Ransomware is a category of malware that infects your systems, encrypts your files and data, then threatens to destroy or publish this confidential material unless a ransom is paid for the decryption keys, usually requiring electronic deposits to some anonymous account. It has been around for decades. It’s made the headlines when large corporations, municipalities, hospitals, or other high-profile businesses are attacked. There are instances of individuals being targeted too. For a company now operating largely through remote services, often incorporating personal devices not always managed through company security protocols, this can become an existential threat. For the remote staff, it may mean the compromise of personal confidential files, business content, intellectual property, and correspondence vital to their lives and livelihood. For the company, the financial burden of ransom, on top of the operational disruption and interruption, can be crushing. But companies and their associates are not defenseless. Let’s look a bit deeper into this potential threat, and ways to prevent, mitigate, and respond to the associated risks.
One of the first known attacks happened in 1989, via the AIDS trojan (aka Disk Aid Information Disk), which replaced the AUTOEXEC.BAT file with a pseudo-file that included a boot counter. After 90 boots of the system, it hid all directories, encrypted all the file names on drive C:, and asked for $189 to be sent to a P.O. box in Panama. Clearly times have changed, and so have ransom demands, which now run from hundreds of dollars for personal devices to tens of thousands, and upwards to millions, for a large institution. Today it is common for funds to be demanded in bitcoin or other cryptocurrencies, which are unregulated, anonymous, and very difficult to trace. Once the purview of sophisticated hackers, ransomware is now offered as ransomware-as-a-service on dark web sites, according to many cybersecurity firms, making this an easier attack for less sophisticated bad actors to launch.
Often attacks start with phishing campaigns or other social engineering efforts intended to introduce malware through a downloaded file, an email attachment, a link to an infected site, or through credentials obtained by other means. From that single networked device, the malware uses its authenticated credentials to spread rapidly across the network, infecting every device it touches along the way. Usually, ransomware will take everyone offline, encrypting all data it finds and posting messages that state demands and timeframes for complying before all data and systems are destroyed or otherwise permanently compromised. Where backup files are present online, some attacks can also compromise those files, making simple recovery impossible.
The FBI and other law enforcement agencies also warn that paying a ransom is no guarantee of regaining permanent use of your data. Paying may lead to your organization being targeted by other actors, and to further ransom demands in the future. Or the attacker may simply destroy the data anyway, or ask for even more ransom. Regardless, the financial and operational risks are compounded by the losses of reputation, brand, and customer confidence that follow disclosure of such an attack. This is why careful planning for such a threat, reducing risk wherever possible, is often far less costly than responding after being victimized by a ransomware demand.
Taking action to reduce these risks may not need to be expensive. Many of the processes and practices best suited to addressing this risk are part of a strong core of cyber risk and security best practices: recurring training of end users, rigorous authentication management, and network and email security. There also needs to be strong governance over all the basics, to ensure they sustain effective performance across your organization. Let’s look at some specifics in more detail:
- Backup and recovery practices: Backups should be performed regularly, daily if there are detailed transaction files to be preserved. Take snapshot or differential backups at that frequency, with full backups at least monthly. There should also be a program to test backups, since those that are corrupted, incomplete, or stored on failed media offer no value for recovery. Testing different areas on a rotating basis, at least quarterly, will help assure that your backup procedures are working. Also, critical file backups should be stored on devices that are “air-gapped” from all connected devices on your network. It’s a good idea to consider off-site storage for these files as further protection from physical risks to your operating locations. Examine your continuity plans and adjust them as needed.
- Staff education: There needs to be an emphasis on learning to recognize social engineering scenarios that could lead to user actions that admit malware to your devices. Recognizing phishing emails, not clicking links in messages from unknown senders, and avoiding downloads from questionable web sites are practices all staff must understand and follow rigorously for these controls to be effective.
- Restricting code execution: This is an access control matter. Be certain executables cannot be launched from temp or data directories. Users should be trained never to download or launch executables from untrusted or unvetted sources, or from temp files resulting from attachments or web searches.
- Apply patches and updates promptly: This often draws groans from managers of complex or large-scale operations with limited downtime for maintenance, but it remains an important consideration. Prioritize security patches that address reported high-risk threats over routine performance or functionality updates. For releases that vendors mark as high priority, work towards a target of completing the update within 30 days or less across all impacted areas. Keeping anti-virus and anti-malware software and signatures on local devices current should be a routine practice and, where practical, automated to update in the background independently of user action. Checking that this software is present and current on remote devices, particularly personal ones connecting remotely, is a feature of many mobile device management (MDM) tools.
- Restrict administrative accounts: These are often the prime targets of ransom malware because of their far-reaching access. Default sysadmin accounts should be deleted in favor of specific ones tailored to your operating needs—the fewer the better. There are rarely justifiable reasons for end users to have administrative privileges, and it can be a dangerous convenience to extend them. Default accounts and default passwords on new devices should always be revised or deleted.
- Strengthen email and web filtering: Spam, phishing, and other suspicious email stopped “at the door” prevent end users from inadvertently clicking, and they don’t clog your servers with needless or suspicious content. Web filters can monitor and block access to sites with offensive or potentially infected content. Tools for these practices often offer the ability to disable or block email attachments with executable or archive extensions such as .zip, .exe, or .js, to name a few.
- Remove local administrative rights: Local users have few needs for admin privileges on their devices. Wherever possible, remove these. It helps prevent loading of personal software on company devices, and reduces the chance of an infected download being launched on a local device.
- Network firewall controls: One in particular is to limit Remote Desktop Protocol (RDP) access to specific actions by specific credentialed users. Allow-list (whitelist) and block-list (blacklist) sites to the extent manageable. Traffic to known command-and-control servers needs to be closely monitored too.
- Conduct periodic penetration tests: These are essential to locating vulnerabilities that might otherwise escape audits or risk assessments. Tracking the frequency of these, findings, and resulting remediation recommendations is something a GRC tool can help organize and manage.
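The email filtering item above names .zip, .exe and .js as attachment types a gateway should block. The following is an added example, not code from the original article, of the attachment check such a filter performs: it parses a raw message, flags blocked extensions anywhere in a filename (so a disguised name like Invoice.pdf.exe is caught), looks inside .zip attachments for blocked member names, and flags files whose content starts with the Windows executable "MZ" header even when the name looks harmless. The blocked extension list beyond the three the article names, and the sample message it scans, are constructed for this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions blocked outright. The article names .exe and .js; the rest of
# this list is an assumption for the example, not the article's policy.
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd",
                      ".ps1", ".hta", ".jar", ".dll"}
# Archive types that are opened and inspected rather than blocked outright.
ARCHIVE_EXTENSIONS = {".zip"}


def risky_suffixes(filename):
    """Return every blocked extension found after the first dot in a name.

    This is deliberately conservative: 'Invoice.pdf.exe' is flagged for .exe,
    and so is 'setup.exe.txt', since a user can rename the latter and run it.
    """
    parts = filename.lower().split(".")
    return [f".{p}" for p in parts[1:] if f".{p}" in BLOCKED_EXTENSIONS]


def inspect_zip(data):
    """List members of a zip attachment whose names carry a blocked extension.

    Member names are readable even in password-protected archives, so this
    catches the common 'encrypted zip holding a script' pattern by name. Data
    that is not a valid zip at all is reported, since a .zip that will not
    open is itself suspicious.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for ext in risky_suffixes(name):
                    findings.append(f"{name} ({ext} inside archive)")
    except zipfile.BadZipFile:
        findings.append("unreadable archive (malformed zip)")
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of policy findings.

    An empty list means every attachment passed the policy.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        exts = risky_suffixes(name)
        for ext in exts:
            findings.append(f"{name}: blocked extension {ext}")
        if name.lower().endswith(tuple(ARCHIVE_EXTENSIONS)):
            findings.extend(f"{name}: {f}" for f in inspect_zip(payload))
        # A Windows PE file starts with "MZ" whatever the filename claims.
        if payload[:2] == b"MZ" and not exts:
            findings.append(f"{name}: executable content (MZ header) under a benign name")
    return findings


def build_sample():
    """Constructed sample message: one disguised executable, one zip that
    holds a .js file, and one genuinely benign PDF attachment."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("Invoice_2024.js", "// constructed placeholder content")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="Invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("BLOCK:", finding)
```

Run against the constructed sample, the scan reports two findings, the .exe hidden behind a .pdf name and the .js inside the zip, and lets the real PDF through. A gateway that simply drops every .zip, as the article suggests, is the simpler policy; inspecting archives instead is a trade-off that keeps legitimate zips flowing at the cost of having to maintain the member-name rules.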
This is not an exhaustive list but a representative one of the basic controls all operations should be embracing and executing to the greatest extent their resources permit. Most are well-known but often-overlooked best practices. Too often one or more of them is cited in a ransomware post mortem as the attacker's source of access.
These preventive practices are easily found in most comprehensive control frameworks for cyber risk and security, such as the NIST Cybersecurity Framework. You may already be using this framework, or others, as the organizing foundation of your cyber risk and security programs. If you have a GRC tool to help you perform risk assessments and monitor remediation projects that shore up weak areas, you are better positioned to govern active adherence to these actions and to understand your overall exposure to ransomware. GRC-based risk assessments, and the modules they often contain to identify and track projects, relate audit findings, and measure progress, greatly assist senior managers trying to understand their current risk exposure. This helps executives target resources and set priorities from an informed base, leading to strong internal governance.
Of course, risk management is about balance. There is no effective way to assure, beyond reason or exception, that you can operate your business with zero risk. Should you, despite best efforts, fall victim to ransomware there are some immediate steps to follow:
- Disconnect and isolate all infected devices as soon as detected
- Go offline and physically disconnect data stores from the network
- Contact local authorities and the FBI
- Engage continuity plans in coordination with law enforcement authorities
There is a range of advice regarding how to proceed with attacker demands. There are no guarantees paying a ransom will lead to getting your lost or protected data returned to your control. Paying may lead others to view you as a softer target, inviting more attacks. Not paying, if you have weak recovery resources, may leave you with no continuance options for your business. Discussions between your management and law enforcement offer the best route to a decision for your firm.
Often there are management concerns over the costs associated with strong security practices, restrictions on creative efforts, or the need to monitor daily activity. This is particularly so now. But nobody wants to write the ransom check to recover their data or protect client confidential information. As companies find themselves operating with more remote staff, the potential risk, and the need for strong risk management in this area becomes greater. Fortunately, so is the ability to execute, manage, and monitor compliance with many of these practices that can help you operate across an extended, often remote environment, with reasonable protection from this dangerous threat to your organization. Cybersecurity frameworks, basic data hygiene, and leverage of GRC resource tools and reporting can help you avoid the threat of ransomware.
For even more specific details of actions you can take before, and if necessary upon, detection of a ransomware attack, see the additional guidance from the FBI.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in the financial, technology, and retail industries, he has led efforts to achieve ISO2700x certification and HIPAA compliance, and has held the CRISC, CISM, and CISA credentials.