How to Protect and Recover Your Business from Ransomware

Your business has been infected by ransomware. Now what? Follow these five steps to recovery and staying safe.
The US is bracing for the full impact of a global ransomware epidemic based on the Wanna Decryptor malware strain. It’s important to protect your business and data from this fast-spreading threat, but once we’re past it, you need to remember that Wanna Decryptor is only the noisiest example of the ransomware problem.
There are three things to know about ransomware: it’s scary, it’s growing fast, and it’s big business. According to the FBI’s Internet Crime Complaint Center (IC3), more than 992 CryptoWall-related complaints were received between April 2014 and June 2015, resulting in more than $18 million in losses. That malignant success is reflected in ransomware’s growth rate, with the Infoblox DNS Threat Index reporting a 35-fold increase in new domains created for ransomware in the first quarter of 2016 (as compared to the fourth quarter of 2015).
In general, ransomware drops an encrypted wall between a business and the internal data and applications that business needs to operate. But these attacks can be far more serious than simply the inaccessibility of the data. If you’re not prepared, then your business could grind to a halt.
Just ask Hollywood Presbyterian Medical Center. Long before Wanna Decryptor, the hospital learned a painful lesson when staff lost access to their PCs during a ransomware outbreak early in 2016. The hospital paid the $17,000 ransom after employees spent 10 days relying on fax machines and paper charts. Or ask the Tewksbury Police Department. In April of 2015, they paid the ransom to regain access to encrypted arrest and incident records.
If there’s a silver lining to Wanna Decryptor at any level, then it’s that it serves to prove, without a doubt, that the threat presented by ransomware is real. No business or employee is immune from a potential ransomware attack. It’s important to understand how ransomware infects computers before discussing how to protect your business from it or how to respond if you’re compromised. Understanding the origin and mode of infection provides insights into staying safe.
Ransomware typically comes from one of two sources: compromised websites and email attachments. A legitimate website that has been compromised can host an exploit kit that infects your machine, typically through a browser exploit. The same methodology can be used by a phishing website. A drive-by download installs ransomware and it begins encrypting your files.
In the case of a malicious email attachment, users are tricked into opening the attachment, which then installs ransomware. This can be as simple as a fake email message with an executable attachment, an infected Microsoft Word file that tricks you into enabling macros, or a file with a renamed extension such as a file that ends in “PDF” but is really an EXE file (an executable).
“In both of these cases, some kind of social engineering is used to lure the user into infecting themselves,” says Luis Corrons, PandaLabs Technical Director at Panda Security. “This provides businesses with a great opportunity to educate their users to avoid these risks but, unfortunately, most small businesses neglect this and miss out on the chance to save themselves a big headache.”
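A mail gateway or triage script can catch the renamed-extension attachment described above by comparing the filename with the file's leading signature bytes. This is an added example, not code from the article or from any vendor it quotes; the function names, the extension lists and the sample files are constructed for illustration.

```python
# Added example (not from the article): compare an attachment's claimed
# extension with the file signature found in its first bytes.
import os

# Well-known leading signatures ("magic bytes").
MAGIC = {
    "exe": b"MZ",                                # Windows executable
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                        # also .docx/.xlsx containers
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls
}
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip",
            ".doc": "ole", ".xls": "ole", ".exe": "exe"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def sniff(data):
    """Return the content kind implied by the leading bytes, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def check_attachment(filename, data):
    """Return a list of findings; an empty list means no mismatch."""
    name = filename.strip().lower().rstrip(". ")  # Windows ignores trailing dots
    stem, ext = os.path.splitext(name)
    kind = sniff(data)
    findings = []
    if kind == "exe" and ext not in EXECUTABLE_EXTS:
        findings.append("executable content behind %s name" % (ext or "extensionless"))
    elif ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append("content does not match %s" % ext)
    if ext in EXECUTABLE_EXTS and os.path.splitext(stem)[1] in EXPECTED:
        findings.append("double extension ending in %s" % ext)
    return findings


# Constructed samples: (filename, first bytes of the file).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("invoice.PDF", b"MZ\x90\x00\x03"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("scan.pdf", b"PK\x03\x04\x14"),
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(fname, check_attachment(fname, head) or "ok")
```

A signature check does not catch macro-enabled Office documents, which are valid files of their claimed type; those need a separate macro policy.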
Currently, there’s no silver bullet to ensure your organization’s safety from ransomware. But there are five steps every business should take that can drastically reduce their chances of infection—and also ease the pain should an attack succeed.
A key component to prepare for a ransomware attack is developing a robust backup strategy and making regular backups. “Robust backups are a key component of an anti-ransomware strategy,” said Philip Casesa, Product Development Strategist at ISC2, a global not-for-profit organization that certifies security professionals. “Once your files are encrypted, your only viable option is to restore the backup. Your other options are to pay the ransom or lose the data.”
“You have to have some sort of backup, a real backup solution of the assets you’ve determined are essential to your business,” continued Casesa. “Real-time backup or file synch will just back up your encrypted files. You need a robust backup process where you can roll back a few days [to before the ransomware infection], and restore local and server apps and data.”
Panda Security’s Corrons offers a further caution: backups “are critical in case your defenses fail but be sure to have removed the ransomware completely before restoring backups. At PandaLabs, we’ve seen ransomware encrypt backup files.”
A good strategy to consider is a tiered or distributed backup solution that keeps several copies of backup files in different locations and on different media (so an infected node doesn’t immediately have access to both current file repositories and backup archives). Such solutions are available from several small to midsize business (SMB) online backup vendors as well as most Disaster-Recovery-as-a-Service (DRaaS) vendors.
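The point about file sync faithfully copying encrypted files can be turned into a restore-point check: walk the retained snapshots oldest to newest and stop at the one where many previously readable files suddenly look like random data. This is an added example, not code from the article or any backup product; the snapshot layout, the 7.5 bits-per-byte cut-off, the 50 percent trigger and the sample data are assumptions, and files renamed by the malware would need to be matched back to their original names first.

```python
# Added example (not from the article): pick the newest restore point taken
# before files were mass-encrypted. Snapshot layout and thresholds are assumed.
import hashlib
import math
from collections import Counter

ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off for "looks encrypted"


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def newly_scrambled(prev, cur):
    """Files that were low-entropy in prev but are high-entropy in cur.
    Already-compressed files (always high-entropy) are not counted."""
    return sorted(name for name, data in cur.items()
                  if name in prev
                  and entropy(prev[name]) < ENTROPY_LIMIT <= entropy(data))


def last_clean_snapshot(snapshots, max_fraction=0.5):
    """snapshots: [(label, {filename: bytes})], oldest first; the oldest is
    assumed clean. Returns the label of the newest snapshot before the jump."""
    clean = None
    for i, (label, files) in enumerate(snapshots):
        if i > 0:
            prev = snapshots[i - 1][1]
            if prev and len(newly_scrambled(prev, files)) / len(prev) >= max_fraction:
                break
        clean = label
    return clean


def noise(seed, blocks=128):
    """Constructed stand-in for ciphertext or compressed data (4 KiB)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))


# Constructed snapshots: Wednesday's sync captured the encrypted files.
CSV = b"date,customer,amount\n2016-03-01,ACME,1200.00\n" * 50
TXT = b"Meeting notes: review backup schedule and patch status.\n" * 50
GOOD = {"ledger.csv": CSV, "notes.txt": TXT, "photo.jpg": noise(b"jpg")}
BAD = {name: noise(name.encode()) for name in GOOD}
SNAPSHOTS = [("mon", GOOD), ("tue", GOOD), ("wed", BAD), ("thu", BAD)]
```

With the constructed data, `last_clean_snapshot(SNAPSHOTS)` selects Tuesday, and the already-compressed `photo.jpg` does not count toward the trigger because it was high-entropy before the incident.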
As previously mentioned, user education is a powerful yet frequently overlooked weapon in your arsenal against ransomware. Train users to recognize social engineering techniques, avoid clickbait, and never open an attachment from someone they don’t know. Attachments from people they know should be viewed and opened with caution.
“Understanding how ransomware spreads identifies the user behaviors that need to be modified in order to protect your business,” said Casesa. “Email attachments are the number one risk for infection, drive-by downloads are number two, and malicious links in email are number three. Humans play a significant factor in getting infected with ransomware.”
Training users to consider the ransomware threat is easier than you think, especially for SMBs. Sure, it can take the traditional form of a lengthy in-house seminar, but it can also simply be a series of group lunches at which IT gets the chance to inform users via interactive discussion—for the low price of a few pizzas. You might even consider hiring an outside security consultant to deliver the training, with some supplementary video or real-world examples.
The best place to start protecting your SMB from ransomware is with these Top Four Mitigation Strategies: app whitelisting, patching apps, patching operating systems (OSes), and minimizing administrative privileges. Casesa was quick to point out that “these four controls take care of 85 percent or more of malware threats.”
For SMBs that still rely on individual PC antivirus (AV) for security, moving to a managed endpoint security solution lets IT centralize security for the entire organization and take full control of these measures. That can drastically increase AV and anti-malware effectiveness.
Whichever solution you choose, make sure that it includes behavior-based protections. All three of our experts agreed that signature-based anti-malware isn’t effective against modern software threats.
By paying criminals, you’re giving them an incentive and the means to develop better ransomware. “If you pay, you make it that much worse for everyone else,” says Casesa. “The bad guys use your money to develop nastier malware and infect others.”
Protecting future victims may not be top-of-mind when you’re trying to run a business with its data held hostage, but just look at it from this perspective: that next victim could be you all over again, this time fighting even more effective malware that you helped pay to develop.