Late last year, Symantec Corporation released a survey on ransomware: malicious software that attempts to encrypt everything it can access, and then demands money (usually in a difficult-to-trace form such as Bitcoin). One of the most disturbing findings in the report is that ransomware has grown from less than 20% of all new malware types in 2014 to over 90% of all newly discovered malware types today. Why is this? Well, put simply, because it works. When an organization’s critical business data is directly compromised – with the promise of possibly regaining access and restoring business as usual – the temptation to simply pay $500-$1,000 in Bitcoin or gift cards is strong. However, there’s always one nagging question in the background: what if the attacker doesn’t actually give us the key to decrypt the files?
For this reason, ransomware has become one of the most pervasive and successful methods attackers use to monetize digital threats. And while a slight majority of victims today are individuals, the Symantec report points out that businesses are a growing target for ransomware attacks because, unlike individual consumers, they can afford a larger ransom to regain access to their data.
So what can we do about the pervasive threat of ransomware? As is often the case, it’s the fundamentals of information security that are best at mitigating this kind of threat:
- Back up your data – frequently. This one may seem obvious, but it’s the most effective way to mitigate a successful ransomware attack. Backups aren’t the most sexy part of information security, but they’re one of the most critical. And with so many options available today – real-time file mirroring, cloud backup options, and high-density on-premises backup solutions like LTO – there’s no rational reason for not having a full and incremental backup plan in place (stored so that users don’t have real-time access to the backup data, of course).
- Make sure your employees are aware of security threats. Ransomware’s most common entry point into the enterprise is either phishing emails or “drive-by” websites that exploit browser vulnerabilities. Employees should be trained regularly on how to distinguish legitimate emails from those attempting to get them to visit malware-hosting sites or open infected attachments. Similarly, users should be encouraged to understand the risks involved in accessing untrusted websites. As a backstop, organizations should also consider automated threat mitigation technologies such as inbound email filtering and outbound web proxies that prevent access to known blacklisted sites.
- Employ the principle of least privilege. Ransomware will usually attempt to encrypt everything it can find that’s writable within the context of the compromised user. That means if your employees have local administrator rights on their workstations, or have over-permissive access to network shares, your data is at risk. Make sure that employees only have write access to the folders and network locations that are absolutely necessary. The halcyon days of “shared network drives” are gone; use a web-based system (think Microsoft SharePoint, Citrix ShareFile, Egnyte, or Dropbox) to share files between users, as ransomware is not intelligent enough (yet…) to attack files and data that are shared using these methods.
- Get visibility into abnormal behavior. Continuous security monitoring is the most effective way to determine when something potentially bad – like a ransomware incursion – is occurring, so that it can be shut down quickly. That means monitoring for abnormal behavior such as a large number of open files in a user’s context, or a large number of file changes over a short period of time. Of course, continuous monitoring also means that someone is available to take action, 24x7x365.
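One way to implement the file-change burst check described in this bullet, as an added example that is not from the original post: a per-user sliding-window detector run over constructed file-server audit lines. The tab-separated log format, the field names, the 50-files-in-60-seconds threshold and the sample paths are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit-log lines (not from the original post).
# Assumed format, one event per line: ISO timestamp, user, action, path (tab-separated).
def build_sample_log():
    base = datetime(2017, 3, 1, 9, 0, 0)
    lines = []
    # alice: a handful of ordinary edits spread over most of an hour
    for i in range(5):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()}\talice\tWRITE\t/srv/finance/report{i}.xlsx")
    # bob: 80 distinct files rewritten in 40 seconds, the burst pattern the post describes
    for i in range(80):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()}\tbob\tWRITE\t/srv/finance/doc{i}.docx")
    return lines

# Actions that change file contents or names; reads are ignored.
WRITE_ACTIONS = {"WRITE", "RENAME", "DELETE"}

def parse_line(line):
    ts, user, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(lines, threshold=50, window=timedelta(seconds=60)):
    """Return {user: timestamp} for the first moment each user changed
    at least `threshold` distinct files within any span of length `window`."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, path), oldest first
    alerts = {}
    # Audit records may arrive out of order; the ISO timestamp leads each line, so a
    # plain string sort puts them in time order.
    for line in sorted(lines):
        ts, user, action, path = parse_line(line)
        if action not in WRITE_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        if user not in alerts and len({p for _, p in q}) >= threshold:
            alerts[user] = ts                # remember when the user first crossed the line
    return alerts

if __name__ == "__main__":
    for user, when in detect_bursts(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} user={user}: mass file modification")
```

The threshold and window should be tuned against a baseline of normal activity for each share; batch jobs and backup agents that legitimately touch many files need their own service accounts so they can be excluded rather than raising the bar for everyone.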
- Patch your systems. Ransomware is very often introduced into the environment by exploiting unpatched software, including both web browsers and applications that handle certain types of files (such as PDF viewers and embedded media players). By ensuring that all user workstations are patched to the latest versions of these components, the attack vectors that ransomware can successfully use to get into your environment are narrowed.
While the trend of ransomware incursions continues to grow, the good news is that these long-standing principles of “block-and-tackle” security basics can reduce the likelihood that your organization will be the next one to receive the dreaded request for $10,000 in Bitcoin.