Ransomware is a nasty type of cyber threat that blocks access to your computer systems or information, and demands a fee to let you access them again. Typically the ransomware will encrypt your files, and provide a way for you to pay to obtain the key needed to decrypt them. Your files are still there but you can’t get to the data. Ransomware will also attempt to find any online backups and encrypt those too, to make it harder for you to get round the encryption.
The cost to businesses that are infected by ransomware can be very high. According to the FBI, the financial impact goes beyond the ransom fee itself, and includes “…costs associated with network mitigation, countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees and customers”.
In my previous blog, “Protect your organization from advanced persistent threats”, I wrote about the need for a balance of people, process and technology controls. This is just as true for protecting you against ransomware as it is for any other threat. The FBI recommendations for protecting yourself against ransomware include, for example:
- Technology controls – Antivirus software, firewalls and popup blockers can all help to reduce the chance of being infected by ransomware.
- Process controls – Regular backups that are kept offline ensure you are able to recover affected data if you do become infected. This will reduce the impact of any ransomware incidents.
- People controls – “Be skeptical. Don’t click on any emails or attachments you don’t recognize” is the key message here. If your people understand how important this is, then the chance of your systems and data being affected by ransomware will be greatly reduced.
Other organizations have also published advice on how to recover from ransomware, for example the Symantec guidance on Trojan.Cryptowall or the McAfee Labs article “Cryptowall Ransomware Built with RC4 Bricks”. Both of these offer guidance that includes people and process controls, as well as technology ones.
Organizations that recognize the need for an appropriate balance of controls, and invest accordingly, can certainly reduce their risk. For example, a good employee awareness training scheme with regular follow-up can help to make it less likely that staff will click on malware links. The trouble is that some people seem to be almost immune to even the best training, while others seem to get the message, but the impact fades and they quickly revert. However much you emphasize the importance of taking care, they don’t seem to realize that their behavior is part of the problem. So what can you do to identify risky behavior and take preventative action?
One approach that many organizations have found helpful is to send out their own phishing emails. These emails look similar to real phishing attacks and include links that claim to be the sort of content that is used to distribute ransomware. You can then see which of your staff members click the links and use this as an opportunity to educate those people.
It can be even more effective to monitor everything that happens on client devices, looking for behavior that could be risky. You would need to collect and analyze large amounts of data, with a view to recognizing problematic patterns, which does, admittedly, sound difficult. However, a tool like Nexthink can provide a complete solution for collecting and analyzing client data in this way, letting you see which users need additional training so you can focus your preventative efforts where they will do the most good.
If you implement this kind of approach to preventing ransomware from infecting your network, you will make a big difference to the likelihood of infection, but this still won’t be enough. My previous blog discussed the need to balance controls that protect, detect and correct, and you need this for ransomware too.
- Protect – Prevent the ransomware using a combination of antivirus controls, firewalls, popup blockers, data analytics, user training etc.
- Detect – Detection of ransomware is usually fairly easy, as it must advertise itself to you to get you to pay. Nevertheless, data analytics can play a part here too: if you can recognize the behavior of the ransomware, then you may be able to stop it spreading any further, or deal with it before it has encrypted every online backup.
- Correct – One of the most important defenses against ransomware is the ability to recover your data from offline backups. It may be much easier to use online, networked storage to store your backups, but if the infected computer can access the backups then the ransomware will infect the backups as well as the live data. Make sure you have backups that are completely isolated from the systems that they protect.
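
One way to apply the Detect point above to endpoint file-write telemetry, as an added example that is not from the original post or from any product it mentions: flag a process that writes high-entropy data to many distinct files in a short window. The event tuple format, the thresholds, the host and process names and the sample data are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60   # assumed sliding window
MIN_FILES = 5         # assumed: distinct files rewritten inside the window
ENTROPY_BITS = 7.2    # assumed threshold in bits/byte; encrypted data is near 8

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a written sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_bulk_encryptors(events):
    """Map (host, process) to the time it crossed the bulk-rewrite threshold."""
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, path)
    alerts = {}
    for ts, host, process, path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) < ENTROPY_BITS:
            continue              # ordinary text write, ignore
        window = recent[(host, process)]
        window.append((ts, path))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()      # drop writes older than the window
        if (host, process) not in alerts and len({p for _, p in window}) >= MIN_FILES:
            alerts[(host, process)] = ts
    return alerts

def pseudo_ciphertext(seed: str, size: int = 2048) -> bytes:
    """Constructed stand-in for encrypted bytes: chained SHA-256 output."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

# Constructed telemetry: (epoch seconds, host, process, path, bytes written)
PLAIN = b"Quarterly report draft, revision 3. " * 60
SAMPLE_EVENTS = [(1000 + 300 * i, "pc-17", "notepad.exe", f"notes{i}.txt", PLAIN)
                 for i in range(6)]
SAMPLE_EVENTS += [(2000 + 2 * i, "pc-42", "updater.exe", f"share/file{i}.xlsx",
                   pseudo_ciphertext(f"f{i}")) for i in range(8)]
# A backup job also writes high-entropy (compressed) data, but slowly.
SAMPLE_EVENTS += [(3000 + 120 * i, "pc-17", "backup.exe", f"arc{i}.zip",
                   pseudo_ciphertext(f"z{i}")) for i in range(6)]

for (host, proc), ts in find_bulk_encryptors(SAMPLE_EVENTS).items():
    print(f"ALERT host={host} process={proc} at={ts}")
```

Compressed formats also score near 8 bits per byte, which is why the rule keys on how many distinct files one process rewrites in a short window rather than on entropy alone.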
This blog, and the previous one, have been about how to defend against external attacks, but what happens if the attacker is an insider? Defending against insider attacks will be the topic of the next blog in this series.