I don’t normally watch horror movies, but there is a correlation between the movie “Saw” and ransomware, in particular a variant called JIGSAW. This is pretty scary stuff — the first thing you see is the creepy image of Billy the Puppet from the horror film “Saw” on your computer screen, then you find out that your data is no longer yours.
Ransomware is a type of malicious software, commonly called malware, that blocks access to a device or data until a ransom is paid. It’s delivered by the same means as other cybersecurity attacks — most commonly phishing emails with malicious Office documents or zipped files attached, compromised websites, and vulnerability exploits in the software that you use every day. It encrypts your files so that you cannot access them without the encryption key.
Ransomware has been the most prevalent cyber threat for the past 11 years and the infections have outnumbered data breaches. A report released in December 2016 states that ransomware attacks against businesses increased threefold in 2016.
It’s no joke. Ransomware is capable of crippling businesses who encounter it. The criminals behind these attacks are continually evolving their tactics to allow them to continue down this lucrative path. They are primarily holding the data ransom and do not appear to be stealing the data for their own use, but that trend could change.
Other research shows that ransomware had cost businesses $209M in the first half of 2016—a figure predicted to increase to $1 billion once year-end totals were in. Money is not all that’s at stake. Ransomware can cost a business its reputation, lost productivity, and sensitive data such as financial records including banking information, confidential customer information, or intellectual property.
IBM Security announced results from a study that found “70 percent of businesses infected with ransomware have paid ransom to regain access to business data and systems,” with half of those paying over $10,000 and 20 percent paying over $40,000. Those behind the attacks will more than likely move on and affect other individuals and businesses. By paying the ransom, those affected only encourage these criminals to continue on to the next victim. Remember, there is no honor among thieves and paying is not a guarantee. It may be tempting to just pay them and think that you can quickly move on from this, but you can still lose critical files even if the ransom is paid. Another issue is: Can you trust the data now that some unknown person(s) have accessed it It’s a far better idea to protect your business so you are not a target for future malware infections.
How to Prevent Ransomware and Other Malware
So, before you decide to stop using computers, the Internet and technology totally, there are preventative steps that you can take to avoid being held for ransom. Having a comprehensive cybersecurity and response strategy will help you defend against these attacks — one that focuses on using business drivers to guide cybersecurity activities and incorporates cybersecurity risks as part of your overall risk management processes. You don’t have to start from scratch. You can continue to evolve and improve your current practices. Specific actions that are proven to work include:
Identify the business processes and users that handle critical business information, especially those that handle financial information, and enforce some form of higher-trust authentication. For example, two-factor authentication requires not only a username and password, but also something that only the user has on them — like a hardware or software token that generates a code (Google Authenticator or RSA SecurID) to name a few. Learn more about two factor authentication.
Secure the network. Firewalls and other security tools designed to fortify the network perimeter play a critical role in protecting your business. Ensure your firewall configuration is set to restrict outbound network traffic and monitor for suspicious behavior. Invest in layered security protection that can detect and stop ransomware attacks before they happen. There are lots of products on the market that provide this type of protection.
Make backups of your critical business data. Schedule backups to no-overwrite media. Make sure backups are located on segregated network storage, preferably offsite and that uses strong encryption that you control and manage. Have dedicated backup operator credentials – don’t share or otherwise reuse those credentials for other purposes, and don’t reuse the passwords with other accounts. Audit the integrity of those backups regularly. Maintain proper access management for these backups.
Secure email and browsers. Email clients and web browsers are used to trigger ransomware. Scan all attachments, particularly zip files and documents, for the latest malware variants. Get a secure email gateway and ensure it is configured to provide URL filtering. These could be either hardware products or software products.
Secure the operating system and all programs. Make sure all of your computers are patched religiously, including the operating system and third-party applications. Upgrade outdated software that cannot be patched.
Provide user awareness training to all employees. Train your employees to be suspicious of all attachments and links in external and internal emails by encouraging the simple practice of hovering over a link (prior to clicking it) to confirm whether its actual destination is legitimate. Encourage users to report suspicious emails to get a second opinion if they are unsure of the validity.
Create, maintain, test, and follow your incident response plan. Create an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. A great resource is the NIST Guide for Cybersecurity Event Recovery.
In addition, the FBI provides a library of ransomware prevention and response information that is available to you for free.
What You Can Do if You Are Infected
Businesses affected by ransomware should refuse to pay the ransom and immediately contact the FBI or file a complaint with the FBI’s Internet Crime Complaint Center.
You may be able to recover your files. Law enforcement and IT security companies have joined forces to disrupt cybercriminal businesses with ransomware connections. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cybersecurity companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals. You can contribute to the project by submitting your encrypted files and information about the ransom demand you received and they will help you to find a way to decrypt your files. In addition, the website maintains a list of decryption tools that you can use if you are infected by one of the ransomware variants that they have decrypted.
It is much easier to avoid the threat than to fight against it once you have been affected. If you follow the prevention tips above, you can avoid a devastating blow to your business. Follow your incident response plan to clean up and recover your business quickly and efficiently.
Other things you can do are:
Share threat information. Get involved with industry-specific information sharing and analysis centers (ISACs). These non-profit groups operate as clearinghouses for cyber threat information related to specific industries.
Make informal contact with the InfraGard network, a partnership between business and the FBI. If an incident occurs, that relationship will be in place and you will have a resource to help you recover.
Finally, stay proactive and continuously improve your security program.
Kathleen Martin is MEP’S IT Security Officer and a Certified Information System Security Professional (CISSP). Her work involves participation in NIST’s IT Security Program to establish and enforce security policies and procedures, assess MEP’s infrastructure and data to identify vulnerabilities caused by weaknesses or flaws in software and hardware, evaluate the effectiveness of existing security measures, and make recommendations to improve security based on assessments and knowledge of current and emerging threats. Previously she was MEP’s Database Administrator and administered MEP’s Reporting process and client survey.
(This article appeared on the Manufacturing Innovation blog)