Are you ready for a ransomware attack? Here’s a checklist to find out
Ransomware is a form of malware that encrypts a victim's files. The attacker then demands a ransom from the victim in exchange for restoring access to the data. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.
One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they are downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some more aggressive forms of ransomware exploit security holes to infect computers without needing to trick users.
There are a number of defensive steps you can take to prevent ransomware infection. Start with protective controls that can help keep ransomware off your network and minimize the spread should it sneak in. Remember that ransomware can gain access to the network in a variety of ways – including email, drive-by-downloads, web-facing systems vulnerabilities, and even USB drives – so it is important to use multiple layers of protective controls.
Take these steps to help reduce risk
Here are some steps to protect your organization from ransomware and improve your defenses against all sorts of attacks:
- Scan and filter e-mails before they reach your users. The easiest way to stop staff clicking on a ransomware link in an email is for the email never to arrive in their inbox. This means using content scanning and email filtering, which ought to take care of many phishing and ransomware scams before they actually reach staff.
- Keep your operating system patched and up to date so that attackers have fewer vulnerabilities to exploit. Vulnerability scanning and timely patching are essential: security hotfixes should be applied to all systems as soon as possible.
- Do not install software or give it administrative privileges unless you know exactly what it is and what it does.
- Take steps to reduce credential-harvesting attacks. By compromising insider accounts, cybercriminals are well positioned to carry out and expand a ransomware attack. Use multi-factor authentication to make it far more difficult for attackers to obtain and use stolen credentials.
- Install antivirus software to detect malicious programs such as ransomware, and application whitelisting software to prevent unauthorized applications from executing in the first place. Keep this protective software up to date. Many antivirus packages now offer ransomware-spotting features or add-ons that try to identify the suspicious behavior common to all ransomware: file encryption. These tools monitor your files for unexpected behavior, such as an unfamiliar new piece of software trying to encrypt files, and aim to prevent infection. Some security packages will even make copies of the files that are threatened by ransomware.
- Network segmentation can prevent ransomware from spreading to where it could do significant damage. Some ransomware will attempt to move from the initial point of compromise to other PCs, network drives and servers. Segmentation can wall off the crown jewels.
- Ensure you have network and endpoint monitoring that can detect ransomware infections and provide an early warning. Systems might include a security information and event management system (SIEM) that is capable of combining and analyzing multiple data feeds to increase visibility across the organization. These products can give you an up-to-date view of your network and should help you spot the sort of traffic anomalies that might suggest you've been breached by hackers. If you cannot see what is happening on the network, there is no way you can stop an attack.
- Remember: Many breaches originate from third-party vulnerabilities. Ensure you conduct risk assessment reviews of any new or existing vendors that touch network-enabled systems.
- Back up your files, frequently and automatically! Having secure and up-to-date backups of all business-critical information is a vital defense. That will not stop a malware attack, but it can make the damage caused by one much less significant. It is imperative that backups are isolated and cannot themselves be impacted in the event of an attack. In addition, backups should be periodically tested to ensure data can be restored quickly and easily.
- Ensure you have an incident response plan. A recovery plan that covers all types of disaster should be a standard part of business planning and should include a ransomware response. It is not just the technical response - cleaning the PCs and restoring data from backups - but also the broader business response that might be needed. Things to consider include how to explain the situation to customers, suppliers, and the press. Consider whether regulators need to be notified, or if you should call in police or insurers. Having a document is not enough. You also need to test the assumptions you have made, because some of them will be wrong. Responding to a ransomware attack requires mature incident response procedures that are rehearsed regularly so that every team member knows their responsibilities. This includes participation of IT, security personnel, management, human resources, public relations, and other important stakeholders.
- Make sure you have a tested contingency plan for critical communication platforms and operating systems. Any downtime could negatively impact the organization.
- User Security Awareness Training can significantly reduce the risk of employees making mistakes that can enable a ransomware attack. Make sure the “human firewall” at your organization is sufficiently trained to spot and alert IT to potential attacks.
- Consider bringing in a third party to independently assess your security controls. Outside experts bring a second set of eyes and up-to-date knowledge from handling attacks at many companies and across many verticals. An independent assessor can identify critical issues, which makes it easier to build a stronger privacy and security program.
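The checklist's monitoring and antivirus items both rest on the same observation: ransomware reveals itself by encrypting many files quickly, and encrypted output is nearly random. The following Python script is an added illustration of that behavioral heuristic (it is not code from the original article or from any product it mentions): it measures the byte entropy of each write and flags any process that writes many distinct high-entropy files within a short window. The event format, process names, paths and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample data (not from the article). HIGH mimics encrypted output:
# every byte value appears equally often, giving the maximum 8.0 bits/byte.
HIGH = bytes(range(256)) * 4
TEXT = b"Quarterly revenue figures for the northern region, draft 3. " * 16

# (time_seconds, process_name, path, bytes_written); names are hypothetical
SAMPLE_EVENTS = [
    (0.0, "winword.exe", r"C:\Users\amy\report.docx", TEXT),
    (1.0, "excel.exe", r"C:\Users\amy\budget.xlsx", TEXT),
] + [
    (2.0 + i * 0.1, "updater.exe", rf"C:\Users\amy\Documents\file{i}.docx.locked", HIGH)
    for i in range(20)
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain documents sit well below 6;
    encrypted or compressed output sits close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def flag_encryption_bursts(events, window_s=60.0, min_files=10, min_entropy=7.0):
    """Return {process: distinct_files} for every process that wrote at least
    min_files distinct high-entropy files within any window_s-second window.
    A single encrypted write is normal (archives, backups); a burst across
    many user files is the pattern ransomware-spotting tools key on."""
    high_writes = defaultdict(list)  # process -> [(time, path)]
    for t, proc, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            high_writes[proc].append((t, path))

    flagged = {}
    for proc, writes in high_writes.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            # distinct files written by this process inside the window starting at t0
            distinct = {p for t, p in writes[i:] if t - t0 <= window_s}
            if len(distinct) >= min_files:
                flagged[proc] = len(distinct)
                break
    return flagged
```

On the constructed events, `flag_encryption_bursts(SAMPLE_EVENTS)` flags only the process that rewrote twenty documents as high-entropy data, while the two office applications writing ordinary text are left alone.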
Think before you pay
One last piece of advice: Think before paying ransomware. Ransomware creators are criminals. Even if you pay, there is no guarantee that your computer or files will be decrypted. Moreover, paying ransom will only encourage attackers. In light of this problem, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) recently warned companies that they could face fines and potential sanctions if they pay cybercriminals.
A ransomware attack can disrupt business operations, render critical infrastructure unusable and significantly damage the organization’s brand. But there are ways to prepare your organization to prevent, detect and respond quickly to ransomware.