10/28/2016
11:00 AM
Brian NeSmith
Commentary

A Ransomware Tutorial For SMBs

Small-to-medium-sized businesses are an easy target for ransomware. Here are four tips that will minimize the risk.

The year 2016 will long be remembered as the “year SMBs learned about ransomware.” Major businesses have fallen victim to the crime including MedStar, Hollywood Presbyterian Medical Center, Michigan Utility BWL, and even branches of the government. The name recognition of these organizations landed them in the headlines, but what is less frequently reported is the fact that small businesses are actually some of the most at-risk, targeted organizations for this growing crime.

Small-to-medium sized businesses typically have limited resources to create a dedicated security team, or even to hire a single dedicated security engineer. This leaves them exposed to a range of threats without proper support, and makes them an attractive target for cybercriminals. According to a recent report by Ponemon, more than half of small businesses have been breached in the past 12 months. When it comes to ransomware in particular, most SMBs don’t realize that when they are hit, the impact extends far beyond a one-time financial loss. The disruptive incident can bring the business to a halt, damage the company’s reputation and cause it to lose customers and clients. It can also make the company a major target for future attacks, as a victim known to be willing to pay up.

Like most malware, ransomware leverages user error as the entry point, with the attack often arriving through email. Once the ransomware is installed, however, the likeness between the two ends. While conventional malware is known for lying dormant and slowly collecting data over time, ransomware is designed to infect the network rapidly, initiating file encryption in just three seconds. It achieves this by installing itself and then immediately reaching out to a command-and-control server to retrieve a key, which it then uses to encrypt files, leaving the organization without access to business-critical data.

Timeline of a Ransomware Infection: 3 Seconds to Encryption

● 0:00.0 - User clicks on phishing email

● 0:01.0 - User unknowingly downloads ransomware

● 0:01.5 - Ransomware unpacks and executes

● 0:02.0 - Ransomware downloads the encryption keys

● 0:02.5 - Ransomware scans the computer to identify all attached drives

● 0:03.0 - File encryption begins

● Encryption completed - User receives the ransom notification

With user error the main point of entry, ransomware can be nearly impossible to prevent. But giving all employees basic training about how ransomware happens and how to react is a good first step. Beyond that, the best defense is rapid detection, response, and remediation. Due to the rapid pace of infection, employees should take immediate action to turn off their computer to limit the number of files the ransomware has time to encrypt.
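The "rapid detection" the paragraph above calls for comes down to noticing the file-encryption stage of the timeline while it is still in progress: a single process touching an unusual number of distinct files in a few seconds. The following script is an added example, not code from the article or from Arctic Wolf Networks. It reads a constructed, tab-separated endpoint file-audit log (a hypothetical format, not any real product's) and raises one alert per host/process pair whose write or rename activity reaches a burst threshold inside a sliding time window. The threshold and window values are assumptions for the demo, not figures from the article.

```python
"""Detect a mass file-modification burst, the 'file encryption begins' stage.

Added example. Log format (constructed, hypothetical):
    <ISO timestamp>\t<host>\t<process>\t<action>\t<path>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tunables: one process touching this many distinct files
# within the window is treated as an encryption burst.
BURST_FILES = 20
WINDOW = timedelta(seconds=5)


def parse_line(line):
    """Split one constructed audit line into its five fields."""
    ts, host, proc, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), host, proc, action, path


def detect_bursts(lines, burst_files=BURST_FILES, window=WINDOW):
    """Return one alert per (host, process) whose write/rename events
    ever cover burst_files distinct paths inside a sliding window.
    Lines must be in chronological order."""
    recent = defaultdict(deque)  # (host, proc) -> deque of (ts, path)
    alerts = {}
    for line in lines:
        ts, host, proc, action, path = parse_line(line)
        if action not in ("write", "rename"):
            continue  # reads are normal and not counted
        key = (host, proc)
        q = recent[key]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= burst_files and key not in alerts:
            alerts[key] = {
                "host": host,
                "proc": proc,
                "first_seen": q[0][0],
                "window_end": ts,
                "files": len(distinct),
            }
    return list(alerts.values())


def sample_log():
    """Constructed sample: normal document edits plus a 25-file rename burst."""
    base = datetime(2016, 10, 28, 11, 0, 0)
    lines = []
    for i in range(3):  # normal editing: one document saved every 10 s
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}\tPC07\twinword.exe\twrite\tC:\\Users\\a\\Docs\\report{i}.docx")
    lines.append(f"{(base + timedelta(seconds=1)).isoformat()}\tPC07\texplorer.exe\tread\tC:\\Users\\a\\Docs\\report0.docx")
    for i in range(25):  # burst: 25 distinct files renamed within 2.5 s
        t = base + timedelta(seconds=2, milliseconds=100 * i)
        lines.append(f"{t.isoformat()}\tPC07\tunk_updater.exe\trename\tC:\\Users\\a\\Docs\\file{i}.xlsx.locked")
    return sorted(lines)  # ISO timestamps sort chronologically as text


if __name__ == "__main__":
    for a in detect_bursts(sample_log()):
        span = a["window_end"] - a["first_seen"]
        print(f"ALERT {a['host']} {a['proc']}: {a['files']} files in {span} "
              f"starting {a['first_seen']} -> isolate host, restore from backup")
```

The alert fires on the 20th distinct file, about two seconds into the burst in the constructed sample, which is the window in which turning off or isolating the workstation still limits the damage. On a real endpoint the same logic would run over the audit feed a monitoring tool already collects; the thresholds should be tuned against normal activity so that large legitimate jobs (builds, archive extraction) do not page the on-call.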

When the computer is stabilized, the next step is to wipe it of all programs and files – which is why it’s critical that organizations have a trusted and tested backup and disaster recovery plan in place. Without that backup plan, companies will be left with no other option than to pay the ransom and hope all their files are released back to their control. Paying the ransom also makes the company a huge target moving forward, with cybercriminals well aware that the company is ill-equipped for protection and remediation.

Ransomware shows no signs of slowing down but there are concrete steps that SMBs can take to minimize their risk:

●  Back up your data and files. Perform system backups regularly and often to ensure any data held for ransom can be recovered internally. Without a backup plan, businesses will have no choice but to pay for their stolen files.

●  Monitor your network. It is possible to detect when ransomware launches if you’re diligently monitoring your network by analyzing your logs, clearing out your alerts, and processing threat feeds. If the infection is detected quickly and the workstation disabled immediately, you can recover the data within 24 hours, and often in as little as five minutes.

●  Regularly train all of your users. User error is the key to ransomware’s success, so educating users on security basics such as not opening emails from unknown senders or downloading attachments is critical. You should also train users on how to spot security threat warnings and deal with them properly.

●  Keep your security defenses up to date. A sound security strategy comes down to discipline. Most organizations make investments in antivirus or email scanning systems, but if these are not updated regularly to ensure the latest signatures and patches are in place, they become less effective at blocking and flagging suspicious activity.
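A backup is only "trusted and tested", as the first tip and the recovery paragraph above require, if you can prove after the fact that the restored copy matches what was backed up and that the originals have changed. The script below is an added example, not code from the article or from Arctic Wolf Networks. It records a SHA-256 manifest of a constructed sample directory, copies the directory to a backup location, restores it, and verifies both the restore and the damaged originals against the manifest. The directory layout, file names and contents are all constructed inside a temporary directory so the script runs offline.

```python
"""Backup manifest and restore verification. Added example, not the article's.

All sample data is constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_against(manifest, root):
    """Return the relative paths that are missing under root or whose
    content no longer matches the manifest (empty list means all good)."""
    current = make_manifest(root)
    return sorted(rel for rel, digest in manifest.items()
                  if current.get(rel) != digest)


def demo():
    """Back up, restore, verify, then verify again after the originals are damaged."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "docs")
        os.makedirs(src)
        for i in range(3):  # constructed business files
            with open(os.path.join(src, f"invoice{i}.txt"), "w") as f:
                f.write(f"constructed invoice {i}\n")

        manifest = make_manifest(src)          # taken at backup time
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)           # the backup copy
        backup_ok = verify_against(manifest, backup)

        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)      # the restore test
        restore_ok = verify_against(manifest, restored)

        # Simulate damage to the originals: one overwritten, one deleted.
        with open(os.path.join(src, "invoice0.txt"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(src, "invoice1.txt"))
        damaged = verify_against(manifest, src)

        return backup_ok, restore_ok, damaged
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    backup_ok, restore_ok, damaged = demo()
    print("backup matches manifest:", backup_ok == [])
    print("restore matches manifest:", restore_ok == [])
    print("damaged originals:", damaged)
```

Keep the manifest somewhere the workstation cannot overwrite, separate from the backup itself; otherwise a process that can encrypt the data can also encrypt the evidence you would use to decide which backup is clean. Running the restore step on a schedule, not only after an incident, is what makes the plan "tested" rather than merely "in place".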

Brian brings more than 30 years of experience to Arctic Wolf Networks. In his previous position as CEO of Blue Coat Systems, he led the company's growth from $5M to over $500M per year as the industry's leading web proxy platform. Prior to that, Brian was the CEO of Ipsilon ...