This is the first in a series of Technology Spotlight articles created with the help of our MSP partners. The series’ purpose is to educate our customers and partners about topics that they might find helpful.

Our first subject in the series is ransomware, which affects new businesses every day. We asked our friend and partner Michael Pfaff of Network Data Security Experts (NDSE) to share his insights on ransomware, and how your business can guard against its growing threat.


Loop: What are some problems you’re seeing more of these days?

Michael Pfaff: The most concerning things we’ve seen recently are the growing intrusion of malware into network infrastructure, as well as the growth and expansion of ransomware.

Things such as e-mail filtering are now almost a requirement. Formerly used to simply limit spam, e-mail filtering algorithms now need to be able to detect spam and malware, and find where an ill-intentioned e-mail is coming from.

We need to conduct deeper dives to prevent the expansion of ransomware. Here’s an example of a new variation of ransomware that has come out, which we’ve seen twice so far: It gets into systems, hops the mapped drives and takes over the encryption of the entire unit, just like any variation of malware. But, this one gets into a system through e-mails.

Loop: How does an e-mail with ransomware gain access to a company’s system?

Pfaff: By leveraging social engineering, it finds its way in faster through user initiation. You might get an e-mail that doesn’t appear threatening. But when you click on something in it, it pulls down ransomware that is set to wait for a period of time.

Loop: Why would it wait instead of working right away?

Pfaff: It could be a couple of days before the ransomware will initiate itself, waiting for a time period when the system is not being watched as much.

During a workday, people will see alerts, and there’s a faster response time to problems. But if the ransomware is brought in on a Thursday or Friday and has a go-live date of 48 hours, that means it will trigger over the weekend when most businesses are not operational.

Not everyone is staring at their screens all day to wait for issues, so these threats often find their way far into the infrastructure before being caught.

Loop: How does NDSE guard against ransomware?

Pfaff: At NDSE, we implement safeguards that stop ransomware dead in its tracks. We have a real-time, 24-7 operations center that monitors for this kind of thing to happen.

When we’ve come across this type of ransomware, we’ve been able to stop it immediately, with no data loss or destruction. It gets isolated so that it cannot execute or run again because we’ve seen the code of this particular variant of malware.

Businesses need to remember that just because nothing has happened up to this point, that doesn’t mean it’s not going to. It’s a lot like having insurance, which people buy just in case something happens. Businesses need to weigh which option is worse: paying for coverage and having protections in place before a threat strikes, or cleaning up the mess after it has already happened and risking downtime.

Loop: Is ransomware just a get-rich-quick scheme for hackers?

Pfaff: Not exactly. These hackers are generally not trying to get into a particular business to steal their money. The initial victims are not usually big enough companies with millions of dollars that these hackers would like to siphon off. They want to leverage small- to mid-sized firms that are conducting business with many other businesses. They want your customers’ data more than yours.

Loop: Can you give us an example of a case you’ve encountered?

Pfaff: One customer had ransomware come in via e-mail. The e-mail contained an attachment that seemed to be a common document, and the user opened it. The user saw a blank page with nothing on it, thought it looked strange, closed it and moved on.

In the background, a download was initiated through a macro, something you can’t see that was embedded in the attached document. It started to pull the infection down to the back end of the workstation. As soon as it found a home on that machine, the timer started.

The infection didn’t launch until Saturday at approximately 5 p.m. The business in question is a manufacturing facility that stopped all operations at 2 p.m. on Saturday, and wouldn’t resume activity until Monday at 5 a.m.

Our antivirus product noticed the problem, and started sending alerts. Meanwhile, the advanced security agent installed on the infected workstation ran through the process of looking for user analysis, machine analysis and machine behavior.

As soon as the agent started finding something resembling abnormal operation of this particular machine and/or user, it immediately isolated the machine from the infrastructure, while still allowing remote access to the machine.

So, even though the encryption infected the workstation, the machine was quarantined from the rest of the network. Thankfully, the data was stored outside of that machine on mapped drives and shared resources, and nothing was lost.

The end result was positive. We got notified, took action to mitigate the issue, and experienced no downtime. Had our safeguards not been in place, the entire infrastructure could have been encrypted, thereby being held for ransom.

Loop: What would the next step have been then?

Michael Pfaff of Network Data Security Experts

Pfaff: If things had gone that far, the only options would have been to restore data from backup – which is the only good option – or pay for the ransom, which is not recommended. If you pay, you hope to get encryption keys that actually work.

But again, the payment is more of a distraction. While you’re figuring out how to make the payment (usually via bitcoin), the hackers are siphoning copies of your databases, giving them thousands of new victims to pursue. They’re looking for ways into bigger, more lucrative targets.

It’s important for businesses to remember that it’s not just your data that you’re protecting: It’s your customers’ data. Everyone that you’ve engaged with has some piece of data within your infrastructure. That’s the true risk.

Loop: Can you get into detail about how NDSE combats malware and ransomware?

Pfaff: NDSE employs multiple layers of prevention. It starts with stronger filtering for incoming e-mails, which are all being watched. Firewalls have malware protection scanning on the edge, preventing access to sites that could have malware.

Our e-mail filtering obviously goes beyond spam. It filters for malware, and for signatures of macros that could be malware embedded into e-mail attachments.

Antivirus agents run live on every workstation, and monitor web browsing, using known sites at the machine level.

We use DNS protection on a large scale, so that all internet requests are filtered, thereby allowing a whitelist/blacklist grouping of malicious locations.

The biggest thing we have is – as noted in the example above – an advanced security agent that sits on each machine, monitoring user behavior analysis and machine behavior analysis, looking for standard ways that machine and user work together.

What is normal operation of the software for that user? The agent categorizes it, knowing exactly the way the user and the workstation should behave. Anything outside of that is considered abnormal – and a potential threat – so the agent immediately takes action to isolate the machine. Doing that stops ransomware, along with the spreading of any virus or malicious attack.

Loop: What can individual users do to help?

Pfaff: Users need to be alert to what is presented to them, and what they’re accessing. They can’t be what we call “blind users,” who are so active and busy that they don’t take the extra second or two to take a look at what an e-mail is.

Be cautious about your online activity. You’re using a company’s resource to conduct business, so don’t carry out personal business with it. If you do, you’re asking for trouble, because you’re not just risking your employer’s business. Anybody from anywhere can now access data you’ve seen via the company’s infrastructure.

Stay vigilant about what you click on. If it looks suspicious, don’t click on it. If an e-mail doesn’t make any sense to you, the best thing to do is to delete it, and ask for assistance. No supervisor or CEO will get mad if you delete an e-mail because you see it as unsafe. We have environments in which we can open any e-mail and not be at risk.

We’re all very busy, but the less we pay attention to what we’re doing because of that, the more risk we invite.
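The interview describes two of the safeguards in general terms: an e-mail filter that looks for macros embedded in attached documents, and the case where a user opened a "blank" document whose hidden macro started a download. The following is an added example, not NDSE's code or product logic, showing the simplest form of that attachment check: modern Office files (.docx/.docm and friends) are zip packages, and the VBA code lives in a well-known part (`word/vbaProject.bin`) that the package manifest also declares. The function names (`find_macro_parts`, `verdict`, `build_sample_package`) are illustrative, and the sample package built in memory is constructed test data, not a real Office document.

```python
"""Added example: flag e-mail attachments that carry Office (VBA) macros.

Illustrates the attachment-filtering idea from the interview; not NDSE's
code. Uses only the Python standard library so it runs offline.
"""
import io
import zipfile

# Zip entry names that hold VBA code inside an OOXML package (docm/xlsm/pptm).
MACRO_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")
# Content type the package manifest uses to declare the VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions Office itself uses when it saves a macro-enabled document.
MACRO_EXTENSIONS = ("docm", "dotm", "xlsm", "xltm", "pptm", "potm")


def find_macro_parts(data: bytes) -> list:
    """Return the zip entry names that carry VBA code in an OOXML package.

    Returns [] for packages without macros and for non-zip input (legacy
    binary .doc/.xls files, PDFs). A production filter would route non-zip
    Office files to an OLE-aware scanner rather than treating them as clean.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    with zf:
        names = zf.namelist()
        hits = [n for n in names if n.lower().endswith(MACRO_PART_SUFFIXES)]
        # Also consult the manifest, so a renamed VBA part that the package
        # still declares as a vbaProject does not slip past the name check.
        if not hits and "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in manifest:
                hits.append("[Content_Types].xml")
        return hits


def verdict(filename: str, data: bytes) -> str:
    """Filtering decision for one attachment.

    'deliver'                     no macro code found
    'quarantine-macro'            macro-enabled document, hold for review
    'quarantine-macro-disguised'  macros inside a file named with a
                                  non-macro extension (e.g. .docx); Office
                                  would not normally save it that way
    """
    if not find_macro_parts(data):
        return "deliver"
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "quarantine-macro"
    return "quarantine-macro-disguised"


def build_sample_package(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip in memory (constructed test data).

    Only the parts the detector looks at are included; the 'VBA' payload is an
    inert placeholder, not real macro code.
    """
    manifest = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
    ]
    if with_macro:
        manifest.append(
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    manifest.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")  # visually empty page
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder-not-real-vba")
    return buf.getvalue()


if __name__ == "__main__":
    for name, flag in (("quote.docx", False), ("quote.docm", True), ("quote.docx", True)):
        print(name, "->", verdict(name, build_sample_package(flag)))
```

The "disguised" verdict is the one worth routing to a human: a document that renders as a blank page, as in the case described above, yet carries a VBA project under a plain .docx name is exactly the kind of attachment a signature-only spam filter passes through. Real filters add OLE parsing for legacy binary formats and inspect the macro code itself; this example stops at the structural check.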


Do you have any questions about ransomware, business phone systems or another idea for a topic you’d like us to cover? Contact us now!