I know what you're thinking: not another ransomware publication. It has certainly been the hottest IT security topic of summer 2016 and shows no signs of slowing. On LinkedIn alone there have been over 5,000 posts in the past six months on the subject. The publicity is warranted, and there are enough publications with explanations and scary statistics to test the resolve of even the hardiest IT administrators. What is distinctly lacking, however, is a sensible and comprehensive step-by-step plan for dealing with these threats.
When I was filmed for the Business Reporter in August on the subject of ransomware, I was asked how organisations should prepare for the threat of ransomware. For the sake of keeping the video to a palatable length, I responded with a brief four-step plan, part proactive and part reactive, which all organisations can follow with little change to their existing networks.
As article readers are generally a little more patient than video watchers, I can expand on these steps:
1. Proactive: System Defence
Ransomware has been observed, in almost all cases, to be delivered as a file-based Trojan: put simply, email attachments, web downloads and removable media. It follows that the ingress, egress and storage points for files should be monitored and scanned. In addition, patching applications and operating systems shrinks your attack surface and makes what remains harder to exploit. In fact, it has been reported that 44% of all breaches involve vulnerabilities for which patches had been available for up to four years (HP, 2015).
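What "monitored and scanned" can mean at a file ingress point, as an added example that is not part of the original article: a small inspector that flags the shapes ransomware droppers usually take, based on both name and content rather than extension alone. The extension lists, the size cap and the sample files are the editor's own assumptions and constructions, not any vendor's rules or real malware.

```python
"""Added example: inspect files arriving at an ingress point (mail attachments,
web downloads, removable media) for the shapes ransomware droppers usually take.
The extension lists, size cap and samples are the editor's assumptions."""
import io
import zipfile

# Extensions Windows will run directly or hand to a script host (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}
# Office formats whose trailing 'm' means the file may carry VBA macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Document types used as a disguise in double-extension names (invoice.pdf.exe).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_INNER = 8 * 1024 * 1024   # assumed cap on an uncompressed archive member
MAX_DEPTH = 2                 # assumed limit on nested archives


def _extensions(name):
    """All dotted suffixes of the basename, lower-cased: 'a.PDF.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part for part in base.lower().split(".")[1:]]


def inspect(name, data, depth=0):
    """Return a list of findings for one file; an empty list means nothing flagged."""
    findings = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append("executable or script extension %s" % last)
    if last in MACRO_EXTS:
        findings.append("macro-enabled Office document")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS | MACRO_EXTS:
        findings.append("double extension disguised as %s" % exts[-2])
    # Content, not name: a Windows PE image starts with 'MZ' whatever it is called.
    if data[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        findings.append("PE executable content under a non-executable name")
    # Zip containers (plain .zip, but also OOXML such as .docx) are opened and
    # each member inspected, up to MAX_DEPTH levels of nesting.
    if data[:4] == b"PK\x03\x04" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # An OOXML document with macros carries a vbaProject.bin part.
                if any(n.lower().endswith("vbaproject.bin") for n in names):
                    findings.append("Office document contains a VBA project")
                for info in zf.infolist():
                    if info.file_size > MAX_INNER:
                        findings.append("%s: member too large to scan" % info.filename)
                        continue
                    for f in inspect(info.filename, zf.read(info), depth + 1):
                        findings.append("%s: %s" % (info.filename, f))
        except zipfile.BadZipFile:
            findings.append("unparseable zip container")
    return findings


def _make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n, d in members.items():
            zf.writestr(n, d)
    return buf.getvalue()


def constructed_samples():
    """Constructed test files for the demonstration; none of these are real malware."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    return {
        "invoice.pdf.exe": pe_stub,
        "holiday.jpg": pe_stub,
        "report.docx": _make_zip({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"\x01\x02\x03"}),
        "cv.zip": _make_zip({"cv.js": b"WScript.Echo('hello');"}),
        "notes.txt": b"just text",
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, inspect(name, data) or "clean")
```

The point of the content checks is that renaming is free for an attacker: `holiday.jpg` is flagged because it begins with a PE header, and `report.docx` because the zip inside it carries a VBA project, neither of which an extension blocklist would catch. In production the same logic would sit behind a mail gateway or share-monitoring hook and quarantine rather than print.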
2. Proactive: User Defence
File-based malware generally relies on user interaction to run, and so it relies on persuasion: it has to fool a user into executing it. Emails purporting to be from suppliers, CVs and offers of job promotion are all examples of social engineering seen in ransomware attacks. With training, however, your users can become your best form of defence. No one is better at spotting out-of-the-ordinary behaviour in a job role than the person who occupies that role. Leveraging that may be not just the best form of defence but also the last.
3. Reactive: Backup Critical Systems
Although some older, less sophisticated ransomware strains can be reversed, the more modern versions have evolved to be more resilient. By far the best response to a ransomware infection is to restore the endpoint to a point prior to infection. This raises two questions: are you backing up your critical systems? And are those backups held in a location that is not itself susceptible to infection, that is, one the infected endpoint cannot write to?
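The two questions above can be made mechanical, as an added example that is not from the original article: record a hashed manifest when each backup is taken, then choose the newest backup that predates the infection and prove its stored copy still matches the manifest before restoring from it. The paths, timestamps, contents and the XOR stand-in for encryption are all constructed for the demonstration.

```python
"""Added example: record a hashed manifest when a backup is taken, then use it
both to pick the newest backup that predates the infection and to prove that
the copy being restored was not itself reached and encrypted. All paths,
timestamps and contents are constructed for the demonstration."""
import hashlib
from datetime import datetime


def digest(data):
    return hashlib.sha256(data).hexdigest()


def make_manifest(files):
    """files: {path: bytes} as they are at backup time -> {path: sha256 hex}."""
    return {path: digest(data) for path, data in files.items()}


def verify_backup(manifest, stored):
    """Paths in the manifest that are missing from, or changed in, the stored copy."""
    return [path for path, h in manifest.items()
            if stored.get(path) is None or digest(stored[path]) != h]


def choose_restore_point(backups, infection_time):
    """Newest backup taken before the infection whose stored copy still matches
    its manifest; None if no such backup exists."""
    before = [b for b in backups if b["taken"] < infection_time]
    for b in sorted(before, key=lambda b: b["taken"], reverse=True):
        if not verify_backup(b["manifest"], b["stored"]):
            return b
    return None


def simulate_encryption(files):
    """Stand-in for what ransomware does to every file it can write: scramble
    the content and rename it. XOR is used only so the sample runs offline."""
    return {path + ".locked": bytes(b ^ 0x5A for b in data)
            for path, data in files.items()}


def scenario():
    """Constructed timeline: offline backup, reachable share backup, infection,
    then a nightly backup of the already-encrypted tree."""
    live = {"finance/ledger.xlsx": b"Q2 ledger", "hr/contracts.docx": b"signed contracts"}
    # Backup 1: copied to offline media, unreachable from the endpoint afterwards.
    offline = {"name": "offline-2016-08-14", "taken": datetime(2016, 8, 14, 2, 0),
               "manifest": make_manifest(live), "stored": dict(live)}
    # Backup 2: copied to a network share the endpoint can still write to.
    share = {"name": "share-2016-08-15", "taken": datetime(2016, 8, 15, 2, 0),
             "manifest": make_manifest(live), "stored": dict(live)}
    infection = datetime(2016, 8, 15, 9, 30)
    # The infection encrypts the live tree and everything writable from it.
    live = simulate_encryption(live)
    share["stored"] = simulate_encryption(share["stored"])
    # Backup 3: the next nightly job faithfully backs up the encrypted tree; its
    # manifest verifies perfectly, which is why the timestamp filter matters.
    post = {"name": "share-2016-08-16", "taken": datetime(2016, 8, 16, 2, 0),
            "manifest": make_manifest(live), "stored": dict(live)}
    chosen = choose_restore_point([offline, share, post], infection)
    return chosen["name"], verify_backup(share["manifest"], share["stored"])


if __name__ == "__main__":
    name, damaged = scenario()
    print("restore from:", name)
    print("share backup damaged paths:", damaged)
```

The reachable share backup fails verification because its files were rewritten and renamed along with the live tree; the backup taken after the infection passes verification but is excluded by time; only the offline copy is both intact and pre-infection. For this to hold in practice the manifests themselves must be kept where the endpoint cannot rewrite them, for example alongside the offline copy or signed at backup time.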
4. Reactive: Payment
I cannot stress enough how important it is that you never pay. It has been reported that ransomware has become the most profitable malware for cyber-criminals, with the projection that by the end of 2016 nearly one billion dollars will have been spent on ransoms (Herjavec Group, 2016). Every time someone pays, this form of attack becomes more attractive to the criminals; we encourage them and even fund the development of the next strain of ransomware. Never pay, and we use what we know about business against them: supply and demand.
This is not a definitive cure; regardless of what you may have been told, there isn't one. But these four steps go a long way towards reducing your overall risk of ransomware infection. Risk management, that crucial cornerstone of IT security, always has been and always will be the best form of defence.