Each month, we’ll take a look at what’s happening on the front lines of the battle against various types of cyber-attacks, new variants of malicious software, phishing and other scams, vulnerability exploits, and other threats to the security of your networks, systems, and data.
There was a time, not so long ago, when the only time we ever heard about the concept of ransom was when a high-profile kidnapping case was in the news. Today, criminals have found it’s easier and more profitable to capture and hold data hostage instead of people.
Using a particularly insidious form of malware called ransomware, attackers can easily do just that with little risk to themselves, especially when they operate outside the country of their victims. Ransomware turns one of IT’s most important security mechanisms – encryption – against us. It encrypts data, application, or operating system files, thus rendering them unusable by their rightful owners. Some ransomware targets only data files – for example, .doc, .xls, .txt, .jpg, .mp3, and so forth. Others encrypt entire drives.
Then the attackers demand payment, often in Bitcoin so as to preserve their anonymity, for the decryption key that will release the files. Of course, as when dealing with more traditional kidnappers, paying the ransom is a gamble. You may get your data back – or the ransomware attacker may disappear without delivering after receiving your money. Sometimes the attacker will claim “the price has gone up” if you delay, and demand additional payment(s).
It’s easy for attackers to distribute ransomware through email that contains links or attachments, or via “drive-by downloads” from compromised web sites. Many of these ransomware attacks are coming from international organized crime groups, such as the Russia-based Ryuk attack that has been targeting large organizations for the past year, or the Hermes ransomware that is attributed to a North Korean group.
Ransomware is an ongoing and increasingly costly form of cyberattack that’s hitting individuals, businesses, and government agencies hard. The U.S. Department of Homeland Security has called it the fastest growing type of malware. This past month has seen a number of major ransomware cases, with a continuation of the recent pattern of targeting municipalities and health care facilities.
A Georgia court system was one of the June 2019 victims. Computers in the administrative offices were infected with ransomware, causing the court’s network to be taken offline. This followed closely on the heels of the SamSam ransomware attack on the city of Atlanta that reportedly cost the city $2.7 million to repair the damage (much more than the original ransom demand of $51,000).
Also in June, ransomware hit the networks of two Florida cities. Given Atlanta’s experience, it’s not surprising that those cities gave in and paid the ransom. In Riviera Beach, the city council agreed to pay $600,000 to “free” their email system, 9-1-1 dispatch system, and data. In nearby Lake City, leaders paid a $460,000 ransom in a similar attack.
Unfortunately, while paying the ransom may ultimately save taxpayer dollars, it also emboldens the attackers and encourages them to strike again – against the same or other victims. Forbes warned that a ransomware tsunami is likely on the way because attackers are getting what they want. The better investment is preventative medicine: putting the money into securing the systems and network more effectively in the first place.
Defending your organization against ransomware begins with the same general protective measures that form the foundation of any good security strategy. In order to do its dirty work, ransomware must first get into your network and onto your systems. Because some ransomware code does this by taking advantage of vulnerabilities in the operating system, applications, or network protocols, the first step is to ensure that all of the software and firmware running on computers, devices (including mobile and IoT devices) and network equipment gets updated as soon as new security fixes are released.
Make sure strong authentication methods are in place. It may be less convenient, but requiring multi-factor authentication and strong passwords can help to keep unauthorized users from infiltrating your network and planting ransomware on your systems. “Just in time” and “just enough” administration policies – which restrict which users have admin privileges, to what extent, and for how long – are also basic security best practices that can help protect against all types of malware, including ransomware.
Use good anti-malware protection. Although ransomware is more difficult to detect than some other types of malware (because it only resides on the system for a short time before it has locked up the computer and/or its data), good malware detection/protection software or services can help by recognizing the earliest stages of a ransomware attack and blocking it.
Educating employees, as well as partners, customers, and anyone else who might have access to any part of your network, is a must for keeping ransomware out. Train users not to click every link in every email message, not to open attachments from untrusted sources (and how to recognize when an attacker is masquerading as a trusted source), and how to practice safe surfing when navigating the web.
These steps alone will go a long way toward reducing the risk of ransomware gaining control of your systems and data. Unfortunately, however, ransomware authors are wily and like any clever criminal, they try to keep a step ahead of those who are looking to thwart them. That means that despite your most diligent efforts, your organization may still find itself at the mercy of a cyber hostage-taker. Then what?
Preparing for an attack beforehand can help you survive it without paying the ransom, spending many times the demand to get back up and running, or losing valuable and irreplaceable data. That means backing up everything. Create virtual machine images of your servers and systems so that the software can be restored quickly and easily if it’s rendered inaccessible.
Your most important asset, though, is the data that you’ve created, which may not be recreatable without days or weeks of work, or maybe not at all. Making full regular backups of those files and storing them offline and out of reach until they need to be restored is your best protection in case of a ransomware attack.
To summarize, then, the key points to ransomware avoidance and recovery are:
- A good patch management system
- Implementation of strong authentication
- Anti-malware protection
- Education and training
- A good backup strategy for both system and data files
Ransomware is becoming more sophisticated and the stakes are getting higher as attackers find more organizations willing to pay the ransom. It’s now a billion-dollar industry that thrives on lax security and user naivety, but there are ways your organization can avoid becoming one of the statistics.
In subsequent blog posts, we’ll delve more deeply into the details of some current forms of ransomware and other malware.