It spreads like a wildfire. “It can never happen to me! I can’t get infected; I am protected. I have taken all the precautions necessary not to get infected.” No, we are not talking about a serious disease. We are talking about ransomware: malware that encrypts not only the data on your computer, but can also reach any “drive” on your network that you have access to and encrypt that information as well. The encryption holds the data “hostage” with the sole purpose of extorting money from the victim: payment is demanded in exchange for the decryption key that will restore their valuable data.
Chances are that you know of a person or business that has suffered a ransomware attack. The malware does not discriminate: an outbreak can occur in small or large businesses, local municipalities (even police departments), school districts and hospitals. In fact, in February 2016, a California hospital (Hollywood Presbyterian Medical Center) was hit with ransomware and, as a result, its network was offline for over a week. That meant no access to email, patient data and other critical documentation, which affected the daily operations of the hospital. What would the impact be if ransomware hit your business and you had little or no access to critical information for over a week? The global spread and impact of ransomware further indicates this is a pandemic!
A number of ransomware threats have become prevalent, including CryptoLocker and CryptoWall. These malware families have been linked to a number of different emails and/or links on websites. No matter how the infection took place, the result is the same: the malware gets downloaded to a PC, scans all physical and network (logical) drives and encrypts certain file types. It can also attack USB thumb drives attached to the infected computer, along with folders that are mapped to cloud storage solutions (e.g. Dropbox).
Files that get encrypted are typically popular data formats, including Microsoft Office documents, Adobe files, iTunes or other music player libraries and photos. The files are encrypted using a combination of two encryption schemes, 256-bit AES and 2048-bit RSA, which renders them useless without the decryption key; brute force or other tools cannot break the encryption on these files. When the ransomware has finished encrypting files on the PC, it will typically display a payment screen that prompts the user to send a ransom payment to decrypt the files.
The user is then given a limited amount of time to pay the ransom (typically 72 hours) or the encryption key is deleted, making the encrypted files permanently inaccessible. Typically, the ransom must be paid using Bitcoin, an untraceable payment system. Once a payment is made and verified, the victim receives the decryption key to decrypt the files held for ransom.
By the time a user notices that ransomware has infiltrated a computer, most of the damage has already been done. If a computer is infected, first disconnect it immediately from any wireless/wired networks. Although there are software tools that can remove the malware from a computer, once files have been encrypted they cannot be decrypted without the decryption (private) key. Essentially, three options then exist: 1) pay the ransom, 2) restore any encrypted files from the most recent backup, or 3) assuming a good backup does not exist, chalk this experience up to a cyber-incident and format the hard drive to start from scratch (all too often, even if the infected computer was “cleaned” of ransomware, remnants of the malware still exist and may cause problems later).
The key here is having a usable and viable backup. Many times, as a result of a ransomware infection, businesses learn that their backup is not working effectively or is not backing up all files. In either situation, the user may have to resort to option 1 or 3: pay the ransom or format their computer, resulting in lost, unretrievable files.
Although there is no solution to guarantee that a computer will not be infected with ransomware, there are a number of steps to mitigate risk.
Backup, Backup and Backup – Having a usable and viable backup (not just a copy of files) can substantially mitigate risks and protect your data. Make sure the backup runs daily and that all files are part of this process. Full daily backups will help ensure a smoother recovery if there is a ransomware attack. Make sure the backup process actually works end to end by performing a restore. Restore files from backup on a monthly or quarterly basis to provide peace of mind.
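One way to make the periodic restore test concrete is to compare a restored copy against the live files, file by file, rather than trusting that the backup job reported success. The following is an added example, not code from the original article or any backup product; it assumes a plain directory-to-directory restore, and the directory names and sample files it builds are constructed for the demo.

```python
"""Restore verification: compare a restored tree against the live source tree.

Added example, not part of the original article. Assumes a simple
directory-to-directory backup; paths and sample files are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(source: Path, restored: Path) -> dict:
    """Check that every file under `source` exists in `restored` with identical content.

    Returns a report with three lists of relative paths: files that restored
    correctly, files missing from the restore (never backed up), and files whose
    content differs (truncated, corrupted, or backed up after encryption).
    """
    report = {"ok": [], "missing": [], "mismatched": []}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        candidate = restored / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif sha256_of(candidate) != sha256_of(src_file):
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed source tree and a flawed restore, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for d in (source / "finance", restored / "finance"):
            d.mkdir(parents=True)
        # Constructed sample data standing in for real business documents.
        (source / "finance" / "q1.xlsx").write_bytes(b"Q1 figures " * 50)
        (source / "memo.docx").write_bytes(b"board memo " * 20)
        (source / "photo.jpg").write_bytes(b"\xff\xd8 pretend jpeg " * 10)
        # The restore: one file correct, one silently truncated, one never backed up.
        (restored / "finance" / "q1.xlsx").write_bytes(b"Q1 figures " * 50)
        (restored / "memo.docx").write_bytes(b"board memo " * 10)
        return verify_restore(source, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

In practice you would point `verify_restore` at a real share and at a restore performed onto a scratch location, and treat a non-empty `missing` or `mismatched` list as a failed backup test, not just a warning. The hash comparison is what catches the common failure modes the article describes: files excluded from the job, and files that were already encrypted when the backup ran.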
Don’t Open Emails From Strangers – One of the most common ways ransomware is transmitted is through email. Try not to open emails from people you are not familiar with. DO NOT open attachments or click on links in unfamiliar emails.
Minimize Network Access – Perform an assessment to determine the level of access each user has to information on the network. As mentioned previously, ransomware can reach beyond the PC it originally infected to the files on the network, affecting the entire company. Limiting each user's access to network files will help contain these risks.
Patch, Patch and Patch – Patches for various software (operating systems, firewalls, application software) become available on a regular basis. Patches should be applied to the software your organization uses (weekly or monthly) in order to mitigate risks and give attackers fewer options for infecting your system(s) with ransomware.
Train Employees – More often than not, ransomware infections are the result of an employee opening an email, opening an attachment or clicking on a link from an unknown source. Train employees on what to look for and how to avoid infected emails and/or websites. This will help mitigate not only ransomware but other types of cyber-related issues (e.g. phishing attacks).
Maintain An Endpoint Solution – Many of the virus/malware protection solutions (endpoint products) for PCs will detect ransomware and eliminate the threat. Keeping endpoint solutions up to date (as with patches) is important to ensure that new variants of ransomware will be detected and removed. Running different virus/malware solutions on servers, firewalls and PCs can also strengthen threat detection and removal.
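Endpoint products handle signature and behaviour detection, but a defender can add a cheap tripwire of their own on file shares, which is where the article notes ransomware spreads beyond the first PC: plant decoy “canary” files that no user should ever touch and record their hashes, then periodically check that they are unchanged and that ordinary uncompressed documents have not suddenly turned into high-entropy ciphertext. The following is an added example, not from the original article or any endpoint vendor; the canary names, watched extensions, entropy threshold and sample files are all constructed assumptions.

```python
"""Canary-file and entropy tripwire for a file share.

Added example, not from the original article or any endpoint product.
Assumes decoy files that no legitimate user touches; all names,
thresholds and sample data below are constructed.
"""
import hashlib
import math
import tempfile
from pathlib import Path

# Uncompressed formats only: plain text normally sits around 4-5 bits/byte,
# so a jump toward 8 is a strong sign the content has been encrypted.
# Already-compressed formats (docx, xlsx, jpg, mp3, zip) are near 8 bits/byte
# even when healthy, so they are covered by the canary/hash check instead.
ENTROPY_CHECKED_SUFFIXES = {".txt", ".csv", ".rtf", ".xml"}
ENTROPY_THRESHOLD = 7.5  # bits per byte (constructed cut-off; 8.0 is the maximum)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, names=("00_canary.xlsx", "zz_canary.docx")) -> dict:
    """Write decoy files at both ends of the sort order (an encryptor that walks
    directories in order reaches the early-sorting one first) and record their
    hashes as the baseline."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(b"decoy document, do not edit " * 32)
        baseline[str(p)] = sha256_of(p)
    return baseline


def scan(root: Path, baseline: dict) -> list:
    """Return alerts: canaries missing or modified, and watched files whose
    content now looks like ciphertext."""
    alerts = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if not p.is_file():
            alerts.append(f"canary removed: {p.name}")
        elif sha256_of(p) != digest:
            alerts.append(f"canary modified: {p.name}")
    for p in sorted(root.rglob("*")):
        if (p.is_file() and str(p) not in baseline
                and p.suffix.lower() in ENTROPY_CHECKED_SUFFIXES):
            ent = shannon_entropy(p.read_bytes())
            if ent > ENTROPY_THRESHOLD:
                alerts.append(f"high entropy ({ent:.2f} bits/byte): {p.name}")
    return alerts


def demo() -> list:
    """Constructed share: one healthy text file, one file overwritten with
    ciphertext-like bytes, and one canary that has been tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = plant_canaries(share)
        (share / "notes.txt").write_bytes(b"meeting notes for the finance team\n" * 40)
        # Stand-in for an encrypted file: every byte value equally often (8.0 bits/byte).
        (share / "invoices.csv").write_bytes(bytes(range(256)) * 16)
        # Simulate the encryptor reaching the first canary.
        (share / "00_canary.xlsx").write_bytes(b"\x00" * 64)
        return scan(share, baseline)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run `scan` from a scheduled task under an account that only has read access to the share, and wire a non-empty alert list to whatever paging or ticketing the organisation already uses. The entropy check deliberately covers only uncompressed formats; for Office files, images and music the canary hashes are the reliable signal, because those formats look like random bytes even when untouched.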
While we cannot eliminate the threat of ransomware, we can significantly mitigate the risk of an attack and reduce the potential consequences. Organizations can no longer believe “it can’t happen to me,” because it can and most likely will. Start by understanding where your organization may have areas of weakness and assessing where improvements can be made in systems, patches, employee training and, most importantly, in your backup solution.