More and more companies are being impacted by Ransomware. Not a week goes by without cyber-attacks, malware and ransomware featuring in the news. Unfortunately, this trend does not appear to be slowing down. There are a number of steps an organisation can take to reduce the risk of infection and to defend against similar threats.
What is Ransomware?
Ransomware is an advanced piece of malware (malicious software) that, once it has infected a system, seeks to encrypt or otherwise render useless data files, office documents, images and other important files. For a business to regain access to (and use of!) these files, it is required to pay a ransom (typically in Bitcoin). The concept of ransomware is not new, and there have been incidents as far back as 1989, but the events of 1989 are a million miles away from what we see today. The Internet potentially makes every internet user a target; malware is far more sophisticated and difficult to detect; and organisations are far more digitally enabled and connected. You also need to remember that Ransomware is a lucrative business and the Internet knows no bounds – so there is an added incentive for Ransomware authors (rather than just kudos).
There is no question: Ransomware infections cost a business money, directly or indirectly. Many commentators say to avoid paying the ransom at any cost (as it encourages the cronies), whilst others believe the cost of cleaning up an infection is more than the ransom itself. A word of caution: it is believed that in 20% of cases, even after paying the ransom, you will not get your data back…
Ransomware operators have achieved operational effectiveness; their software is mostly automated, it lacks emotion and it probably doesn’t care about you, who you are, or what data it has encrypted.
So how much? How much does a Ransomware infection cost? Intermedia published a report that stated:
Nearly three-quarters (72 percent) of companies infected with ransomware could not access their data for at least two days because of the incident, and 32 percent couldn’t access their data for five days or more, according to the report, which was based on a survey of some 300 IT consultants.
Richard Walters, senior vice president of security products at Intermedia commented:
If you’ve got a large number of users and downtime runs into multiple days, then the cost of that downtime adds up pretty quickly to the kind of ransom amounts that cybercriminals are demanding potentially.
Those losses occur even if a company has taken precautions to back up its data.
You have to contain the infected systems, then wipe them completely and then restore them. That process in more than half these cases took longer than two days.
In March this year, the US CERT and Canadian CIRT issued a warning about Ransomware:
How do I get infected with Ransomware?
You can become infected with Ransomware in a number of ways. The most common attack vector that we see at MTG is e-mail attachments. Despite anti-virus, policies, user education and other controls, humans are often the weakest link. That said, attachments are not the only mechanism; social media, instant messaging, drive-by downloads and other methods are equally effective.
What is the impact of an infection?
Ransomware targets both home users and businesses. The impact on a business can include:
- temporary or permanent loss of sensitive or proprietary information,
- disruption to regular operations,
- financial losses incurred to restore systems and files, and
- potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be recovered; it only guarantees that the malicious authors receive some money/Bitcoin. Decrypting files does not mean the malware infection itself has been removed.
How do I defend against Ransomware?
It is important to accept that there is no single solution to the problem. We have found user education and a combination of controls is the best method to (a) Defend against ransomware and (b) Allow you to recover from an infection, “If” it gets past your controls.
ServiceTech strive to defend all our clients against advanced malware attacks, but there are no guarantees. You have to accept the reality of the situation; Protection costs money. Business owners have to consider the cost of protection against the risk of an infection. Given the costs, you can understand why it makes sense for a business to get the fundamentals right first, before considering deploying an expensive sandbox solution or advanced heuristics defence platform.
- Backups. Backups are key. Ensure backups are kept on a separate device/media/network/location.
- Education. Educate your users not to open random attachments / websites / web-links.
- Updates. Keep your operating system, software and applications up to date. Many Ransomware infections are facilitated through out of date software, and the resultant vulnerabilities. Examples include Adobe Flash, Acrobat, Java, Office and Windows itself.
- Antivirus. Ensure you have up to date Antivirus. Note, Antivirus is not the silver bullet many people think it is; it is only part of the solution (and arguably a diminishing one).
- Filtering. Use e-mail filtering and web-filtering. These platforms can scrub out dodgy files and identify malicious web-links, but much like anti-virus, they are not foolproof.
- Least Privilege. Consider a culture of least privilege. Ask your IT team/consultants to lock down access to areas of your networks, systems or folders to only those that need access. In the event of an outbreak, the infection will only be limited to “part” of your infrastructure.
- Segmentation. Many organisations have enterprise networks from Cisco, Juniper and the likes – but you would be amazed by how few actually leverage the capabilities of their investment. Segmentation carves up your network into logical areas and can implement access policies for traffic between these areas. For larger organisations, you can enforce segmentation and intra-organisation policies that can be used to contain infections or identify outbreaks.
- Understand. How can you possibly adopt a least privilege approach or implement robust controls if, as an organisation, you do not fully understand what data you have, where it lives and who has access to it? Many organisations lack up to date documentation, or – where documentation exists – it fails to recognise “data” as an asset.
- White-listing. Similar to least privilege, white-listing only allows “approved” applications to execute. Application white-listing is implemented through software.
- IP reputation and Cloud Security. Services such as OpenDNS or next-generation firewalls actively scan network traffic to, or originating from, your organisation for “indications of compromise”, or assess remote websites/IP addresses based on reputation. Known malicious websites, botnets and command-and-control servers are blocked, and you are alerted. These are easy, non-invasive and relatively inexpensive solutions to implement.
- BYOD and WIFI. Mobile devices, tablets and WIFI networks are equally important areas to focus on. Ensure that any controls or security policies you put in place extend to wireless networks and mobile devices. Mobile and BYOD policies can allow you to restrict access based on device, time of day, “security posture” and other criteria. Essentially, you can ensure those who access your network are subjected to a robust network access policy.
- Layered Approach. Do not bank on one solution saving your bacon. You should employ multiple solutions, services or devices – along with a continual user-awareness/training approach.
- Prepare. In the event of an attack or outbreak, ensure you have a well thought out and tested contingency plan.
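The Filtering control above is easiest to see in code. The following is an added example, not code from the post or from ServiceTech: a minimal attachment-policy check of the kind an e-mail gateway applies before a message reaches a user. The extension lists and the sample message are assumptions constructed for illustration, not a recommended production policy.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extension lists are assumptions for this example, not a complete policy.
BLOCKED_EXT = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".ps1", ".hta", ".jar"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}      # macro-enabled Office: human review
ARCHIVE_EXT = {".zip", ".rar", ".7z"}        # archives can hide a blocked file


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment file name."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    if not suffixes:                      # no extension at all: let a human look
        return "review"
    last = suffixes[-1]                   # "invoice.pdf.exe" -> ".exe"
    if last in BLOCKED_EXT:
        return "block"
    if last in MACRO_EXT or last in ARCHIVE_EXT:
        return "review"
    return "allow"


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and map each attachment name to a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():   # body text parts are skipped
        fname = part.get_filename() or "(unnamed)"
        verdicts[fname] = classify_attachment(fname)
    return verdicts


def overall_verdict(verdicts: dict) -> str:
    """The whole message takes the most severe verdict of any attachment."""
    if "block" in verdicts.values():
        return "block"
    if "review" in verdicts.values():
        return "review"
    return "allow"


def build_sample_message() -> bytes:
    """Constructed sample mail (not a real capture): one benign, one lure."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.4 fake", maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ fake", maintype="application", subtype="octet-stream", filename="Invoice.PDF.exe")
    return m.as_bytes()
```

Running `scan_message(build_sample_message())` allows `invoice.pdf` but blocks the double-extension file, so the message as a whole is blocked.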
If you would like to learn more about how ServiceTech can work with you, or your IT team, to ensure you have (a) adequate defence and (b) a recovery strategy, get in touch today.