As antivirus vendors and cybersecurity professionals make headway against global malware and cyberattacks, hackers have evolved and become more advanced in order to profit from their exploits.
This has resulted in the use of innovative, ever-evolving malware such as CryptoLocker, CryptoWall, and more recently TeslaCrypt, to name a few. All of these fall under the ‘Ransomware’ family. According to an FBI report released in April 2016, these attacks increased significantly in 2015 and 2016.
Here are some examples of recent attacks:
- In February, Hollywood Presbyterian Medical Center, a hospital in Los Angeles, paid an approximate $17,000 ransom in bitcoin after the hospital’s computer systems were infected with ransomware and rendered inaccessible for a week.
- Municipal computers in Medfield, Massachusetts, were shut down for an entire week due to ransomware until a $300 ransom was paid to the hackers in order to resume operations.
- After a ransomware infection took control of school servers, Horry County school district in South Carolina paid attackers $8,500.
Ransomware is a form of malware used by an attacker to limit or prevent a victim from accessing their computing resources until a ‘ransom’ is paid. There are two main types: Lockscreen and Encryption ransomware. Lockscreen ransomware displays a message on the user’s screen that prevents them from accessing anything on the computer. Encryption ransomware encrypts the user’s files so they can no longer be opened; the files cannot be recovered without the decryption keys held by the attacker.
Older forms of ransomware relied on ‘scare’ tactics: the hackers claim that you must pay a ‘fine’ to the police or a government agency because some form of illegal activity was committed on your computer. This is known as Scareware.
Ransomware has become so profitable that the FBI projects such attacks will yield more than $1B in 2016. It affects everyone from home users to businesses and public agencies, and it can hit PCs, servers, and even mobile devices. Therefore, you need a robust set of controls to protect yourself.
- Backup Data Regularly – Ensure that you regularly back up, encrypt and securely store your data in an offsite location. Hard drives and network drives connected to your computer may also be encrypted during a ransomware attack, so be sure to keep a ‘disconnected’ copy. Timely backups are generally the most important way to ensure that you can recover from an attack.
- Limited Access Privileges – Limit the number of users with administrative privileges, and use a limited-access account for tasks that do not require administrative rights, to reduce how far an infection can spread.
- User Awareness and Training – These attacks involve many different elements of traditional malware. It is important that users receive the required training and are informed of the risks, including the methods by which malware is spread. Be sure to incorporate steps users should take if they ever become a victim to limit any potential damage early on.
- Regular Vulnerability Scans and Penetration Tests – This will assist you with identifying and mitigating vulnerabilities on your network. You want to close backdoors to your systems before hackers find them.
- Keep Software up to Date – Exploits rely on security flaws in popular applications, so keep operating systems, applications, anti-virus definitions and email filters updated and patched regularly to reduce vulnerabilities proactively.
- Disable Macros – While macros are powerful and efficient business tools, they can do almost anything a regular program can do, including install malware. It is important to ensure that macros are disabled by default, especially in documents received by email.
- Popup Blockers – Enable your browser’s popup blocker to stop potential malicious code from automatically executing on your device.
- Business Continuity Planning – Given the impact and high cost of downtime, it is essential that you are prepared for outages caused by attacks. Not only should your organization maintain a Business Continuity Plan, it should also consider conducting collaborative tabletop exercises on a recurring basis to ensure that business areas are adequately prepared for a disaster.
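The backup advice above only pays off if the stored copy is known to be intact when you need it. The following is an added example, not code from the original article: it records a SHA-256 manifest of a backup set and later compares a live or restored tree against that manifest, flagging files whose contents changed (as they would after in-place encryption), files that disappeared (for example, renamed with a new extension), and unexpected new files (such as a dropped ransom note). The file names, contents and the ransom-note name in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Persist the manifest; store it with the offline copy, never only on the live system."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a saved manifest.

    Returns sorted lists of paths that were modified (hash differs), missing
    (in manifest but gone), and new (present but not in manifest).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "new": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then simulate what an infection
    typically leaves behind and verify against the saved manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "data"
        (root / "docs").mkdir(parents=True)
        (root / "docs" / "report.txt").write_text("quarterly figures")
        (root / "docs" / "notes.txt").write_text("meeting notes")

        manifest_path = Path(d) / "manifest.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulated damage (constructed): one file overwritten with ciphertext-like bytes,
        # one renamed with a new extension, and a ransom note dropped at the top level.
        (root / "docs" / "report.txt").write_bytes(b"\x8f\x11\x3a\xc2\x07\x55")
        (root / "docs" / "notes.txt").rename(root / "docs" / "notes.txt.locked")
        (root / "README_DECRYPT.txt").write_text("constructed placeholder note")

        return verify_backup(root, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step when the backup is written and keep the manifest with the disconnected copy; run the verify step before trusting a restore or when an infection is suspected. The hash comparison is deliberately content-based, so a file that keeps its name but has been encrypted in place still shows up under `modified`.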
If you are ever infected, hopefully you have already made the necessary backups and have adequate plans to overcome the problem. If not, there are a few things you can do to try to recover your files or limit the damage.
- Disconnect Everything – As soon as you suspect your computer is infected, disconnect your devices from the Internet as well as any removable media to limit the spread of the infection.
- Utilize Ransomware Recovery Tools – Some ransomware has weaknesses in its implementation, and there are tools that help users remove it and recover files.
- Involve Relevant Authorities – Paying ransoms only encourages even more criminal behavior and there is no guarantee that you will receive your data back. Be sure to involve the authorities early on.
Cybercrime is a scary thought; it is important to take the necessary precautions to prevent infections as well as have a solid business continuity plan in the event of a ransomware attack.