By now, you’ve most likely heard the news: ransomware is here and it’s a problem.
Businesses of all types and sizes are targeted by criminals in this extortion scam that exploits vulnerabilities within an organization’s staff and technical processes to deliver malicious software. Once installed on a computer or mobile device, the malware can encrypt documents or entire operating systems, rendering them inaccessible or inoperable until a ransom fee is paid by the victim.
The impact can be devastating. Imagine not being able to access your company’s email, customer information or vital records for days or even weeks. Such was the case when the Hollywood Presbyterian Medical Center fell victim to a ransomware attack in March 2016, which kept the hospital offline for over a week until it agreed to pay the criminals approximately $17,000 in Bitcoin.
Victims not only face monetary losses associated with the ransom and loss of business during the downtime, but also the additional costs associated with the forensic review of their systems to ensure that the ransomware has, in fact, been removed and no other malware installed. There is also the loss of employee productivity and, most importantly, customer trust.
The Federal Bureau of Investigation (FBI) reports that more than 1,800 complaints were filed in 2014 regarding ransomware with a loss of more than $23 million. In 2015, that number increased more than 30% to more than 2,400 complaints with a reported loss of more than $24 million.
Ransomware is typically delivered through emails targeted to a specific individual within a business. While the email and its contents appear to be legitimate, they often contain malicious attachments or links to websites that host an exploit kit.
The good news is that ransomware can be prevented by implementing and following basic cyber hygiene practices. The bad news is that the best technical defenses can be undone by employees, who are often the weak link in these social engineering scams; therefore, educating staff on these types of scams is essential.
Employees should be taught to be cautious when opening emails, links or attachments they don’t expect or recognize, even if the message appears to come from someone on their “safe” contact list. When in doubt, employees should contact the sender to confirm legitimacy. Since ransomware is also present in downloadable games and file-sharing applications, employees should be taught to download software only from sites approved by the company, if at all.
The FBI recommends that businesses take the following steps to protect themselves against infection:
- Patch operating systems, software, and firmware on digital devices (e.g., using a centralized patch management system).
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts. No user should be assigned administrative access unless absolutely needed, and administrator accounts should be used only when necessary.
- Configure access controls, including file, directory and network share permissions appropriately.
- Disable macro scripts from office files transmitted over email. Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
- Use virtualized environments to execute operating system environments or specific programs.
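The software restriction and whitelisting items above can be checked against process-start records before a policy is enforced. The following is an added example, not code from the article or the FBI; the folder names, approved install roots and sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: user-writable folders standing in for the "common ransomware
# locations"; the article does not list them, so adapt this to your policy.
DENY_FOLDERS = {"appdata", "temp", "tmp", "downloads"}
# Hypothetical allow-list of approved install roots (lower-case).
ALLOW_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
               "c:\\windows\\system32\\")

def normalize(image_path):
    # normpath folds "/" into "\" and resolves "..", so a traversal sequence
    # cannot make a user-writable folder look like an approved root.
    return ntpath.normpath(image_path).lower()

def evaluate(image_path):
    """Return 'allow', 'deny-location' or 'deny-unlisted' for one program path."""
    path = normalize(image_path)
    folders = set(path.split("\\")[:-1])
    if folders & DENY_FOLDERS:
        return "deny-location"      # runs from a restricted location
    if path.startswith(ALLOW_ROOTS):
        return "allow"              # known and permitted by policy
    return "deny-unlisted"          # default deny: not on the allow-list

def audit(events):
    """List (host, verdict) for every process start the policy would block."""
    verdicts = ((e["host"], evaluate(e["image"])) for e in events)
    return [(host, v) for host, v in verdicts if v != "allow"]

# Constructed sample process-start records (not real telemetry).
EVENTS = [
    {"host": "TELLER-01", "image": "C:\\Program Files\\Vendor\\core.exe"},
    {"host": "TELLER-02", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"},
    {"host": "TELLER-03", "image": "C:/Program Files/../Users/jdoe/AppData/Roaming/update.scr"},
    {"host": "TELLER-04", "image": "D:\\tools\\portable.exe"},
]

if __name__ == "__main__":
    for host, verdict in audit(EVENTS):
        print(host, verdict)
```

Path rules like these are the weakest form of allow-listing; production policies usually also match on publisher signature or file hash.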
THE BEST DEFENSE IS A GOOD OFFENSE
While training staff and implementing appropriate technical measures to avoid the delivery of ransomware to your systems is your first line of defense, these scams will evolve and become more difficult to detect. Businesses must proactively prepare to protect and recover their data and systems in the event they become infected with ransomware.
The FBI recommends having a robust data backup and recovery plan for resuming and continuing operations, including:
- Systematically backing up data and verifying the integrity of those backups.
- Securing backups and ensuring that they are not connected to the computers and networks they are backing up.
- Maintaining copies of files, particularly sensitive or proprietary data, in a separate secure location.
- Categorizing data based on organizational value and implementing physical/logical separation of networks and data for different organizational units.
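One way to verify the integrity of a backup is to record a hash manifest when the backup is taken and compare the copy against it before relying on it for recovery. This is an added example, not code from the article or the FBI; the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backup files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_backup(manifest, backup_root):
    """Compare a backup with its manifest; store the manifest offline too."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest
                           if p in current and manifest[p] != current[p]),
    }

def demo():
    # Constructed sample: a two-file backup, checked before and after damage.
    files = {"ledger.csv": b"acct,balance\n1,100\n", "customers.db": b"alice\nbob\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)
        clean = verify_backup(manifest, root)
        # Simulate damage: one file overwritten, one deleted, one stray file added.
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(b"\x00" * 32)
        os.remove(os.path.join(root, "customers.db"))
        with open(os.path.join(root, "unexpected.txt"), "wb") as f:
            f.write(b"constructed placeholder\n")
        return clean, verify_backup(manifest, root)

if __name__ == "__main__":
    print(demo())
```

A matching manifest shows the copy is unchanged since it was taken; a periodic test restore is still needed to confirm the data is usable.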
The FBI does not advocate paying the ransom as this does not necessarily guarantee receipt of a decryption key from the criminals; however, the FBI acknowledges that executives must evaluate all options to protect their customers, employees and shareholders. Contact your local FBI Cyber Task Force for assistance and report all instances of ransomware and other criminal cyber activity to the FBI’s Internet Crime Complaint Center.
As Vice President of Payments and Cybersecurity at the American Bankers Association, Heather mentors and advises financial institutions on cybersecurity best practices. Heather can be reached at firstname.lastname@example.org or 800-BANKERS. The American Bankers Association provides additional cyber-related information and tools specifically for financial institutions at aba.com/cybersecurity.