Ransomware can be a highly lucrative system for extracting money from a customer. Victims are faced with an unpleasant choice: either pay the ransom or lose access to the encrypted files forever. Until now, ransomware has appeared to be opportunistic and driven through random phishing campaigns. These campaigns often, but not always, rely on large numbers of emails that are harvested without a singular focus on a company or individual.
As ransomware perpetrators continue to hone their skills, we're seeing a shift to more specific targets. The driver of this shift is the realization that companies, especially larger ones, are much higher-value targets than an average individual and are thus able to pay significantly higher ransoms.
This change has elevated the need for companies to strengthen their defensive strategies. Executives must allocate resources and ensure strategies are active against ransomware intent on paralyzing their organization.
The best defensive strategies should include the following:
1. Provide user awareness training and friendly testing. This can reduce the human attack surface.
2. Maintain a comprehensive patch management program to keep all systems up to date and reduce the endpoint attack surface.
3. Limit users' privilege and network drive connectivity to the minimum essential for job requirements.
4. Conduct frequent backups and store them offline because many ransomware variants will spread through drive shares and can even reconnect a disconnected drive share.
5. Use network segmentation that requires authentication. For example, a user must enter a password before traversing the network. This will reduce the network attack surface.
6. Deploy advanced threat intelligence tools. Threat intelligence can be used to identify IP addresses of known command and control sites. Blocking these sites can potentially prevent malware from being able to establish its encryption routine. It's important to note this strategy may not work on some newer versions of ransomware that operate independently and create their own encryption keys without having to communicate with a command and control server.
7. Lastly, as a final fallback, know how to buy Bitcoin (or Monero, which is emerging as an alternative means of payment.) Consider pre-purchasing some in advance in the event a ransom needs to be paid on short notice.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
Although the ultimate goal is to avoid falling victim, this isn't always possible. An attack only takes one gullible employee to click on or open something he shouldn't. Then what?
Should you pay the ransom to continue operations, or do you refuse to pay it as a matter of principle? The tie-breaker is the cost of downtime — measured potentially in the range of thousands of dollars per hour. One should establish in advance the financial impact of losing access to critical information or business processes, and work through the decision before facing a crisis.
Ransomware is a clear and present danger. Companies can no longer afford to take a wait-and-see attitude. If you're vulnerable to ransomware and take no precautions to mitigate those vulnerabilities, then the only thing you're relying upon to prevent an infection is hope — and hope is not a strategy. By implementing the seven defensive actions listed above you can greatly reduce, and potentially eliminate, vulnerabilities. Review the list again, and remember that increased security awareness training with testing can be your most effective defense.
Note: G. Mark Hardy will be giving a talk on this topic at an upcoming SANS event in Denver, Colorado.