What is it? How to stop it? What to do if it happens?
Ransomware is a type of malware (malicious software) designed to block access to a victim’s computer files, systems, networks, or entire devices until a ransom is paid to the attacker. Your data is held “hostage” until payment is made.
Almost always, the data is encrypted with strong encryption, making the affected files unreadable unless a decryption key is provided. After encryption, a notification (a text file, a pop-up, the desktop wallpaper, etc.) explains what has happened and provides payment instructions.
In a more recent and increasingly common variant, the attacker also steals the data and threatens to leak or sell it if the ransom isn’t paid. This is even more iniquitous, as it makes it more difficult to continue doing business after the attack.
In our personal experience, the attack doesn’t happen at once, but happens over time. Once a single node (computer, server, network storage, etc.) is infected, the infection spreads across the network. If the attacker has the advantage of time (over a holiday or three-day weekend), they will “test the fences” to try hacking passwords of other devices – time clocks, phone systems, etc.
For the attack to be successful, it has to happen quickly. If users start noticing encrypted files, the staff may work to thwart the plan and leave the business minimally damaged.
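The “noticing encrypted files” step can be automated. The following is an added example (not part of the original post or any IHS Consulting tooling): it scores the Shannon entropy of file writes and raises an alert when a burst of near-random (ciphertext-like) writes lands inside a short window, the signature of bulk encryption starting on a quiet weekend. The event list and timestamps are constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of 'data'. Text and office documents usually score 4 to 6;
    encrypted output sits close to the 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_encryption_burst(events, window_seconds=60, threshold=5, min_entropy=7.0):
    """events: iterable of (timestamp, path, content_bytes) taken from a file-write log.
    Returns the paths in the first burst of at least 'threshold' high-entropy writes
    that fall within 'window_seconds' of each other, or [] if no such burst exists."""
    hot = sorted((ts, path) for ts, path, data in events
                 if shannon_entropy(data) >= min_entropy)
    window = timedelta(seconds=window_seconds)
    for i in range(len(hot)):
        burst = [path for ts, path in hot[i:] if ts - hot[i][0] <= window]
        if len(burst) >= threshold:
            return burst
    return []

# Constructed sample telemetry (not real data): two ordinary document saves, then a
# burst of writes whose contents look like ciphertext and carry a new extension.
PLAINTEXT = b"Q3 revenue summary: receipts up 4% over plan.\n" * 80
CIPHERTEXT = bytes(range(256)) * 16          # uniform byte distribution, entropy exactly 8.0
T0 = datetime(2024, 1, 6, 2, 0, 0)           # early hours of a Saturday on a long weekend
SAMPLE_EVENTS = [
    (T0, r"\\fileserver\finance\budget.xlsx", PLAINTEXT),
    (T0 + timedelta(minutes=15), r"\\fileserver\finance\notes.docx", PLAINTEXT),
] + [
    (T0 + timedelta(minutes=30, seconds=3 * i),
     rf"\\fileserver\finance\doc{i}.xlsx.locked", CIPHERTEXT)
    for i in range(8)
]

if __name__ == "__main__":
    hit = detect_encryption_burst(SAMPLE_EVENTS)
    print(f"ALERT: {len(hit)} ciphertext-like writes within 60 s" if hit else "no burst detected")
```

A real deployment would feed this from an EDR or file-server audit log and tune the window and threshold to the share’s normal save rate so that a legitimate bulk copy of archives does not trip it.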
Estimates are that 75%-90% of ransomware attacks start with email. Everything from notices of inheritance to very convincing bank notifications, from fake Amazon delivery notices to emails apparently from known members of your organization, can in fact be PHISHING. Much less common ways to get infected – also known as attack vectors – are:
- Compromise of remote access such as for a vendor or remote users
- Software vulnerability
- Internal users intentionally infecting the network
- Malicious Websites
HOW TO PREVENT RANSOMWARE
- Most importantly, train staff to be more careful when opening and responding to email
- Use email filtering and endpoint protection to prevent phishing attempts from being delivered or malware from infecting endpoints
- Password Security – prevent users from posting passwords on post-its. Use strong passwords and multi-factor authentication. Require password expiration and forbid shared passwords
- Keep all operating systems and software patched. Do not ignore notices from application vendors about updates.
- Use vulnerability management software. Subscribe to CVE Announce or make sure your I.T. partner does.
WHAT TO DO IF IT HAPPENS
Paying the ransom rarely has the desired effect. The attackers may partially decrypt your data while maintaining presence in your environment, make secondary demands, or simply take the money and disappear. Most information security professionals agree that the best solution is to “shoot the hostage” – do not attempt to get the data back, and recover as best you can with what you have.
IHS Consulting can help you analyze your environment, provide user training, design and implement a backup regime both on premise and off site and otherwise design a plan to prevent – and respond to – a host of cyber threats to your business.