Alain Penel, Regional Vice President, Middle East, Fortinet, discusses 10 steps for protecting your organisation from ransomware.
If you’ve been listening to the news at all the past couple of weeks, you have undoubtedly heard of a number of companies being affected by ransomware. The recent surge in this form of cyber-attack has many organisations and users understandably concerned. And you should be. Ransomware is nasty stuff. But with some careful preparation, you can significantly lower your risk of being infected, and reduce the impact on you or your organisation should you get hit.
What is Ransomware?
Ransomware is a form of malware that infects devices, networks, and data centers and prevents them from being used until the user or organisation pays a ransom to have the system unlocked. Ransomware has been around since at least 1989, when the “PC Cyborg” trojan encrypted file names on a hard drive and insisted users pay $189 to have them unlocked. In the interim, ransomware attacks have become increasingly sophisticated, targeted, and lucrative.
The impact of ransomware is difficult to calculate, since many organisations opt to simply pay to have their files unlocked – an approach that doesn’t always work. But a report on the Cryptowall v3 ransomware campaign, issued in October of 2015 by the Cyber Threat Alliance, estimated that the cost of that single attack was $325 million.
Ransomware generally works in one of several ways. Crypto ransomware can infect an operating system so that a device is unable to boot up. Other ransomware will encrypt a drive or a set of files or file names. Some malicious versions have a timer and begin deleting files until a ransom has been paid. All demand that a ransom be paid in order to unlock or release the blocked or encrypted system, files, or data.
On 31st March 2016, the US Cyber Emergency Response Team and the Canadian Cyber Incident Response Centre issued a joint warning about Ransomware following several high-profile infections at hospitals.
According to this alert, infected users often get a message displayed to their device’s screen saying something like:
- “Your computer has been infected with a virus. Click here to resolve the issue.”
- “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
- “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”
In some circumstances, this warning is displayed with embarrassing images in order to motivate the user to get it off their system as fast as possible. But in every situation, systems are taken off line, critical data becomes unavailable, productivity is halted, and business operations are harmed.
How do I get infected?
Ransomware can be delivered in a number of ways, but the most common is as an infected file attached to an email. For example, today I received an email claiming to be from my bank. It had the right logo, links to real bank URLs, and my name. The body of the message explained that they have detected suspicious activity on my account, and that I needed to install an attached file in order to verify my credentials. This seemed like a legitimate issue. But it wasn’t. It was a phishing attack.
The giveaway to me, of course, was that no bank should ever send a file and ask you to install it – certainly not to validate your credentials. Instead, the attached file was infected with Ransomware, which would have loaded onto my system if I had clicked on it.
But email attachments aren’t the only mechanism for infection. Drive-by downloading is another, where a user visits an infected website and malware is downloaded and installed without the user’s knowledge. Ransomware has also been spread through social media, such as Web-based instant messaging applications. And recently, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.
What Do I Do to Stop It?
Here are 10 things you need to do to protect yourself and your organisation from the effects of ransomware:
- Develop a backup and recovery plan. Back up your systems regularly, and store that backup offline on a separate device.
- Use professional email and web security tools that analyse email attachments, websites, and files for malware, and can block potentially compromised advertisements and social media sites that have no business relevance. These tools should include sandbox functionality, so that new or unrecognised files can be executed and analysed in a safe environment.
- Keep your operating systems, devices, and software patched and updated.
- Make sure that your device and network antivirus, IPS, and antimalware tools are running the latest updates.
- Where possible, use application whitelisting, which prevents unauthorised applications to be downloaded or run.
- Segment your network into security zones, so that an infection in one area cannot easily spread to another.
- Establish and enforce permission and privilege, so that the fewest number of users have the potential to infect business-critical applications, data, or services.
- Establish and enforce a BYOD security policy which can inspect and block devices which do not meet your standards for security (no client or antimalware installed, antivirus files are out of date, operating systems need critical patches, etc.)
- Deploy forensic analysis tools so that after an attack you can identify a) where the infection came from; b) how long it has been in your environment; c) that you have removed all of it from every device; and d) that you can ensure it doesn’t come back.
- THIS IS CRITICAL – do NOT count on your employees to keep you safe. While it is still important to up-level your user awareness training so employees are taught to not download files, click on email attachments, or follow unsolicited web links in emails, human beings are the most vulnerable link in your security chain, and you need to plan around them.
Here’s why: For many of your employees, clicking on attachments and searching the Internet is part of their job. It is difficult to maintain the appropriate level of skepticism. Second, phishing attacks have become very convincing. A targeted phishing attack uses things like online data and social media profiles to customise an approach. Third, it is simply human nature to click on an unexpected invoice or critical message from your bank. And finally, in survey after survey, users feel that security is someone else’s job, not theirs.
What If I Get Infected?
Hopefully, you have a recent backup and you can wipe your device and reload it with an uninfected version. Here are some other things you need to do:
- Report the crime
- A quick online search will guide you to the site to report cybercrime in your country or region.
- Report instances of fraud to the police or the local Internet Crime Complaint Centre.
- Paying the ransom is no guarantee
According to the US/Canadian alert, “Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
- Contact experts
Many operating system, software, and security vendors have security experts on staff that can provide you with advice on how to respond should your system become infected with ransomware. There are also third-party forensics experts who can help you get back up and running.
- Have a Plan B
What do you do if your computer systems or network become unavailable? Do you have a failover plan? Is there a way to keep things running, even in a limited fashion, while your systems are being repaired? Do you know how much it will cost your organisation per hour if your systems are unavailable? Is this cost reflected in your IT security budget? This information needs to be included in your security policy.