Endpoint | Commentary
10/28/2016, 11:00 AM
Brian NeSmith

A Ransomware Tutorial For SMBs

Small-to-medium-sized businesses are an easy target for ransomware. Here are four tips that will minimize the risk.

The year 2016 will long be remembered as the “year SMBs learned about ransomware.” Major organizations have fallen victim to the crime, including MedStar, Hollywood Presbyterian Medical Center, Michigan utility BWL, and even branches of the government. The name recognition of these organizations landed them in the headlines, but what is less frequently reported is that small businesses are actually among the most at-risk, most frequently targeted organizations for this growing crime.

Small-to-medium-sized businesses typically lack the resources to build a dedicated security team, or even to hire a single dedicated security engineer. That leaves them exposed to a range of threats without proper support, and makes them an attractive target for cybercriminals. According to a recent report by Ponemon, more than half of small businesses have been breached in the past 12 months. When it comes to ransomware in particular, most SMBs don’t realize that when they are hit, the impact extends far beyond a one-time financial loss. The incident can bring the business to a halt, damage the company’s reputation and cost it customers and clients. It can also mark the company as a target for future attacks, as a victim known to be willing to pay up.

Like most malware, ransomware relies on user error as its entry point, with the attack most often arriving by email. Once the ransomware is installed, however, the likeness between the two ends. Where conventional malware typically stays dormant and slowly collects data over time, ransomware is designed to infect the network rapidly, initiating file encryption in just three seconds. It achieves this by installing itself and then immediately reaching out to a command-and-control server to retrieve a key, which it uses to lock the organization out of its own business-critical data.

Timeline of a Ransomware Infection: 3 Seconds to Encryption

● 0:00.0 - User clicks on phishing email
● 0:01.0 - User unknowingly downloads ransomware
● 0:01.5 - Ransomware unpacks and executes
● 0:02.0 - Ransomware downloads the encryption keys
● 0:02.5 - Scans computer to identify all attached drives
● 0:03.0 - File encryption begins
● Encryption completed - User gets ransomware notification

With user error the main point of entry, ransomware can be nearly impossible to prevent. But giving all employees basic training about how ransomware happens and how to react is a good first step. Beyond that, the best defense is rapid detection, response, and remediation. Due to the rapid pace of infection, employees should take immediate action to turn off their computer to limit the number of files the ransomware has time to encrypt.

When the computer is stabilized, the next step is to wipe it of all programs and files, which is why it’s critical that organizations have a trusted and tested backup and disaster recovery plan in place. Without that backup plan, companies will be left with no option but to pay the ransom and hope all their files are released back to their control. Paying the ransom also makes the company a prime target going forward, because cybercriminals then know the company is ill-equipped for protection and remediation.

Ransomware shows no signs of slowing down but there are concrete steps that SMBs can take to minimize their risk:

● Back up your data and files. Perform system backups regularly and often to ensure any data held for ransom can be recovered internally. Without a backup plan, businesses will have no choice but to pay for their stolen files.

● Monitor your network. It is possible to detect when ransomware launches if you diligently monitor your network by analyzing your logs, working through your alerts, and processing threat feeds. If the infection is detected quickly and the workstation is disabled immediately, you can recover the data within 24 hours, and often in as little as five minutes.

● Regularly train all of your users. User error is the key to ransomware’s success, so educating users on security basics, such as not opening emails from unknown senders or downloading their attachments, is critical. You should also train users on how to spot security threat warnings and deal with them properly.

● Keep your security defenses up to date. A sound security strategy comes down to discipline. Most organizations invest in antivirus or email scanning systems, but if these are not updated regularly to ensure the latest signatures and patches are in place, they become less effective at blocking and flagging suspicious activity.
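As an added example (not from the article or its author), here is the “monitor your network” tip applied to the seconds-to-encryption timeline above: a Python sliding-window detector that reads constructed file-server audit events and alerts the first time one host modifies ten or more distinct files within five seconds. The log format, host names, paths and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # distinct files one host may modify per window before alerting
WINDOW = timedelta(seconds=5)  # sized to the article's seconds-to-encryption timeline

# Constructed sample audit log (not from the article), one event per line:
# "<ISO timestamp> <host> <action> <path>". ws-07 rewrites 12 files in ~1.1 s,
# the burst pattern of file encryption; ws-02 edits 3 files over a minute.
SAMPLE_LOG = [
    f"2016-10-28T11:00:{1 + i // 10:02d}.{(i % 10) * 100:03d} ws-07 MODIFY /share/hr/doc{i:02d}.docx"
    for i in range(12)
] + [
    "2016-10-28T11:00:00.000 ws-02 MODIFY /share/finance/q3.xlsx",
    "2016-10-28T11:00:30.000 ws-02 READ   /share/finance/q2.xlsx",
    "2016-10-28T11:00:45.000 ws-02 MODIFY /share/finance/notes.txt",
    "2016-10-28T11:01:00.000 ws-02 MODIFY /share/finance/budget.xlsx",
]


def parse_event(line):
    """Split one audit line into (timestamp, host, action, path)."""
    ts, host, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, action, path


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: time of first alert} for hosts whose write burst reaches the threshold.

    Keeps a per-host sliding window of recent write events; an alert fires the first
    time the number of distinct files written inside the window reaches the threshold.
    """
    recent = defaultdict(deque)  # host -> deque of (timestamp, path) inside the window
    alerts = {}
    for line in sorted(l for l in lines if l.strip()):  # ISO timestamps sort chronologically
        ts, host, action, path = parse_event(line)
        if action not in ("MODIFY", "RENAME"):  # reads are normal; writes and renames are the signal
            continue
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop events that have fallen out of the window
            q.popleft()
        if host not in alerts and len({p for _, p in q}) >= threshold:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, ts in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ts.isoformat()} {host}: isolate the host, preserve it for forensics, restore from backup")
```

Tune THRESHOLD and WINDOW against a baseline of normal activity on your own file servers before acting on alerts; batch jobs and bulk copies will also exceed a naive threshold.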


Brian brings more than 30 years of experience to Arctic Wolf Networks. In his previous position as CEO of Blue Coat Systems, he led the company's growth from $5M to over $500M per year as the industry's leading web proxy platform. Prior to that, Brian was the CEO of Ipsilon ...