Ransomware is the worst nightmare for many IT departments and business owners. The impact of a ransomware attack is instant and recovery is incredibly difficult. Within hours, a thriving business can be completely locked out of its sensitive data. In some cases the consequences can be severe. Imagine a hospital being locked out of patient records, for example. Entire cities can even be targets of cybercriminals- In 2019, a high-profile ransomware attack infected most of Baltimore’s government computer systems, holding the city hostage. So how can you mitigate ransomware attacks for your organization?
In this Touchstone Guide, we do a deep dive into understanding ransomware. We will cover:
- What is a Ransomware Attack
- How Ransomware is Distributed
- How to Mitigate Ransomware Attacks
- How to Recover From a Ransomware Attack
What is a Ransomware Attack?
Ransomware attacks abuse encryption by locking legitimate users out of their sensitive data. Typically a user downloads a file, installs a file via USB drive, or falls victim to a phishing email. After the malicious code is installed, the infection begins. The ransomware begins systematically encrypting the hard-drive of the computer that it was installed on. As you might imagine, this can have dramatic consequences for users.
How is Ransomware Distributed by Cybercriminals
So how exactly do malicious actors distribute ransomware? There are four primary methods of distribution.
Phishing emails account for the vast majority of successful cyberattacks. They employ social engineering tactics to scam unsuspecting users and coerce them to click on malicious links. Phishing emails come in many forms and are used by malicious actors to install keyloggers, scam people to wire money, buy gift cards, or download malicious files. Seemingly benign email attachments could result in a cyberattack. Phishing attacks also are the primary way in which ransomware is distributed. Typically users are enticed to download a file containing ransomware, which then auto-executes.
Spear-phishing is essentially a highly targeted phishing campaign. Most phishing emails are mass emailed to hundreds of thousands or even millions of victims. Spear-phishers take the time to investigate the organization they are attacking, which enables them to impersonate key individuals. These attacks can be substantially harder to detect and can range from fairly basic to extremely sophisticated.
Typosquatting attacks occur when malicious individuals register domains that are incredibly similar to commonly frequented ones. Unsuspecting users then visit these domains and accidentally enter sensitive information or download malicious files that can access encrypted data. In many cases, these downloads may be in the form of “drive-by downloads” where the malicious code is downloaded without the user’s knowledge, subsequently auto-executing on their computers. While typosquatting is less common than phishing, it remains a common vector for ransomware.
Due to the prevalence of cyber-threats, many people overlook the physical aspect of information security. Malware attacks and ransomware can easily be distributed via physical media devices such as USB drives. Several high-profile ransomware infections have occurred through this method. In one instance, attackers mailed USB sticks to random households hoping that people would be curious enough to plug them in and see what was on them.
Hopefully you should now have a reasonable understanding of what ransomware is and how it is distributed, so let’s move on to how you can prevent yourself from becoming a victim.
How to Mitigate the Risk of a Ransomware Attack
Ransomware is surprisingly easy to prevent if you are willing to practice basic cyber-hygiene. Here are some easy steps you can take that will substantially lower your risk of being hit with an attack.
Train your Employees
Security awareness training is one of the most cost-effective ways to reduce your chance of suffering a ransomware attack. By training your users to avoid phishing and typosquatting, you can often prevent an attack before it even happens. From an Information Security standpoint, it is far better never to download a malicious file than to hope that an antivirus program catches it. Here are some great free training resources you can use:
DHS End User and Administrator Cybersecurity Training
Cyber Readiness Institute
Keep your Devices Patched
Ransomware has been around for a while (since the early 2000s in fact). However, for many it came to prominence with the advent of WannaCry Ransomware. Hundreds of thousands of computers were infected within hours of the attack, and losses totalled over a billion dollars. WannaCry abused an exploit in Windows that was already patched. Unfortunately, many individuals and companies had never downloaded and installed the patch, which left them vulnerable to attack. Ensure that you are keeping all IT systems and servers up to date with the latest patches. Here are some resources you can use to check for the latest updates:
Windows Latest Updates
Apple Latest Updates
Have Data Backups and Disaster Recovery in Place
Backup and disaster recovery doesn’t prevent ransomware or malicious software. But it can turn what would be a devastating cyber incident into a minor inconvenience. Work with a well-regarded MSSP or MSP to create a backup and disaster recovery plan customized to your organization and ransomware protection plan. Backups and plans should be regularly tested to ensure that you could quickly recover from a potential incident with minimal loss of productivity or data and even encrypted files. It isn’t enough just to have a backup/disaster recovery strategy. In order for it to be effective it has to be continuously monitored and tested to ensure that it works.
