In recent years a new term has entered the vocabulary of cybersecurity experts: Ransomware. Wikipedia says: “Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it.” This basically means a computer system is attacked, the user files are encrypted, and the user must pay a fee to regain access to their critical files. While there is a long history of minor attempts by hackers to create this type of malware, the best-known version is “Cryptolocker”, which was released in late 2013.
Most ransomware attacks were opportunistic and targeted at individual computers, but recently there has been a change in the threat landscape to target entire organizations. The ransom demands have also transitioned from the equivalent of a few hundred dollars for an individual to millions of dollars for an entire organization.
The impact of a successful ransomware attack is more extensive than just the cost of the ransom. Your organization can suffer lost productivity, inconvenience to your customers, decreased sales, and even the permanent loss of essential data.
Tips on preventing this type of infection in your organization:
- Planning – Aggressively patch all systems to prevent known vulnerabilities. All endpoints should also be protected with anti-malware and anti-virus software to automatically detect and respond to any infection attempts. This should also include user training to help users understand how infections are executed, what they can do to minimize the risk of attack, and who they should contact if they have concerns or questions. All user files should be backed up to another location that can’t be accessed by the malware. You want to minimize data loss in the event of a successful attack.
- Active Detection – You can minimize the damage from an attack if you are monitoring your enterprise systems and are alerted to the attack as quickly as possible. Threat intelligence software should be used to block suspicious software and alert you to a possible attack. This includes screening email attachments and embedded links, blocking access to known internet malware sites, and security rules that block folders commonly used by malware on endpoints, so that infections are spotted before the files are encrypted.
- Isolation – Even if malware slips through your defenses and an infection occurs on one device, you need to have procedures in place to isolate the infected system and limit the exposure of the remaining endpoints. To help prevent additional files on the network from being encrypted the infected device must be isolated from the network.
- Counterattack – During a ransomware incident, once it has been contained you must eradicate it by using effective counterattack procedures. First replace infected devices and format the compromised hard drives. If you have been effective at the previous steps, you can recover user files from your backups and nothing was lost on the device. By formatting the hard drives you make sure the infection is removed from the device, without the need to worry about residual or hidden files. If you have a network infection, the infection can be much more difficult to contain and cleanup will be much more time consuming. A good relationship with your anti-malware vendor is essential to make sure they help you with any possible infection, even one they haven’t seen before.
- Resolution – The best way to recover from an attack is having backups of all your important files. Once user systems have been cleaned and files have been restored, the last step is reviewing what went well and what still needs some more work. Was the infection caused by a user bypassing a security control? Was your anti-malware software ineffective? Are there required changes to your procedures or training that would have made your response faster or more effective?
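The Active Detection step above depends on noticing the encryption while it is still in progress. The script below is an added example written for this post, not code from the original article or from any product it mentions: it runs over a constructed sample of endpoint file-activity events and raises an alert on two behaviours that mass-encrypting malware exhibits and ordinary users do not, namely a burst of files on one host being renamed to an unknown extension, and any write to a planted decoy ("canary") file. The log format, host and user names, canary paths, extension allowlist and thresholds are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a small behaviour-based
ransomware detector that runs over endpoint file-activity events.

Signals it flags (both assumptions about what an environment would log):
  1. BURST  - one host+user renames BURST_COUNT or more files to an extension
              outside the allowlist inside WINDOW (mass-encryption pattern).
  2. CANARY - any write, rename or delete of a decoy file that legitimate
              users never touch.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Hypothetical decoy files planted on endpoints; any modification is an alert.
CANARY_PATHS = {
    r"C:\Users\Public\Documents\_canary_do_not_touch.docx",
    r"C:\Users\alice\Documents\_canary_do_not_touch.xlsx",
}

# Extensions that business files may legitimately be renamed to (assumed list).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}

# Burst threshold and window (assumed values; tune per environment).
BURST_COUNT = 5
WINDOW = timedelta(seconds=60)

# Constructed sample events in the form: timestamp host user action path
# (RENAME carries "old -> new"). Alice's activity is benign; bob's is not.
SAMPLE_EVENTS = r"""
2024-03-01T09:00:01 WS01 alice WRITE C:\Users\alice\Documents\report.docx
2024-03-01T09:00:05 WS01 alice RENAME C:\Users\alice\Documents\draft.txt -> C:\Users\alice\Documents\draft_final.txt
2024-03-01T09:00:09 WS01 alice RENAME C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.docx
2024-03-01T09:15:00 WS02 bob RENAME C:\Users\bob\Documents\q1.xlsx -> C:\Users\bob\Documents\q1.xlsx.locked
2024-03-01T09:15:01 WS02 bob RENAME C:\Users\bob\Documents\q2.xlsx -> C:\Users\bob\Documents\q2.xlsx.locked
2024-03-01T09:15:01 WS02 bob RENAME C:\Users\bob\Documents\plan.docx -> C:\Users\bob\Documents\plan.docx.locked
2024-03-01T09:15:02 WS02 bob WRITE C:\Users\Public\Documents\_canary_do_not_touch.docx
2024-03-01T09:15:02 WS02 bob RENAME C:\Users\bob\Documents\photo.jpg -> C:\Users\bob\Documents\photo.jpg.locked
2024-03-01T09:15:03 WS02 bob RENAME C:\Users\bob\Documents\budget.csv -> C:\Users\bob\Documents\budget.csv.locked
"""


def parse_event(line):
    """Parse one event line into a dict; return None for blank or malformed lines."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) != 5:
        return None
    ts, host, user, action, path = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "host": host, "user": user, "action": action.upper(), "path": path}


def extension_of(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def detect(lines):
    """Return alert strings, in order of occurrence, for the given event lines."""
    alerts = []
    recent = defaultdict(deque)  # (host, user) -> timestamps of suspicious renames
    burst_reported = set()       # report each host+user burst once
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["action"] == "RENAME":
            src, _, dst = ev["path"].partition(" -> ")
            old_ext, new_ext = extension_of(src), extension_of(dst)
            touched = {src, dst}
        else:
            src = dst = ev["path"]
            old_ext = new_ext = extension_of(dst)
            touched = {dst}
        # Signal 2: a canary file was modified by any destructive action.
        if touched & CANARY_PATHS and ev["action"] in {"WRITE", "RENAME", "DELETE"}:
            alerts.append(f"{ev['ts'].isoformat()} CANARY {ev['host']} {ev['user']} touched {src}")
        # Signal 1: extension changed to something outside the allowlist.
        if ev["action"] == "RENAME" and new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS:
            key = (ev["host"], ev["user"])
            window = recent[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:  # drop events older than WINDOW
                window.popleft()
            if len(window) >= BURST_COUNT and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(
                    f"{ev['ts'].isoformat()} BURST {ev['host']} {ev['user']} "
                    f"{len(window)} files renamed to '{new_ext}' within {int(WINDOW.total_seconds())}s"
                )
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The allowlist matters: alice renaming notes.txt to notes.docx changes the extension but is not counted, while five renames to an unknown extension by one account on one host within a minute trip the burst rule. In practice the alert would feed the isolation step, cutting that host off the network before the remaining shares are touched, and the thresholds would be tuned against a baseline of normal rename activity to keep false positives down.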
Never be satisfied with “good enough” security, and look for ways to improve your response times, better educate your users, and provide a safer overall environment for your business. Your level of success against a ransomware attack is largely dependent on you and how seriously you prepare for the possibility of a malware attack.