by Steve Weil

Challenge

You log in to your computer and you see a strange page with a ticking clock and a message that says that your files have been encrypted. You try to open some of your files but they all look like gibberish.  You’ve been infected by ransomware! 

Ransomware is a form of malware that targets your critical data and systems for extortion. Typically, ransomware encrypts data with a key known only to the attacker until a ransom (usually in a cryptocurrency such as Bitcoin) is paid. After the ransom is paid, the attacker will sometimes provide a decryption key.

The FBI reports that approximately 4,000 ransomware attacks occur daily and that there has been a 300% increase in ransomware attacks since 2015.   Ransomware is becoming increasingly sophisticated and dangerous.  It’s a critical risk for all types of organizations.

Point B’s Approach

Backup your data

Backups are critical in ransomware recovery and response; if you are infected, backups are often the best way to recover your critical data. In addition to regularly backing up your organization’s significant data, be sure to verify the integrity of your backups and regularly test your backup restoration process; you don’t want to find out, in the middle of an incident, that your backups aren’t working.

Also, ensure that your backups are secured (e.g. physically stored offline) and not permanently connected to the computers and networks they back up. Increasingly, ransomware is designed to infect both computers & attached storage devices plus cloud backup services that are mapped to infected computers.

Use behavior based anti-malware software

Implement behavior based anti-malware (e.g. CrowdStrike, Cylance) on your organization’s information systems rather than signature based software.  Criminals are continually tweaking their ransomware strains and adding “features” such as encrypted or constantly changing code. Increasingly, signature based anti-malware software, which just looks for known malicious files, cannot keep up. Behavior based anti-malware software, which watches for malicious behaviors, is often more likely to detect ransomware.

Whenever possible, configure your anti-malware software to block and alert when it detects ransomware rather than just alert.  All alerts regarding ransomware should be rapidly responded to.

Have a security incident response plan (SIRP)

As unpleasant as it is to think about, you should assume that your organization will be infected by ransomware. Now is the time to prepare.   A well-documented SIRP that is specific to your organization will make it easier for you to launch a rapid and well-coordinated response. At a high level, your SIRP should include:

  • A description of the roles and employees who are on the security incident response team (SIRT).
  • Specific guidelines (e.g. when should law enforcement be notified, how backups are secured) and procedures that the SIRT will follow.
  •  Information about external resources (e.g. computer forensics firm) available to the SIRT.

Be sure to test your SIRP at least annually. You don’t want to be trying out your SIRP for the first time during an incident.

Phishing education

Properly trained, employees can be an organization’s front line defense against ransomware. Cybersecurity is not just an IT issue. Ransomware is frequently delivered via phishing emails so regularly train your employees to carefully assess links in emails and to not open unsolicited attachments. To improve employee awareness about phishing, use a tool like Wombat or Phishme to send simulated phishing emails.

Also, encourage employees to rapidly report suspicious activity that may indicate ransomware. Once in an organization, ransomware can spread very quickly via shared or networked drives, so it’s critical that all employees know when and how to report suspicious activity on their information systems.

The Bottom Line

Ransomware is a serious threat that all organizations need to be prepared for. Make sure your data backup processes are solid.  Use behavior based anti-malware software. Have a well-developed SIRP and regularly educate your employees about phishing. These key steps will defend your organization against ransomware.