At the beginning of the year, the FBI put out a warning about ransomware on the rise. As you know, these malware scams encrypt files on infected computers, and then criminals demand payment before they'll provide the key required to decrypt them.
Ransomware has been around for years, but recent scams are reaching a new level of sophistication. Malware kits are widely available to buy off the shelf in underground markets, and we've even seen ransomware-as-a-service. Criminals may pose as legitimate companies, law enforcement, or even the FBI themselves, but ransomware is working so well that they don't always have to disguise themselves. Pressure is applied with a countdown threat to destroy data, increase the ransom, or sell the files on the black market. Demand for payment using Bitcoins enables the criminals to protect their anonymity.
The general consensus from the experts is that you shouldn't pay. After all, there's no guarantee the criminals will provide the key you need after payment, and they might sell your files or expose them regardless. If everyone refuses to pay, ransomware will decline in popularity. But that raises the question: what should you do?
Consider that when the Tewksbury Police Department fell victim to CryptoLocker ransomware it enlisted the Department of Homeland Security, the FBI, and the Massachusetts State Police, as well as some private InfoSec firms. None of them were able to help. In the end, the Tewksbury P.D. paid the ransom, which was reportedly around $500 in Bitcoin.
Similar attacks on the Lincoln County Sheriff's office, the Sheriff's Department in Dickinson County, Tennessee, and Midlothian P.D. in Chicago were all successful. If the police can't fight ransomware, what chance does your business have? In every case, paying the ransom could have been avoided if a few basic infosec best practices were properly observed:
- Back up your files. Ideally, you'll have a real-time backup system. If you have a recent backup, then it's a simple matter of wiping the infected device and restoring the backed-up files. An important thing to remember here is that you can't take your backup system for granted. Make sure that you test it. Problems with restore functions are, unfortunately, quite common.
- Educate your staff. Ransomware doesn't spread by itself; it requires user interaction. Most commonly, it is spread through email attachments or links that direct victims to fake or compromised websites. Your employees should be clear on the risks of suspicious emails. In simple terms: don't open attachments and don't click on links.
- Keep software up to date. Your anti-malware software, and all of the software that you use within your business must be kept up to date. Anti-malware software requires the latest updates in order to recognize malware. Vulnerabilities in the vast majority of software are constantly being patched.
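As an added illustration of the "test your backup system" point above (this is not code from the original post), here is a small restore drill in Python: it records a SHA-256 manifest of the live files, runs a restore into scratch space and reports anything missing, altered or unexpected. The restore step is assumed to be your own procedure passed in as a callable, and the sample files and the deliberately faulty restore are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Diff a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    report = {
        "missing": sorted(set(manifest) - set(restored)),
        "extra": sorted(set(restored) - set(manifest)),
        "corrupted": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
    }
    report["ok"] = not any(report[k] for k in ("missing", "extra", "corrupted"))
    return report


def run_drill(live: Path, restore) -> dict:
    """Snapshot the live tree, run restore(target_dir) into scratch space, verify.
    restore is assumed to be the organisation's own restore step, passed as a callable."""
    manifest = build_manifest(live)
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restored"
        restore(target)
        return verify_restore(manifest, target)


def demo_faulty_restore() -> dict:
    """Constructed scenario: a restore that silently drops one file and truncates
    another, the kind of fault the post says is common and a drill should catch."""
    with tempfile.TemporaryDirectory() as work:
        live = Path(work) / "live"
        (live / "docs").mkdir(parents=True)
        (live / "ledger.csv").write_bytes(b"id,amount\n1,500\n")
        (live / "docs" / "policy.txt").write_bytes(b"backup policy v1\n")
        (live / "docs" / "contacts.txt").write_bytes(b"state police liaison\n")
        backup = Path(work) / "backup"
        shutil.copytree(live, backup)  # the "backup" is a plain copy in this demo

        def faulty_restore(target: Path):
            shutil.copytree(backup, target)
            (target / "docs" / "contacts.txt").unlink()          # file lost on restore
            (target / "ledger.csv").write_bytes(b"id,amount\n")  # file truncated

        return run_drill(live, faulty_restore)
```

Run the drill against a real restore on a schedule; a report with `ok` set to False is the signal that the backup would not have saved you.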
You might also consider limiting the applications that can run on your network, restricting permissions for users, tightening up firewall settings, and a host of other actions. But if you start with these three suggestions, you can safeguard yourself against the vast majority of ransomware attacks. Even if you can't prevent a successful ransomware infection, it is often possible to prevent the exfiltration of data, and a solid recovery strategy can render it impotent.
On the other hand, if you haven't taken steps to guard against a ransomware attack and you do fall victim, then it's already too late. The stark and uncomfortable truth facing you is that you'll have to wave goodbye to that data, or pay the ransom and hope for the best. Realistically, a payment is often the only way you're going to recover those files. The logic that criminals will only continue to use ransomware if people pay works both ways – if they don't provide the decryption keys, there's no incentive for anyone to pay. That's why they generally do.
But consider this: if your data is important enough to pay a ransom for, why wasn't it important enough to properly back up and protect?