Ransomware attacks have been drawing increasing attention in the news of late, especially as larger public entities serving populations of over 500,000 people have been hit. In 2019, the City of Baltimore and Greenville, North Carolina were impacted, and in 2018 the City of Atlanta was also a target. Governmental and non-profit entities can be more vulnerable to ransomware attacks because of limited financial resources and IT staffing.
How widespread is the problem of ransomware? There were 181.5 million ransomware attacks in the first six months of 2018, a 229% increase over the same period in 2017.
How exactly does ransomware work? Ransomware is a form of malware built specifically to encrypt critical data and systems for extortion. Typically the malware is run by an end user who clicks a link in a cleverly disguised e-mail that falsely promises to resolve a problem or to deliver some benefit or money, or who opens an attachment that starts the process. At that point the malicious software begins encrypting files on that system, along with any files the end user can reach on other network systems, including servers.
Once the encryption completes, users typically get a pop-up window or alert notification saying that their files have been encrypted, with a link to fix the problem; following it leads to a demand for a ransom (generally in untraceable bitcoins) in exchange for decrypting the files. Paying the ransom is no guarantee that the hackers will honor the agreement and decrypt the files. Even if the files are decrypted, code may be left on the computer to enable future attacks that encrypt the data again.
To Pay Or Not to Pay
The conventional wisdom regarding payment for ransomware attacks has been ‘not to pay’, since paying has never guaranteed that an organization will fully recover its files and data. Also, if organizations choose to pay, criminals may be emboldened to continue with more aggressive malware schemes, developing more sophisticated methods of attack and demanding larger payments, all while targeting more and more organizations. And of course, once you have shown that you are an organization willing to pay up, you become a more attractive target for the same hackers (and for others looking for an “easy target”). Lastly, paying can create an atmosphere of apathy regarding your IT operations and security measures, since it can seem ‘easier’ to just pay the ransom quickly rather than taking the time-consuming path of critically assessing the strengths and weaknesses of your IT infrastructure and making the costly financial investment to upgrade and improve your systems.
However, there are circumstances in which paying the ransom is the best, and only, course of action. For one, an organization may need the files it has lost access to back quickly in order to carry out its operations and serve its clients. In these situations, paying what is a relatively small amount of money compared with the financial losses of not being operational is the preferred course of action. In some cases, the cost for organizations to restore the systems themselves far exceeds the criminals’ asking price. As an example, the City of Atlanta spent more than $2.6 million on emergency efforts to restore its systems, while the criminals’ asking price was approximately $50,000.
Many organizations are choosing to purchase cyber insurance policies. If your organization chooses to purchase this type of insurance, take note that not all cyber policies are the same, and it is critical that you read the fine print. Cyber insurance costs depend on several risk factors that vary from business to business; for example, some annual policies might cost around $500, while others cost $5,000 or more.
How to Detect Ransomware
The obvious signs of a ransomware attack are an encrypted drive or encrypted files, and a ransom message. If you keep your anti-malware software up to date, it may detect a ransomware attack at its inception, alert you to its presence, and potentially stop it in its tracks.
The Worst-Case Scenario: You Have Been Infected – How To Deal With It
First, isolate the machine on which the ransomware has been discovered. This helps prevent the encryption of files on other systems on your network. You will then need to rebuild the system and restore files from backup. System Restore can potentially help to recover encrypted files. Without backups, the only other potential option is to contact the FBI or DHS, who are more than willing to investigate ransomware incidents and can sometimes use a previously acquired decryption key to decrypt your files. However, involving either of these entities can be a time-consuming process, and there is no guarantee that they will be able to recover any files.
Ultimately you want your organization to be as protected as possible against a ransomware attack, so you don’t have to make the difficult ‘pay or not pay’ decision. Listed below are the best practices we recommend:
1. Training, Training and More Training
Truly, the best and most effective first line of defense against ransomware is a consistent employee training program. Even if you have the best systems in place to protect against an attack, if your employees aren’t educated on these issues, the best software in the world won’t guard against everything. In most cases, ransomware is triggered by an employee opening an e-mail attachment or clicking links within an e-mail. And with hackers becoming more and more sophisticated in how they trick employees into opening e-mail, it is more important than ever to provide ongoing training for all employees. Increasingly, hackers craft e-mails that look genuine by pretending to be from someone the target knows and discussing subject matter related to their business, which creates a false sense of legitimacy. Because of this increasing sophistication in e-mail attacks, employees must constantly be on guard, alert, and never make assumptions. We recommend the following best practices when it comes to e-mail:
● If you receive an internal e-mail that appears to be suspicious (i.e. asking for protected data), pick up the phone and call the sender or ask them directly in person to verify the legitimacy of the e-mail.
● Other signs that an e-mail may be suspicious include the use of all capital letters, spelling errors, typos, and grammatical errors.
● Do not click on any links, open any attachments, or download any files in an e-mail that you aren’t convinced is legitimate.
● If you receive an e-mail with attachments ending in .exe, .vbs, or .scr, even from a “trusted” source, don’t open it.
● If you do click on a questionable link inadvertently and are prompted to log in with your user credentials, register your credentials, or provide confidential information, do not proceed to do so. Notify your IT department instead.
● If you do end up entering your credentials on a questionable website or disclosing confidential information, change your password immediately and let your IT department know what has happened right away.
● One good method to check the legitimacy of an e-mail is to hover your mouse pointer over the e-mail address or any links to confirm that the URL the link is actually directed to is correct. If the URL seems suspicious or comes from an e-mail address you don’t recognize (even if you know the sender’s name), do not open any files or click any links. Instead, forward the e-mail to your IT department immediately.
2. Back Up Your Systems Locally and in the Cloud
Always back up your systems both locally and in the cloud. These backups should be performed securely, not only by encrypting the backup data where it is stored but also by encrypting the data stream between the system you are backing up and the location where the backup is stored. By doing so, you prevent malicious software from having access to your backup data, which could otherwise be encrypted in a ransomware attack along with the files on your system. Refer to our previous article on best practices regarding cloud storage.
3. Segment Network Access
Divide your network into distinct security zones protected by routers and firewalls that analyze, limit, and restrict data traffic across those zones. This limits the data an attacker can reach and ensures that your entire network is not compromised in a single attack.
4. Install Early Threat Detection and Prevention Systems
An early threat detection system or firewall will help identify and prevent potential attacks. A firewall is a network security device that continually monitors incoming and outgoing traffic and decides whether to allow or block specific data traffic based on a specific set of security rules. A firewall can be hardware, software, or a combination of both. Refer to our previous article on best practices for choosing a firewall.
5. Install Anti-Malware and Anti-Ransomware Software
Install anti-malware software on all devices on your network, configure it to update frequently, and perform full system scans regularly. Nowadays, most software of this kind also provides some level of protection against ransomware by monitoring the system for files that are being encrypted, so make sure your anti-malware is capable of this.
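The “monitoring for files that are being encrypted” behaviour described above can be approximated with a byte-entropy test plus a format-header check, as in this added example (not code from the article or from any anti-malware product). It assumes recent file writes are available as (name, content) pairs and uses constructed sample data; real products also watch rename patterns and write rates, which this illustration omits.

```python
import hashlib
import math
import os
from collections import Counter

# Leading bytes of formats that are compressed by design; their entropy is
# already near 8 bits/byte, so for them only a missing header is suspicious.
MAGIC = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(name, data, threshold=7.5):
    """True when the content looks like ciphertext for this file's extension."""
    high = shannon_entropy(data) >= threshold
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is not None:
        return high and not data.startswith(magic)
    return high

def scan_writes(writes):
    """Return the names in a list of (name, content) writes that look encrypted."""
    return [name for name, data in writes if looks_encrypted(name, data)]

def fake_ciphertext(n, seed):
    """Deterministic stand-in for ciphertext (constructed, not real encryption)."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]

# Constructed sample of recent writes: two healthy files, then the same two
# after a ransomware-style rewrite (format header gone, content random-looking).
SAMPLE_WRITES = [
    ("notes.txt", b"Quarterly budget notes: revenue up 3%, costs flat.\n" * 80),
    ("budget.xlsx", b"PK\x03\x04" + fake_ciphertext(4096, b"zip body")),
    ("notes.txt", fake_ciphertext(4096, b"encrypted 1")),
    ("budget.xlsx", fake_ciphertext(4096, b"encrypted 2")),
]

if __name__ == "__main__":
    print(scan_writes(SAMPLE_WRITES))  # ['notes.txt', 'budget.xlsx']
```

The healthy spreadsheet is high-entropy but keeps its PK header, so only the two rewritten files are flagged; tune the threshold against your own file population before trusting it.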
6. Block Unknown E-Mail Addresses and Attachments On Your Mail Server
Use a service to monitor your company’s e-mail at the server level to filter out known or suspected spam and phishing e-mails from ever getting to your end-users. The service should also be configured to scan all attachments for potential malware. Microsoft Office 365 and many other online e-mail providers have this sort of service built-in and turned on by default.
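The attachment rule from the e-mail checklist in point 1 (.exe, .vbs, .scr, including a double extension such as .pdf.exe) and the link-hover check can be enforced at the server level as point 6 describes; this added example is illustrative code, not the article’s or any mail provider’s filtering. It assumes the message is available as raw RFC 822 text and uses a constructed sample with made-up example.org and example.net hosts.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Extensions the checklist says never to open, even from a "trusted" sender.
BLOCKED_EXTENSIONS = (".exe", ".vbs", ".scr")

# Constructed sample message (not a real phishing e-mail): the link text shows
# one site while the href leads elsewhere, and .exe hides behind .pdf.
SAMPLE_RAW = """\
From: accounts@example.org
Subject: URGENT: invoice overdue
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Review it at <a href="http://login-portal.example.net/x">https://portal.example.org</a></p>
--B
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ-placeholder, not a real binary
--B--
"""

def flag_attachments(msg):
    """Attachment names whose final extension is blocked (double extensions included)."""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return [n for n in names if n.endswith(BLOCKED_EXTENSIONS)]

def flag_mismatched_links(html):
    """(href, text) pairs whose visible URL points at a different host than the real target."""
    bad = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        text = re.sub(r"<[^>]+>", "", text).strip()  # what the user actually sees
        if text.startswith(("http://", "https://")) and \
                urlparse(text).hostname != urlparse(href).hostname:
            bad.append((href, text))
    return bad

def check_message(raw):
    """Parse raw RFC 822 text and return what a server-side filter would block."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"attachments": flag_attachments(msg), "links": flag_mismatched_links(html)}
```

On the constructed sample, check_message(SAMPLE_RAW) reports the invoice.pdf.exe attachment and the mismatched link; extend BLOCKED_EXTENSIONS to match your own mail server’s policy.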
7. Apply Security-Related Software and OS Patches ASAP
Automate the installation of security-related patches on applicable systems as those patches are released. This ensures that known security vulnerabilities are closed before would-be hackers can use them to infiltrate your network’s systems.
8. Block Vulnerable Plug-Ins
Because Internet browser plug-ins such as Java and Flash are still used on a lot of websites, they have become very easy to attack, so it is important that these plug-ins be updated regularly to prevent them from providing an entryway for malware into your network. If these plug-ins are not needed on your network, you should consider uninstalling them.