Addressing the continually shifting threats posed by ransomware is top of mind for everyone these days. In this two-part blog series, our team breaks down the current state of ransomware activity and how best to prepare your organization to deflect it; in the next post, we’ll dig deeper into first-response strategies. If you prefer, the entire content is also available as a download in our free eGuide: Ransomware Readiness & Recovery Strategies.
The Cost Potential in Ransomware
Today, ransomware is a business – yes, a business. Driven mostly through ransomware-as-a-service platforms run by organized crime gangs, it is the fastest growing threat to business continuity today. A single ransomware campaign can net the criminals millions of dollars, in return for very little risk, expenditure, or chance of being caught.
Ransomware by the numbers:
- Annual Revenue: $1 Billion+
- Infections: 4,000+ per day
Source: FBI, 2019
Ransomware: Today’s Threat Reality
Ransomware now impacts organizations of every size, geography, and industry. Data-centric industries, or those holding very valuable data, are particularly targeted, but don’t think it won’t happen to you. It has become the greatest threat to most organizations’ operations. So take comfort that you are not the only one facing this menace. Most organizations are struggling to keep up with the shifting threat vectors and non-stop efforts of cybercriminals. It can feel like a game of “whack-a-mole”: once one threat is addressed, another more sophisticated one shows up.
Because ransomware is constantly evolving with intelligence, its success is hardly surprising. It sneaks past traditional defenses like secure email gateways and anti-virus software with ease. Users trigger the attack by clicking links or attachments that look all too legitimate. Most employees handle a flood of email each day that includes related threats from phishing, email account compromise, and plain old spam, so it’s very easy to trigger a ransomware payload. As such, ransomware tests data security strategies and preparedness like nothing else. The frustration of those affected by ransomware is palpable.
Today, organizations are having to take a more holistic approach to their data security to protect and prepare themselves. Unfortunately, there is no one-stop security solution. The days of a firewall and antivirus software combination providing adequate coverage are gone. Security software vendors and cybercriminals are racing to out-innovate each other, and the hackers are proving themselves to be formidable adversaries.
How Ransomware Works
Ransomware needs a means of entry, some method of delivery, and an ability to execute. Each is a carefully planned component of a ransomware attack. Here’s how it works:
Phase 1: Hide in Plain Sight.
Like most malware, ransomware finds its way in either via email or via maliciously coded websites. The code used at this point is a “trojan” – like the original Trojan horse. Like a wolf in sheep’s clothing, it looks credible to end users and applications alike. There’s typically nothing about the delivery method that raises suspicion. It looks valid. Even the operating system and virus scanner see it as a valid type of code that is not out of place.
Phase 2: Just One Click.
Once the trojan escorts the ransomware payload in, its job is complete. There may be many trojans sent to an organization. They are carefully crafted to maximize the chance that someone will click. All it takes is one click to activate the ransomware across a network. Like an army of ninjas, the ransomware code spreads across a network. The faster it moves, the more data it can ransom.
Phase 3: Game Over.
Ransomware accelerates its viral behavior via software macros. Macros are scripts of linked actions that automate a series of tasks. When used in installation files, Word, and Excel, macros can be very helpful. When used by ransomware, they spread chaos fast to take control of systems and data. Other kinds of otherwise normal code used in Java, Flash, web browsers, and browser plugins can also be exploited.
Once the ransomware payload is delivered, your machines stop working and all data is inaccessible. All you will see is the ransom demand on screen, with instructions on how much to pay and how. Payment is via bitcoin to preserve the anonymity of the cybercriminal. You can pay and hope you get your data back, or, if you are prepared, you can take control and respond.
Preparing for Ransomware Threats
Assuming it’s a question of when, not if, ransomware will strike, it’s critical to prepare. Your situation will vary, but best practices include:
1. Patch Everything, Patch Often.
The average time to develop a vulnerability exploit is just 30 days*. Ransomware attacks are successfully leveraging vulnerabilities that are often YEARS old. That means patches exist to plug the vulnerability, but they only work when installed. It’s evident that patch management is an issue for organizations of all sizes.
2. Implement Multi-Factor Authentication
Multi-factor authentication is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence. Implementing this strategy and ensuring consistent usage can cut ransomware success by over 90%.
3. Identify Key Assets & Mission Critical Systems
Take the time to locate your critical data. Where exactly is it located? Who is responsible for it? How is it protected? What are the minimum processes and systems necessary to continue operation through a crisis? This is often a patchwork of systems and data that may not even reside within your organization’s facilities. Know all you can about your data, including key stakeholders. They, more than anyone, will know the priorities.
4. Protect Your Data With 3-2-1 Protection Strategies
Today, a backup is just not enough. Gone are the days when backups were copied to tape and rotated off to a bank vault. A good rule of thumb for today’s data protection is: 3 copies of your data on 2 different media types, with 1 of them offsite.
An important consideration is also how quickly you can access and restore that data from remote locations. Oftentimes people purchase “cold storage” that is very cheap – until you have to pull data out. Then it gets very expensive, particularly if you are pulling the entire data set. Another mistake is to underestimate how long it will take to restore your data. Not all cloud providers can expedite your data restoration, which can take days or even weeks. Our FLxStore Data Protection service provides an ideal solution for your 3-2-1 backup strategy. Our FLxStoreDR IT Recovery Readiness cloud service provides operational readiness to ensure business continuity.
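As an added example (not code from the original post or from any FLx service), here is a small Python checker that grades a backup inventory against the 3-2-1 rule and estimates the restore time and retrieval cost of each copy; the inventory, throughput, and fee values are constructed.

```python
"""Check a backup inventory against the 3-2-1 rule and estimate restore effort.

Added example with constructed data; not code from the original post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                          # "disk", "tape", "object-storage", ...
    offsite: bool
    size_gb: float
    restore_mbps: float                 # sustained restore throughput (measured)
    retrieval_usd_per_gb: float = 0.0   # cold-storage egress/retrieval fee


def check_3_2_1(copies):
    """Return which of the three 3-2-1 conditions the inventory satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def gaps(copies):
    """Names of the 3-2-1 conditions that are NOT met, in rule order."""
    return [name for name, ok in check_3_2_1(copies).items() if not ok]


def restore_estimate(copy):
    """(hours to pull the full copy back, retrieval cost in USD)."""
    megabits = copy.size_gb * 8 * 1024
    hours = megabits / copy.restore_mbps / 3600
    return round(hours, 1), round(copy.size_gb * copy.retrieval_usd_per_gb, 2)


# Constructed inventory: primary data plus two backups of a 2 TB file share.
INVENTORY = [
    BackupCopy("file-server primary", "disk", False, 2000, 2000),
    BackupCopy("onsite NAS snapshot", "disk", False, 2000, 2000),
    BackupCopy("cloud cold archive", "object-storage", True, 2000, 200, 0.09),
]

if __name__ == "__main__":
    print("3-2-1 gaps:", gaps(INVENTORY) or "none")
    for c in INVENTORY:
        hours, cost = restore_estimate(c)
        print(f"{c.name}: ~{hours} h to restore, ~${cost} retrieval cost")
```

The cold archive passes the 3-2-1 check yet takes about a day and a real fee to restore in full, which is exactly the surprise the paragraph above warns about.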
For critical data, a secure cloud-based archive solution provides even better IT recovery. Archives save your data in real time rather than a single point during the day, so on the day of a breach or outage, the amount of critical data lost prior to that day’s backup is significantly reduced. We recommend and implement Donoma OneVault as it is a cloud archiving platform that can manage many different data types at once.
5. Proactively Monitor for Ransomware Threats.
There’s a wide range of services and tools to help you monitor the security of an IT infrastructure that is no longer neatly contained inside a limited number of office locations. It is critical to understand that IT security is layered and must be adaptable. The “hard candy shell” approach that relied on security only at the perimeter is no longer acceptable.
6. Create a Culture of Security Awareness.
The number one threat vector is staff members themselves. While most would never want to cause harm to their employer, they all need to be educated and made part of your security strategy. Teach employees about phishing and security challenges. Make sure they are set up with multi-factor authentication when accessing services on your network. Help them recognize threats and ensure they know how to respond in the moment. An educated workforce is a powerful asset in your security plan.
7. Build & Test Your Emergency Response Plan.
If you knew the chances were good that you might experience a fire in your office, you’d make sure you ran fire drills. You’d post instructions to help people during an emergency and practice ahead of time. The same is true for a data security emergency. Plan ahead: the stress and very real disruption become far more manageable when a tested plan is in place.
Unless You Have the Resources, Don’t Go It Alone.
Cybersecurity is a fast-changing field of very specialized capabilities. Unless you already have a team of people on staff with this expertise and you are committed to continual upgrades of systems, tools, and training, your best bet is to engage some professional help. Just as you engage lawyers and CPAs to handle specialized areas of expertise for your business, the same is true for cybersecurity. Our FLxSecure proactive SECOPS monitoring & response service provides proactive monitoring and a fully staffed threat response team in the event of a problem.
Want to learn more? Schedule a no obligation discussion with us today.
Additional Resources:
The Best Defense Against Ransomware
Quick Clips on CyberSecurity Best Practices (YouTube)
FLxStoreDR IT Recovery Service
Donoma OneVault Multi-Data Cloud Archiving Platform