A business is infected with ransomware every forty seconds. Forty seconds is approximately the time it will take to read this article.
Ransomware is a nasty form of malware that viciously and unapologetically infects your computers and servers. It can spread like wildfire across your network environment in a matter of seconds, leaving your prized data and files encrypted, inaccessible and held hostage until you pay the attacker a ransom of their choosing.
How can information be held hostage? By encrypting it. The ransomware will encrypt hard drives and files until a ransom is paid in exchange for the decryption key.
The ransom is arbitrary and defined by the hacker. The payment method is always a type of digital currency, such as Bitcoin, because digital currency allows the hacker to remain anonymous. Obtaining the digital currency to pay the ransom is not as easy as one would think. The buyer must have a digital wallet, must trust an untrustworthy transaction (there are no actual banks involved) and is subject to a very dynamic and unpredictable digital currency market. Ransom fees range from a few thousand dollars to a few hundred thousand dollars. Lastly, paying the ransom does not guarantee the hacker will actually provide the decryption key. Remember, this is a transaction with a criminal. In fact, the FBI officially recommends that ransoms not be paid to hackers, for a number of reasons. One, you may pay for a decryption key and never receive one in return. Two, if a decryption key is provided, it may or may not work. Three, once a hacker knows that you are willing to pay a ransom, they are likely to re-infect your computers and network again and again until the underlying technical vulnerabilities are actually remediated. Paying ransoms encourages more attacks and marks you as a prime target.
Unfortunately, the ransom itself is not the only expense associated with the attack. Many ransomware attacks lead to business-threatening downtime, and some even lead to total loss of data and/or hardware. The real expense, and the real pain, comes from the outage caused by the ransomware, the effort to eradicate the malicious code and then the work to recover system functionality.
To make matters more challenging, the vast majority of ransomware attacks are executed by highly sophisticated criminal organizations with the intent of financial gain. The attackers are smart and motivated. They are not launching ransomware attacks just for fun; it is big business, and business is booming. Year after year we see more variations of ransomware created, more infections occur and more ransoms get paid.
The threat and impact of ransomware infection are real, and there are essentially two things one can do to address them. The first is to put effective cyber-security controls in place to prevent the infection. The second is to be prepared to detect and recover from an infection.
Some specific steps one can take to address the threat of ransomware are as follows:
- Awareness Training – The vast majority of ransomware infections are the result of phishing scams. An unsuspecting user clicks on a link or opens an attachment and unknowingly downloads the malicious code. Security awareness training can teach people how to use technology in a secure fashion, thus preventing a huge source of malware and ransomware outbreaks.
- Vulnerability and Patch Management – Unpatched computers and systems are often the cause of ransomware infections. Routine vulnerability scanning should be used to detect Common Vulnerabilities and Exposures (CVEs). Scan results will identify systems and computers whose operating systems and applications need to be updated with current patches. Neglected systems are incredibly easy to compromise. Vulnerability scanning and system patching should occur on a regular basis because new vulnerabilities are discovered daily, and vendors release software patches weekly, if not immediately, to fix security flaws. It is important to implement a formal vulnerability and patch management program to keep systems current and secure.
- Anti-Virus / Anti-Malware – Anti-virus / anti-malware software provides critical protection against all types of malware, including ransomware. Not all ransomware will be detected by anti-virus software, but most of it will be detected and either quarantined or removed before it has a chance to do any material damage. It is imperative to install anti-virus software on all computers and servers. It is equally important to keep the anti-virus software current: the latest version of the software, with current signatures, should always be in production.
- Email & Web Content Filtering – Many email and web content filtering technologies have the ability to scan inbound transmissions to detect malicious code. Consequently, ransomware can be detected and quarantined before the end user accidentally clicks on a link, downloads a document or runs an executable containing malware.
- Secure Remote Access Technologies – Secure remote access technologies such as a Virtual Private Network (VPN) should be used to access an internal, or private, network from an external, or public, location. Insecure remote access technologies, such as Remote Desktop Protocol (RDP) exposed directly to the public internet, are routinely compromised, allowing ransomware attacks to succeed.
- Incident Response Plan – An incident response plan provides an organized approach to detecting, eradicating and recovering from cyber security incidents, including a ransomware outbreak. The plan offers structure and reassurance during the most chaotic and stressful situations. Creating an incident response plan is a fundamental component of being prepared to recover from a ransomware infection.
- Network Segmentation – Computer networks that are logically or physically segregated from each other are very useful in containing a ransomware outbreak. Assuming that all workstations reside on one logical network and all servers reside on a different network, if a PC is infected with ransomware, the infection will not spread to the servers, and vice versa. This makes recovery much more practical and achievable. If all assets reside on the same network, the likelihood of the ransomware infection spreading and encrypting everything is very high.
- Effective Data Backup Strategy – Reliable and current data backups allow one to recover from ransomware attacks by simply restoring systems, applications and files to a previous, non-infected state of operation. Backup jobs should be configured in accordance with system criticality, monitored for success and routinely tested for recovery assurance. It is also good practice to keep multiple copies of backup files stored on different types of media and in different locations, so that a single infection cannot reach every copy.
- Disaster Recovery Plan – A disaster recovery plan has several key components, one of the more important ones being a step-by-step recovery procedure. Reliable and current data backups are only useful if they can be used in a successful recovery effort. Be sure to document this procedure and test its effectiveness at least annually.
Ransomware is an incredibly popular, effective and profitable cybersecurity attack. It is a real menace. The good news is that the right prevention and recovery tactics will prepare anyone to address the threat of ransomware with confidence and success.