "get it" that cybersecurity is a big problem, but the education can't stop there.

Too many SMBs see the big companies listed in the headlines and think they're "under the radar" when it comes to cybersecurity, but half of all attacks hit small businesses. A big part of our mission at Ekaru is to bring enterprise class IT to small businesses, and security is a big part of it.

And there's more: the headlines tell just part of the story; it takes a little more digging to identify the real costs. As an example, the San Francisco metro system was hit by ransomware over a year ago. At the time, the network was held hostage for $73K. All ticket point-of-sale systems were rendered useless, so to keep people moving, free fares were offered for the busy holiday weekend. With an estimated 700,000+ rides per day at a fare of $1 to $2.25, the system lost between $1.3M and $3.3M. This figure covers lost revenue only, and doesn't include all the round-the-clock work to restore systems from backup.

The cost analysis doesn't stop there, though.  Last week Microsoft released a critical zero-day security alert.  As bad actors continue to find and exploit cyber vulnerabilities, the major tech vendors continue to update products to address the vulnerabilities.

In the case of security patches, these are actually required by law under the MA Data Security Law, HIPAA, and other industry-specific regulations:

"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information."

So here's the curve ball. The critical security patch released by Microsoft last week had a bug: systems that got the security patch lost their ability to connect to the network! This meant that these PCs became basically useless until the network connections were restored. This led to downtime at customer sites, and enormous efforts by IT support firms like Ekaru to restore connectivity for affected users. As we consider the overall cost of security, the downtime associated with failed security updates is also a major consideration.

To secure networks and comply with regulations, we rely on Microsoft to continually address security vulnerabilities with security patches.  With the complexity of modern computing systems we realize that things are changing all the time.  Going forward, more diligence by Microsoft in testing of security updates is needed - 2018 has gotten off to a rough start!  That said, our message to all SMBs is that the risk of not complying with security updates is far greater than the risk of the rare problem update. 

So we continue our message to all users that cybersecurity is a public safety issue and we're all in this together and we all need to do our part!


Tags: cybersecurity, ransomware, cybersecurity

Cybersecurity is a LOCAL issue - Massachusetts school district pays $10,000 ransom to unlock its files after cyber attack.

Posted by Ann Westerheim on 5/2/18 3:59 PM

This past week a Massachusetts school district paid a $10,000 ransom to unlock its files after a cyber attack. The Police Chief commented that there is no further investigation of this crime because solving this crime is "impossible". This is unfortunately a sign of the times.


At Ekaru, it's been our mission for years to SECURE and EDUCATE our small business clients.  All of us see headlines in the news when big companies get hit with a cyber attack,  and too often we think that's a problem that only happens to large well known companies  (Sears, Equifax, Sony, Target, etc). 

Today's modern threats are automated and indiscriminate.  ANYONE,  no matter how big or small can get hit with a cyber attack.  When an attack is local, it's a reminder that cybersecurity affects ALL of us, and this is a matter of public safety.

In the case of the school, it's unclear how the ransomware got onto the network, but one of the most common attack vectors is email, so it's vitally important to train employees. Clicking on phishing emails and using weak passwords are easy to fix with some security awareness education. In addition, it's clear that the school district didn't have a disaster recovery plan or even a robust backup if they had to pay the ransom.

We're working to spread the word that with some technology, process, and people fixes (training!), we can all greatly reduce the threat of cyber attacks.

Unfortunately, sometimes it takes a case close to home to remind us of how real these threats are.

To read the full article, go to

Tags: Cybersecurity, email scams, cybersecurity, ransomware, cybersecurity

Phishing:  Would your employees click on any of these emails?

Posted by Ann Westerheim on 3/15/18 2:02 PM

Everyone thinks they won't click on a phishing link, but when we run tests, there's always someone who does!

Phishing is the leading tactic used by today's ransomware hackers, typically delivered in the form of an email designed to impersonate a real system or organization.  Often created to deliver a sense of urgency and importance, the message within these emails often appears to be from the government or a major corporation and can include logos and branding.  They look like the real thing!

Would any of your employees click on these emails?

  • Tax Refund - Recipient is told they are due a tax refund and directed to a site to claim it.
  • Bank Account Low Balance - Recipient receives a low balance alert for their bank account and is given the option to check the account.
  • Amazon Security Alert - Alerts an Amazon customer that there were several unauthorized attempts to access their account from an unknown device.
  • DocuSign Signature Request - Recipient is sent a request to electronically sign a document.
  • Webinar Reminder - Recipient is sent an email reminder that the webinar will begin in 1 hour.
  • Netflix Account Reset - Recipient is told their Netflix password has been reset and asked to change their password.
  • IT Reset Password - Email sent from "IT" asking the recipient to reset their password.
  • eFax Email - eFax email with instructions to download the electronic fax.

