

6/26/2015
10:30 AM
Michelle Drolet
Commentary

3 Simple Steps For Minimizing Ransomware Exposure

If your data is important enough to pay a ransom for, why wasn't it important enough to properly back up and protect in the first place?

At the beginning of the year, the FBI put out a warning about ransomware being on the rise. As you know, this malware encrypts files on infected computers, and the criminals then demand payment before they'll hand over the key required to decrypt them.

Ransomware has been around for years, but recent scams are reaching a new level of sophistication. Malware kits are widely available to buy off the shelf in underground markets, and we've even seen ransomware-as-a-service. Criminals may pose as legitimate companies, law enforcement, or even the FBI themselves, but ransomware is working so well that they don't always bother to disguise themselves. Pressure is applied with a countdown: pay by the deadline or the data is destroyed, the ransom goes up, or the files are sold on the black market. Demanding payment in Bitcoin lets the criminals protect their anonymity.

The general consensus among experts is that you shouldn't pay. After all, there's no guarantee the criminals will provide the key you need after payment, and they might sell or expose your files regardless. If everyone refuses to pay, ransomware will decline in popularity. But that raises the question: what should you do?

Consider that when the Tewksbury Police Department fell victim to CryptoLocker ransomware it enlisted the Department of Homeland Security, the FBI, and the Massachusetts State Police, as well as some private InfoSec firms. None of them were able to help. In the end, the Tewksbury P.D. paid the ransom, which was reportedly around $500 in Bitcoin.

Similar attacks on the Lincoln County Sheriff's Office, the Sheriff's Office in Dickson County, Tennessee, and the Midlothian P.D. outside Chicago were all successful. If the police can't fight ransomware, what chance does your business have? In every case, paying the ransom could have been avoided if a few basic infosec best practices had been properly observed:

  • Back up your files. Ideally you'll have an automated, frequent backup, but automation alone isn't enough: a backup drive or sync folder that stays connected to the infected machine will usually be encrypted along with everything else, so keep at least one copy offline or in versioned storage that the malware can't overwrite. With a recent, intact backup, recovery is a simple matter of wiping the infected device and restoring the files. Don't take your backup system for granted; test it by actually performing a restore. Problems with restore functions are, unfortunately, quite common, and the worst time to discover one is after an infection.
  • Educate your staff. Most ransomware doesn't spread by itself; it needs a user to open an email attachment or follow a link to a fake or compromised website. Your employees should be clear on the risks of suspicious email. In simple terms: don't open unexpected attachments and don't click on links in messages you weren't expecting.
  • Keep software up to date. Your anti-malware software, and every other piece of software your business uses, must be kept current. Anti-malware products need the latest updates in order to recognize new malware, and the vulnerabilities ransomware exploits in browsers, plug-ins, and office software are patched constantly, but a patch only helps once it is installed.
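To make the first of those steps concrete, here is an added example; it is not code from this column or from Towerwall. The script takes a versioned backup of a directory, records a SHA-256 manifest inside the archive, and performs the restore test the column calls for: it extracts the archive into scratch space and re-hashes every file against the manifest. It then lets a stand-in for the infection scribble over the live files and shows why versioning matters: the earlier archive still restores cleanly, while a backup taken after the fact passes its own integrity check yet contains none of the original data. The sample files, directory names, and the `simulate_encryption` routine are all constructed for the demonstration.

```python
"""Versioned backup with an embedded SHA-256 manifest, plus a restore test.
Added example for this column, not Towerwall's tooling; the sample tree and
the ransomware stand-in below are constructed for the demonstration."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"  # stored inside the archive next to the data/ tree


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    if not root.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path) -> Path:
    """Write a new timestamped archive; an earlier version is never overwritten."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"backup-{time.time_ns()}.tar.gz"
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(src / rel), arcname=f"data/{rel}")
        blob = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size, info.mtime = len(blob), int(time.time())
        tar.addfile(info, io.BytesIO(blob))
    return archive


def read_manifest(archive: Path) -> dict:
    """Read the manifest out of an archive without extracting the data."""
    with tarfile.open(str(archive), "r:gz") as tar:
        return json.load(tar.extractfile(MANIFEST))


def verify_restore(archive: Path) -> dict:
    """The restore test: extract into scratch space and re-hash against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # refuses path traversal, links, devices
            except TypeError:                        # older Python without the filter argument
                tar.extractall(dest)
        expected = json.loads((dest / MANIFEST).read_text())
        restored = build_manifest(dest / "data")
        missing = sorted(set(expected) - set(restored))
        extra = sorted(set(restored) - set(expected))
        corrupt = sorted(k for k in expected if k in restored and restored[k] != expected[k])
        return {"ok": not (missing or extra or corrupt), "files": len(expected),
                "missing": missing, "extra": extra, "corrupt": corrupt}


def make_sample_tree(root: Path) -> Path:
    """Constructed sample data standing in for a small file share."""
    src = root / "share"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "q2-ledger.csv").write_text("date,amount\n2015-06-01,1200.00\n")
    (src / "notes.txt").write_text("Call the backup vendor about restore tests.\n")
    return src


def simulate_encryption(src: Path) -> None:
    """Stand-in for the infection: overwrite every file with junk and rename it."""
    for p in [p for p in src.rglob("*") if p.is_file()]:
        p.write_bytes(os.urandom(64))
        p.rename(p.with_name(p.name + ".encrypted"))


def demo() -> dict:
    """Back up, test the restore, 'get infected', then see which copies still help."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = make_sample_tree(root)
        originals = build_manifest(src)
        good = create_backup(src, root / "backups")
        first_check = verify_restore(good)
        simulate_encryption(src)
        late = create_backup(src, root / "backups")  # the job keeps running after infection
        return {
            "first_ok": first_check["ok"],
            "good_still_ok": verify_restore(good)["ok"],  # versioned copy is untouched
            "archives_kept": len(list((root / "backups").glob("backup-*.tar.gz"))),
            "late_passes_own_check": verify_restore(late)["ok"],
            "late_holds_originals": not set(originals).isdisjoint(read_manifest(late)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things in the output are worth dwelling on. `verify_restore` is the part most backup jobs skip: a backup that has never been restored is an assumption, not a backup, and the manifest gives the restore a pass/fail answer instead of "the files seem to be there." The timestamped archive names are what make the copy versioned; a job that overwrote a single `backup.tar.gz` on every run would have replaced the good copy with the encrypted one, and the late archive's clean self-check shows that an integrity check alone won't tell you that happened.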

You might also consider limiting the applications that can run on your network (application whitelisting), restricting user permissions so that one compromised account can't reach every file share, tightening firewall settings, and a host of other measures. But if you start with these three suggestions, you can safeguard yourself against the vast majority of ransomware attacks. Even if you can't prevent a successful infection, it is often possible to limit the damage and keep data from leaving the network, and a solid recovery strategy can render the attack impotent.

On the other hand, if you haven't taken steps to guard against a ransomware attack and you do fall victim, then it's already too late. The stark and uncomfortable truth is that you'll have to wave goodbye to that data, or pay the ransom and hope for the best. Realistically, a payment is often the only way you're going to recover those files. The logic that criminals will only continue to use ransomware if people pay works both ways: if they don't provide the decryption keys, there's no incentive for anyone to pay. That's why they generally do.

But consider this: if your data is important enough to pay a ransom for, why wasn't it important enough to properly back up and protect in the first place?

Michelle Drolet is founder of Towerwall, a full-service information security provider with over 20 years of experience exclusively delivering security and risk management services to biotech, financial services, and education.