Endpoint

10/28/2016
11:00 AM
Brian NeSmith
Brian NeSmith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

A Ransomware Tutorial For SMBs

Small-to-medium-sized businesses are an easy target for ransomware. Here are four tips that will minimize the risk.

The year 2016 will long be remembered as the “year SMBs learned about ransomware.” Major businesses have fallen victim to the crime including MedStar, Hollywood Presbyterian Medical Center, Michigan Utility BWL, and even branches of the government. The name recognition of these organizations landed them in the headlines, but what is less frequently reported is the fact that small businesses are actually some of the most at-risk, targeted organizations for this growing crime.

Small-to-medium sized businesses typically have limited resources to create a dedicated security team, or even hire a single, dedicated security engineer. This leaves them exposed to a number of threats without proper support as an attractive target for cybercriminals. According to a recent report by Ponemon, more than half of small businesses have been breached in the past 12 months. When it comes to ransomware in particular, most SMBs don’t realize that when they are hit, the impact extends far beyond a one-time financial loss. The disruptive incident can bring the business to a halt, hinder a company’s reputation and cause them to lose customers and clients. It can also make them a major target for future attacks as victims willing to pay up.

Similar to most malware, ransomware leverages user error as the entry point, with the attack oftentimes entering through email. However, once the ransomware is installed, the likeness between the two end. While malware is known for being dormant and slowly collecting data over time, ransomware is designed to infect the network rapidly, initiating file encryption in just three seconds. It achieves this by installing itself and then immediately reaching out to a command-and-control server to retrieve a key, which it then uses to disable access to data, leaving an organization without access to business-critical data.

Timeline of a Ransomware Infection: 3 Seconds to Encryption

●     0:00.0 - User clicks on phishing email

●     0:01.0 - User unknowingly downloads ransomware

●     0:01.5 - Ransomware unpacks and executes

●     0:02.0 - Ransomware downloads the encryption keys

●     0:02.5 - Scans computer to identify all attached drives

●     0:03.0 - File encryption begins

●     Encryption Completed - User gets ransomware notification

With user error the main point of entry, ransomware can be nearly impossible to prevent. But giving all employees basic training about how ransomware happens and how to react is a good first step. Beyond that, the best defense is rapid detection, response, and remediation. Due to the rapid pace of infection, employees should take immediate action to turn off their computer to limit the number of files the ransomware has time to encrypt.

When the computer is stabilized, the next step is to wipe it of all programs and files – which is why it’s critical that organizations have a trusted and tested backup and disaster recovery plan in place. Without that backup plan, companies will be left with no other option than to pay the ransom and hope all their files are released back to their control. Paying the ransom also makes the company a huge target moving forward, with cybercriminals well aware that the company is ill equipped for protection and remediation. 

Ransomware shows no signs of slowing down but there are concrete steps that SMBs can take to minimize their risk:

●  Backup your data/files. Perform system backups regularly and often to ensure any data held for ransom can be recovered internally. Without a backup plan, businesses will have no choice but to pay for their stolen files.

●  Monitor your network. It is possible to detect when ransomware dispatches if you’re diligently monitoring your network by analyzing your logs, clearing out your alerts, and processing threat feeds. If the infection is detected quickly and the workstation disabled immediately, you can recover the data within 24 hours, and often in as quickly as five minutes.

●  Regularly train all of your users. User error is the key to ransomware’s success, so educating users on security basics such as not opening emails from unknown senders and downloading attachments is critical. You should also train users on how to spot security threat warnings and deal with them properly.

●  Keep your security defenses up to date. A sound security strategy comes down to discipline. Most organizations make investments in antivirus or email scanning systems, but if these are not updated regularly to ensure the latest signatures and patches are in place, they become less effective at blocking and flagging suspicious activity.  

Related Content:

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Brian brings more than 30 years of experience to Arctic Wolf Networks. In his previous position as CEO of Blue Coat Systems, he led the company's growth from $5M to over $500M per year as the industry's leading web proxy platform. Prior to that, Brian was the CEO of Ipsilon ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Ways Greed Has a Negative Effect on Cybersecurity
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  6/11/2018
Weaponizing IPv6 to Bypass IPv4 Security
John Anderson, Principal Security Consultant, Trustwave Spiderlabs,  6/12/2018
'Shift Left' & the Connected Car
Rohit Sethi, COO of Security Compass,  6/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12026
PUBLISHED: 2018-06-17
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in tur...
CVE-2018-12027
PUBLISHED: 2018-06-17
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said ...
CVE-2018-12028
PUBLISHED: 2018-06-17
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an e...
CVE-2018-12029
PUBLISHED: 2018-06-17
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard passenger_instance_registry_dir with insufficiently strict permissions is configured. Replacing a file with a symlink after the file was created, but befor...
CVE-2018-12071
PUBLISHED: 2018-06-17
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.