It’s been almost a year since a zero-day ransomware attack called WannaCry infected hundreds of thousands of machines all over the world. The attackers encrypted files on infected computers and tried to extort a ransom from their victims; those infected with WannaCry were initially told to pay $300 in Bitcoin. Victims were compromised through unpatched vulnerabilities in the Windows SMB service. Microsoft had known of the threat for months; however, many businesses do not keep up with their patches, which made them an easy target for WannaCry.
Every year, hackers become more sophisticated in the way they attack our digital infrastructure. In 2015, nearly 2,500 ransomware cases were reported to the Department of Justice’s Internet Crime Center (IC3), and $24 million were paid in damages. The monetization of malware is becoming a billion dollar industry. In today’s environment, malware needs to produce revenue, not just be disruptive. It is your duty as IT admin to stay ahead of these attackers, keep your information safe, and not succumb to millions of dollars in losses.
How to stay a step ahead of ransomware groups
Cybersecurity is no different from any other war: creating a plan is the first step to staying secure in this ever-changing digital space.
1. Be Aware - Ransomware attacks continue to occur at an alarming rate, and they can happen to you. With government agencies also being attacked, this is not just a business or private user matter. Since 2015, over 321 reports of ransomware activity have affected 29 different organizations. No one is immune to these kinds of attacks. Knowing they exist and informing our staff of the potential threat gives us the upper hand in keeping our data out of harm’s way.
2. Get patching - According to the Department of Homeland Security’s United States Computer Emergency Readiness Team, as many as 85 percent of all targeted attacks can be prevented by applying a security patch. Consistently applying patches as they are released will significantly reduce the chance of a malware infection.
3. Managing and backing up your files - Backing up your files to one location is not enough; keep your data backed up in at least two or three places. Ransomware professionals know to compromise your ghost files as well. It is your job as the IT authority in your organization to keep both your offline and online data up to date. Create a schedule and a log so you and your staff can keep track of when your files were backed up and where.
Having both an online and an offline backup keeps your information safe and easy to recover if you find data compromised. Ransomware attackers will not have the capability to access your online files; however, before restoring the information, be sure that there is no longer any malware on your servers.
4. Train your employees for potential attacks - Teach your staff about the importance of not opening emails that could house malware. Employing anti-spam and anti-phishing filters also protects your devices from infection. All of the computers within your organization are connected, so one download by any employee could cost your organization thousands or even millions of dollars.
Restricting software downloads on the computers within your organization is highly recommended, and we recommend having policies in place regarding the personal use of company computers. A simple downloaded game could carry hidden malware. An employee’s enjoyment of their favorite downloaded station is not worth the hours and money spent fixing infrastructure issues.
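Step 3 above asks for a backup schedule, a log of when each copy was made and where, and copies in more than one place, with the caveat that a copy should be checked before anything is restored from it. The following Python script is an added example (not code from the original post or from GFI Software) of auditing such a log: it checks that fresh copies exist in at least two separate locations and that each copy’s SHA-256 hash still matches the hash recorded when the backup was taken, so a copy that has since been overwritten or encrypted is flagged before anyone restores from it. The location names, file names, sample contents and the 24-hour schedule are constructed assumptions for the demonstration.

```python
"""Backup-log audit: checks that recent backups exist in enough separate
locations and that each copy still matches the hash recorded when it was
made, so an altered (for example encrypted) copy is caught before restore.
Added example; policy values below are assumptions, not from the post."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta

MIN_LOCATIONS = 2                 # "two to three places at the very least"
MAX_AGE = timedelta(hours=24)     # assumed schedule: a backup at least daily


def sha256_of(path):
    """Stream a file through SHA-256 so large backups are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_backup(log, location, copy_path, when):
    """Append a log entry: where the copy lives, when it was made, and its hash."""
    entry = {"location": location, "path": copy_path,
             "time": when.isoformat(), "sha256": sha256_of(copy_path)}
    log.append(entry)
    return entry


def audit(log, now):
    """Return a list of problems; an empty list means backups look restorable."""
    findings = []
    fresh = [e for e in log
             if now - datetime.fromisoformat(e["time"]) <= MAX_AGE]
    locations = {e["location"] for e in fresh}
    if len(locations) < MIN_LOCATIONS:
        hours = MAX_AGE.total_seconds() / 3600
        findings.append(f"only {len(locations)} location(s) backed up in the "
                        f"last {hours:.0f} hours; policy requires {MIN_LOCATIONS}")
    for e in fresh:
        if not os.path.exists(e["path"]):
            findings.append(f"{e['location']}: copy missing at {e['path']}")
        elif sha256_of(e["path"]) != e["sha256"]:
            findings.append(f"{e['location']}: contents changed since backup "
                            "(do not restore from this copy)")
    return findings


def demo():
    """Constructed scenario in a temp dir: two good copies, one later overwritten,
    then the same log checked after a missed backup day."""
    now = datetime(2018, 4, 1, 9, 0)
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "ledger.xlsx")        # constructed sample file
        with open(source, "wb") as f:
            f.write(b"quarterly figures, plain content\n" * 100)
        log = []
        for loc in ("online-share", "offline-usb"):    # constructed locations
            copy = os.path.join(d, loc + ".bak")
            with open(source, "rb") as src, open(copy, "wb") as dst:
                dst.write(src.read())
            record_backup(log, loc, copy, now - timedelta(hours=2))
        before = audit(log, now)
        # Simulate the online copy being overwritten with unreadable data.
        with open(os.path.join(d, "online-share.bak"), "wb") as f:
            f.write(os.urandom(3200))
        after = audit(log, now)
        # Simulate a missed day: the same log checked 30 hours later.
        stale = audit(log, now + timedelta(hours=30))
        return before, after, stale


if __name__ == "__main__":
    for name, findings in zip(("before", "after", "stale"), demo()):
        print(name, findings or "OK")
```

The hash is recorded at backup time, so it is a record of what the copy looked like when it was known good; a later mismatch means the copy changed after the fact and the other location should be preferred for restore. In practice the log would be written to a place the backed-up machines cannot modify, for the same reason the post keeps an offline copy.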
What if I do fall victim to ransomware?
Hopefully, the preventative measures you have put in place will prepare you if your system is compromised by ransomware. The first few hours of an attack are critical and need your immediate attention.
- First, call in an IT professional. They are the experts in what steps to take to quarantine the affected area and have it removed from your system. Make sure to report your incident to IC3 so that you have a record that the incident took place.
- Disconnect the infected device from your infrastructure immediately. Ransomware has a funny way of infiltrating everything within your organization in a matter of minutes. The longer the infected device stays connected, the more information is lost.
- Do your best not to remit any payment. Some ransomware attackers do keep their promise; however, if you can quarantine the infected device and you have your data backed up in another location, there may be no reason to pay them at all. The only time you should give in and pay the ransom is when you have no other choice.
Ransomware is a real threat. A good prevention plan, together with the know-how to fix your infrastructure in the event of an attack, will save your company time and money.
(This blog post originally appeared on TechTalk by GFI Software)