Ransomware: Could Your Company Be at Risk of Falling Victim?
By: David Newell, Chief Executive Officer, Loptr LLC
Kristopher Meier, President, Station 28, LLC
Edward O'Keefe, Director of Application Development, ABC-Amega, Inc.
Ransomware. The term strikes fear in the heart of any IT department, even a well-prepared and well-rehearsed one. However, it’s a surprisingly misunderstood threat by many of the managers and business owners that we interface with on a routine basis. Much of managing a business effectively comes down to managing risk, whether that’s taking a chance on a big client project, deciding on when to ramp up staffing, or simply balancing your insurance coverage appropriately; successful business executives are adept at managing risk on a daily basis. The trick to doing this effectively is understanding; understanding not only of the nature of the threat itself, but the likelihood of that threat occurring. Our goal in this article is to provide an overview of the ransomware threat, explain how ransomware spreads, and detail what you can do within your organization to be better prepared.
Ransomware, as the name implies, is based on the premise of extracting a ransom from its victim. While they all operate with the same primary output objective, ransomware-based malware comes in many different flavors, comes from countless different authors, and varies in a number of different ways. At a high level however, some things hold true universally. Once a system is infected, the malware goes to work behind the scenes encrypting files at a rapid pace. Most ransomware takes care not to encrypt system files, thus leaving the system itself in an operable state, but instead focuses on user documents, Microsoft Office files, Adobe PDFs, pictures, movies, music, etc - anything it can get its hands on that may be of value to you. Additionally, if the system is in a corporate environment, the ransomware will work to encrypt files on network file shares as well. Once this silent encryption process is complete, the malware will present a request for a ransom payment to unlock these files. The premise is simple; send your money to the bad guys, and the bad guys will (hopefully) send back a key to unlock the files.
Some ransomware versions have been “cracked”, and decryption tools have been made freely available by security researchers. In many instances however, ransomware is well-written using industry standard software development and encryption practices, making it impossible to circumvent the encryption in any way (other than paying the ransom of course). The criminal groups behind ransomware are generally well-funded and well-organized, with support “staff” ready and waiting to process payment from their victims. Payment is generally accepted in BitCoin, a digital currency that is extremely difficult to track, making it the perfect payment solution for anyone with the ethics (or lack thereof) of a ransomware author.
The delivery mechanisms used to spread these infections are as varied as the ransomware flavors. Email phishing campaigns, “bad” advertisements, and “hijacked” legitimate sites, are all common delivery mechanisms. The sheer volume of ransomware variants in existence, paired with an every-changing ecosystem of attack methods, makes tracking and blocking this malware a nearly impossible game of “cat and mouse”.
So what can you do to protect your organization from these extortionists? We’ve assembled the following recommendations:
Backups, Backups, Backups – The single most important thing that any organization can do to protect themselves is to make sure that all critical files are backed up on a routine basis. That way, should you fall victim to ransomware, you can quickly restore your business critical files. Backups should be versioned, giving you the option to restore from multiple points in time. They should be “offline”, out of the reach of ransomware that may seek to encrypt your backups along with your data. You should retain a primary or secondary copy offsite, allowing you to restore even if you experience a major outage at your primary business location. Lastly, your organization should have a documented, tested, and routinely practiced disaster recovery and business continuity plan. Post-disaster is NOT the time to find out that your backups haven’t been running successfully, or that data couldn’t be recovered due to a technical issue.
Train Your Users – One of the most common ransomware delivery mechanisms is a phishing campaign. Technology can do a reasonable job at filtering out some of these emails, but the last line of defense is always the user sitting behind the keyboard. Train your users on common indicators of phishing campaigns, encourage them to reach out to their IT departments when they’re not sure about something, and test them on a routine basis. Phishing your own user base on a routine basis is an easy and quantifiable way of testing and evaluating your own training programs.
Put Solid Patch and Application Management Practices in Place – Another common way that ransomware is spread is through compromised websites. The attack breaks down as follows: the bad guys will compromise a popular website in an effort to install an “exploit kit” of their choosing. This “exploit kit” will quickly scan each connecting computer for vulnerable and out of date software such as Flash, Java, Silverlight, and so on. If a vulnerability is found, then that flaw will be leveraged to install and configure the ransomware “payload” of their choice, thereby infecting the victim machine. Keeping the underlying operating system up to date is clearly important, but it’s equally important to ensure that all third party browsers and support applications are routinely patched and updated as well. Taking that concept one step further, when is the last time a site you visited needed Flash? What about Java? If the answer is “Not in a long time”, then remove these third party applications from your systems altogether. Many times these third party “support” applications are installed out of habit, rather than legitimate business need.
Create and Rehearse a Structured Incident Response Plan – Depending on the size of your organization, this can range from extremely simple to complex, but the goal remains the same - identify and remove the infected computer from the network as quickly as possible, while preserving it for analysis by internal IT resources, and outside security experts. It’s not uncommon for the encryption process to be “caught in the act”, prior to it completing its encryption process, especially in very large file share directories. Having a documented and rehearsed response plan will help to limit your exposure, and speed up recovery time.
If these recommendations seem like standard IT best practices, they are! Solid backup, training, patch management, and incident response strategies have long been cornerstones of a well-designed IT program. So, set some time aside to sit down with your IT team to review your current policies and procedures, and address any gaps that may exist.
If you are lucky, you will never be hit by ransomware and the work you do will only help you to prevent attacks and be more prepared. If an attack does manage to make its way through your defenses, good backups, training, patching, and incident response planning will help you detect and contain an attack quickly. You will save your business from days of downtime and lost revenue. At either end of the spectrum, it’s time well spent!