This column is available in a weekly newsletter called IT Best Practices.
You know it's bad when a cyber crime wave makes victims out of U.S. police departments. Law enforcement agencies in at least seven states have been blackmailed by cyber attackers using ransomware. Data on departmental computers has been encrypted by malware and held hostage, with the demand that a ransom be paid in bitcoins. Unaccustomed to giving in to criminals, many of the agencies refused to pay and subsequently lost access to their information forever.
Cyber criminals also have been targeting U.S. hospitals. In one high profile case, a California hospital lost access to its critical patient records for a week until a ransom worth about $17,000 was paid. Experts estimate this particular facility was losing as much as $100,000 a day in just one department because it wasn't able to perform CT scans without access to its data.
Ransomware is running rampant around the world, and it's taking a tremendous toll on individuals and businesses alike. The ransom money, if paid out, is just the tip of the iceberg when it comes to the cost of the attack. The real costs can be tallied in terms of lost productivity and business opportunities, the resources needed to respond to the attack, and repairing or replacing affected systems.
Large foreign crime syndicates that operate on a global scale are responsible for the majority of attacks. Many of the campaigns behind ransomware attacks are industrial in nature. For example, McAfee Labs researchers saw more than 4 million samples of ransomware in the second quarter of 2015 alone. Symantec reports detecting just one ransomware variant 500,000 times in a span of 18 days. The attacks are quite profitable for the criminals. McAfee estimates the perpetrators are collecting between $10 million and $50 million a month from victims all over the world.
There are ways to protect your systems to prevent becoming the next victim, or at least to mitigate the effects of the attack, but you need to act before an attack strikes. Researchers say it can take less than 5 minutes from the time the malware gets on a system to the time when primary files are encrypted, backup files are deleted, and the demand for ransom is presented.
That said, here are some steps for surviving a ransomware attack:
Plan your response now – For most types of ransomware attacks, minutes and seconds count, so the time to plan how to respond is well before an attack happens. Experts recommend developing an incident response plan that is specific for this type of attack. The plan should detail roles, responsibilities and actions to take as soon as the organization becomes aware of an active attack.
Back up your data – Ransomware attacks are known for encrypting current data and also deleting backup data wherever it can be reached. CryptoLocker encrypts files on all mapped drives. This includes external devices such as USB thumb drives, backup services like Carbonite, and cloud file stores where a drive letter has been assigned. Make sure backups aren't accessible from endpoints through disk mounts, because they will be encrypted too.
Gary Warner, chief threat scientist at PhishMe, recommends keeping multiple serialized backups in case newer ones become corrupted or get encrypted. If you are able to restore your data from recent backups, the attack really becomes a non-issue. What's more, having good backups is practically the only way to recover from an attack if you don't want to take your chances with paying the ransom and hoping the attacker will provide the decryption key. (Keep in mind that paying the ransom is no guarantee that you'll get the decryption key, or that it will work.)
Keep your anti-virus software current – All of the major anti-virus software vendors are doing research on ransomware so they can try to keep up with the threats that are continually changing. By their very nature, AV signatures will always be a step behind the latest variants, but they should be good enough to stop a high percentage of attack attempts.
Screen emails for phishing/malware – The 2016 Verizon Data Breach Incident Report says that email messages with malicious attachments or links are a major avenue for installation of ransomware. FireEye confirms that most ransomware is delivered via email. This makes it important to screen incoming emails and filter out what appear to be phishing messages or malicious attachments. It's especially important to filter on executable files, since some phishing messages disguise executable files as ordinary PDF files.
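To make that last point concrete, here is an added example (not from the original column) of the kind of attachment screen a mail gateway rule can apply: it flags executable extensions, the "invoice.pdf.exe" double-extension trick, a hidden right-to-left override character in the filename, and attachments whose name says PDF but whose leading bytes are a Windows executable. The attachments are constructed samples.

```python
# Constructed sample attachments (filename, leading bytes of content).
# Windows executables begin with the "MZ" magic; real PDFs begin with "%PDF".
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),      # double extension
    ("quote.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),            # renamed executable
    ("report_pdf.scr", b"MZ\x90\x00\x03\x00\x00\x00"),       # screensaver = executable
    ("statement\u202egpj.exe", b"MZ\x90\x00"),               # RTL override hides .exe
    ("notes.txt", b"Quarterly numbers attached.\n"),
]

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def screen_attachment(filename, content):
    """Return the reasons to quarantine this attachment, or [] if none."""
    reasons = []
    # A Unicode direction override makes "...\u202egpj.exe" display as "...exe.jpg"
    if "\u202e" in filename or "\u202d" in filename:
        reasons.append("unicode direction override in filename")
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        # "invoice.pdf.exe": a document extension right before the real one
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Content check: the name claims PDF but the bytes do not
    if ext == "pdf" and not content.startswith(b"%PDF"):
        reasons.append("extension .pdf but content lacks %PDF header")
    if content.startswith(b"MZ") and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("Windows executable (MZ header) with non-executable extension")
    return reasons


def screen_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each filename to its quarantine reasons."""
    return {name: screen_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        verdict = "QUARANTINE" if reasons else "pass"
        print(f"{verdict:10} {name!r}: {', '.join(reasons) or 'clean'}")
```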
Teach people not to fall for phish attempts – Humans are the weak link. We are gullible and trusting, and we fall for social engineering tricks that get us to open and click on the phishes that come our way. Teach your workers to be cognizant of their actions and help them to recognize suspected phishing messages so they don't open the ransomware in the first place.
Authenticate the sources of email – Beyond scanning incoming emails for threats, you can gain more confidence in the mail your users receive by authenticating the senders of messages using technologies like Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF). (See DMARC is having a positive impact on reducing spoofed mail and How to implement DMARC in your organization.)
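As an added illustration (not part of the original column), the following code parses a domain's published DMARC and SPF records and reports what protection they actually give receivers, since a record with p=none or +all authenticates nothing in practice. The domain names and records are constructed samples.

```python
import re

# Constructed DNS TXT records for made-up domains (no real lookups are performed).
SAMPLE_RECORDS = {
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "_dmarc.strict.test": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s",
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.test ~all",
    "weak.test": "v=spf1 a mx include:one.test include:two.test +all",
}

def assess_dmarc(record):
    """Findings on how much protection a DMARC record actually gives."""
    # DMARC syntax is "tag=value; tag=value"; tag names are case-insensitive
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked, not rejected")
    elif policy != "reject":
        findings.append(f"missing or unknown policy p={policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100: policy is enforced on only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def assess_spf(record):
    """Findings on the SPF 'all' qualifier and the 10-lookup budget (RFC 7208)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' lets any host on the internet send as this domain")
    elif last not in ("-all", "~all"):
        findings.append("record does not end with a '-all' or '~all' mechanism")
    # include, a, mx, exists and redirect= each cost a DNS lookup; >10 is a permerror
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:/=]", t.lower().lstrip("+-~?"))[0]
                  in ("include", "a", "mx", "exists", "redirect"))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, permerror")
    return findings
```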
Prime your defensive systems – Security researchers have come up with a lot of indicators that you can enter into your defensive systems so they can block or quarantine activity pertaining to ransomware. There are numerous sources of intelligence feeds, including security vendors, industry ISACs (information sharing and analysis centers), and government security agencies. Various lists of intelligence feed sources can be found at http://thecyberthreat.com/cyber-threat-intelligence-feeds/ and http://thecyberthreat.com/government-cyber-intelligence-sources/.
Use endpoint protection solutions – Ransomware usually lands on end user devices, so protect them with endpoint protection applications. Numerous solutions in this area do everything from sandboxing suspicious software to running all applications in a virtual machine so they can't spread their actions beyond a single device. From a network standpoint, if an endpoint is found to be compromised, it should be quarantined as quickly as possible. This can help prevent the malware from affecting shared files.
Have a ransomware disaster recovery plan – In the event that an attack does get through and is successful in encrypting, deleting or damaging files, you need a plan on how to recover from the attack. Since you don't know if the attack dropped hidden latent software on your systems, it's best to replace rather than repair systems if possible. Also consider the impact to your business if you have to restore data from an older backup, or you can't recover the data at all.
In the case of ransomware, the old adage "An ounce of prevention is worth a pound of cure" is quite appropriate. The best way to survive an attack is to be thoroughly ready for it in the first place.