Ransomware defense is often an uncomfortable subject where enterprises must face some hard truths and new responsibilities. Nevertheless, it’s becoming increasingly necessary.
According to the FBI, there were an average of 4,000 ransomware attacks per day in 2016. This represents a 300% increase from 2015. Unfortunately, when we consider data breaches, we are usually talking about how organizations are prepared and will act during a breach, not whether a breach will occur. We see and hear about ransomware at an increased rate, most recently the Wannacry attack. Wannacry infected hundreds of thousands of computers in over 150 countries, from individuals to large organizations.
What Is Ransomware?
Ransomware is a type of malware that infects the victim’s computer, encrypts critical data files, and then demands the victim pay a ransom to decrypt everything. The message may say if the ransom is not paid in time, the files will be permanently encrypted or deleted. Organizations may consider just paying the ransom, deciding the payout is less costly than any preparations and downtime – similar to settling a lawsuit rather than going through a long and expensive court case. However, it is likely that once you agree to pay the ransom, the criminals will ask for more money. Also, an organization that pays will be known to the attackers, and at a higher probability to be targeted by them again. This is one area where you don’t want to assume your team is smarter or better prepared than your adversary. This is where ransomware defense comes in.
Ransomware Defense – Prevention & Preparation
Preparation and prevention can mean the difference between paying a ransom and thwarting an attacker’s efforts. Recognize that you will have some cost if a ransomware attack is successful. Either your organization can pay the ransom and hope it is not asked for additional money, or you will need to invest time and effort to restore and correct the environment, as well as address any effects of the outage caused by the attack. Prevention and preparation can minimize the costs and impacts.
Traditional ransomware defense, such as malware detection systems and backups, are good first steps, but they lack the complete protection needed. Attackers have evolved their methods to target not just production data, but to attempt to delete or encrypt backups as well.
Conduct employee training and development
This may be the best line of defense, but it is also the weakest link. Frequent training and communication on what to be aware of and how to handle email and files are critical. If we can just stop our people from clicking on unknown links, most of the attacks will stop. I understand this is hard because those cute puppy videos are almost impossible to resist, but it is necessary.
Establish file sharing protocols and limitations
This is a balance between security and efficiency. Consider policies about personal data and non-business data use. With cell phone usage, there is little reason for employees to use company equipment to view personal media or emails.
Use spam filters, firewalls, and file scanning
If you do not have these in place, and you do not consistently review them, your organization is vulnerable – even basic malware can enter your digital environment. Given the probability of a human error (to click on a link), the more access you can prevent, the less likely that “click” will occur.
Keep software and patches up to date
Microsoft released a security patch in February 2017 that corrected vulnerability to the Wannacry virus, and the attack occurred in May 2017. While patching can take time and effort, and is not without impacts, it is critical that you maintain your environments. Software providers expect this activity and if you expect support, you have to stay up to date.
Migrate from unsupported environments
Microsoft released a patch to the known vulnerability, but they did not release a patch for XP as they no longer support it. Even so, a significant number of systems continue to run XP. Any environment no longer supported, whether operating system or application, is a risk to your organization.
Not just any backup. Viruses have become more sophisticated. They can penetrate backups or replicated data through infected systems that have file access, rendering the backup useless. We recommend that you have backups that are located on different storage locations and are not connected to production environments. They may be slightly less current, but some data loss is better than complete data loss.
Testing the restore process of the backups
Almost all organizations can back up data. Fewer can actually restore data from a backup.
Capability to isolate infected devices quickly
Remove infected systems from the network to keep the virus from spreading.
Capability to segregate infected and non-infected devices
Access to a non-infected device may help you recover data and mitigate further damage.
Capability to shut down environments quickly
Do you have shutdown procedures for your applications and environments? This may be the best defense in preventing the spread of a virus. The longer systems are up, and potentially communicating, the faster malware can spread.
Data breach plan
We recommend you have a plan specifically tailored to data breaches. This includes internal and external communications, plans for team responses, and specific triggers so there is less to do ad hoc.
More than any other outage or crisis event, a data breach is the most likely to occur. It will occur in your organization at some point and at some level. The numbers cited above should make all of us at least a bit nervous. Performing a due diligence assessment is a good activity around your digital security even if you feel you are prepared and ready – it is essential if you are unsure or feel you are unprepared. Having a strong system of ransomware defense could be the critical difference-maker for your business one day.
See the U.S. Government resources below for additional ransomware defense information.