Protecting Against Ransomware: Mitigating the risk and protecting your company’s data
Ransomware is one of the greatest security threats of our era. Whereas a traditional “virus” might just slow your computer down, ransomware will “lock” your business-critical data and demand a payment for the files to be released. Ransomware is a fast-growing section of cybercrime: according to the FBI, victims lost $24 million to ransomware in 2015. Within the first three months of 2016 that number had risen to $209 million; it is estimated that the total amount of money lost in 2016 exceeded $1 billion. With so much money to be made, ransomware will only become more prevalent in the future.
How does ransomware get on your computer?
While stories of highly-trained cybercriminals compromising multinational organizations make front page news, the everyday reality is that most ransomware infections are the result of massive malware campaigns undertaken by foreign hacker groups. These campaigns aim to indiscriminately infect as many computers as possible using two primary attack vectors:
- Malicious email attachments: spam emails sent out by attackers containing infected attachments. If an unsuspecting employee views the email and opens the attachment, their computer becomes infected.
- Drive-by-download “malvertisements”: a hacker buys ad space on a popular website and runs an advertisement injected with malicious code. Viewing the website causes your computer to execute the code contained within the advertisement, delivering a viral payload and infecting your computer with ransomware.
In both cases, attackers leverage exploits in contemporary browsers, operating systems, and desktop software. Modern computers are complex and keeping them secure is an incredibly difficult task. Ransomware authors are creative and are constantly looking for security holes that they can take advantage of.
What can you do to protect yourself?
Keep your systems maintained
Ransomware authors take advantage of the fact that most people ignore prompts to install software updates. Unpatched computers are much more susceptible to exploit by infected emails or malvertisements. Perform the following actions to keep your computer current with the latest security updates:
- Set your operating system to check for updates automatically, and reboot your computer when requested to finish installing updates.
- Keep common desktop software updated. Examples would be Java, Flash, or Adobe Reader—unpatched versions of these programs are popular attack vectors.
- If you no longer use a program, uninstall it from your computer.
- Make sure your antivirus definitions automatically update on a daily schedule.
Similarly, your networking equipment needs to be updated and monitored routinely. It is not uncommon for security researchers to discover remote exploits in popular networking equipment brands. If vulnerable equipment is left unpatched, an attacker could conceivably bypass your firewall and scan your network for targets of value.
Implement proactive security measures
There are many security measures you can enact that will greatly mitigate your risk to ransomware. Security policies should be tailored to your business—security must be as tight as possible without hampering employee productivity. All of the following policies and procedures should be considered as part of your ransomware defense:
- Do not allow your users to “run as administrator” on their workstations.
- Implement a policy to block macros originating from email attachments.
- Implement an application whitelist such as Microsoft AppLocker so that only approved software can run on employee workstations.
- Utilize a high-quality firewall that can perform packet-level analysis of traffic, and identify and stop exploits before they can reach your computers.
- Have fine-grained access control on your network and shared drives so that the impact of an infected machine is mitigated. Practice “least access”—employees should have access to no more resources than they need to perform their job function. You don’t want an infected computer in the Sales department to spread to the data accessed by Accounting!
Educate your staff
To a ransomware author, your employees are just one more attack vector to take advantage of. Even draconian security measures will not protect your company if a staff member with privileged access opens the wrong email or inserts the wrong flash drive into their computer. Consider the following scenarios:
- Do your employees know how to identify a malicious email? Or do they open anything that comes into their inbox?
- If a “tech support scammer” called your company, would your employees know how to recognize the scam? Or would the scammer be able to trick their way onto one of your computers?
- If one of your computers did get infected, would your employees be able to identify the early warning signs and act to mitigate the damage? Or would your employees ignore anything unusual, thereby allowing the infection to spread?
Employees must be vigilant, but they can only be so if they are equipped with the proper training. We recommend that employees attend security training sessions annually at a minimum. Given the fast pace that the cybersecurity landscape changes, however, biannual or quarterly trainings are encouraged.
Protect your data with a robust backup system
Ransomware is profitable because most victims don’t keep reliable backups of their most critical data. Cut off the criminals’ revenue stream and protect your data with a robust backup system. Even the worst ransomware infection becomes a straightforward wipe-and-recover operation if the encrypted data can be restored from backup.
Practice the “3-2-1” backup scheme: keep 3 backed-up copies of your data, stored on at least 2 different physical mediums, and at least 1 copy stored off-site.
For instance, your company file server might have a built-in tape backup system that gets changed every night. The server supplements the tape backup by duplicating the backups to a large on-site network storage device (NAS). The server also has software installed that backs up data to Amazon’s cloud S3 backup service continuously throughout the day. If this server ever got infected with ransomware, the file data could be restored to any point in time.
An important point to remember is that all backups must be performed as an automated routine. Manual backups are insufficient for protecting against ransomware.