Ransomware – Protect Rather Than Pay Up
Over the past few months, you likely have noticed that incidents of ransomware are on the rise. You are not imagining things.
State and local governments, hospitals and school districts, law enforcement agencies, businesses large and small – these are just a few that have been impacted by ransomware -what the FBI calls, “an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.” Ransomware is nothing new; however, since 2015 law enforcement is seeing an increase in these types of cyber-attacks against all kinds of organizations. Why? Because the payoffs are higher. This number is already sure to grow in 2016 unless we prepare for these attacks in advance.
Before you can fend off an attack, you must first understand what it is you’re defending against. Ransomware is essentially a type of malware that infects your computer, restricting access to your data. Your computer is held for “ransom” by the malware operator, and unless you pay the requested fee within a certain period of time (usually 24 hours), your data will be wiped clean. The FBI estimates that more than $20 million has been accrued by these cyber-criminals.
The FBI says that in a ransomware attack, the intended victim opens an e-mail addressed to them and may click on an attachment or a URL that appears legitimate but contains a ransomware code that is activated instantly when clicked, infecting their computer with malicious software. The malware begins encrypting files and folders on local drives, any attached drives, backup drives and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.
Anti-virus software companies such as McAfee and others have developed software to protect users from ransomware, although it is difficult to keep up with defense mechanisms with all the new ransomware variants that keep attacking on an almost daily basis. In fact, the research team over at Proofpoint just published their findings, which confirm that the proliferation of these variants poses a significant threat. They recently uncovered CryptXXX 2.006, which is resistant to decryption tools that worked against its first version, CryptXXX. Certainly not an exhaustive list, other variants include:
- ROI Locker/Manamecrypt
- MM Locker
In addition, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”
For those who are victims of this malware, it can become a “pay up or else” situation, and many find it easier to just pay up, rather than risk losing their valuable data. The ransom amounts are usually small (less than $100). Rather than go through the hassle of trying to retrieve data and start all over, they just pay the fee and get access to their files, as if nothing happened. Obviously, this is a less-than-desirable situation and outcome, so measures must be taken to ensure this doesn’t happen.
The FBI doesn’t support paying a ransom in response to a ransomware attack. “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom,” says Mr. Trainor. “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Tips for Dealing with the Ransomware Threat
If your company’s data is taken for ransom, you will suffer downtime, productivity and revenue loss, as well as data loss. This is not something that most companies can afford, particularly if it happens more than once.
The most obvious measure of protecting your company from ransomware is to make sure you have a reliable firewall, with the most current anti-virus software. While most ransomware is poorly coded and easily guarded against by the anti-virus companies, there are a few that are quite sophisticated in their encryption and coding.
Aside from installing the most up-to-date and technologically advanced anti-virus software, all employees should be given security awareness training to identify possible red flags related to ransomware and other malware programs. Your company should also put together a manual that clearly sets out policies and procedures related to data security.
- Patch operating system, software and firmware on digital devices (which may be made easier through a centralized patch management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts; no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Configure access controls, including file, directory and network share permissions appropriately.
- Disable macro scripts from office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations such as temporary folders that support popular Internet browsers, compression/decompression programs, etc.
- Back up data regularly and verify the integrity of those backups regularly.
- Secure your backups, making sure they’re not connected to the computers and networks they are backing up.