If you’ve been listening to the news at all the past couple of weeks, you have undoubtedly heard of a number of companies being affected by ransomware. The recent surge in this form of cyber attack has many organizations and users understandably concerned. And you should be. Ransomware is nasty stuff. But with some careful preparation, you can significantly lower your risk of being infected, and reduce the impact on you or your organization should you get hit.
Ransomware is a form of malware that infects devices, networks, and data centers and prevents them from being used until the user or organization pays a ransom to have the system unlocked. Ransomware has been around since at least 1989, when the “PC Cyborg” trojan encrypted file names on a hard drive and insisted users pay $189 to have them unlocked. In the interim, ransomware attacks have become increasingly sophisticated, targeted, and lucrative.
The impact of ransomware is difficult to calculate, since many organizations opt to simply pay to have their files unlocked, an approach that doesn’t always work. But a report on the CryptoWall v3 ransomware campaign, issued in October 2015 by the Cyber Threat Alliance, estimated that the cost of that single campaign was US $325 million.
Ransomware generally works in one of several ways. Locker ransomware blocks access to the system itself, for example by tampering with the boot process so that the device cannot start. Crypto ransomware encrypts a drive, a set of files, or the file names, leaving the device usable but the data unreadable. Some variants add a timer and begin deleting files until the ransom is paid. All of them demand payment in exchange for unlocking or releasing the blocked or encrypted system, files, or data.
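One practical consequence of the file-encrypting behaviour described above is that encrypted files look like random bytes, while documents, source code and logs do not. The script below, an added example rather than code from the original post, uses that difference (Shannon entropy per file) to find files in a directory tree that appear to have been overwritten with ciphertext, which is a quick way for a responder to scope what was hit. The sample directory, the `.locked` extension, the entropy threshold and the list of already-dense formats are this example's own assumptions, not anything the post specifies.

```python
"""Find files that look as if they have been replaced with ciphertext.

Added example (not from the original post). Heuristic: a file that has been
encrypted has byte entropy close to 8 bits/byte; text, code and most office
data sit far lower. Formats that are legitimately compressed or encrypted
(archives, images, media) are skipped because they would otherwise match.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption chosen for this example
# Formats whose content is dense for legitimate reasons; skipped to cut noise.
ALREADY_DENSE = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf", ".docx", ".xlsx"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(root: Path, sample_bytes: int = 65536) -> list[Path]:
    """Return files under root whose leading bytes look like ciphertext."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in ALREADY_DENSE:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)  # only the head is needed to decide
        # Very small files give unreliable entropy estimates, so skip them.
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            hits.append(path)
    return hits


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two ordinary files, two 'encrypted' ones,
    and one legitimately dense file that must not be flagged."""
    (root / "notes.txt").write_bytes(b"Quarterly planning notes. " * 200)
    (root / "app.py").write_bytes(b"def main():\n    print('hello')\n" * 100)
    # Stand-ins for encrypted files: random bytes plus an appended extension,
    # the pattern many crypto-ransomware families leave behind (assumed name).
    (root / "budget.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "report.doc.locked").write_bytes(os.urandom(4096))
    (root / "photo.jpg").write_bytes(os.urandom(4096))  # dense but legitimate


def demo() -> list[str]:
    """Build the sample tree in a temp dir and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sorted(p.name for p in suspicious_files(root))


if __name__ == "__main__":
    for name in demo():
        print("looks encrypted:", name)
```

On a real incident you would point `suspicious_files` at the file shares and user profiles and sort the hits by modification time; the earliest ones usually show where the infection started. Expect some false positives from compressed formats not in the skip list, and false negatives for ransomware that only encrypts part of each file.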
On March 31, 2016, the United States Computer Emergency Readiness Team (US-CERT) and the Canadian Cyber Incident Response Centre (CCIRC) issued a joint alert on ransomware following several high-profile infections at hospitals. (see https://www.us-cert.gov/ncas/alerts/TA16-091A)
According to this alert, infected users often see a message displayed on their screen saying something like:
In some circumstances, this warning is displayed with embarrassing or pornographic images in order to motivate the user to get it off their system as fast as possible. But in every situation, systems are taken off line, critical data becomes unavailable, productivity is halted, and business operations are harmed.
Ransomware can be delivered in a number of ways, but the most common is as an infected file attached to an email. For example, today I received an email claiming to be from my bank. It had the right logo, links to real bank URLs, and my name. The body of the message explained that they had detected suspicious activity on my account, and that I needed to install an attached file in order to verify my credentials. This seemed like a legitimate issue. But it wasn’t. It was a phishing attack.
The giveaway, of course, was that no bank should ever send a file and ask you to install it, certainly not to validate your credentials. The attached file carried ransomware, which would have run on my system if I had opened it.
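The tells in the message described above (a file you are asked to install, a credential-verification lure, and links whose domain does not match the sender's) can be checked mechanically before a user ever sees the attachment. The script below is an added example, not code from the original post or from Fortinet: it parses a message with Python's standard `email` package and reports those three findings. The two sample messages, the `.invalid` domains, the file names and the list of risky extensions are constructed for this example.

```python
"""Triage an e-mail for the attachment-based phishing pattern described above.

Added example, not from the original post. Three checks:
  1. attachment types a legitimate sender has no reason to send (executables,
     scripts, macro-enabled Office, archives used to wrap them), including
     double extensions such as name.pdf.exe;
  2. an attachment delivered together with a "verify your credentials" lure;
  3. links in the body pointing at a domain that differs from the sender's.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                    ".cmd", ".bat", ".ps1", ".jar", ".lnk", ".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
DISGUISE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
# Lure vocabulary is a heuristic for this example, not a signature.
LURE_WORDS = ("verify", "credentials", "install", "suspicious activity")


def attachment_findings(name: str) -> list[str]:
    """Reasons an attachment file name is suspicious (empty list if none)."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    findings = []
    ext = "." + parts[-1]
    if ext in RISKY_EXTENSIONS:
        findings.append(f"executable or script attachment: {name}")
    if ext in ARCHIVE_EXTENSIONS:
        findings.append(f"archive attachment (common dropper wrapper): {name}")
    if len(parts) >= 3 and "." + parts[-2] in DISGUISE_EXTENSIONS:
        findings.append(f"double extension disguising file type: {name}")
    return findings


def sender_domain(from_header: str) -> str:
    """Domain part of the From address, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return a list of findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    attachments = list(msg.iter_attachments())
    for part in attachments:
        findings.extend(attachment_findings(part.get_filename() or ""))
    if attachments and any(word in body for word in LURE_WORDS):
        findings.append("attachment delivered with a credential-verification lure")
    sender = sender_domain(str(msg.get("From", "")))
    for domain in sorted({d.lower() for d in re.findall(r"https?://([\w.-]+)", body)}):
        if sender and domain != sender and not domain.endswith("." + sender):
            findings.append(f"link domain {domain} does not match sender domain {sender}")
    return findings


def build_phishing_message() -> bytes:
    """Constructed sample resembling the message described in the post."""
    msg = EmailMessage()
    msg["From"] = "Example Bank Security <alerts@examplebank-secure.invalid>"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Suspicious activity detected on your account"
    msg.set_content("We detected suspicious activity on your account. Please install "
                    "the attached file to verify your credentials. "
                    "Online banking: https://www.examplebank.invalid/login")
    # Payload bytes are a placeholder, not a real executable.
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="Account_Statement.pdf.exe")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed sample of an ordinary notification with no attachment."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <alerts@examplebank.invalid>"
    msg["To"] = "customer@example.org"
    msg["Subject"] = "Your statement is ready"
    msg.set_content("Your statement is ready. Log in at https://www.examplebank.invalid/")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_phishing_message()):
        print("phishing sample:", finding)
    print("benign sample:", triage(build_benign_message()))
```

The domain comparison here is deliberately simple (exact match or subdomain of the From domain); a mail gateway would instead compare registrable domains and check SPF/DKIM results, but the logic above is enough to catch the message in the post, where the links were genuine and the sender was not.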
But email attachments aren’t the only mechanism for infection. Drive-by downloading is another, where a user visits an infected website and malware is downloaded and installed without the user’s knowledge. Ransomware has also been spread through social media, such as Web-based instant messaging applications. And recently, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.
Here are TEN THINGS you need to do to protect yourself and your organization from the effects of ransomware.
Here’s why: First, for many of your employees, opening attachments and searching the Internet is part of their job, and it is difficult to maintain the appropriate level of skepticism all day. Second, phishing attacks have become very convincing; a targeted phishing attack uses online data and social media profiles to customize its approach. Third, it is simply human nature to open an unexpected invoice or a critical message from your bank. And finally, survey after survey finds that users feel security is someone else’s job, not theirs.
What If I Get Infected?
Hopefully, you have a recent backup, and you can wipe your device and reload it from an uninfected copy. Here are some other things you need to do:
According to the US/Canadian alert, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
Many operating system, software, and security vendors have security experts on staff that can provide you with advice on how to respond should your system become infected with ransomware. There are also third-party forensics experts who can help you get back up and running.
What do you do if your computer systems or network become unavailable? Do you have a failover plan? Is there a way to keep things running, even in a limited fashion, while your systems are being repaired? Do you know how much it will cost your organization per hour if your systems are unavailable? Is this cost reflected in your IT security budget? This information needs to be included in your security policy.
Cybercrime is a for-profit business generating billions in revenue. Like most businesses, cybercriminals are highly motivated to find ways to generate revenue. They use subterfuge, extortion, assault, threats, and enticements to gain access to your critical data and resources.
Ransomware is not new. But its recent rise in sophistication and distribution is the latest in an escalating trend to find new and unexpected ways to exploit individuals and businesses that operate online.
Now, more than ever, security is not something you add to your business. It is integral to doing business. Make sure you are partnering with security experts who understand that security is more than a device. It is a system of highly integrated and collaborative technologies, combined with an effective policy and a lifecycle approach of preparing, protecting, detecting, responding, and learning.
Security solutions need to share threat intelligence in order to detect and respond efficiently to threats anywhere across your distributed environment. They need to be woven into your network fabric so they can protect you seamlessly as your networked environment evolves and expands. They need to be able to adapt dynamically as new threats are discovered. And they need to never get in the way of you doing business the way you need to do business.
For more technical information on ransomware from Fortinet’s FortiGuard threat team, please see these related blogs: