What every business should know about ransomware attacks
Does your organisation have tens of thousands of dollars to spare? Even if you have extra cash lying around, you probably have better ways to spend it than responding to a ransomware attack.
If your organisation is targeted, your IT team won’t be able to rely on a hero like Liam Neeson’s character in Taken to save the day. It is your responsibility to ensure systems are robust and ready to thwart attacks.
Experts estimate that ransomware strains like CryptoLocker, TorrentLocker and Locky have cost Australian businesses over $8 million. Proving that any company is vulnerable, they’ve even affected iconic businesses like Australia Post and the ABC.
Ransomware attacks are expensive, time-consuming and put confidential information at risk. Even organisations that rebuild from backups instead of paying the ransom suffer financial losses as a result of downtime and lost productivity.
Organisations must protect themselves against increasingly sophisticated attacks with proven security solutions. In this post, we’ll discuss:
- What ransomware is, and how it affects enterprises
- How to respond to a ransomware attack
- Best practices for preventing ransomware attacks
What is ransomware?
Ransomware is a type of malware that makes the victim’s computer or files unusable. It demands a ransom in return for a cryptographic key that can be used to decrypt files. Attackers often request payment in an online virtual currency like Bitcoin. This prevents them being traced.
Ransomware infects systems via unglamorous methods. Hackers typically gain access to corporate data when an employee does one of the following:
- Opens an infected email attachment
- Visits a malicious website
- Visits a legitimate website that has been hacked
Even employees trained in identifying potential security threats may have difficulty spotting a ransomware attempt. Attackers are skilled at blending in.
How ransomware affects your systems
If you fall victim to a ransomware attack, you’ll know about it straight away. Compared to the stealthier malware used in more advanced attacks, the impact of ransomware is immediate and unavoidable.
First up, your corporate and personal documents and data are encrypted, rendering them inaccessible. These files can’t be restored with off-the-shelf solutions. Complete recovery without the attacker’s decryption key is near impossible.
Secondary and tertiary impacts
Next, the ransomware attempts to spread. File services and network shares may be encrypted, and sensitive information disclosed. If the initial victim’s computer is connected to a file server, the ransomware could be distributed to the entire network. Ransomware campaigns can also spread malware to new victims by stealing email credentials, affecting the entire enterprise.
Responding to a ransomware attack
Ransomware can cause significant damage in a short amount of time. But by the time you’ve succumbed to an attack, options for recovery are limited. There are three main options:
Rebuild from backups
If you have sufficient backups to rebuild your environment, you can avoid paying the ransom. In exchange, you may experience downtime and lost productivity as you wait for your system to be restored.
Maintaining regular backups is expensive and difficult, but it’s worth it. Organisations that fail to maintain current backups risk losing huge amounts of data, which is expensive and time-consuming to recover.
Pay the ransom
Though restoration from backups is the recommended recovery method, many ransomware attack victims choose to pay the ransom. In the first three months of 2016, over US$209 million in ransomware payments were processed in the United States. That’s up from just US$25 million in 2015.
Don’t pay ransoms, if you can avoid it. Doing so rewards attackers and burdens your organisation financially.
Attempt file restoration (good luck!)
When backups are outdated and they don’t want to pay the ransom, some organisations attempt to recover data through file restoration, either with a file recovery software tool or by outsourcing decryption services to a third party. Before handing over a large chunk of a hard-earned IT budget, tread carefully: many ransomware variants delete shadow copies, and some even detect file recovery software. “Since many variants infect the registry, system restore from a save point may not be possible even if the recovery point remains unaffected.” (CSO) 1
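Because many variants delete shadow copies, the deletion itself is an event worth alerting on. The following is an added example, not part of the original post or the CSO article: it scans process-creation records for the built-in Windows commands that remove shadow copies. The log format, host names, user names and severity rule are assumptions made for illustration.

```python
import re

# Constructed sample records (not from a real incident), in an assumed
# "timestamp|host|user|command line" export of process-creation events.
SAMPLE_LOG = "\n".join([
    r"2016-05-02T09:14:07|WS-017|alice|C:\Windows\System32\notepad.exe report.txt",
    r"2016-05-02T09:15:31|WS-017|alice|vssadmin.exe Delete Shadows /All /Quiet",
    r"2016-05-02T09:15:33|WS-017|alice|cmd.exe /c wmic  shadowcopy delete",
    r"2016-05-02T10:02:44|SRV-BKP|svc_backup|vssadmin list shadows",
    r'2016-05-02T10:05:10|SRV-FS1|bob|"C:\Windows\System32\vssadmin.exe" delete shadows /for=C: /oldest',
    "truncated line without fields",
])

# Built-in Windows tools that can remove Volume Shadow Copies.
DELETE_PATTERNS = {
    "vssadmin": re.compile(r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I),
    "wmic": re.compile(r'\bwmic(?:\.exe)?"?\s+shadowcopy\s+delete\b', re.I),
}
# /all removes every snapshot, /quiet suppresses the confirmation prompt;
# either one raises the severity (assumed triage rule).
BULK_SWITCHES = re.compile(r"/all\b|/quiet\b", re.I)


def find_shadow_copy_deletion(log_text):
    """Return one finding per process that deletes shadow copies."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("|", 3)
        if len(fields) != 4:
            continue  # malformed record: skip rather than crash
        timestamp, host, user, command = fields
        for tool, pattern in DELETE_PATTERNS.items():
            if not pattern.search(command):
                continue
            # An unfiltered wmic delete also removes every snapshot.
            bulk = bool(BULK_SWITCHES.search(command)) or (
                tool == "wmic" and " where " not in command.lower())
            findings.append({"time": timestamp, "host": host, "user": user,
                             "tool": tool,
                             "severity": "high" if bulk else "review"})
            break
    return findings


if __name__ == "__main__":
    for f in find_shadow_copy_deletion(SAMPLE_LOG):
        print(f["severity"].upper(), f["time"], f["host"], f["user"], f["tool"])
```

Listing shadow copies is not flagged, and a targeted deletion by an administrator is marked for review rather than treated as an incident.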
Best practices for preventing ransomware attacks
Responding to a ransomware attack after the fact is not ideal. Organisations are better off setting up strict security controls, such as FireEye, to keep data safe across the main ransomware infection paths. Here are a few tips for keeping your data protected.
Maintain current backups
System backup and recovery are the only proven remedy for a ransomware infection. If an organisation has a backup system, recovery is a matter of restoring the system to a save point. The drawback of relying on backups is the downtime the business incurs during recovery and restoration. And while backups are expensive, cutting corners to save money may end up costing more in data recovery after an attack. Back up critical machines (not just important files), run frequent backups and prepare offline backups that, unlike network drives, can’t be corrupted in an attack.
Lock down email security
The first step in attack prevention is to keep email programs updated. Phishing emails should be blocked with spam filtering tools and files backed up regularly. A tool like FireEye can prevent ransomware distribution through email attachments and malicious links. FireEye opens suspicious email file attachments and watches for unusual responses, identifying threats before a user has a chance to open a file or link.
Tighten network and web security
Update your operating system and applications to the latest versions, and exercise caution when accessing news, advertisements and other websites. Installing pop-up blockers, or using the SmartScreen filter in Internet Explorer, can improve security.
You’ll also want added protection in the event that you do stumble across ransomware. FireEye can identify the distribution and infection path and block it to minimise damage.
Choose a network security solution that offers protection at every attack stage
Most network security solutions focus on file backups rather than attack detection and defence. To protect against ransomware attacks, you need technology that can both:
- Accurately identify harmful websites
- Provide customers with information and support to deter web and email attacks
Ransomware is an evolving threat. Following industry best practice for prevention can help keep your data safe. At ICT Networks, we recommend using FireEye to protect against threats. To find out more about how it can help you stay safe, download the FireEye Ransomware Response Strategies white paper.
1 CSO: http://www.csoonline.com/article/3044036/security/how-to-respond-to-ransomware-threats.html#slide4