Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/3/2017
10:30 AM
G. Mark Hardy
G. Mark Hardy
Commentary
Connect Directly
Twitter
LinkedIn
Google+
Facebook
RSS
E-Mail vvv
50%
50%

7 Steps to Fight Ransomware

Perpetrators are shifting to more specific targets. This means companies must strengthen their defenses, and these strategies can help.

Ransomware can be a highly lucrative system for extracting money from a customer. Victims are faced with an unpleasant choice:  either pay the ransom or lose access to the encrypted files forever. Until now, ransomware has appeared to be opportunistic and driven through random phishing campaigns. These campaigns often, but not always, rely on large numbers of emails that are harvested without a singular focus on a company or individual.

As ransomware perpetrators continue to hone their skills, we're seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms.

This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.

The best defensive strategies should include the following:

1. Provide user awareness training and friendly testing. This can reduce the human attack surface.

2. Maintain a comprehensive patch management program to keep all systems up to date and reduce the endpoint attack surface.

3. Limit users' privilege and network drive connectivity to the minimum essential for job requirements.

4. Conduct frequent backups and store them offline because many ransomware variants will spread through drive shares and can even reconnect a disconnected drive share.

5. Use network segmentation that requires authentication. For example, a user must enter a password before traversing the network. This will reduce the network attack surface.

6. Deploy advanced threat intelligence tools. Threat intelligence can be used to identify IP addresses of known command and control sites. Blocking these sites can potentially prevent malware from being able to establish its encryption routine. It's important to note this strategy may not work on some newer versions of ransomware that operate independently and create their own encryption keys without having to communicate with a command and control server.

7. Lastly, as a final fallback, know how to buy Bitcoin (or Monero, which is emerging as an alternative means of payment.) Consider pre-purchasing some in advance in the event a ransom needs to be paid on short notice.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Mitigating Risk
Although the ultimate goal is to avoid falling victim, this isn't always possible. An attack only takes one gullible employee to click on or open something he shouldn't. Then what?

Should you pay the ransom to continue operations, or do you refuse to pay it as a matter of principle? The tie-breaker is the cost of downtime — measured potentially in the range of thousands of dollars per hour. One should establish in advance the financial impact of losing access to critical information or business processes, and work through the decision before facing a crisis.

Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you're vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you're relying upon to prevent an infection is hope — and hope is not a strategy. By implementing the seven defensive actions listed above you can greatly reduce, and potentially eliminate, vulnerabilities. Review the list again, and remember that increased security awareness training with testing can be your most effective defense.

Note: G. Mark Hardy will be giving a talk on this topic at an upcoming SANS event in Denver, Colorado.

Related Content:

G. Mark Hardy is an instructor with SANS and the founder and president of National Security Corporation. He has been providing cybersecurity expertise to government, military, and commercial clients for over 30 years and is an internationally recognized expert who has spoken ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalvinLazer
100%
0%
CalvinLazer,
User Rank: Apprentice
5/4/2017 | 6:56:41 AM
Glad To Find This Site
I found your site on https://secure360.org (5 information security blogs page). I always find something new to read related computer security.

I am glad to find your site.

I also run my own blog Pop-up Removal Guide.
Crypt0L0cker
0%
100%
Crypt0L0cker,
User Rank: Strategist
5/4/2017 | 6:11:26 AM
Re: 7 Steps to Fight Onion Ransomware
You forgot about the basic thing - security software. My antivirus alerts me in the most cases when infected file attached to the email.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15504
PUBLISHED: 2020-07-10
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other version...
CVE-2020-8190
PUBLISHED: 2020-07-10
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.
CVE-2020-8191
PUBLISHED: 2020-07-10
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).
CVE-2020-8193
PUBLISHED: 2020-07-10
Improper access control in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows unauthenticated access to certain URL endpoints.
CVE-2020-8194
PUBLISHED: 2020-07-10
Reflected code injection in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows the modification of a file download.