Steps to avoid being infected by the ransomware pandemic

Best way to keep your system safe is to prevent, not react, to malware attacks

Imagine your business has no access to electronic information on computers or a network. No file shares, Word documents, email, databases or Excel spreadsheets. No PDFs. No applications. No access to Windows. How much would your organization be willing to pay to regain access and control over its information and systems? Cyber criminals are counting on this readiness to pay when they unleash ransomware on an organization.

Cyber criminals attack a wide variety of businesses of all sizes. They even prey on individual home computer users. The organizations most often hit rely on computers to perform critical functions. In 2015, the FBI received 2,453 reports of ransomware extortion, costing victims $24 million. These are only the reported cases, since many organizations choose to pay the ransom without notifying law enforcement.

Organizations, including insurance agencies, must learn to handle the threat of ransomware. Among the questions that should be asked are the following:

• What is ransomware?
• What can an organization do if it falls victim to ransomware?
• How can a business avoid ransomware infection?

What is ransomware?

Ransomware is a type of malware, or malicious software, that takes control of an organization’s data files or computer network. The underlying purpose of ransomware is extortion that, in some ways, is similar to kidnapping. But instead of taking a person and threatening to injure him or her if not paid, the cyber thief takes control of an organization’s computer and network systems and threatens to delete data, applications or systems if the money is not received. Once the malware has taken hold, the organization will receive the ransom note, most likely in the form of a message on the computer screen with the amount of money required and a countdown clock. If that amount is not paid within the time limit, the cyber criminal will delete the organization’s information.

Ransomware may be installed onto a computer through human interaction or with the use of an exploit kit that discovers vulnerabilities and security issues within a system. There are a few ways this can occur.

A cyber thief may set up a phishing scam—a legitimate and trustworthy-looking email with an attachment. They will send this email to one or more of an organization’s employees. PDF and Microsoft Word documents are most often used as the attachment. When an employee opens the email and clicks on the attachment, the ransomware loads onto the computer.

Or a cyber criminal may compromise a website and place a deceptive pop-up ad containing malware on the site. When employees go to this website and click the ad, ransomware is loaded onto the system.

The newest generation of ransomware is insidious since it no longer requires a mistake by a human to infect an organization’s computer network. Instead, the cyber criminal uses an exploit kit—tools used to take advantage of vulnerabilities or security holes in an organization’s network. Once discovered, the criminal will exploit those weaknesses to enter the computer network and instruct it to download and execute malware.

Once ransomware is active, the malware begins locking down the organization’s data files or computer systems and applications. Some ransomware uses encryption to lock down files. Encryption scrambles electronic data into an unreadable format using an algorithm. A key or password, held by the cyber criminal, is required to unscramble the encryption. Another type of ransomware prevents an organization from running certain applications or accessing Windows. Either way, an organization is no longer in control of its systems and files.

What can an organization do if it falls victim to ransomware?

If an organization is hit with ransomware, there are two options—pay the ransom or don’t. In 2015, the FBI recommended paying the ransom. Interestingly, in 2016 the FBI changed its position and now recommends not paying. But it is up to the organization whether or not to cough up the cash. Here are some things to consider in making that decision:

Back up: A good, well-tested backup process may avert disaster. Backups may be used to recover much of the data encrypted by the attackers without paying a ransom. These backup copies should not be connected to the computers and networks that they back up; otherwise they may become encrypted or infected with malware, too. Your organization may need to go back several months to find untampered data.

Before deciding not to pay the ransom, consider:

• Were the available backups hit by the attack as well?
• Is losing a month or two of data feasible?
• Can the backup be restored successfully?

If possible, try to restore the backups before the timeframe for destruction ends. That way, if the restoration is unsuccessful, paying the ransom is still a viable option.
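As an added example (not from the article or its author), the following Python script shows one way to carry out the backup checks listed above: it records a hash manifest when the backup is taken, later verifies the offline copy against that manifest, flags modified files whose contents now look encrypted (near-random byte entropy, which is what the encryption described earlier leaves behind), and performs a restore test into a scratch directory before anyone has to decide about the ransom. The directory names, file contents and the 7.5-bit entropy threshold are constructed assumptions for the demonstration.

```python
import hashlib
import json
import math
import shutil
import tempfile
from pathlib import Path

CHUNK = 65536


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: documents sit well below 7, encrypted or random bytes near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def write_manifest(backup_dir: Path) -> Path:
    """Record a hash for every file at the time the backup is taken; store it with the offline copy."""
    manifest = {p.relative_to(backup_dir).as_posix(): sha256_of(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    out = backup_dir.with_name(backup_dir.name + ".manifest.json")
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup(backup_dir: Path, manifest_path: Path, entropy_limit: float = 7.5) -> dict:
    """Answer 'were the backups hit as well?' by comparing the copy against its manifest."""
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": [], "missing": [], "modified": [], "suspicious": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != expected:
            report["modified"].append(rel)
            # A backup file that now holds near-random bytes is the typical sign that it
            # was reachable from the network and got encrypted along with the live data.
            if shannon_entropy(p.read_bytes()) > entropy_limit:
                report["suspicious"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_test(backup_dir: Path, manifest_path: Path) -> bool:
    """Answer 'can the backup be restored?' by restoring to scratch space and re-verifying there."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "restore"
        shutil.copytree(backup_dir, target)
        r = verify_backup(target, manifest_path)
        return not (r["missing"] or r["modified"])


def run_demo() -> dict:
    """Constructed sample: two documents, a manifest, a clean check, then one file scrambled."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2017-01"          # assumed backup set name
        backup.mkdir()
        (backup / "policies.txt").write_text("Quarterly policy renewals\n" * 40)
        (backup / "claims").mkdir()
        (backup / "claims" / "open.csv").write_text("id,insured,status\n1,ACME,open\n")
        manifest = write_manifest(backup)
        before = verify_backup(backup, manifest)
        restorable = restore_test(backup, manifest)
        # Simulate a backup copy that stayed connected and was overwritten: deterministic
        # high-entropy bytes stand in for ciphertext (constructed, not real malware output).
        scrambled = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
        (backup / "policies.txt").write_bytes(scrambled)
        after = verify_backup(backup, manifest)
        return {"before": before, "restorable": restorable, "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the file prints the report before and after the simulated tampering: the clean copy verifies and restores, and afterwards policies.txt shows up as both modified and suspicious while claims/open.csv is still intact. The manifest has to live with the offline copy, not on the network it protects, or it can be rewritten together with the data; and the entropy heuristic only catches files that were overwritten with ciphertext, so the missing list matters just as much when a backup set was deleted rather than encrypted.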

Availability of decryption solutions: For older versions of malware, security companies have cracked the ransomware and now have the ability to decrypt the files. If possible, a company should determine what kind of ransomware has infected its network and see whether it can be unlocked.

Paying the ransom: Some companies determine that paying the ransom is less expensive overall and make a business decision to pay. But paying the ransom doesn’t guarantee that control of the data or network will be restored. In most cases, it is. However, there have been a few instances where, after receiving the money, the cyber criminal still deleted the information. Also, since the ransom was paid, other cyber criminals may attack in hopes of receiving payment as well.

How can a business avoid a ransomware infection?

Your organization must employ both technical and nontechnical methods to prevent ransomware attacks.

Technical preventions include:

• Updated patches: Patches are software updates that fix or improve a computer program. Without timely patching, a network can be vulnerable to cyber attack. It is imperative to manage patches to determine what should be applied and when.

• Up-to-date anti-virus protection: This is designed to detect and destroy computer viruses. Ransomware may enter an organization’s systems or files through malware or viruses. New threats appear constantly, so be sure to have anti-virus software, and that the subscription is up to date and updates are automatic.

• Vulnerability/penetration tests: Testing is available to determine vulnerabilities within a network, website or applications. Through these tests, an organization can learn about and fix any vulnerabilities or security issues before the attacker knows about them.

• Pop-up ad blocker: Cyber criminals often compromise legitimate websites and add malware-tainted ads. When such a pop-up ad is clicked, it loads ransomware. These ads will appear legitimate and often are on valid websites. Using a pop-up ad blocker is a good way to avoid malware-infected ads while employees are on the internet.

• Limit administrative access rights: A limited number of trusted employees should have administrative rights to an organization’s computer systems. These elevated accounts should only be used when necessary and not for daily work. If an employee works on a standard account, only the files that account can reach might be affected. However, when using an elevated account, all of the company’s file systems are vulnerable.

Nontechnical prevention includes:

• Training: Some ransomware requires human interaction, such as a button click, for the ransomware to unleash on an organization. Most often, this attack comes in the form of social engineering. Social engineering is an attempt to trick an employee into believing that the email attachment or website ad is legitimate and safe. To deter this type of attack, security and privacy training for employees is paramount.

• Testing: Once employees have been trained, test them. Send them phishing emails to see if they click the links or attachments. If they do, re-educate them on the dangers.

• Awareness programs: Training one day a year is not enough. Create an awareness program to send out reminders about cyber security and privacy issues throughout the year.

Ransomware is on the loose in 2017. Protect your organization’s systems and files by minimizing vulnerabilities and by training your employees about ransomware. Before you are a victim of ransomware, have a plan to recover. Test your backups and confirm that a copy is not connected to your network.
