Enterprise security and IT executives who are not concerned about ransomware threats today are probably in the midst of some sort of denial.
These types of incidents—in which an insidious type of malware encrypts or locks digital files and demands a ransom to release them—have been on the rise. And they present serious threats for organizations in a variety of industries.
Last year United States and Canadian government organizations issued a joint cyber alert regarding the rise in ransomware attacks.
The U.S. Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), released the alert to describe the various types of ransomware, stating, “the authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users’ systems can become infected with additional malware.”
Malware infections from ransomware “can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist,” the alert said.
The U.S. Federal Bureau of Investigation (FBI) noted in its own alert on ransomware in 2016 that large enterprises, small businesses, hospitals, school districts, state and local governments and law enforcement agencies were among the entities that had recently experienced ransomware attacks.
The potential results of a ransomware attack include the inability to access important business data and applications, loss of sensitive or proprietary information, disruption of operations, financial cost to restore systems, and harm to an organization’s reputation.
As the FBI noted, ransomware has been around for several years, but during 2015 law enforcement began to see a rise in these types of cyber attacks. In a ransomware attack, the bureau said, victims typically open an e-mail addressed to them and click on an attachment that appears legitimate, such as an invoice or electronic fax, but that actually contains the malicious ransomware code.
In other cases the e-mail might contain a legitimate-looking URL that actually directs the user to a Web site that infects their computer with malicious software. Once the infection is present, the malware can start encrypting files on local drives, attached drives, backup drives and other systems on the network.
“Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key,” the FBI said. The messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity the virtual currency provides.
Ransomware attacks aren’t just proliferating, the FBI report said, they are becoming more sophisticated. Years ago ransomware was usually delivered through spam e-mails. But because e-mail systems got better at filtering out spam, cyber criminals began leveraging spear phishing e-mails aimed at specific individuals.
In newer instances of ransomware, some attackers aren’t using e-mails at all and are bypassing the need for a user to click on a link. They do this by seeding legitimate Web sites with malicious code, taking advantage of unpatched software on end-user computers, the bureau said.
The FBI doesn’t support paying ransoms in response to these attacks, because paying them doesn’t guarantee organizations will get their data back. It recommends that organizations focus on two key areas: prevention efforts such as awareness training for employees and robust technical prevention controls; and the creation of a solid business continuity plan in the event of a ransomware attack.
Here are some tips the bureau provided for dealing with ransomware:
- Make sure employees are aware of ransomware and of their roles in protecting the organization’s data.
- Patch operating systems, software, and firmware on digital devices.
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts and only use administrator accounts when necessary.
- Configure access controls, including file, directory, and network share permissions appropriately.
- Disable macro scripts from office files transmitted over e-mail.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations.
In addition, as part of their business continuity efforts enterprises should back up data regularly and verify the integrity of those backups regularly.
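The last point, verifying backups rather than merely taking them, is what decides whether an organization can recover without paying. The following Python script is an added example, not code from the original article or from any FBI guidance: it records a SHA-256 manifest for a backup set at backup time and later checks the set against that manifest, so a backup that was quietly encrypted on an attached drive (the scenario described earlier) fails verification instead of being found unusable during recovery. The file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backup files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, manifest_path: Path) -> None:
    """Record the manifest at backup time; keep it off the backup volume
    (offline or read-only media) so malware on that drive cannot rewrite it."""
    manifest_path.write_text(json.dumps(build_manifest(root), indent=2))


def verify_backup(root: Path, manifest_path: Path) -> dict:
    """Compare the backup set against its manifest. Anything in 'modified' changed
    after backup: the signature of a backup drive encrypted in place."""
    expected, current = json.loads(manifest_path.read_text()), build_manifest(root)
    return {
        "modified": sorted(f for f in expected if f in current and current[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in current),
        "unexpected": sorted(f for f in current if f not in expected),
    }


def demo() -> tuple:
    """Constructed sample backup, verified before and after one file is overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, manifest = Path(tmp, "backup"), Path(tmp, "manifest.json")
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "q1-report.txt").write_text("quarterly figures")
        (backup / "ledger.csv").write_text("id,amount\n1,100\n")
        write_manifest(backup, manifest)
        clean = verify_backup(backup, manifest)
        (backup / "ledger.csv").write_bytes(b"\x7fENCRYPTED\x00" * 4)  # stand-in for ciphertext
        return clean, verify_backup(backup, manifest)
```

Run `verify_backup` from a scheduled job against each backup set, and treat any non-empty `modified` or `missing` list as an incident, not a housekeeping warning.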
Some security products on the market are designed to protect against ransomware attacks. For example, Bitdefender features a module in all of its classic line products (Antivirus Plus, Internet Security and Total Security) that is designed to protect certain folders from ransomware that infects clients’ PCs and encrypts personal files.