Ransomware: small biz clients getting hit?

#1
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
According to a NYT article today, ransomware is a Russian growth industry that has branched out in many directions from hitting large institutions. One of these is selling the tools and phishing content for any doofus to break into a typical small biz network. The ransomware groups provide full service: tools to break in, tech support, ransom negotiation services, cryptocurrency handling.

I haven't heard of any small biz around here getting hit. Yet.
 

#2
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
I am not at all surprised that the criminals have started targeting small business owners, because they don't have the IT infrastructure that large companies have. It is a numbers game, so if they target 1000 businesses and 1 pays them a ransom, it is a win for them. Plus, being in foreign countries without any extradition treaty, how could they lose? :twisted:

That is why I DO NOT ALLOW any remote access to my server. If I am at a different location, the data that I need goes with me on a 1GIG USB. All programs and data are backed up to an external HD every night.
 

#3
Posts:
2934
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
ATSMAN, your server and data remain exposed to ransomware and other malicious acts--simply being connected to the web creates the exposure.

The only real way to mitigate the threat as much as possible is to be very diligent in what websites you visit, files you open, and executable files you run. Same with training employees on what to look for, why something needs to be deemed suspicious, and how things may be malicious. Generally, it is an employee that is entirely too click-happy that allows ransomware to hit a network.

I maintain so many backups, I would simply wipe impacted devices and start from scratch if I were ever hit with ransomware. And if it were a type of ransomware that also hits the BIOS, I would replace the device or motherboard depending on type of computer.
 

#4
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
Agree with Cornerstone that remote access is not the usual entry point for ransomware. Though I did hear of someone who said they left TeamViewer enabled on a workstation during lunch, came back, and a stranger had somehow accessed it. I've used TV for years and never saw that. But a good idea not to keep remote access apps running in the background. Don't think you can disable Windows 10 Quick Assist.

Frequent offsite backups for sure. And real-time offsite backups if you can afford to. But that's not practical for every workstation. And ransomware hackers might wait a month before triggering a shutdown. So it might not be that easy to restore backups without reinfecting your system.
 

#5
Posts:
2934
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
True, but backups are the second best defense small businesses have against it, with the first best defense being educating yourself as the business owner and then in turn educating employees about what malicious activity may look like.

The web is one issue, but I have also seen companies configure their e-mails such that any incoming e-mails with attachments are held in a delivery queue until they can be scanned/reviewed by a person specifically tasked with protecting the network.

Updates are another critical issue, and it is not simply Windows. Any software or firmware updates that come out for network equipment need to be installed because they often contain patches for identified vulnerabilities. Maintain a separate guest WiFi network for employees, guests, and internet connected devices that have nothing to do with your work network, as they can often be an entry point for malicious people.
 

#6
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
ATSMAN, your server and data remains exposed to ransomware and other malicious acts--simply being connected to the web creates the exposure.

My server is never connected to the Web directly. Microsoft Edge is disabled. The only workstations (3) that can connect are via hardwired Ethernet (no WiFi allowed), and I have a software and hardware firewall. Only inside firewall addresses can connect.

When clients e-mail me files, they are scrubbed on a separate desktop connected to the internet BUT not connected to my internal network. Only scrubbed files are physically moved by a USB to the workstation for use in tax and accounting software.

I agree nothing is 100% foolproof, but so far this arrangement, though more work, has kept me safe. A couple of years back I had this arrangement reviewed by an IT professional and he agreed that it is a pretty good arrangement for a very very small office.
 

#7
Posts:
8292
Joined:
4-Mar-2018 9:03pm
Location:
The Office
I have gotten several phishing emails from the "blueyonder.co.uk" domain this year. Enough that I've set up rules that all email from that domain is to be marked as spam/phishing and sent directly to my spam folder. I did a little research a while ago and it appears a lot of old emails from that domain that are no longer being used have been compromised and commandeered by those with ill intent.

Spammers/hackers definitely target small business. Agree that we need to be really careful with the links we click and the files we download.
 

#8
Posts:
8292
Joined:
4-Mar-2018 9:03pm
Location:
The Office
And for those that don't have it yet: I think it's a no-brainer to have an internet/cyber policy as well as E&O. I first got one a year ago and just renewed for another year recently so it's fresh in my mind.

Data breaches / compromises can be very expensive.
 

#9
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
ManVsTax: surprised that the insurance co for the small CA police dept that got ransomed recently refused to pay ransom. No details of what the damage will be because a lot of confidential info has been released to the public that could place lives at risk.

ATSMAN, I assume you don't use any web-based cloud applications? Even though I still have a server and hardware firewall, Kaspersky runs on the server (like the idea of a Russian-based AV/anti-malware vendor), and Sophos and Malwarebytes on every workstation, very few of the apps I use run locally now. I'd think that puts the burden of protection against ransomware on the cloud app provider. Most of them have their staff workstations locked down so people can't bring in USBs or CDs, can't click on anything, etc.

I'm sure all of those real-time AV and anti-malware apps slow down processing and loading. Doubt those would protect against state-of-the-art malware, but wouldn't think ransomware hackers would waste their newest stuff on small biz.

Even run Sophos on my phones. Though that's probably akin to wearing a mask in a stiff breeze.
 

#10
migbike  
Posts:
42
Joined:
31-Mar-2017 5:38pm
Location:
FL
A CPA firm I worked for got hit with it 5 years ago, so it's not exactly a new phenomenon. They were able to restore everything from a nightly backup and only lost about a day's work, but it could have been much worse. About 100 billable hours out the window across all of the staff working that day.
 

#11
Posts:
2934
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
Make sure you follow the terms of the E&O policy and do not BS them on answers. When they ask about security policies, be honest or quickly implement the required changes. Same with data security plan.

It still is not much coverage relative to damage that could be done, but at least it is SOMETHING. Mine is through AON and I seem to recall them indicating they would typically not pay ransom, and also advised firms to never pay ransom because there is zero assurance you will actually recover any data.
 

#12
jon  
Posts:
1539
Joined:
3-May-2014 11:11am
Location:
minnesota
Hope we are flyover country? I think we can be had based on where they have previously roamed.
 

#13
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
Wouldn't you think these days the attackers would wait a few weeks after infection to trigger the ransom encryption event? That way the victim risks losing weeks' worth of files. But then maybe AV and anti-malware apps get updated to detect and remove the infection if attackers wait too long. I can see why banks etc. lock down users so they can only log on to certain sites and can't click to open anything.
 

#14
JAD  
Posts:
4080
Joined:
21-Apr-2014 8:58am
Location:
California
IT consultant told me that the insurance policies don't pay anything if you can't show that your system meets certain standards and is monitored constantly. I don't know if this is true - he sells monitoring services. Also, they don't pay the ransom, they assist with what you have to do to get back up, client notification, etc.

I have an online and offline computer. The offline computer only goes online when Lacerte makes me validate. That requires manually turning on the connection to "online". When I go online, the firewall (or something else, not sure) only allows the computer to go to Intuit and to Microsoft. In total, I think that computer is online for less than 1/2 hour per year.

Information could be corrupted by a file moved from online to offline via the USB drive, and that would be really bad, but I don't think the data could go out to any bad actors. I could be held hostage for locked up data, but not for the threat of data being disseminated.

If the destroying software was on the offline computer for a while before doing its destruction, I would have to hunt for the older backups. I would also potentially have to re-scan the 4 years of hard copy that I keep as a backup in case of a system failure.

I don't think this system could work at all in an office with multiple people, but I think it is as safe as I can possibly be.
 

#15
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
More than likely all the recent ransomware code was injected into the system via e-mail attachments. So it makes perfect sense to NOT download any e-mail to your main processing network. Download it on a separate computer that is NOT connected to your network and scrub all attachments, DISABLE any Excel or Word Macros etc.

I don't use any cloud-based application from any network workstation. My temps can NOT use my systems to do any personal business, and they cannot hook up their personal devices to my workstation USB ports.

During tax season we are extra vigilant almost to a fault :cry:
 

#16
JAD  
Posts:
4080
Joined:
21-Apr-2014 8:58am
Location:
California
What do you mean by "scrub all attachments"?
 

#17
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
JAD wrote: What do you mean by "scrub all attachments"?

Basically run all files and e-mail through Norton and Malwarebytes, and disable macros, on a separate computer NOT connected to your production network. The production network NEVER downloads anything until checked. I have used this method for a while and have caught some nasty trojan horses and questionable attachments. As an added protection I do NOT download any attachment from an unknown e-mail address to begin with. Though not 100% effective, it does prevent spammers from wasting my time.
 

#18
JAD  
Posts:
4080
Joined:
21-Apr-2014 8:58am
Location:
California
Thanks for the response. I am a technological dinosaur. How do you disable macros?
 

#19
Posts:
886
Joined:
26-Feb-2016 10:14pm
Location:
Oakland CA
Depends on your email client. In the Office 365 Outlook local client: File, Options, Trust Center, Trust Center Settings. You'll be able to disable or warn about opening macros there. I'm sure with a multi-user Office 365 license you can set that for all users and not let them change it.
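The Trust Center setting described above can also be checked and enforced from the command line. The PowerShell script below is an added example, not the poster's own procedure: it reads and writes the Office 2016/365 (version "16.0") VBA macro policy values that the Trust Center dialog cannot override, for Word, Excel and PowerPoint, under the current user's hive. The version string and the per-user (HKCU) scope are assumptions; an administrator would push the same values to every user via Group Policy.

```powershell
# Added example (not from the thread). Audits, and with -Enforce applies, the
# Office macro policy for the current user. Office reads these values from the
# Policies hive, so a user cannot undo them from File > Options > Trust Center.
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = signed macros only, 4 = disable all without notification
# blockcontentexecutionfrominternet: 1 = block macros in files downloaded
#              from the internet (Mark-of-the-Web), e.g. e-mail attachments
$OfficeVersion = '16.0'                   # assumption: Office 2016/2019/365
$Apps          = 'Word', 'Excel', 'PowerPoint'
$Desired       = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

function Get-PolicyKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

# Report the current value of each setting and whether it matches $Desired.
function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key     = Get-PolicyKey $app
        $current = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $current.VBAWarnings
            BlockInternet = $current.blockcontentexecutionfrominternet
            Compliant     = ($current.VBAWarnings -eq $Desired.VBAWarnings) -and
                            ($current.blockcontentexecutionfrominternet -eq
                             $Desired.blockcontentexecutionfrominternet)
        }
    }
}

# Create the policy keys if missing and write the desired DWORD values.
function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = Get-PolicyKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-MacroPolicy | Format-Table -AutoSize          # audit before any change
if ($args -contains '-Enforce') {
    Set-MacroPolicy
    Get-MacroPolicy | Format-Table -AutoSize      # confirm all rows Compliant
}
```

Run it once without arguments to see the current state, then with `-Enforce` to apply; Office applications must be restarted to pick up the new values.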
 

#20
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
Correct. There is no good reason for me to use any macros from a spreadsheet developed by my client to supply me with data. All I want is a flat spreadsheet with the data for the various categories that we agreed on, period. Same with Word documents.
 

