Ransomware defined
Ransomware is an access-denial attack that infects computer systems via Trojan horse email attachments, compromised/hacked websites or website ads. Once downloaded, this malware encrypts a system’s files, making them completely unusable until the victim pays a ransom to decrypt and re-access their data.
You know you’ve been hit when your computer screen freezes with a pop-up message saying your personal files have been encrypted, and that you must pay to get the key needed to decrypt them. Often, the perpetrator claims to be a federal agency informing you that your computer will remain locked down until you pay a fine to compensate for violating some bogus federal law.
The great threat
In a recent WSJ article, Chris Stangl, an FBI Cyber Division section chief, described ransomware as a “prevalent, increasing threat…costing victims $24M + in 2015.” I believe this is a low estimate because much ransomware crime goes unreported by businesses afraid of the potential negative publicity.
In fact, ransomware has successfully targeted a wide range of organizations, including businesses, financial institutions, government agencies–even police departments and hospitals, wreaking complete havoc. The potential damage includes loss of critical proprietary information and shutting down operations.
Basic protection
First-level ransomware protection encompasses many of the same fundamental system security strategies described in a previous Insights post.
- First and foremost, regularly back up your data to either an external device or a safe offline location, one not linked to your network. You can experience a complete system meltdown for many reasons. I recently spoke with a customer whose website was hacked several years ago. Most of his information was lost because he had no backup. Failure to back up your data is like playing Russian roulette.
- Automate regular updates to your antivirus software, operating system, and web browsers.
- Regularly update the software on all your devices. Use the same protections on your mobile devices as you would on your computer when using the Internet.
- Create strong passwords, as described in a previous post.
- Never open unsolicited e-mail attachments or attachments from people you DON’T know.
- Never open suspicious-looking emails, even from people you DO KNOW. If their subject line seems ‘off,’ their account may have been hacked.
- Never click on a URL embedded in an unsolicited e-mail, even if it looks OK. If it seems important, close the email and access the organization’s website directly.
- Only visit websites that have a good reputation.
- Only download software—especially free software—from sites you know and trust.
Not directly related to ransomware: be careful before initiating manual downloads even of trusted software. It’s easy to click on and accidentally download invasive software (e.g., bundled toolbars).
Next, I’ll explore some recommended ransomware prevention strategies for mid to large-size organizations.
According to a recent study, if you apply the basic security measures outlined in this article, you’ll reduce the risk of malware/ransomware infection by 90%. With the risk so high, I’d like to share some additional protective strategies.
Pay the ransom?
Many organizations have paid ransoms to re-access their data despite the advice of Federal authorities not to do so. Be aware, however, that if you pay there’s no guarantee the criminal hackers will give you the key to decrypt your files.
According to the FBI, many ransomware hackers are located in Eastern Europe and other offshore locations that are shielded by hard-to-trace Internet infrastructure. Government IT security experts recommend that all victims of ransomware contact their local FBI field office and consider securing the services of a reputable private Internet security consultant. By doing so, authorities have a shot at neutralizing the botnets and other mechanisms that allow these attacks to begin with.
Emergency actions
If you suddenly realize you have opened an attachment that you believe may be ransomware, there may be enough time to stop it from completely taking control of your system.
Immediately do the following:
- Disconnect from the Internet/Wi-Fi. Because it takes some time to encrypt all your files, you may be able to stop the malware before it succeeds in seizing all of them. This means you need to move more quickly than it does, an iffy proposition.
- Use System Restore. If you have System Restore enabled on your Windows computer, try taking your system back to a previous clean state. Unfortunately, newer versions of CryptoLocker and other ransomware quickly delete old file versions before you can execute
Additional basic strategies
- Educate Your Users about Security. If your employees don’t fully understand the threat of unsolicited email phishing, you could be in deep trouble. Train them carefully on this and all other security threats.
- Create a Separate Portal for the Internet. Workers needing unrestricted Internet access should be provided a separate external portal.
- Use Internet Ad Blocking. When online, employees should avoid ‘malvertisements’ that target individuals based on their online identifiers and browsing history. These attacks are especially dangerous because they are perpetrated by criminals who often have gained an accurate idea of the victim’s ability to pay.
- Scan the Content of Inbound Emails to Validate Their Origin. Unfortunately, few corporations authenticate inbound email based on the sending IP address and server domain. Companies having such protection too often only quarantine questionable emails without deleting them completely. Check out Sender Policy Framework (SPF) as well as Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM).
- Protect Your Email Servers. Establish scanning protection for all your incoming, outgoing, and stored server mail to add another level of protection to your system’s perimeter defenses.
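To make the SPF/DKIM/DMARC point concrete, here is an added example (not code from the original post) that parses a domain’s DMARC policy record and the Authentication-Results header a receiving mail server adds, then returns the disposition the policy calls for. The message headers, the domains and the two policy records are constructed; note how the weaker policy only quarantines a spoofed message while the stronger one rejects it.

```python
"""Decide what to do with an inbound message under the sender's DMARC policy."""
import re
from email.utils import parseaddr

# Constructed policy records: the weak one keeps spoofed mail in quarantine,
# the corrected one rejects it and demands strict domain alignment.
WEAK_DMARC = "v=DMARC1; p=quarantine"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s"

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'dmarc1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    # Simplification for the example: the last two labels are the organizational domain.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(headers: dict, dmarc_record: str) -> str:
    """Return 'deliver', 'quarantine' or 'reject' for one message."""
    policy = parse_dmarc(dmarc_record)
    from_domain = parseaddr(headers["From"])[1].split("@")[-1]
    results = headers["Authentication-Results"]
    spf = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=(?:\S+@)?([\w.-]+)", results)
    dkim = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", results)
    # DMARC passes when at least one mechanism passes AND its domain aligns with From:.
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, policy.get("aspf", "r"))
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    p = policy.get("p", "none")
    return p if p in ("quarantine", "reject") else "deliver"

# Constructed headers: a spoofed payroll message sent through an unrelated server.
SPOOFED = {"From": "Payroll <payroll@example.com>",
           "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=bulk@attacker-mail.example; dkim=fail header.d=example.com"}
LEGIT = {"From": "Payroll <payroll@example.com>",
         "Authentication-Results": "mx.example.net; spf=pass smtp.mailfrom=payroll@example.com; dkim=pass header.d=example.com"}
```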
In my next and final installment, I’ll describe three higher-level strategies that provide the highest level of ransomware protection.
You’ll need the support of IT professionals
If you execute the basic protective strategies against ransomware described so far, you’ll significantly reduce your vulnerability to attack.
For more complete protection, you’ll need the support of IT professionals and/or advanced protective software that provides sophisticated monitoring to preventively diagnose distinctive ransomware patterns. With that in place, infected files will be quarantined automatically before your system can be hijacked. You’ll also gain access to diagnostic information to help you understand how the incursion happened.
Three advanced strategies
- Apply Behavior Analysis: Traditional antivirus software fails to protect against ransomware because it is limited to static, signature-based methods that are blind to constantly morphing versions of the threat. Behavior analysis-based security tools from vendors such as SentinelOne, Trend Micro, Cisco and Kaspersky Lab provide behavioral assessment protection.
- Utilize Stealth Malware Detection: Newer ransomware versions stay in a stealthy dormant state while being scanned by security tools. They come to life only when it’s safe to come out of the ‘sandbox.’ Minerva Labs recently introduced a new tool that tricks ransomware into remaining in a limbo-like endless loop.
- Integrate Multi-Level Protection: Clearly, your business requires multiple levels of defense against ransomware. Integrating them into an effective shield requires time and effort. Any overall solution to the problem requires careful monitoring both of evolving malware threats and the newest, most effective defenses against them.
By all means, include the two strategies presented above while incorporating more basic download protection, browser protection, firewall and other standard protections.
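As an added illustration of the “distinctive ransomware patterns” a behavior-based tool watches for (example code written for this page, not any vendor’s product), the heuristic below scans constructed file-rename events and flags a process that rewrites many files of different types with a new extension within a few seconds, which is what a bulk encryptor looks like on disk. The event format, process ids and paths are all assumptions for the example.

```python
"""Toy behavioral heuristic: flag a process whose rename burst looks like bulk encryption."""
import os
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, pid, operation, old_path, new_path).
DOCS = ["q1.xlsx", "memo.docx", "slides.pptx", "photo.jpg", "notes.txt", "budget.xlsx", "plan.docx", "scan.pdf"]
SAMPLE_EVENTS = [(0.1 * i, 4321, "rename", f"C:/Users/alice/Docs/{name}", f"C:/Users/alice/Docs/{name}.locked")
                 for i, name in enumerate(DOCS)]  # pid 4321 renames 8 files in under a second
SAMPLE_EVENTS += [
    (0.5, 880, "rename", "C:/Users/alice/Docs/draft.docx", "C:/Users/alice/Docs/draft-final.docx"),  # normal save
    (9.0, 880, "rename", "C:/Users/alice/Docs/old.txt", "C:/Users/alice/Docs/old.txt.bak"),          # one backup
]

def ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()

def suspicious_processes(events, window=5.0, min_renames=5, min_extensions=3):
    """Return {pid: largest_burst} for processes that, within `window` seconds,
    changed the extension of at least `min_renames` files spanning at least
    `min_extensions` distinct original file types."""
    by_pid = defaultdict(list)
    for ts, pid, op, old, new in events:
        # Only renames that change the extension count; ordinary saves keep it.
        if op == "rename" and ext(old) != ext(new):
            by_pid[pid].append((ts, ext(old)))
    flagged = {}
    for pid, renames in by_pid.items():
        renames.sort()
        start = 0
        for end in range(len(renames)):
            # Slide the window so it spans at most `window` seconds.
            while renames[end][0] - renames[start][0] > window:
                start += 1
            burst = renames[start:end + 1]
            kinds = {e for _, e in burst}
            if len(burst) >= min_renames and len(kinds) >= min_extensions:
                flagged[pid] = max(flagged.get(pid, 0), len(burst))
    return flagged

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_EVENTS))
```

A real tool would also weigh file entropy, ransom-note drops and shadow-copy deletion; the thresholds here are illustrative.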
Make Your Malware Response Plan Available for Immediate Launch
Have an action plan ready for immediate launch in the event of a ransomware attack. Begin with an inventory of your critical data assets, their locations and the effect of any loss or inaccessibility of those data.