Use Endpoint Security
Antivirus software is not perfect in preventing malicious software. If you have not already, you should strongly consider switching to an advanced endpoint security solution. Advanced endpoint security uses Machine Learning and Artificial Intelligence to catch attacks that traditional anti-virus software can mix. We highly recommend investing in additional next generation endpoint protection.
Ensure Your Email Server Has Content Filtering
Most email providers filter content by default. Gmail and other email providers have invested millions of dollars in automatically sorting spam and phishing emails out of users’ primary inboxes. However, depending on the email provider you may want to add additional layers of protection by using content filter software.
Use Two-Factor Authentication
Two-Factor Authentication (2FA) can reduce the risk that an employee’s email account or work-related mobile devices are hacked and used to access personal information and distribute ransomware throughout the organization. Enabling 2FA on email accounts and mobile devices is free, easy, and can save you thousands of dollars in lost revenue. 2FA is one of the easiest and most cost effective ways to mitigate the chances of a ransomware attack.
Utilize Regular Penetration Testing
Penetration testing involves having an outside party attempt to breach your network to check for any vulnerabilities. By engaging a third party to conduct a regular pen-test, you can identify weaknesses before a malicious actor does. Regular pen-tests also provide valuable lessons on where your organizational cybersecurity needs to improve.
Implement Security Policies and Procedures
Many organizations see policies and procedures as wasted paperwork. However, when security policies and procedures are both used and enforced, they can make all the difference. Plans should include preventing employees from engaging in personal business on laptops and desktops, a list of approved software vendors, and requiring the reporting of any real or suspected incident. Establishing clear guidelines and expectations for cybersecurity early on makes a huge difference.
Encourage Incident Reporting
Many employees may be afraid to report potential security incidents, fearing that they may lose their jobs. You need to make it clear that you encourage a policy of openly reporting any potential incidents. Employees should feel comfortable alerting their managers that there may be an issue. This simple step can save hours, or even days, allowing you to isolate the ransomware infection and prevent it from spreading to other servers and computers.
Engage an MSSP
Managed Security Service Providers can help you craft a security plan that includes a disaster recovery plan that fits your business. An MSSP can help identify areas where your organization has weak security. MSSPs also offer far more robust security services, including network monitoring, intrusion prevention systems, simulated phishing attacks, and other tools and techniques to lower your risk profile.
Touchstone Security offers a free ransomware Risk Assessment to ascertain the level of risk your company faces. This assessment allows you to accurately gauge what you need to decrease organizational risk and improve your security.
How Do You Recover From Ransomware?
Unfortunately, you can have done everything possible to mitigate the risk of a ransomware attack and still have one. Perhaps a third-party contractor accidentally exposed you, maybe an employee missed their training, or your IT department forgot to push a Microsoft Security update. In any case, you’ve been compromised, so what should you do now?
Isolate Infected Systems Quickly
The first and most important thing you need to do is isolate the infected systems from your network. Immediately disconnect from the network and consider powering the machine off. The last thing you want is for the ransomware to spread to other devices, causing more damage and chaos with any type of malware.
Get Cyber Insurance
No matter how good your cybersecurity program is you can still be compromised. Purchasing a high-quality cyber insurance plan that includes coverage for instances of ransomware can save you vast amounts of money later on. The quality of cyber insurance varies dramatically so ask around and get some quotes, make sure to read the fine print of what’s covered and how much is covered.
Contact Incident Response Professionals
Ransomware grows more sophisticated every year. If you become the victim of a ransomware attack, even if you isolate the affected systems, you are still at risk. We highly encourage you to contact cybersecurity incident response professionals who can help remove the malware from your IT infrastructure and ensure that all IT systems are safe to use again. You don’t want to run the risk of only partially removing the malware, which could result in even more data loss. Touchstone Security can help if you have been the victim of a ransomware attack. Please click the contact us button at the bottom of the page to get in touch if you have experienced an attack so we can get you in touch with our security experts. We have experience responding to incidents with various types of malware.
Incorporate Lessons Learned
After any cyberattack or security incident has been resolved, you should incorporate lessons learned to ensure that you can respond even more effectively. Sit down with your internal team and the external company who responded to the incident. Work together to develop a plan of action to prevent future malware incidents. When the next security event occurs, you will be that much more prepared to deal with it.
Still unsure about ransomware? Contact Touchstone Security for a free Ransomware Risk Assessment to find out how vulnerable you may be. We will work with you to test your systems and ensure that you are adequately protected.