If your organisation is targeted, your IT team won't be able to rely on a hero like Liam Neeson's character in Taken to save the day. It is your responsibility to ensure systems are robust and ready to thwart attacks.

Experts estimate that ransomware strains like CryptoLocker, TorrentLocker and Locky have cost Australian businesses over $8 million. Proving that any company is vulnerable, they've even affected iconic businesses like Australia Post and the ABC.

Ransomware attacks are expensive, time-consuming and put confidential information at risk. Even organisations that rebuild from backups instead of paying the ransom suffer financial losses as a result of downtime and lost productivity.

Organisations must protect themselves against increasingly smart attacks with proven security solutions. In this post, we’ll discuss:

What is Ransomware?

Ransomware is a type of malware that makes the victim's computer or files unusable. It demands a ransom in return for a cryptographic key that can be used to decrypt files. Attackers often request payment in an online virtual currency like Bitcoin. This prevents them being traced.

Ransomware infects systems via unglamorous methods. Hackers typically gain access to corporate data when an employee does one of the following:

Employees trained in identifying potential security threats may have difficulty spotting a ransomware attempt. Attackers are skilled at blending in.

How Ransomware affects your systems

If you fall victim to a ransomware attack, you'll know about it straight away. Compared to the stealthier malware used in more advanced threat attacks, the impact of ransomware is immediate and unavoidable.

PRIMARY IMPACT

First up, your corporate and personal documents and data are encrypted, rendering them inaccessible. These files can't be restored with off-the-shelf solutions. Complete recovery without the attacker's decryption key is near impossible.

SECONDARY AND TERTIARY IMPACTS

Next, the ransomware attempts to spread. File services and network share devices may be encrypted, and sensitive information disclosed. If the initial victim's computer is connected to a file server, the ransomware could be distributed to the entire network. Ransomware campaigns can also steal email credentials to spread malware to new victims, affecting the entire enterprise.

Responding to a ransomware attack

Ransomware can cause significant damage in a short amount of time. But by the time you've succumbed to an attack, options for recovery are limited. There are three main options:

REBUILD FROM BACKUPS

If you have sufficient backups to rebuild your environment, you can avoid paying the ransom. In exchange, you may experience downtime and lost productivity as you wait for your system to be restored.

Maintaining regular backups is expensive and difficult, but it's worth it. Organisations that fail to maintain current backups risk losing huge amounts of data, which is expensive and time-consuming to recover.

PAY THE RANSOM

Though restoration from backups is the recommended recovery method, many ransomware attack victims choose to pay the ransom. In the first three months of 2016, over US$209 million in ransomware payments were processed in the United States. That's up from just US$25 million in 2015.

Don't pay ransoms, if you can avoid it. Doing so rewards attackers and burdens your organisation financially.

ATTEMPT FILE RESTORATION (GOOD LUCK!)

When backups are outdated and they don't want to pay the ransom, some organisations attempt to recover data through file restoration, either by using a file recovery software tool or by outsourcing decryption services to a third party. Before handing over a large chunk of a hard-earned IT budget, tread carefully: many ransomware variants delete shadow copies and some even detect file recovery software. "Since many variants infect the registry, system restore from a save point may not be possible even if the recovery point remains unaffected" (CSO) 1

Best practice for preventing ransomware attacks

Responding to a ransomware attack after the fact is not ideal. Organisations are better off setting up strict security methods, such as FireEye, to keep data safe across the main ransomware paths. Here are a few tips for keeping your data protected.

Maintain current backups

System backup and recovery are the only proven resolution to ransomware exploits. If an organisation has a backup system, recovery is a matter of restoring the system to a save point. The drawback of relying on backups is the downtime the business incurs during recovery and restoration. And while backups are expensive, cutting corners to save money may end up costing more in data recovery after an attack. Back up critical machines (not just important files), run frequent backups and prepare offline backups that, unlike network drives, can't be corrupted in an attack.

Lock down email security

The first step in attack prevention is to keep email programs updated. Phishing emails should be blocked with spam filtering tools and files backed up regularly. A tool like FireEye can prevent ransomware distribution through email attachments and malicious links. FireEye opens suspicious email file attachments and watches for unusual responses, identifying threats before a user has a chance to open a file or link.

Tighten network and web security

Update your operating system and applications to the latest versions, and exercise caution when accessing news, advertisements and other websites. Installing pop-up blockers, or using the SmartScreen filter in Internet Explorer, can improve security.

You’ll also want added protection in the event that you do stumble across ransomware. FireEye can identify the distribution and infection path and block it to minimise damage.

Choose a network security solution that offers protection at every attack stage

Most network security solutions focus on file backups rather than attack detection and defence. To protect against ransomware attacks, you need technology that can both:

Accurately identify harmful websites

Provide customers with information and support to deter web and email attacks

Ransomware is an evolving threat. Following industry best practice for prevention can help keep your data safe. At ICT Networks, we recommend using FireEye to protect against threats. To find out more about how it can help you stay safe, download the FireEye Ransomware Response Strategies white paper.

References:

1 CSO: http://www.csoonline.com/article/3044036/security/how-to-respond-to-ransomware-threats.html#slide4