October 31, 2016
As we observe Halloween, the holiday of all things scary, it seems like the perfect time to talk about something really frightening: ransomware. Ransomware, one of the most prevalent threats to companies’ cybersecurity, cost companies $24 million last year.
That cost is rising at an unprecedented rate. In the first three months of 2016, costs escalated to $209 million. By year’s end, ransomware damages are expected to hit the $1 billion mark.
Ransomware is an extortion scheme that works by locking up user files through encryption. To obtain the decryption key, users have to pay up. According to Gartner, ransom fees range from $200 to $10,000.
But the costs don’t stop there.
Additional costs incurred can include network mitigation, network countermeasures, loss of productivity, legal fees, information technology services, and/or the purchase of credit monitoring services for employees or customers, according to the Department of Justice. In addition, bad guys will sell your information to other ransom operators on a “They Will Pay” list, which could subject you to additional attacks/demands.
Understanding the Problem
What should companies do? First, acknowledge that all ransomware attempts are different, and try to understand the various forms of the threat as much as possible. Some attempts use encryption that has proven impossible to break. In other cases, the encryption isn’t particularly well written, which makes it possible for security companies to crack it.
It’s also important to understand ransomware doesn’t always go after the same types of files and systems. Early variants looked for vulnerabilities in files such as Microsoft Word documents and Adobe PDF files. The malware has since evolved to compromise wider sections of the computer and, eventually, lock everything to prevent use of a machine.
Some current ransomware is sophisticated enough to spread beyond a single computer into the network, making file shares, storage drives and mapped network drives vulnerable as well. This means parts of the network—and potentially all of it—are susceptible to a ransomware infection, not just individual computers.
Understanding the magnitude of the threat helps you better prepare yourself to defend against it. Ransomware attacks increased three-fold in 2016, with reports of an attack against businesses once every 40 seconds. Security experts predict the number of ransomware attacks will continue to increase in 2017.
Patch management is another effective preventative measure. Ransomware exploits vulnerabilities that already exist in your systems, so the more consistently you update software and apply patches (and encourage employees to do the same), the less likely you’ll be hit.
Admittedly, this is a challenge for many organizations, especially those with large workforces, because it requires a fair amount of planning and may cause user downtime. But these are mere inconveniences when viewed in the context of how much damage a major ransomware attack can cause.
Limiting user access to resources also helps secure networks and prevents malware infections. Users should be granted only the access they need to do their jobs, and only administrators should have administrator privileges.
Content filtering, threat intelligence and anti-malware programs also help protect against ransomware. Content filters block samples of code that have been deemed hazardous; this requires updating the filters constantly to keep up with new variants. Threat intelligence keeps track of websites that host malware. Any of these security tools can stop threats that would otherwise get through when other systems or processes miss them, as might be the case with outdated patches.
And don’t forget data backups, which are critical to your ability to recover quickly from a successful ransomware attack. Give your users the ability to easily and consistently back up their critical business data.
Boo! You’re Hit!
As noted earlier, some ransomware encryption isn’t that effective. If you’re hit, check whether the ransomware variant has been cracked. Clues such as file extensions and the wording of the ransom note will help you figure this out.
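As an added example (not from the original post or from Level 3), the Python script below gathers the two clues just mentioned from an affected share: the unfamiliar extension the malware appended to files and the ransom note it dropped. The keyword list, the baseline extensions and the sample share it builds are all constructed for the example; the ".demo-locked" extension is hypothetical.

```python
import os
import tempfile
from collections import Counter

# Keyword list and baseline extensions are constructed for this example.
NOTE_KEYWORDS = ("decrypt", "ransom", "bitcoin", "your files")
BASELINE_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".html", ".jpg", ".png"}

def looks_like_ransom_note(path):
    """A small text-like file that mentions at least two ransom-note terms."""
    if os.path.getsize(path) > 65536:
        return False
    with open(path, "r", errors="ignore") as fh:
        head = fh.read(4096).lower()
    return sum(word in head for word in NOTE_KEYWORDS) >= 2

def triage_share(root):
    """Collect the two clues the text names: the unfamiliar extension the
    malware appended to files, and the ransom notes it dropped."""
    ext_counts, notes = Counter(), []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in (".txt", ".html", ".hta") and looks_like_ransom_note(path):
                notes.append(os.path.relpath(path, root))
            elif ext not in BASELINE_EXTS:  # unfamiliar extension: count it
                ext_counts[ext] += 1
    top = ext_counts.most_common(1)
    return {"suspect_ext": top[0][0] if top else None,
            "suspect_count": top[0][1] if top else 0,
            "ransom_notes": sorted(notes)}

def build_sample_share():
    """Constructed sample tree standing in for an infected file share."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    note = "ALL YOUR FILES are encrypted. To decrypt them, pay 1 Bitcoin.\n"
    layout = {"finance/q3.xlsx.demo-locked": "", "finance/README_DECRYPT.txt": note,
              "hr/policy.docx.demo-locked": "", "hr/README_DECRYPT.txt": note,
              "hr/photo.jpg.demo-locked": "", "shared/untouched.pdf": "",
              "shared/minutes.txt": "meeting minutes, nothing unusual"}
    for rel, text in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root

if __name__ == "__main__":
    print(triage_share(build_sample_share()))
```

The reported extension and the wording of the recovered note are what you then search for in public decryptor databases and vendor write-ups.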
Investigate commercial ransomware recovery systems or public sources for ransomware recovery keys. Contact your Internet Service Provider (ISP), as they may have a solution for you.
Maybe you’ll get lucky. If not, you’ll have to restore data from a backup. And if your backups are incomplete or nonexistent? Then comes the spookiest thing of all: you may just have to pay up.
Find out how Level 3 can help you get in front of ransomware and other types of cyber attacks.