Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/28/2016
11:00 AM
Brian NeSmith
Brian NeSmith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

A Ransomware Tutorial For SMBs

Small-to-medium-sized businesses are an easy target for ransomware. Here are four tips that will minimize the risk.

The year 2016 will long be remembered as the “year SMBs learned about ransomware.” Major businesses have fallen victim to the crime including MedStar, Hollywood Presbyterian Medical Center, Michigan Utility BWL, and even branches of the government. The name recognition of these organizations landed them in the headlines, but what is less frequently reported is the fact that small businesses are actually some of the most at-risk, targeted organizations for this growing crime.

Small-to-medium sized businesses typically have limited resources to create a dedicated security team, or even hire a single, dedicated security engineer. This leaves them exposed to a number of threats without proper support as an attractive target for cybercriminals. According to a recent report by Ponemon, more than half of small businesses have been breached in the past 12 months. When it comes to ransomware in particular, most SMBs don’t realize that when they are hit, the impact extends far beyond a one-time financial loss. The disruptive incident can bring the business to a halt, hinder a company’s reputation and cause them to lose customers and clients. It can also make them a major target for future attacks as victims willing to pay up.

Similar to most malware, ransomware leverages user error as the entry point, with the attack oftentimes entering through email. However, once the ransomware is installed, the likeness between the two end. While malware is known for being dormant and slowly collecting data over time, ransomware is designed to infect the network rapidly, initiating file encryption in just three seconds. It achieves this by installing itself and then immediately reaching out to a command-and-control server to retrieve a key, which it then uses to disable access to data, leaving an organization without access to business-critical data.

Timeline of a Ransomware Infection: 3 Seconds to Encryption

●     0:00.0 - User clicks on phishing email

●     0:01.0 - User unknowingly downloads ransomware

●     0:01.5 - Ransomware unpacks and executes

●     0:02.0 - Ransomware downloads the encryption keys

●     0:02.5 - Scans computer to identify all attached drives

●     0:03.0 - File encryption begins

●     Encryption Completed - User gets ransomware notification

With user error the main point of entry, ransomware can be nearly impossible to prevent. But giving all employees basic training about how ransomware happens and how to react is a good first step. Beyond that, the best defense is rapid detection, response, and remediation. Due to the rapid pace of infection, employees should take immediate action to turn off their computer to limit the number of files the ransomware has time to encrypt.

When the computer is stabilized, the next step is to wipe it of all programs and files – which is why it’s critical that organizations have a trusted and tested backup and disaster recovery plan in place. Without that backup plan, companies will be left with no other option than to pay the ransom and hope all their files are released back to their control. Paying the ransom also makes the company a huge target moving forward, with cybercriminals well aware that the company is ill equipped for protection and remediation. 

Ransomware shows no signs of slowing down but there are concrete steps that SMBs can take to minimize their risk:

●  Backup your data/files. Perform system backups regularly and often to ensure any data held for ransom can be recovered internally. Without a backup plan, businesses will have no choice but to pay for their stolen files.

●  Monitor your network. It is possible to detect when ransomware dispatches if you’re diligently monitoring your network by analyzing your logs, clearing out your alerts, and processing threat feeds. If the infection is detected quickly and the workstation disabled immediately, you can recover the data within 24 hours, and often in as quickly as five minutes.

●  Regularly train all of your users. User error is the key to ransomware’s success, so educating users on security basics such as not opening emails from unknown senders and downloading attachments is critical. You should also train users on how to spot security threat warnings and deal with them properly.

●  Keep your security defenses up to date. A sound security strategy comes down to discipline. Most organizations make investments in antivirus or email scanning systems, but if these are not updated regularly to ensure the latest signatures and patches are in place, they become less effective at blocking and flagging suspicious activity.  

Related Content:

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Brian brings more than 30 years of experience to Arctic Wolf Networks. In his previous position as CEO of Blue Coat Systems, he led the company's growth from $5M to over $500M per year as the industry's leading web proxy platform. Prior to that, Brian was the CEO of Ipsilon ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.