This document is designed as a tool for nontechnical business and government leaders to better understand ransomware. Items that are highlighted are Technical Terms which are defined to give the reader more information about this topic.
Ransomware, a type of computer-based attack that blackmails victims by denying them access to their data or by threatening to disclose it, is a growing threat to organizations of all sizes. The development of cryptocurrencies like Bitcoin, a virtual currency, has made it easier for these attackers to be paid anonymously. In this article, we explore exactly what this dangerous phenomenon is and what you need to do to protect your organization.
There are two main approaches to Ransomware: one is to deny you access to your data, and the other is to threaten to disclose your data to the public. These attackers are becoming increasingly sophisticated in pricing the ransom amount and in the technologies they utilize. The same approach can be taken to mitigate your exposure to these attacks. Let’s look at the history of Ransomware.
While Ransomware has been around for quite some time, the first example of a widespread attack that used a specific type of encryption was Cryptolocker, an exploit that was active on the internet during 2013 and 2014. This malware demanded payment in either Bitcoin or a prepaid voucher, and experts generally believed that the cryptography used could be impenetrable. Later in 2014, an online tool that allowed free key recovery was used to effectively thwart the attack based on the discovery of the attacker files and protocols.
In 2017, an attack called WannaCry was able to infect and encrypt several hundred thousand systems globally. Using Bitcoin as a means of ransom payment, approximately $100,000 was transferred in the heaviest stages of the exploit, without any empirical evidence that access to the ransomed data was restored. Several published reports suggested that the damages to the thousands of impacted organizations could have exceeded $1 billion.
While aggregate data on attacks is generally unreliable, the number of attacks since 2014 has substantially increased. It appears that a large percentage of companies in the US have paid ransoms, with as many as half of those not getting their data back. The percentage outside the US is likely higher in both instances.
This is not going away. This type of attack will remain a growing component of malware going forward. Ransomware is growing more sophisticated in its technical approach, in its targeting of organizations and in its pricing of the ransom.
There are steps you can take. You can take a series of relatively inexpensive and painless steps to significantly mitigate your risk of falling prey to successful ransomware attacks.
There are benefits to being proactive. These steps are things you should already be doing and will provide you with additional benefits.
The beginning of almost every story of a damaging intrusion involves some element of ignorance or naivety. If it looks suspicious then it probably is dangerous. The only way to prevent this type of problem is to build an educated workforce. There are a lot of resources available to help with this. User education needs to be someone’s responsibility and your progress can be easily measured. Keep in mind that this is a process, not an event or a destination.
The best way to think about backups is to develop a system where the expectation is that the backup should always work, and that the data can always be recovered. Also, with the Cloud available, having multiple backups is really not too expensive. If your data was backed up yesterday and you can restore that copy of your data, then it is really hard for someone to blackmail you over access. Having a business resumption strategy that includes a backup component is not a passive activity. Someone needs to be responsible for this process and it should be frequently and rigorously tested. Your auditors care about your ability to recover your systems because those systems are increasingly being depended on for your organization to continue as a “going concern”.
Most ransomware attacks are targeting known vulnerabilities that should have already been patched. Frequently, organizations are duped into running operating system software on computers and servers that are no longer being patched for security purposes. The usual excuse is that some application won’t run on the new version of the software or that there just isn’t enough time to test a new patch. Do not fall into this trap. You should never operate your enterprise on unpatched software.
It has been repeatedly proven that layered and multi-tiered security protections make your computing environment safer. This can be done on-site, in the Cloud, or you can purchase it as a service. If you have sensitive data, particularly including personal identity information for customers, patients or employees, then you have an obligation to protect their data. Ransomware that discloses sensitive data to the public can only be prevented by layered security and patched software. Tools that prevent sensitive data from being transmitted in an insecure manner are excellent investments.
You really can’t do the things suggested here unless you know where you are. What data do you have and how sensitive is it? How many servers and related operating systems do you have and what is their update status and policy? What is your patching policy and how closely is it being followed? Also, it is always best to have another set of eyes periodically looking at what you are doing.
At BWA we believe that ransomware is one of the more preventable types of malware attacks. While there are always exceptions, everything suggested in this document is something you should be doing anyway. Computer security is an area that everyone should take seriously but is unfortunately sometimes underfunded, misunderstood or overlooked. Just like everything else in the Information Technology realm, it must be actively managed in order to achieve positive results. If you have questions about malware attacks and how to reduce your risk, contact Brunson White Advisors.