First of All, Who Are Ransomware’s Prime Targets?
Any company or organization that depends on daily access to critical data, and can't afford to lose that access for the days it takes to respond to an attack, should be most worried about ransomware. That means banks, hospitals, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure to a degree. Ransomware, for example, could affect the Windows systems that power and water plants use to monitor and configure operations. The slightly relieving news is that the variants known to date run on ordinary desktop and server operating systems and do not execute on the industrial controllers that actually run critical operations. The caveat is that losing the Windows engineering and monitoring workstations is still an outage: operators lose visibility and the ability to change settings until those machines are rebuilt.
Individual users are also at risk of ransomware attacks against home computers, and some of the suggestions below will apply to you as well, if you’re in that category.
1. Back Up
The best defense against ransomware is to make the attacker's threat empty: if you hold your own copy of the data they are holding hostage, there is nothing to pay for. That means backing up important data daily, so that even if your computers and servers get locked, you won't be forced to pay to see your data again.
Some ransomware attackers search out backup systems to encrypt and lock too, by first gaining entry to desktop systems and then manually working their way through the network to reach the servers. So if you back up to a local storage device or server rather than to the cloud, that device should be offline, or at least not reachable from the desktops where the ransomware or the attacker would be operating. Cloud backups are not automatically safe either: if the infected machine syncs its encrypted files into the same folder, the good copies are overwritten unless the service keeps prior versions, so use a backup product that keeps versions rather than a plain sync folder.
The same is true if you do your own backups with an external hard drive. Connect the drive only while the backup runs, then disconnect it: if the drive is attached when the ransomware runs, it is just another writable volume and gets encrypted along with everything else.
Backups won't necessarily make a ransomware attack painless, however. Restoring data can take a week or more, during which business operations may be impaired or halted, and a backup that has never been test-restored may turn out to be incomplete or unreadable when you need it. Practice the restore before you need it.
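The backup discipline above has two parts that are easy to get wrong: each run must produce a new copy rather than overwrite the last one, and you need a way to prove a copy is still intact before you restore from it. The following script is an added example, not code from the original article or from CANS. It assumes the backup root lives on a device that is attached only for the backup job (mounting and detaching are left to whatever runs the job), and it writes a SHA-256 manifest with every dated snapshot so a later check can detect files that were rewritten or renamed by ransomware that reached the backup volume.

```python
"""Versioned backup snapshots with an integrity manifest.

Added example, not from the original article. It assumes the backup root is
on a device that is attached only for the backup job; mounting and detaching
it is left to the job runner, this script only copies and checks.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, backup_root: Path, stamp: Optional[str] = None) -> Path:
    """Copy `source` into a new dated directory and write a SHA-256 manifest.

    Every run creates a fresh directory instead of overwriting the last one,
    so a run that copies already-encrypted files cannot destroy the earlier
    good copy; the manifest lets a later check prove the copy is untouched.
    """
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / stamp
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} already exists")
    shutil.copytree(source, dest)
    manifest = {p.relative_to(dest).as_posix(): sha256_of(p)
                for p in sorted(dest.rglob("*")) if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify(snapshot_dir: Path) -> dict:
    """Re-hash a snapshot against its manifest.

    Ransomware that reached the backup volume shows up as files 'modified'
    (rewritten in place) or as 'missing' plus 'unexpected' (rewritten and
    renamed with a new extension).
    """
    expected = json.loads((snapshot_dir / MANIFEST).read_text())
    present = {p.relative_to(snapshot_dir).as_posix()
               for p in snapshot_dir.rglob("*")
               if p.is_file() and p.name != MANIFEST}
    modified = [rel for rel, digest in expected.items()
                if rel in present and sha256_of(snapshot_dir / rel) != digest]
    return {"modified": modified,
            "missing": sorted(set(expected) - present),
            "unexpected": sorted(present - set(expected))}


def latest_clean_snapshot(backup_root: Path) -> Optional[Path]:
    """Newest snapshot whose manifest still verifies: the restore point."""
    for d in sorted(backup_root.iterdir(), reverse=True):
        if d.is_dir() and (d / MANIFEST).exists():
            if not any(verify(d).values()):
                return d
    return None


def demo() -> dict:
    """Snapshot a small constructed tree, then simulate ransomware reaching
    the snapshot and verify it. Returns the check results before and after."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, backups = root / "data", root / "backups"
    (src / "finance").mkdir(parents=True)
    (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
    (src / "notes.txt").write_text("quarterly notes\n")
    backups.mkdir()
    snap = snapshot(src, backups, stamp="20240101T000000Z")
    before = verify(snap)
    # Simulated attack on the backup volume: one file overwritten in place,
    # one rewritten and renamed the way many ransomware families do.
    (snap / "notes.txt").write_bytes(os.urandom(32))
    (snap / "finance" / "ledger.csv").rename(snap / "finance" / "ledger.csv.locked")
    after = verify(snap)
    return {"before": before, "after": after,
            "restore_point": latest_clean_snapshot(backups)}


if __name__ == "__main__":
    print(json.dumps({k: (str(v) if isinstance(v, Path) else v)
                      for k, v in demo().items()}, indent=2))
```

Run `verify` on the newest snapshot before you rely on it, and treat a non-empty result as a signal that the attacker reached the backup volume, not just that one file is bad. `latest_clean_snapshot` then tells you which copy is the real restore point; keeping the manifest next to the data is enough here because the point is detection, not tamper-proofing (an attacker who can rewrite the manifest can rewrite everything, which is why the device must be detached between runs).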
2. Just Say No—To Suspicious Emails and Links
The primary method of infecting victims with ransomware is every hacker's favorite bait, the "spray-'n'-pray" phishing attack: spamming you with emails that carry a malicious attachment or tell you to click a URL where malware is quietly dropped onto your machine. Ransomware crews have also adopted another highly successful method, malvertising, which compromises an advertising network to embed malware in ads that are then delivered through web sites you know and trust. Ad blockers are one way to block malicious ads, and patching known browser security holes thwarts the malvertising that relies on them.
When it comes to phishing, experts are divided about how much user training helps: teaching workers to spot such attacks and to scan an email attachment for malware before opening it. Our experience is that good training does produce a dramatic decrease in click-happy employees.
At CANS we have made simulated phishing part of our culture: once a month we send a simulated attack to each client's staff to keep them on their toes. With this awareness training we have seen the number of workers clicking on phishing emails drop from 15.9 percent to 1.2 percent in some companies.
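Training covers the user; the gateway should catch the same two tells mechanically. The script below is an added example, not code from the original article or from CANS, and it is the kind of hold-or-deliver rule a mail filter applies: it parses a raw message, holds any attachment with an executable or macro-enabled extension (and the classic `invoice.pdf.exe` double extension), and flags HTML links whose visible text names one host while the `href` points at another. The message and the extension lists are constructed for the demo and are illustrative, not a complete policy.

```python
"""Hold-or-deliver triage of an inbound message for the two tells above:
an attachment that executes, and a link whose visible text names a host
other than the one it points at. Added example, not from the original
article; the message is constructed and the extension policy illustrative."""
import email
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that execute or carry macros: block by default (illustrative).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "ps1", "msi", "docm", "xlsm", "pptm"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def attachment_findings(filename: str) -> list:
    """Reasons an attachment should be held, or [] if it passes."""
    parts = filename.lower().split(".")
    reasons = []
    if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable or macro-enabled extension .{parts[-1]}")
    # invoice.pdf.exe: a document-looking name with an executable tail
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and parts[-1] in EXECUTABLE_EXTS:
        reasons.append("double extension disguised as a document")
    return reasons


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html_body: str) -> list:
    """Flag anchors whose visible text looks like a URL for another host."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if "." not in text or " " in text:
            continue  # "Click here" carries no host to compare against
        shown = text if "://" in text else "http://" + text
        href_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(shown).hostname or "").lower()
        if href_host and shown_host and href_host != shown_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")
    return findings


def triage(raw_message: str) -> dict:
    """Walk every MIME part and collect attachment and link findings."""
    msg = email.message_from_string(raw_message)
    result = {"attachments": {}, "links": []}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            reasons = attachment_findings(name)
            if reasons:
                result["attachments"][name] = reasons
        elif part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
            result["links"].extend(link_findings(body))
    result["hold"] = bool(result["attachments"] or result["links"])
    return result


# Constructed sample: a spray-and-pray invoice lure carrying both tells.
SAMPLE_EML = """\
From: "Accounts" <accounts@supplier.example.com>
Subject: Overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Pay online at
<a href="http://pay.supplier-portal.example.net/login">www.supplier.example.com/pay</a>
or open the attached invoice. <a href="https://supplier.example.com/help">Contact us</a></p>
</body></html>

--b1
Content-Type: application/octet-stream; name="Invoice_2024.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2024.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==

--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The link check deliberately ignores anchors whose text is a phrase ("Contact us"), because there is no host to compare; the high-value case is text that looks like a URL for the site the sender is impersonating. In a real gateway the held message goes to quarantine with the reasons attached, which is also useful feedback for the awareness program: the same lures the filter holds are the ones worth replaying as simulations.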
3. Patch and Block
But users should never be treated as the last line of defense. Users will open attachments and they will visit infected sites, and when that happens your security technology has to catch what the user did not.
No security product is infallible either; otherwise individuals and businesses wouldn't be getting hit with so much ransomware and other malware. That's why companies should take the other standard security measures as well, such as patching software security holes so malicious software cannot exploit them to get onto systems.
In web attacks, vulnerabilities in third-party plug-ins like Java and Flash get exploited, so keeping those up to date (or removing them where they are not needed) matters as much as patching the browser itself.
Whitelisting the software applications allowed to run on machines is another way to resist attacks: the whitelist stops anything that is not already approved from executing, and a freshly dropped ransomware binary is by definition not approved.
Other methods include limiting user permissions so that malware cannot install itself without an administrator's password, which means everyday accounts should not be administrators. Access to critical data should also be segmented across separate servers. Rather than letting thousands of employees reach files on a single server, break employees into smaller groups with access only to the shares they need; ransomware encrypts every share the infected account can write to, so if one server gets locked it won't affect everyone. This tactic also forces attackers to locate and lock down more servers to make their assault effective.
4. Got an Infection? Disconnect
Administrators should disconnect infected systems from the corporate network and disable Wi-Fi and Bluetooth on those machines to stop the malware spreading to other machines over those paths. Disconnect rather than power off where you can: the running process and its memory may hold evidence, and sometimes key material, that a decryptor or forensic analysis can use, and a copy of the ransom note plus a few encrypted files should be preserved before anything is rebuilt.
Once that is done, determine which strain of ransomware has infected the network; the ransom note, the extension appended to encrypted files and a sample encrypted file are what identification services such as No More Ransom use. If it's a known variant, anti-virus companies may already have a decryptor that unlocks files or bypasses the lock without paying, depending on whether the attackers made mistakes in how they implemented their encryption (weak keys, keys left on disk or in memory, or a flawed cipher).
But if you haven't backed up your data and can't find a way around the encryption, the only remaining option for getting the data back is to pay the ransom, with no guarantee that the attackers will deliver a working key. Unfortunately ransomware can bring business operations to an immediate halt, and for individual victims who lose family photos and other personal files when a home system is hit, the pain is off the chart.
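Identifying the strain starts with scoping what the malware actually did on disk: which files were rewritten, what extension it appended, and which files are its ransom notes. The script below is an added example, not code from the original article or from CANS, and it makes no attempt to name a family; it produces the artifacts that the public identification services ask for. It uses two heuristics, both labelled as such: a file whose extension promises a known format but whose leading bytes no longer match (a `.pdf` that does not start with `%PDF`) has been rewritten in place, and a file of unknown type with near-maximal byte entropy is probably ciphertext. The victim tree it scans is constructed for the demo.

```python
"""Scope an infection before hunting for a decryptor: which files were
encrypted, which extension the malware appended, and which files are its
ransom notes. Added example, not from the original article; the sample tree
is constructed and the thresholds are heuristics, not signatures."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes expected for common types. A file called *.pdf whose content
# no longer starts with %PDF has been rewritten in place.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
NOTE_WORDS = ("decrypt", "bitcoin", "ransom", "your files")


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """'note', 'encrypted' or 'ok' for one file (heuristic)."""
    data = path.read_bytes()
    try:
        text = data[:4096].decode("utf-8").lower()
    except UnicodeDecodeError:
        text = ""
    if text and len(data) < 16384 and any(w in text for w in NOTE_WORDS):
        return "note"
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:             # type known: magic check is decisive
        return "ok" if data.startswith(expected) else "encrypted"
    if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "encrypted"               # unknown type: fall back to entropy
    return "ok"


def scope(root: Path) -> dict:
    """Walk a tree and summarise what the lookup services ask for."""
    encrypted, notes = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        kind = classify(p)
        rel = p.relative_to(root).as_posix()
        if kind == "encrypted":
            encrypted.append(rel)
        elif kind == "note":
            notes.append(rel)
    return {
        "encrypted": encrypted,
        "notes": notes,
        # the appended extension and the note filename are the identifiers
        "appended_extensions": Counter(Path(f).suffix.lower() for f in encrypted).most_common(3),
        "note_names": sorted({Path(n).name for n in notes}),
    }


def demo() -> dict:
    """Build a constructed victim tree and scope it."""
    root = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    (root / "docs").mkdir()
    (root / "docs" / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"A" * 500)
    (root / "docs" / "report.pdf").write_bytes(os.urandom(4096))         # overwritten in place
    (root / "docs" / "plan.xlsx.locked").write_bytes(os.urandom(4096))   # rewritten and renamed
    (root / "docs" / "budget.docx.locked").write_bytes(os.urandom(4096))
    (root / "photos.zip").write_bytes(b"PK\x03\x04" + os.urandom(4096))  # legitimate, compressed
    (root / "README_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Pay in bitcoin to decrypt them.\n")
    (root / "minutes.txt").write_text("Meeting minutes, nothing unusual here.\n")
    return scope(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run this against a disk image or a read-only mount of the victim, never against the live machine you have just disconnected. The entropy fallback will false-positive on compressed or already-encrypted data that has no entry in `MAGIC` (archives, media, password-protected documents), so extend the table for the file types your organisation actually holds before trusting the counts; the `.locked` extension and note name here are demo values, and the real ones are what you submit for a match.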