The Threat of Ransomware

Ransomware is considered one of the most dangerous cyber-threats to businesses today. Businesses in virtually every industry have experienced a ransomware attack. The tactics, techniques and procedures of cyber-adversaries have become more complex, sophisticated and effective over the years. Ransomware has become big business for nation-state threat actors as well as for smaller, less coordinated cyber-thieves operating from within the dark web.

What is Ransomware?

Ransomware is a type of extortion attack that works by encrypting your data and holding it hostage until you pay the ransom. Typically, the attacker's code produces a pop-up message once you click, or hover your mouse over, the encrypted data. The message contains detailed instructions on how to pay the ransom and how much is demanded. Traditionally, payment is accepted in Bitcoin, a type of cryptocurrency. Nowadays ransomware uses other cryptocurrencies as well, as there are many to choose from. All cryptocurrencies have one thing in common: they provide anonymity to the recipient – that is, the cyber-thief who has encrypted your data with their algorithm. You must pay first, and the agreement is that they will then send you the private key that allows you to decrypt your data and get back in business.

Why has this type of attack become so successful?

The reason ransomware has been so successful is that, while it is not guaranteed, many cyber-extortionists do provide the secret decryption key upon successful payment. This makes the transaction resemble a reputable business deal: the attacker nets the money they are after and the victim organization regains access to its files. Many “officials” out there, including our government, as well as experts in the field, recommend not paying the ransom. However, the decision to pay or not to pay involves many variables. Much of it depends on how prepared the organization is to defend against a ransomware attack.

How to Prepare for a Ransomware Attack

The organization needs to be prepared for ransomware. Following the core principles of security incident response, it is imperative that organizations take steps to prepare for the possibility of ransomware. This includes ensuring that all data critical to your business is backed up routinely and periodically stored in an offsite backup, preferably one that is not continuously connected to the Internet. Once files are encrypted by ransomware, they can be restored from a known-good, clean backup, which allows the organization to avoid paying the ransom. Storing backups offsite also protects against the ransomware encrypting your good backups.

Security awareness training for staff is another preventative control for avoiding ransomware. All too often, ransomware is delivered to a computer through a phishing attack, where the employee clicks a link that downloads the ransomware payload, often undetected by the end user. Only later, when she attempts to access an important file, does she discover that the file has been encrypted and receive the pop-up message. Other attack vectors include browsing infected websites or downloading unknown applications or files from the Internet.

So, what if my computer and data have been encrypted with ransomware? What do I do then? Follow the phases of computer security incident response:

  1. Preparation.
  2. Identification.
  3. Containment.
  4. Eradication.
  5. Recovery.
  6. Lessons Learned.

Get Prepared

Things you can do TODAY to prepare for an attack:

  • Ensure security awareness training is in place and operating effectively.
  • Ensure critical data is being backed up with the ability to be restored. Test restorations regularly. Ensure backups are being stored offsite routinely.
  • Segment critical data and processes on the network to prevent ransomware from spreading.
  • Apply the principle of least privilege wherever possible – that is, no one has more permission than they need to do their job.
  • Ensure that email filters block dangerous file attachments, including EXE type files.
  • Institute proper vulnerability scanning and patch management.
  • Prohibit writing to removable media (thumb drives).
  • Disable inactive accounts.
  • Ensure Anti Malware is present and operating effectively. Routinely scan all computers for malware threats.
  • Consider purchasing a cybersecurity insurance policy.
  • Consider hiring an Incident Response organization on retainer.

Identify, Contain and Eradicate

For the investigation, containment and eradication steps, ensure the following:

  • Create an initial incident response ticket or record and assign it to a group tasked with collecting information about the attack.
  • Hire an outside service provider to conduct IR triage (if applicable).
  • Communicate with key stakeholders about the urgency and impact of the incident.
  • Determine if the data being held hostage is critical or valuable to the organization.
  • Scan affected computers with antivirus / antimalware.
  • Terminate malicious processes.
  • Disconnect affected computers from the network.
  • Lock affected user accounts and change the password(s).
  • Remove malicious emails from inboxes.
  • Block the sender’s email address.
  • Block malicious domains.

Recover

For the recovery phase and lessons learned phases:

  • Rebuild systems from known-good baseline images and restore clean data.
  • Document as much as possible about the attack.
    • Was the attack vector identified?
    • Which vulnerabilities were exploited?

All this information barely scratches the surface of what is involved in a real-world ransomware attack. It could turn out to be an event with very minimal impact, or it can cause the business to shut down and escalate into a full-blown crisis management and business continuity event. The best thing to do is to be prepared. For more advice on ransomware, please visit https://www.cisa.gov/stopransomware

Contact 2Bware today for tips and advice about how to get prepared. Often, developing a solid security awareness program is a crucial first step. It’s not too late until after ransomware strikes.