Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/28/2016
11:00 AM
Brian NeSmith
Brian NeSmith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

A Ransomware Tutorial For SMBs

Small-to-medium-sized businesses are an easy target for ransomware. Here are four tips that will minimize the risk.

The year 2016 will long be remembered as the “year SMBs learned about ransomware.” Major businesses have fallen victim to the crime including MedStar, Hollywood Presbyterian Medical Center, Michigan Utility BWL, and even branches of the government. The name recognition of these organizations landed them in the headlines, but what is less frequently reported is the fact that small businesses are actually some of the most at-risk, targeted organizations for this growing crime.

Small-to-medium sized businesses typically have limited resources to create a dedicated security team, or even hire a single, dedicated security engineer. This leaves them exposed to a number of threats without proper support as an attractive target for cybercriminals. According to a recent report by Ponemon, more than half of small businesses have been breached in the past 12 months. When it comes to ransomware in particular, most SMBs don’t realize that when they are hit, the impact extends far beyond a one-time financial loss. The disruptive incident can bring the business to a halt, hinder a company’s reputation and cause them to lose customers and clients. It can also make them a major target for future attacks as victims willing to pay up.

Similar to most malware, ransomware leverages user error as the entry point, with the attack oftentimes entering through email. However, once the ransomware is installed, the likeness between the two end. While malware is known for being dormant and slowly collecting data over time, ransomware is designed to infect the network rapidly, initiating file encryption in just three seconds. It achieves this by installing itself and then immediately reaching out to a command-and-control server to retrieve a key, which it then uses to disable access to data, leaving an organization without access to business-critical data.

Timeline of a Ransomware Infection: 3 Seconds to Encryption

●     0:00.0 - User clicks on phishing email

●     0:01.0 - User unknowingly downloads ransomware

●     0:01.5 - Ransomware unpacks and executes

●     0:02.0 - Ransomware downloads the encryption keys

●     0:02.5 - Scans computer to identify all attached drives

●     0:03.0 - File encryption begins

●     Encryption Completed - User gets ransomware notification

With user error the main point of entry, ransomware can be nearly impossible to prevent. But giving all employees basic training about how ransomware happens and how to react is a good first step. Beyond that, the best defense is rapid detection, response, and remediation. Due to the rapid pace of infection, employees should take immediate action to turn off their computer to limit the number of files the ransomware has time to encrypt.

When the computer is stabilized, the next step is to wipe it of all programs and files – which is why it’s critical that organizations have a trusted and tested backup and disaster recovery plan in place. Without that backup plan, companies will be left with no other option than to pay the ransom and hope all their files are released back to their control. Paying the ransom also makes the company a huge target moving forward, with cybercriminals well aware that the company is ill equipped for protection and remediation. 

Ransomware shows no signs of slowing down but there are concrete steps that SMBs can take to minimize their risk:

●  Backup your data/files. Perform system backups regularly and often to ensure any data held for ransom can be recovered internally. Without a backup plan, businesses will have no choice but to pay for their stolen files.

●  Monitor your network. It is possible to detect when ransomware dispatches if you’re diligently monitoring your network by analyzing your logs, clearing out your alerts, and processing threat feeds. If the infection is detected quickly and the workstation disabled immediately, you can recover the data within 24 hours, and often in as quickly as five minutes.

●  Regularly train all of your users. User error is the key to ransomware’s success, so educating users on security basics such as not opening emails from unknown senders and downloading attachments is critical. You should also train users on how to spot security threat warnings and deal with them properly.

●  Keep your security defenses up to date. A sound security strategy comes down to discipline. Most organizations make investments in antivirus or email scanning systems, but if these are not updated regularly to ensure the latest signatures and patches are in place, they become less effective at blocking and flagging suspicious activity.  

Related Content:

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Brian brings more than 30 years of experience to Arctic Wolf Networks. In his previous position as CEO of Blue Coat Systems, he led the company's growth from $5M to over $500M per year as the industry's leading web proxy platform. Prior to that, Brian was the CEO of Ipsilon ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22166
PUBLISHED: 2021-01-15
An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method
CVE-2021-22167
PUBLISHED: 2021-01-15
An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
CVE-2021-22168
PUBLISHED: 2021-01-15
A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
CVE-2021-22171
PUBLISHED: 2021-01-15
Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
CVE-2020-26414
PUBLISHED: 2021-01-15
An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.