In 2014, death reached a man through the Internet. A 36-year-old Romanian, who had been surfing porn sites, committed suicide after a notice from a computer virus threatened him with prison unless he paid a “fine” of thousands of dollars. The virus was IcePol ransomware.
This devastating breed of malware is getting ever more dangerous, reaching new levels of complexity as it hits smartphones and tablets that store crucial personal and enterprise-level documents. Unfortunately, encrypted communications between attackers and elusive infection workflows make it difficult for traditional detection-based security solutions to identify and block ransomware.
Ransomware has become a growing menace for companies, targeting employees with ingeniously crafted messages and techniques. More than once, employees have proven to be companies’ weakest links, especially since companies have embraced the BYOD/BYOA trend. As we’ve seen with previous incidents, a successful intrusion can cause tremendous damage: destruction of sensitive or proprietary information, disruption of operations, and huge financial and reputation losses. Attackers usually aim at targeted files, databases, CAD files, and financial data. For example, the infamous CryptoLocker was used to encrypt more than 70 different file extensions, including .doc, .img, .av, .src, and .cad.
Where should businesses intervene to prevent becoming vulnerable to ransomware? Here are eight essential recommendations for companies looking to bolster their defenses:
- Educate employees in good computer practices and in identifying social engineering attempts and spear-phishing emails. Downloading attachments from unsolicited emails and accessing compromised sites after clicking pop-up ads are two of the most frequent vectors of infection with ransomware. Newer variants of ransomware have also been seen to spread through removable USB drives or IM clients, with the payload disguised as an image.
- Install, configure, and maintain an advanced endpoint security solution. A multilayered security solution will include an intrusion-detection system with behavior-blocking components that monitor devices and look for actions typically initiated by malware.
- Enable software restriction policies to allow only specifically identified applications to run. These measures will reduce the risk of infection by restricting scripts and other untrusted apps from running.
- Use a firewall to block all incoming connections. An advanced firewall solution includes security capabilities such as intrusion prevention, content/URL filtering, and encrypted traffic inspection. This helps prevent attacks and unauthorized network traffic and, ultimately, protects an organization’s most critical assets.
- Make sure programs and users have the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Enable system restore to recover the previous versions of encrypted files. System restore allows you to boot your system and to restore your computer to a known clean state. Bear in mind that it might not work with all types of malware.
- Deploy and maintain a comprehensive backup solution. Cloud-based disaster recovery can be an efficient option for data storage, helping organizations to remain agile regardless of the catastrophe – human error, malware infection, or natural disaster.
- Make sure all systems and software are up to date with relevant patches. Needless to say, ransomware takes advantage of vulnerabilities in outdated software – such as browser plugins like Flash Player, Java, and Adobe Reader – to corrupt systems.
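
The behavior-blocking idea from the endpoint security recommendation above, sketched as an added example (not code from this article or from any product): it flags a process that modifies many files of the types listed earlier as CryptoLocker targets within a short time window. The event format, the thresholds, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Extensions the article lists as CryptoLocker targets.
WATCHED_EXTENSIONS = {".doc", ".img", ".av", ".src", ".cad"}
# Assumed tuning values, not taken from the article.
WINDOW_SECONDS = 10
MAX_DISTINCT_FILES = 5
MODIFYING_OPS = {"write", "rename", "delete"}


def flag_bulk_modifiers(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_FILES):
    """Return {pid: first_alert_time} for processes that modify more than
    `limit` distinct watched files within any `window`-second span."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, path)
    alerts = {}
    for ts, pid, op, path in sorted(events):
        if op not in MODIFYING_OPS:
            continue  # reads (backup, indexing, AV scans) are not counted
        if PureWindowsPath(path).suffix.lower() not in WATCHED_EXTENSIONS:
            continue
        q = recent[pid]
        q.append((ts, path))
        # Drop records that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if pid not in alerts and len({p for _, p in q}) > limit:
            alerts[pid] = ts
    return alerts


def sample_events():
    """Constructed file-activity records: (seconds, pid, operation, path)."""
    docs = "C:\\Users\\alice\\Documents\\"
    events = []
    # pid 4242: rewrites eight documents in four seconds (bulk pattern).
    events += [(100 + i * 0.5, 4242, "write", f"{docs}plan{i}.doc") for i in range(8)]
    # pid 1010: an editor saving the same two files over a minute.
    events += [(90 + i * 20, 1010, "write", f"{docs}notes{i % 2}.doc") for i in range(4)]
    # pid 2020: a backup agent that only reads the same documents.
    events += [(95 + i * 0.1, 2020, "read", f"{docs}plan{i}.doc") for i in range(8)]
    # pid 3030: touches six drawings, but only one every 30 seconds.
    events += [(100 + i * 30, 3030, "write", f"{docs}part{i}.cad") for i in range(6)]
    return events


if __name__ == "__main__":
    print(flag_bulk_modifiers(sample_events()))
```

Only the bulk writer is flagged with the default values; widening the window catches the slow writer as well, which is the tuning trade-off between missed detections and false alarms on legitimate batch jobs.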
Ransomware is a powerful and sophisticated threat that can be re-engineered in ways that thwart traditional layers of defense. That is why businesses, financial institutions, government agencies, academic institutions, and other organizations carrying highly sensitive data should make use of all the security measures available to enforce their borders.