Attacks/Breaches

5/3/2017
10:30 AM
G. Mark Hardy
G. Mark Hardy
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

7 Steps to Fight Ransomware

Perpetrators are shifting to more specific targets. This means companies must strengthen their defenses, and these strategies can help.

Ransomware can be a highly lucrative system for extracting money from a customer. Victims are faced with an unpleasant choice:  either pay the ransom or lose access to the encrypted files forever. Until now, ransomware has appeared to be opportunistic and driven through random phishing campaigns. These campaigns often, but not always, rely on large numbers of emails that are harvested without a singular focus on a company or individual.

As ransomware perpetrators continue to hone their skills, we're seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms.

This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.

The best defensive strategies should include the following:

1. Provide user awareness training and friendly testing. This can reduce the human attack surface.

2. Maintain a comprehensive patch management program to keep all systems up to date and reduce the endpoint attack surface.

3. Limit users' privilege and network drive connectivity to the minimum essential for job requirements.

4. Conduct frequent backups and store them offline because many ransomware variants will spread through drive shares and can even reconnect a disconnected drive share.

5. Use network segmentation that requires authentication. For example, a user must enter a password before traversing the network. This will reduce the network attack surface.

6. Deploy advanced threat intelligence tools. Threat intelligence can be used to identify IP addresses of known command and control sites. Blocking these sites can potentially prevent malware from being able to establish its encryption routine. It's important to note this strategy may not work on some newer versions of ransomware that operate independently and create their own encryption keys without having to communicate with a command and control server.

7. Lastly, as a final fallback, know how to buy Bitcoin (or Monero, which is emerging as an alternative means of payment.) Consider pre-purchasing some in advance in the event a ransom needs to be paid on short notice.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Mitigating Risk
Although the ultimate goal is to avoid falling victim, this isn't always possible. An attack only takes one gullible employee to click on or open something he shouldn't. Then what?

Should you pay the ransom to continue operations, or do you refuse to pay it as a matter of principle? The tie-breaker is the cost of downtime — measured potentially in the range of thousands of dollars per hour. One should establish in advance the financial impact of losing access to critical information or business processes, and work through the decision before facing a crisis.

Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you're vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you're relying upon to prevent an infection is hope — and hope is not a strategy. By implementing the seven defensive actions listed above you can greatly reduce, and potentially eliminate, vulnerabilities. Review the list again, and remember that increased security awareness training with testing can be your most effective defense.

Note: G. Mark Hardy will be giving a talk on this topic at an upcoming SANS event in Denver, Colorado.

Related Content:

G. Mark Hardy is an instructor with SANS and the founder and president of National Security Corporation. He has been providing cybersecurity expertise to government, military, and commercial clients for over 30 years and is an internationally recognized expert who has spoken ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalvinLazer
100%
0%
CalvinLazer,
User Rank: Apprentice
5/4/2017 | 6:56:41 AM
Glad To Find This Site
I found your site on https://secure360.org (5 information security blogs page). I always find something new to read related computer security.

I am glad to find your site.

I also run my own blog Pop-up Removal Guide.
Crypt0L0cker
0%
100%
Crypt0L0cker,
User Rank: Strategist
5/4/2017 | 6:11:26 AM
Re: 7 Steps to Fight Onion Ransomware
You forgot about the basic thing - security software. My antivirus alerts me in the most cases when infected file attached to the email.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.