These are all examples of typical phishing scenarios, and are actual emails we use as part of cybersecurity training. Everyone thinks they won't click on the link, but when we run training tests, there is always at least one person who clicks on the link.

In a test scenario, the user is just warned that they made a mistake and it's an educational moment. However, if the email were malicious, this could take down an entire organization with ransomware.

The concept of a "human firewall" is getting a lot of attention these days.  A network firewall, security patch updates, DNS protection, and all the technical layers of protection needed for responsible network protection are just part of the solution.  The behavior of all users on your network will also impact your security (and the bad actors know it!).  Don't forget employee security training as part of your overall cybersecurity strategy.

Tags: Microsoft Security Patches, cybersecurity, ransomware, training, HIPAA

Help! My Spam Filter is Blocking GOOD mail

Posted by Ann Westerheim on 6/13/17 9:32 AM

A robust spam filter is an essential part of any business cybersecurity plan. Almost 90% of all mail is spam, and a lot of spam contains viruses, such as the recent WannaCry ransomware attack. No spam filter is perfect, and in some cases mail you don't want gets through (false negatives) and mail you do want gets blocked (false positives).

As a general rule, business class spam filters will provide a daily (or more frequent) quarantine report so that you can check for any missing emails.  At that time, you have the option to "release" the message to your inbox, and also "allow" the sender to get through the next time.  

In a typical month, the spam filters we apply for customers stop over 1,000,000 messages, many of which are identified viruses. Email security screening is essential.

Recently, we've seen a major problem in that the mail processing from a widely used email security vendor resulted in large groups of mail wrongly blocked as spam on a global list.  This is the tech equivalent of falsely ending up on a "no fly list".  

This can happen because your security is working, albeit not perfectly. All processing is done with automated algorithms by machines (billions of emails around the world), so there is no fast way to clear this up. The false rating is reported, and then the security platform goes through a manual process to petition for removal from the list held by the reporting authority. This is an increasing problem with mail delivery, and one that unfortunately is highly disruptive to the users who follow the rules, because mail you want and NEED doesn't get to you.

We strongly advise against removing ANY security layers, even if at times they get in the way.  We are closely watching a recurring intermittent problem with one platform.  As of this moment, all customer email is flowing normally.

Tags: cybersecurity, ransomware

WannaCry Ransomware - 4 things you need to know

Posted by Ann Westerheim on 5/15/17 2:00 PM

A fast-moving ransomware variant, "WannaCry", has infected tens of thousands of computers in over 100 countries since Friday. The attack even caused Britain's NHS to cancel surgeries and chemotherapy sessions and left ambulance service in disarray.

Ransomware is a particularly bad type of virus that holds your data hostage. A message appears on the user's screen to inform them that they have been locked out of their files, and demands a ransom to recover the files. The United States Computer Emergency Response Team (US-CERT) issued a warning about the attack and discourages users from paying the ransom, as there is no guarantee that access will be restored.

We may be lucky this time around, since a lone British cybersecurity researcher fortuitously discovered a kill switch when he analyzed the code. This may have saved the world from an even more devastating attack.

What can you do to protect yourself and your network?

1.  Keep your security patches up to date.  If you're on a support plan with Ekaru, we actively test and deploy patches, and also actively monitor status.  PLEASE REBOOT SYSTEMS.  Many security patches are sequential and need reboots for the subsequent patches to install.  We can program scheduled reboots for you, but most users like to reboot at their convenience; either way, it needs to happen!  Never use software that is discontinued and no longer receiving security updates.

2.  Use Multiple Layers of security protection.  There is no such thing as 100% protection, but putting together multiple layers is like bulletproof glass.  Each layer alone (patches, antivirus, antimalware, firewall, etc) can't do it all, but TOGETHER, you have solid protection.  SMB budgets are tight, but this is an area where what you "save" will only cost you more if you ignore it.

3.  Make sure you have a reliable backup - "It won't happen to me" is NOT a viable strategy for protection.  All your important files need to be backed up with a business class backup.  Often users lose track of where they keep files.  Review your systems, and get serious about protection.  The money invested in a solid backup will seem like nothing when you're faced with having your files held hostage.

4.  For mission critical systems, engage a business continuity strategy.  Getting your files restored from backup can take considerable time.  With immediate failover, you'll reduce your downtime.  We advise all businesses to consider this BEFORE a crisis.  Ask us about our downtime cost calculator if you have concerns.

Bottom line:  These threats aren't new, and they are not going away!  As bad as these current threats are, at least when they hit the popular press, they get people's attention.   Hackers are using automated tools to initiate broad attacks, so no one can hide.  Stay alert and keep up to date!

Tags: cybersecurity, ransomware
