“My firm WILL be affected by ransomware.” If you intone that rather gloomy mantra to yourself every morning before you go to work, you might end up being prepared to deal with the situation when it happens.
Ransomware is a type of malware that most often encrypts the contents of a hard drive and then rather helpfully offers you an email address or phone number to contact for removal instructions. And did I mention they’re going to ask for payment for the key to your now locked-up hard drive? They’ll ask for payment. And when the email with the funny cat pictures is spread around your office and more systems are affected, they’ll ask for money to unlock those too. Can the FBI help you at this point? No, because the kidnapper (of your data) is some kid working out of a grimy apartment overseas, and the FBI doesn’t have the resources to mount an international manhunt over the few hundred dollars that are being extorted from you.
If you bite the proverbial bullet and pay the ransom, is the situation over and simply remembered as a painful lesson learned? Maybe...
An increasing number of ransomware variants will leave Trojans on your system: a back door through which the original perpetrator can come and go as he or she pleases. Some ransomware, after being unlocked, has reportedly lain dormant for a few months and then reactivated itself. Even worse, some ransomware operators have actually been caught and jailed, and the phone number you call with credit card or Bitcoin in hand will just ring forever.
With estimated losses of over $18 million (US) and over 1000 cases of a single variant of ransomware (Cryptowall) reported to the FBI’s ‘Internet Crime Complaint Center’ in June of 2015 alone, ransomware is definitely a clear and present danger to any and all firms.
Diligence and mitigation – mitigation and diligence. These are the two concepts that might just prevent a catastrophic ransomware event in your firm. It’s up to both your employees and your IT Staff to take these to heart, though, as it takes both groups to successfully prevent an infection AND to deal with one correctly when it happens.
Precautions your IT Staff can take:
- Patch and Update software: Your firm should have a Threat and Vulnerability Management policy that mandates regular scanning, investigation of vendor-specific security alerts, and appropriate patching guidelines and targets.
- Effective Security Suites: Your IT staff should be deploying a combination of anti-malware software and software firewalls to each and every system in your firm. Definitions should be updated constantly and scans should be a regular and recurring event.
- Backups: The importance of accurate backups cannot be overstated! And this doesn’t necessarily mean a “you have a mapped Z: drive in Windows, copy anything important to it” type of backup either, because there have been many, many instances of ransomware encrypting those drives as well. Why? Those drives and folders are just another target folder the infected system can see. What’s really bad is when the mapped drive isn’t the user’s personal folder but the actual root layer of the drive. That’s when EVERYONE’s backups get encrypted. So make sure your firm has invested in an official backup framework, with software agents that will regularly make secure copies of important data.
- Log analysis: A good Security Information and Event Management (SIEM) system or similar tool that analyzes log data can help prevent the spread of an infection, provided the IT Staff is alerted early to log data that would indicate an infection.
- Hardened Email Systems: Does your firm use a hardened email system? Are spam filters current and in place? Do you scan incoming email for questionable attachments and quarantine them appropriately?
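As an added illustration of the log analysis and mapped-drive points above (this is not code from the original article), the Python sketch below flags a workstation that rewrites or renames an unusual number of files on a shared drive within a short window. The log line format, host names, window and threshold are assumptions made for the example and would need tuning against a real file server's audit data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 20                  # assumed: distinct files changed per host per window

def parse(line):
    """Parse 'ISO-time host action path' (a made-up format for this example)."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {host: time of first alert} for hosts that WRITE or RENAME more
    than `threshold` distinct files within any `window`."""
    recent = defaultdict(deque)  # host -> (time, path) events still inside the window
    alerts = {}
    for ts, host, action, path in sorted(parse(l) for l in lines if l.strip()):
        if action not in ("WRITE", "RENAME"):
            continue  # reads are normal traffic on a shared drive
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window:
            q.popleft()
        if host not in alerts and len({p for _, p in q}) > threshold:
            alerts[host] = ts
    return alerts

def constructed_sample():
    """Constructed events: WS-014 works normally, WS-022 renames 40 files in 40 s."""
    base = datetime(2015, 6, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=5 * i)).isoformat()} WS-014 WRITE Z:\\alice\\doc{i}.docx"
             for i in range(6)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} WS-014 READ Z:\\shared\\f{i}.xlsx"
              for i in range(100)]
    lines += [f"{(base + timedelta(minutes=10, seconds=i)).isoformat()} WS-022 RENAME Z:\\shared\\f{i}.xlsx"
              for i in range(40)]
    return lines

if __name__ == "__main__":
    for host, when in find_bursts(constructed_sample()).items():
        print(f"ALERT {host}: mass file changes on shared drive, threshold crossed at {when}")
```

An alert like this is a cue to disconnect the named host and check the share, not proof of infection; bulk file moves and migrations will trip it too.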
Precautions your Users can take:
- Training: Do you have Acceptable Use policies for email and external flash media, and appropriate training for the users? Have they been taught not to open strange emails, and do they know how to recognize and not click on questionable email links? Do they know what to do if they find a USB drive on the ground labeled “Company Salary Spreadsheet”? These are all part of a comprehensive policy and training framework your company should have in place.
- Reporting: Employees should be able to recognize the warning signs of a malware infection and know immediately how to (and that they should) contact IT staff. Also, regular IT security training programs are not a luxury any more. They’re not something that only “the big guys” can afford to have. Every firm should have a policy of requiring some form of IT security training for its entire staff at least on an annual basis.
What to do with an infected system:
- Contact the IT Staff: If an employee believes they have fallen victim to or are falling victim to ransomware, the IT Staff should be contacted immediately. The sooner they’re aware of an issue, the more likely it is that some form of damage mitigation or limitation can be performed.
- Disconnect from WiFi or unplug from the network immediately: This is extremely important! If a system has been identified as infected, disconnect from the network as soon as possible. Some ransomware-type malware “calls home” for encryption instructions. Disconnecting is by no means foolproof, and users who are savvy enough to recognize a ransomware event in action are few and far between, but it could make a difference.
- Realize when “you’re in over your head”: Dealing with ransomware is not an easy task. If your IT Staff appears to be floundering a bit, or unsure of what steps to take, or if ransomware is a regular recurrence at your firm, contact a third party that specializes in network and computer security.
IT Security is a process, not an event. Good security policies and practices, regular scanning and investigation, and a watchful eye will go a long way to keeping your firm secure. As more of the world becomes more connected every day, diligent firms should be making more of an effort to recognize the importance of IT Security in the workplace. An investment of time, attention, effort, and funding will always pay off.