If you’ve been listening to the news at all the past couple of weeks, you have undoubtedly heard of a number of companies being affected by ransomware. The recent surge in this form of cyber attack has many organizations and users understandably concerned. And you should be. Ransomware is nasty stuff. But with some careful preparation, you can significantly lower your risk of being infected, and reduce the impact on you or your organization should you get hit.
Ransomware is a form of malware that infects devices, networks, and data centers and prevents them from being used until the user or organization pays a ransom to have the system unlocked. Ransomware has been around since at least 1989, when the “PC Cyborg” trojan encrypted file names on a hard drive and insisted users pay $189 to have them unlocked. In the interim, ransomware attacks have become increasingly sophisticated, targeted, and lucrative.
The impact of ransomware is difficult to calculate, since many organizations opt to simply pay to have their files unlocked – an approach that doesn’t always work. But a report on the Cryptowall v3 ransomware campaign, issued in October of 2015 by the Cyber Threat Alliance, estimated that the cost of that single attack was US $325 million. (You can read the full report here)
Ransomware generally works in one of several ways. Crypto Ransomware can infect an operating system so that a device is unable to boot up. Other ransomware will encrypt a drive or a set of files or file names. Some malicious versions have a timer and begin deleting files until a ransom has been paid. All demand that a ransom be paid in order to unlock or release the blocked or encrypted system, files, or data.
On March 31, 2016, the U.S. Cyber Emergency Response Team and the Canadian Cyber Incident Response Centre issued a joint warning about Ransomware following several high-profile infections at hospitals. (see https://www.us-cert.gov/ncas/alerts/TA16-091A)
According to this alert, infected users often get a message displayed to their device’s screen saying something like:
In some circumstances, this warning is displayed with embarrassing or pornographic images in order to motivate the user to get it off their system as fast as possible. But in every situation, systems are taken offline, critical data becomes unavailable, productivity is halted, and business operations are harmed.
Ransomware can be delivered in a number of ways, but the most common is as an infected file attached to an email. For example, today I received an email claiming to be from my bank. It had the right logo, links to real bank URLs, and my name. The body of the message explained that they had detected suspicious activity on my account, and that I needed to install an attached file in order to verify my credentials. This seemed like a legitimate issue. But it wasn’t. It was a phishing attack.
The giveaway to me, of course, was that no bank should ever send a file and ask you to install it - certainly not to validate your credentials. Instead, the attached file was infected with Ransomware, which would have loaded onto my system if I had clicked on it.
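The kind of attachment screening a mail gateway applies to a message like this one can be sketched in a few lines. This is an added example, not code from the original article or from any vendor product; the extension lists, the function names, and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Illustrative extension sets (assumptions for this example, not exhaustive).
EXECUTABLE = {".exe", ".scr", ".js", ".vbs", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".jar", ".msi"}
MACRO_DOCS = {".docm", ".xlsm", ".pptm"}
DECOYS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def triage_attachments(raw_message: bytes) -> list:
    """Return [(filename, [reasons])] for attachments that should be quarantined."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        last = suffixes[-1] if suffixes else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if last in EXECUTABLE:
            reasons.append("executable or script extension")
        if last in MACRO_DOCS:
            reasons.append("macro-enabled Office document")
        if len(suffixes) >= 2 and suffixes[-2] in DECOYS and last in EXECUTABLE:
            reasons.append("double extension disguising an executable")
        # Windows executables begin with the bytes "MZ" whatever the file is called.
        if payload[:2] == b"MZ" and last not in EXECUTABLE:
            reasons.append("executable header under a non-executable name")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample() -> bytes:
    """Constructed message modelled on the fake bank email described above."""
    m = EmailMessage()
    m["From"] = "Example Bank <alerts@bank.example>"
    m["To"] = "user@corp.example"
    m["Subject"] = "Suspicious activity on your account"
    m.set_content("Please install the attached file to verify your credentials.")
    for fname, data in [("verify_account.pdf.exe", b"MZ\x90\x00 constructed"),
                        ("statement.pdf", b"MZ\x90\x00 constructed"),
                        ("terms.pdf", b"%PDF-1.4 constructed")]:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for name, reasons in triage_attachments(build_sample()):
        print(f"QUARANTINE {name}: {'; '.join(reasons)}")
```

Checking the first bytes of the payload as well as the filename catches an executable that has simply been renamed to look like a document.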
But email attachments aren’t the only mechanism for infection. Drive-by downloading is another, where a user visits an infected website and malware is downloaded and installed without the user’s knowledge. Ransomware has also been spread through social media, such as Web-based instant messaging applications. And recently, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.
Here are TEN THINGS you need to do to protect yourself and your organization from the effects of ransomware.
- Develop a backup and recovery plan. Back up your systems regularly, and store that backup offline on a separate device.
- Use professional email and web security tools that analyze email attachments, websites, and files for malware, and can block potentially compromised advertisements and social media sites that have no business relevance. These tools should include sandbox functionality, so that new or unrecognized files can be executed and analyzed in a safe environment.
- Keep your operating systems, devices, and software patched and updated.
- Make sure that your device and network antivirus, IPS, and antimalware tools are running the latest updates.
- Where possible, use application whitelisting, which prevents unauthorized applications from being downloaded or run.
- Segment your network into security zones, so that an infection in one area cannot easily spread to another.
- Establish and enforce permission and privilege, so that the fewest number of users have the potential to infect business-critical applications, data, or services.
- Establish and enforce a BYOD security policy which can inspect and block devices which do not meet your standards for security (no client or antimalware installed, antivirus files are out of date, operating systems need critical patches, etc.).
- Deploy forensic analysis tools so that after an attack you can identify a) where the infection came from, b) how long it has been in your environment, c) that you have removed all of it from every device, and d) that you can ensure it doesn’t come back.
- THIS IS CRITICAL: Do NOT count on your employees to keep you safe. While it is still important to up-level your user awareness training so employees are taught to not download files, click on email attachments, or follow unsolicited web links in emails, human beings are the most vulnerable link in your security chain, and you need to plan around them.
Here’s why: First, for many of your employees, clicking on attachments and searching the Internet is part of their job. It is difficult to maintain the appropriate level of skepticism. Second, phishing attacks have become very convincing. A targeted phishing attack uses things like online data and social media profiles to customize an approach. Third, it is simply human nature to click on an unexpected invoice or critical message from your bank. And finally, in survey after survey, users feel that security is someone else’s job, not theirs.
What If I Get Infected?
Hopefully, you have a recent backup and you can wipe your device and reload it with an uninfected version. Here are some other things you need to do:
According to the US/Canadian alert, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
Many operating system, software, and security vendors have security experts on staff that can provide you with advice on how to respond should your system become infected with ransomware. There are also third-party forensics experts who can help you get back up and running.
What do you do if your computer systems or network become unavailable? Do you have a failover plan? Is there a way to keep things running, even in a limited fashion, while your systems are being repaired? Do you know how much it will cost your organization per hour if your systems are unavailable? Is this cost reflected in your IT security budget? This information needs to be included in your security policy.
Cybercrime is a for-profit business generating billions in revenue. Like most businesses, cybercriminals are highly motivated to find ways to generate revenue. They use subterfuge, extortion, assault, threats, and enticements to gain access to your critical data and resources.
Ransomware is not new. But its recent rise in sophistication and distribution is the latest in an escalating trend to find new and unexpected ways to exploit individuals and businesses that operate online.
Now, more than ever, security is not something you add to your business. It is integral to doing business. Make sure you are partnering with security experts who understand that security is more than a device. It is a system of highly integrated and collaborative technologies, combined with an effective policy and a lifecycle approach of preparing, protecting, detecting, responding, and learning.
Security solutions need to share threat intelligence in order to detect and respond efficiently to threats anywhere across your distributed environment. They need to be woven into your network fabric so they can protect you seamlessly as your networked environment evolves and expands. They need to be able to adapt dynamically as new threats are discovered. And they need to never get in the way of you doing business the way you need to do business.
For more technical information on ransomware from Fortinet’s FortiGuard threat team, please see these related blogs: