Capping IT Off

Capping IT Off

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

What is the Best Strategy for Dealing with Ransomware?

Category : Security

Ransomware is the fastest growing type of malware: 2015 saw the number of cryptolocker attacks double[1]. The malware programs encrypt parts of a computer system and the user is asked to pay a fee (ransom) before files on the computer can be decrypted and made accessible again.

The nightmare scenario

It’s difficult to imagine the sense of shock and horror that people experience when they have been targeted with ransomware, but every one of us is at risk of attack.

You sit down to start work one morning. You switch on you computer and find that you can’t open any of your files – they have been encrypted and can’t be opened. Suddenly a polite message appears, demanding money for the files to be unlocked. A deadline is indicated, after which the files will be destroyed, and every day you delay in paying, the price will go up.

Is this really happening? How can it be happening to you? What did you do wrong?

Every type of business, from sole traders to global corporations, are at risk. The attacks are usually well planned, with time taken to find the right channels and vulnerabilities in order to attack at the weakest point. Computers often become infected when unsuspecting users are prompted to open a malicious email attachment.

In June this year, the University of Calgary became the latest organization to succumb to this crime and pay out to hackers: “The University of Calgary transferred 20,000 Canadian dollars-worth of bitcoins ($15,780) after it was unable to unwind damage caused by a type of attack known as ransomware.”[2]

There are two main types of ransomware:

•       Locker ransomware – access is denied to certain drives, but data is not encrypted. Therefore, upon removal, there is less chance of damage or destruction of the data itself.

•       Crypto ransomware – data such as emails, documents, and pictures are encrypted and can’t be opened by the victim.

Government organizations are equally at risk from attack, with hospitals, schools, police departments, and local government organizations all being hit. Unfortunately, because encryptions are almost impossible to break (without the key), the ransom money is often paid, thus proliferating the problem by providing the hacker with funding and motivation to find the next victim.

The most successful hackers use principles of good customer service to make the payment process smoother for the victim, including an FAQ section, a guide to making bitcoin payments, and even helplines in the ransom note. This illustrates how confident the hackers have become and how well-developed their systems of extortion are.

A lack of planning is a lack of defense

Due to the constantly evolving nature of this crime, and the sophistication of the malicious applications, decrypting data is not normally feasible. In this case the most effective action is prevention rather than treatment. In some cases decryption is possible, but this should not be relied upon as a strategy.

Awareness and planning are areas that companies will be investing more money in the coming years. Awareness affects every end user and planning involves the backing up of data on unconnected drives.

Endpoint malware has become increasingly sophisticated, ranging from mass malware loaded with ransomware (as in the case of the Trojan “CryptoLocker”) to targeted in-memory attacks used in conjunction with zero-day application and OS exploits. With these threats in mind, 32% of North American and European security decision-makers are expecting to increase their endpoint security spending in 2016 by at least 5%[3].

This extra investment shows just how seriously companies are taking this risk. Hackers recognize that they can charge higher ransoms to companies, and companies are more likely to pay because the encrypted data might be crucial to the functioning of the business.

The role of the IT partner

To combat the threat from ransomware, companies need to take proactive, preventative steps to reduce risk and to increase their defense of the latest threats. The basic principles of security in IT networks are: training, establishing robust security processes, and making use of new layers of protection to reduce the risk of your network being compromised.

To reduce the threat of ransomware, companies should use protection against exploits and ensure that their security solutions include behavioral detection methods. These are all things that an IT service provider should have built into the cybersecurity strategy of their services. Effective disaster recovery plans and business continuity plans must also be in place in case the worse does happen, however.

Four practical steps to reducing the risk posed by ransomware

Below, there are four practical steps to reduce your exposure to ransomware:

•       Improve awareness:

The first step in preventing infection with ransomware is to make users aware of the risks when opening attachments and hyperlinks to web pages. Increase awareness of online safety for both consumers and businesses

•       Set up governance:

For companies it is important that users can only access the files they need for their jobs. This can help prevent contamination of data from other departments. Both the risk of contamination and their effects should be limited in this way. It is therefore important to achieve governance compliance in respect to the access and processing of data.

•       Drafting procedures:

To minimize the damage from infection, it is also important to establish policies and procedures to maintain up-to-date computers and software, and to make regular backups of information for restoring data in the event of an incident.

•       Backup:

To prevent data loss, you should, of course, ensure regular backups of valuable files are made and store these in an isolated, safe place. This type of storage policy also ensures that the backups are safe from a fire or burglary. Restore on a safe, clean system with no CryptoLocker to avoid an infinite loop of backup and restore. When an infection is detected, systems (either automatic or manual) should be in place to turn off the computer and disconnect network cables as well as peripherals to prevent further spread. Good antivirus software must be installed and kept up-to-date. Finally, learn from any CryptoLocker incident and apply an appropriate defense.

In an ideal world, nobody would pay the ransom. You should always, however, report the crime to the police. This provides more insight into the extent of the problem and helps in the fight against it.

The best form defense is to avoid being the weakest target. By using the advice above and an expert IT partner, I sincerely hope that you do not become a victim of ransomware.

 

About the author

Jerome Desbonnet
Jerome Desbonnet

Leave a comment

Your email address will not be published. Required fields are marked *.