Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

5/3/2017
10:30 AM
G. Mark Hardy
G. Mark Hardy
Commentary
Connect Directly
Facebook
LinkedIn
Google+
Twitter
RSS
E-Mail vvv
50%
50%

7 Steps to Fight Ransomware

Perpetrators are shifting to more specific targets. This means companies must strengthen their defenses, and these strategies can help.

Ransomware can be a highly lucrative system for extracting money from a customer. Victims are faced with an unpleasant choice:  either pay the ransom or lose access to the encrypted files forever. Until now, ransomware has appeared to be opportunistic and driven through random phishing campaigns. These campaigns often, but not always, rely on large numbers of emails that are harvested without a singular focus on a company or individual.

As ransomware perpetrators continue to hone their skills, we're seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms.

This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.

The best defensive strategies should include the following:

1. Provide user awareness training and friendly testing. This can reduce the human attack surface.

2. Maintain a comprehensive patch management program to keep all systems up to date and reduce the endpoint attack surface.

3. Limit users' privilege and network drive connectivity to the minimum essential for job requirements.

4. Conduct frequent backups and store them offline because many ransomware variants will spread through drive shares and can even reconnect a disconnected drive share.

5. Use network segmentation that requires authentication. For example, a user must enter a password before traversing the network. This will reduce the network attack surface.

6. Deploy advanced threat intelligence tools. Threat intelligence can be used to identify IP addresses of known command and control sites. Blocking these sites can potentially prevent malware from being able to establish its encryption routine. It's important to note this strategy may not work on some newer versions of ransomware that operate independently and create their own encryption keys without having to communicate with a command and control server.

7. Lastly, as a final fallback, know how to buy Bitcoin (or Monero, which is emerging as an alternative means of payment.) Consider pre-purchasing some in advance in the event a ransom needs to be paid on short notice.

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Mitigating Risk
Although the ultimate goal is to avoid falling victim, this isn't always possible. An attack only takes one gullible employee to click on or open something he shouldn't. Then what?

Should you pay the ransom to continue operations, or do you refuse to pay it as a matter of principle? The tie-breaker is the cost of downtime — measured potentially in the range of thousands of dollars per hour. One should establish in advance the financial impact of losing access to critical information or business processes, and work through the decision before facing a crisis.

Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you're vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you're relying upon to prevent an infection is hope — and hope is not a strategy. By implementing the seven defensive actions listed above you can greatly reduce, and potentially eliminate, vulnerabilities. Review the list again, and remember that increased security awareness training with testing can be your most effective defense.

Note: G. Mark Hardy will be giving a talk on this topic at an upcoming SANS event in Denver, Colorado.

Related Content:

G. Mark Hardy is an instructor with SANS and the founder and president of National Security Corporation. He has been providing cybersecurity expertise to government, military, and commercial clients for over 30 years and is an internationally recognized expert who has spoken ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
CalvinLazer
100%
0%
CalvinLazer,
User Rank: Apprentice
5/4/2017 | 6:56:41 AM
Glad To Find This Site
I found your site on https://secure360.org (5 information security blogs page). I always find something new to read related computer security.

I am glad to find your site.

I also run my own blog Pop-up Removal Guide.
Crypt0L0cker
0%
100%
Crypt0L0cker,
User Rank: Strategist
5/4/2017 | 6:11:26 AM
Re: 7 Steps to Fight Onion Ransomware
You forgot about the basic thing - security software. My antivirus alerts me in the most cases when infected file attached to the email.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-2729
PUBLISHED: 2019-06-19
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise ...
CVE-2019-3737
PUBLISHED: 2019-06-19
Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application.
CVE-2019-3787
PUBLISHED: 2019-06-19
Cloud Foundry UAA, versions prior to 73.0.0, falls back to appending ?unknown.org? to a user's email address when one is not provided and the user name does not contain an @ character. This domain is held by a private company, which leads to attack vectors including password recovery emails sent to ...
CVE-2019-12900
PUBLISHED: 2019-06-19
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVE-2019-12893
PUBLISHED: 2019-06-19
Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewer!PerfgrapFinalize+0x00000000000a8868.