The US is bracing for the full impact of a global ransomware epidemic based on the Wanna Decryptor malware strain. It’s important to protect your business and data from this fast-spreading threat, but once we’re past it, you need to remember that Wanna Decryptor is only the noisiest example of the ransomware problem.
There are three things to know about ransomware: it’s scary, it’s growing fast, and it’s big business. According to the FBI’s Internet Crime Complaint Center (IC3), more than 992 CryptoWall-related complaints were received between April 2014 and June 2015, resulting in more than $18 million in losses. That malignant success is reflected in ransomware’s growth rate: the Infoblox DNS Threat Index reported a 35-fold increase in new domains created for ransomware in the first quarter of 2016 (as compared to the fourth quarter of 2015).
In general, ransomware drops an encrypted wall between a business and the internal data and applications that business needs to operate. But these attacks can be far more serious than simply the inaccessibility of the data. If you’re not prepared, then your business could grind to a halt.
Just ask Hollywood Presbyterian Medical Center. Long before Wanna Decryptor, the hospital learned a painful lesson when staff lost access to their PCs during a ransomware outbreak early in 2016. The hospital paid the $17,000 ransom after employees spent 10 days relying on fax machines and paper charts. Or ask the Tewksbury Police Department. In April of 2015, they paid the ransom to regain access to encrypted arrest and incident records.
How Do Businesses Get Infected?
If there’s a silver lining to Wanna Decryptor at any level, then it’s that it serves to prove, without a doubt, that the threat presented by ransomware is real. No business or employee is immune from a potential ransomware attack. It’s important to understand how ransomware infects computers before discussing how to protect your business from it or how to respond if you’re compromised. Understanding the origin and mode of infection provides insights into staying safe.
Ransomware typically comes from one of two sources: compromised websites and email attachments. A legitimate website that has been compromised can host an exploit kit that infects your machine, typically through a browser exploit. The same methodology can be used by a phishing website. Either way, a drive-by download installs the ransomware, which then begins encrypting your files.
In the case of a malicious email attachment, users are tricked into opening the attachment, which then installs the ransomware. This can be as simple as a fake email message with an executable attachment, an infected Microsoft Word file that tricks you into enabling macros, or a file with a misleading extension, such as one whose name ends in “PDF” but which is really an EXE file (an executable).
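The attachment tricks described above (an executable attachment, a macro-enabled Office file, and a file named as a PDF that is really an executable) can be caught by checking what an attachment actually contains rather than what its name claims. The following is an added example written for this article, not code from the article or from any vendor quoted in it; the file names and header bytes are constructed, and a real mail gateway would apply the same checks to every incoming attachment.

```python
from typing import Optional

# Well-known leading byte signatures; checked against the content, not the name.
MAGIC_SIGNATURES = {
    b"MZ": "exe",                 # Windows PE executable (.exe, .scr, .dll)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",         # ZIP container, also Office .docx/.docm/.xlsm
    b"\xd0\xcf\x11\xe0": "ole",   # legacy Office .doc/.xls (macro-capable)
}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta"}
MACRO_CAPABLE_EXTENSIONS = {"docm", "xlsm", "pptm", "doc", "xls"}
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the real file type from its leading bytes, ignoring the file name."""
    for signature, kind in MAGIC_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def assess_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held for review; empty means no finding."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)

    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable attachment type .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKALIKES:
        findings.append(f"double extension .{parts[-2]}.{ext} mimics a document")
    if actual == "exe" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"content is a Windows executable but the name claims .{ext}")
    if ext in MACRO_CAPABLE_EXTENSIONS and actual in {"zip", "ole"}:
        findings.append(f"macro-capable Office document .{ext}; macros must stay disabled")
    return findings


# Constructed sample attachments (first bytes only), one per trick described above.
SAMPLES = {
    "brochure.pdf": b"%PDF-1.7\n",       # genuine PDF: no finding
    "invoice.pdf.exe": b"MZ\x90\x00",    # executable with a double extension
    "statement.pdf": b"MZ\x90\x00",      # executable renamed to look like a PDF
    "quote.docm": b"PK\x03\x04",         # macro-enabled Word document
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", assess_attachment(name, head) or ["no finding"])
```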
“In both of these cases, some kind of social engineering is used to lure the user into infecting themselves,” says Luis Corrons, PandaLabs Technical Director at Panda Security. “This provides businesses with a great opportunity to educate their users to avoid these risks but, unfortunately, most small businesses neglect this and miss out on the chance to save themselves a big headache.”
Currently, there’s no silver bullet to ensure your organization’s safety from ransomware. But there are five steps every business should take that can drastically reduce their chances of infection—and also ease the pain should an attack succeed.
A key component to prepare for a ransomware attack is developing a robust backup strategy and making regular backups. “Robust backups are a key component of an anti-ransomware strategy,” said Philip Casesa, Product Development Strategist at ISC2, a global not-for-profit organization that certifies security professionals. “Once your files are encrypted, your only viable option is to restore the backup. Your other options are to pay the ransom or lose the data.”
“You have to have some sort of backup, a real backup solution of the assets you’ve determined are essential to your business,” continued Casesa. “Real-time backup or file synch will just back up your encrypted files. You need a robust backup process where you can roll back a few days [to before the ransomware infection], and restore local and server apps and data.”
Panda Security’s Corrons offers a further caution: backups “are critical in case your defenses fail but be sure to have removed the ransomware completely before restoring backups. At PandaLabs, we’ve seen ransomware encrypt backup files.”
A good strategy to consider is a tiered or distributed backup solution that keeps several copies of backup files in different locations and on different media (so an infected node doesn’t immediately have access to both current file repositories and backup archives). Such solutions are available from several small to midsize business (SMB) online backup vendors as well as most Disaster-Recovery-as-a-Service (DRaaS) vendors.
As previously mentioned, user education is a powerful yet frequently overlooked weapon in your arsenal against ransomware. Train users to recognize social engineering techniques, avoid clickbait, and never open an attachment from someone they don’t know. Attachments from people they know should be viewed and opened with caution.
“Understanding how ransomware spreads identifies the user behaviors that need to be modified in order to protect your business,” said Casesa. “Email attachments are the number one risk for infection, drive-by downloads are number two, and malicious links in email are number three. Humans play a significant factor in getting infected with ransomware.”
Training users to consider the ransomware threat is easier than you think, especially for SMBs. Sure, it can take the traditional form of a lengthy in-house seminar, but it can also simply be a series of group lunches at which IT gets the chance to inform users via interactive discussion—for the low price of a few pizzas. You might even consider hiring an outside security consultant to deliver the training, with some supplementary video or real-world examples.
The best place to start protecting your SMB from ransomware is with these Top Four Mitigation Strategies: app whitelisting, patching apps, patching operating systems (OSes), and minimizing administrative privileges. Casesa was quick to point out that “these four controls take care of 85 percent or more of malware threats.”
For SMBs that still rely on individual PC antivirus (AV) for security, moving to a managed endpoint security solution lets IT centralize security for the entire organization and take full control of these measures. That can drastically increase AV and anti-malware effectiveness.
Whichever solution you choose, make sure that it includes behavior-based protections. All three of our experts agreed that signature-based anti-malware isn’t effective against modern software threats.
If you haven’t prepared for and protected yourself against ransomware and you get infected, then it may be tempting to pay the ransom. However, when asked if this was a wise move, our three experts were united in their response. Corrons was quick to point out that “paying is risky. Now you’re certainly losing your money and maybe you’re getting your files back unencrypted.” After all, why would a criminal become honorable after you’ve paid him?
By paying criminals, you’re giving them an incentive and the means to develop better ransomware. “If you pay, you make it that much worse for everyone else,” says Casesa. “The bad guys use your money to develop nastier malware and infect others.”
Protecting future victims may not be top-of-mind when you’re trying to run a business with its data held hostage, but just look at it from this perspective: that next victim could be you all over again, this time fighting even more effective malware that you helped pay to develop.
Casesa points out that “by paying the ransom, you’ve now become a riper target for the criminals because they know you’ll pay.” You become, in sales parlance, a qualified lead. Just as there is no honor among thieves, there is no guarantee that the ransomware will be completely removed. The criminal has access to your machine and can decrypt your files yet leave the malware in place to monitor your activities and steal additional information.
If the damage caused by ransomware is all about disruption to your business, then why not take steps to increase business continuity by moving to the cloud? “The level of protection and overall security you get from the cloud is far greater than what a small business could afford yourself,” points out Brandon Dunlap, Global CISO of Black & Veatch. “Cloud providers have malware scanning, enhanced authentication, and numerous other protections that make the odds of them suffering from a ransomware attack very low.”
At the very least, move email servers to the cloud. Dunlap points out that “email is a huge attack vector for ransomware. Move that to the cloud where providers bundle multiple security controls like malware scanning and DLP [Data Loss Prevention] into the service.” Additional security layers, such as proxy-based site reputation and traffic scanning, can be added through many cloud services and can further limit your exposure to ransomware.
Dunlap is enthusiastic about the protections the cloud offers against ransomware. “We’re at a fantastic moment in technology history with a multitude of low-friction solutions to many of the problems faced by small business,” said Dunlap. “This makes small businesses more nimble from an IT perspective.”
If your data is in the cloud, a ransomware infection on your local machine may not even matter. Wipe the local machine, re-image it, reconnect to your cloud services, and you’re back in business.
Don’t Wait for the Shoe to Drop
This is not one of those situations in which a wait-and-see approach is your best tactic. Wanna Decryptor clearly shows that ransomware is out there; it’s growing in giant leaps and bounds, both in sophistication and bad guy popularity—and it’s definitely looking for you. Even after this current threat blows over, it’s critically important that you take steps to protect data and endpoints from infection.
Create regular backups, train employees to avoid infection, patch apps and OSes, limit administrator privileges, and run non-signature-based anti-malware software. If you follow this advice, then you can prevent all but the most bleeding-edge infections (and those likely aren’t targeting SMBs). In the case in which an attack gets through your defenses, have a clear, tested plan in place for IT to clean up the infection, restore backups, and resume normal business operations.
If you don’t follow these best practices and you do get infected, then know that paying the ransom comes with no guarantees, qualifies you as a sucker to the criminals, and gives them the means to develop even more insidious ransomware (and the incentive to use it on you as often as possible). Don’t be a victim. Instead, take the time now to reap the benefits later: prepare, prevent, protect, and stay productive.