Author: Charles Burger.
Of all the cybersecurity threats out there, being attacked by ransomware is among the most devastating. It spreads quickly throughout the network, is a nightmare to remove, and makes every encrypted file inaccessible until the ransom has been paid, typically through a “darknet” site, after which the decryption key is supposed to be provided. If payment isn’t made, the cybercriminals threaten to delete the decryption key, meaning all encrypted data will be lost forever.
Unless the victim has protected copies of those infected files and is absolutely confident they are untouched by the ransomware, they will find themselves backed into a corner. Of course, many have learned the hard way that conventional backup solutions simply cannot assure that data can be safely and completely recovered, because the backups themselves are also targets of the malware. And similarly, paying the ransom doesn’t guarantee that files can be recovered either. The criminals might just take the cash and not provide the key, though this currently appears uncommon. Because the payment process is deliberately convoluted, there are many opportunities for breakdowns in communication where the payment doesn’t go through, or the key doesn’t reach the victim.
More common, however, is that some or all of the files will be damaged during the victim’s well-meaning but misguided troubleshooting and repair attempts in the initial confusion of the attack, leading to problems with their decryption attempts after paying the ransom.
Because ransomware gets into the network using the familiar paths taken by previous generations of malware, many of the same preventative measures used to fight those earlier threats can also help reduce risk today:
1. Teach users not to visit unapproved websites or click on links within emails unless they were specifically expecting those email links and have no other way to get to the site (for instance, a password reset link). The best way to do this is to offer a live demonstration for users showing them how the URL behind a link may be very different from what they think it is.
2. Regularly patch and update the management tools on all networked devices, local and remote, including switches, servers, and BYODs. New malware exploits are now published within days of patches being available, so, unfortunately, the window of relative safety is getting shorter and shorter.
3. Find ways to establish non-native rendering of PDF and Microsoft Office documents so that a browser or a custom app sees a sandboxed, safe view. Note that many exploits hide inside rich document formats.
4. Make sure that users — and especially administrators — run in the least privileged mode possible while still being able to maintain reasonable productivity. Of course, this is not foolproof as malware has proven very adept at escalating to root or admin privilege levels.
5. Disable Remote Desktop Protocol (RDP) unless used in carefully controlled maintenance procedures.
6. Enable firewalls and deploy all the latest patches as soon as they are available, and as quickly as you/your team are able. Note that some of the newest firewalls can help block traffic from known ransomware, though the jury is still out on their real-world effectiveness.
7. Ensure your last line of defense is continuously updated and ready to go — an immutable copy of your data that can’t be altered, replicated to a remote location. The remote data should be aggressively locked down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere, and at any time.
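Item 1 above hinges on the gap between the text a user sees in a link and the address it actually points to. The following script is an added example, not code from the author or from any product mentioned on this page; it parses the anchors in an HTML message body and flags every link whose visible text looks like a URL or domain but resolves to a different host than its `href`. The sample message body is constructed for the demonstration, and the `find_deceptive_links` name and the URL-shape regex are this example's own choices, not the page's.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body for the demonstration; not a real message.
SAMPLE_HTML = """
<p>Your password will expire soon.</p>
<a href="http://login-reset.example.net/verify">https://intranet.example.com/reset</a>
<a href="https://intranet.example.com/reset">Reset your password</a>
<a href="https://docs.example.com/guide">docs.example.com</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, or None
        self._text = []     # text fragments seen inside that anchor
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a user would read as an address: optional scheme, a
# dotted host with an alphabetic top-level label, and an optional path.
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def _host(value):
    """Return the lowercase host of a URL or bare domain, or '' if none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def find_deceptive_links(html):
    """Return (visible_text, href) pairs where the visible text looks like an
    address but the real destination host differs from the one displayed."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        if _URL_LIKE.match(text) and _host(text) != _host(href):
            suspicious.append((text, href))
    return suspicious


if __name__ == "__main__":
    for shown, real in find_deceptive_links(SAMPLE_HTML):
        print(f"displayed {shown!r} but actually goes to {real!r}")
```

Links whose visible text is ordinary prose ("Reset your password") are deliberately left alone: the check targets the specific trick of displaying one address while linking to another, which is exactly the point a live demonstration for users should make. Running it on the sample body reports the first anchor only.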
Even with all these precautions, many organizations will still fall victim to ransomware and other malware attacks. The key is not to prevent the attack (nearly impossible) but to ensure you can recover from it. A recent example is that of a large and well-known hospital with a meticulously careful IT department, which suffered a massive ransomware attack that encrypted all of its patients’ radiology studies. The potential medical ramifications of this data loss were immeasurable. And, no hospital wants to be on the news for losing its patient records and being down for days while it attempts to recover files from backups. In this particular case, the hospital’s downtime was only a matter of minutes because it had previously deployed a hardened active archive solution from which it could quickly and completely restore all data.
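Item 7 and the hospital case above both rest on one property: a stored copy that refuses overwrites and deletions, and whose integrity can be proven before it is restored. The script below is an added example written for this page, not the hospital's or any vendor's code, and it is a simplified model: a directory-backed write-once archive whose SHA-256 manifest is kept apart from the object store (in a real deployment that record would live on the hardened, remote system). The `ImmutableArchive` class, its method names, and the "radiology study" bytes are all constructed for the demonstration; `run_scenario` stores two objects, tampers with one of them the way an ordinary backup would be damaged, and shows that the archive detects the damage and refuses to restore it while the untouched copy restores cleanly.

```python
import hashlib
import os
import tempfile


class ImmutabilityError(Exception):
    """Raised on any attempt to alter, remove, or restore a compromised copy."""


class ImmutableArchive:
    """Write-once archive (simplified model for this example).

    Each object is stored exactly once, its SHA-256 is recorded in a manifest
    held separately from the object files, and every restore is verified
    against that manifest before any bytes are handed back.
    """

    def __init__(self, root):
        self.root = root
        os.makedirs(os.path.join(root, "objects"), exist_ok=True)
        self.manifest = {}  # name -> hex digest; the separately kept integrity record

    def _path(self, name):
        return os.path.join(self.root, "objects", name)

    def store(self, name, data):
        """Archive `data` under `name`; a second store of the same name is refused."""
        if name in self.manifest or os.path.exists(self._path(name)):
            raise ImmutabilityError(f"{name!r} already archived; overwrite refused")
        with open(self._path(name), "wb") as f:
            f.write(data)
        os.chmod(self._path(name), 0o444)  # best-effort read-only marking on the file
        digest = hashlib.sha256(data).hexdigest()
        self.manifest[name] = digest
        return digest

    def delete(self, name):
        """Deletion is never permitted: the archive is write-once by design."""
        raise ImmutabilityError(f"deletion of {name!r} refused: archive is write-once")

    def verify(self, name):
        """True only if the stored bytes still match the recorded digest."""
        expected = self.manifest.get(name)
        if expected is None:
            return False
        try:
            with open(self._path(name), "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
        except OSError:
            return False
        return actual == expected

    def restore(self, name):
        """Return the archived bytes, but only after the integrity check passes."""
        if not self.verify(name):
            raise ImmutabilityError(f"{name!r} fails integrity check; refusing to restore")
        with open(self._path(name), "rb") as f:
            return f.read()


def _refused(action):
    """Run `action` and report whether the archive refused it."""
    try:
        action()
    except ImmutabilityError:
        return True
    return False


def run_scenario(root=None):
    """Exercise the archive end to end and return a dict of outcomes."""
    archive = ImmutableArchive(root or tempfile.mkdtemp())
    study_a = b"constructed radiology study A"   # constructed sample data
    study_b = b"constructed radiology study B"   # constructed sample data
    archive.store("study-a.bin", study_a)
    archive.store("study-b.bin", study_b)

    results = {"intact_before": archive.verify("study-a.bin")}
    results["overwrite_refused"] = _refused(lambda: archive.store("study-a.bin", b"new"))
    results["delete_refused"] = _refused(lambda: archive.delete("study-a.bin"))

    # Damage one stored file directly on disk, bypassing the archive API, the way
    # a conventional backup would be hit; the manifest is untouched.
    damaged = archive._path("study-a.bin")
    os.chmod(damaged, 0o644)
    with open(damaged, "wb") as f:
        f.write(b"garbage written over the copy")

    results["tamper_detected"] = not archive.verify("study-a.bin")
    results["restore_refused"] = _refused(lambda: archive.restore("study-a.bin"))
    results["clean_restore_ok"] = archive.restore("study-b.bin") == study_b
    return results


if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check}: {outcome}")
```

The lesson the hospital case illustrates is in the last two results: a copy whose integrity cannot be proven is never silently restored, and the copy that survived is restored completely and immediately. The file-permission bit is only a hint; what actually enforces immutability here is that the API offers no overwrite or delete path at all, and that the digest record is not stored alongside the objects it protects.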
It’s a simple fact that ransomware threats are becoming more devious and damaging while coming faster and faster. But, by diligently following these preventive steps, it’s possible to significantly reduce the risk of a successful attack. In other words, given today’s increasingly sophisticated ransomware driven by deviously clever cybercriminals, your best defense is a bulletproof offense backed by a storage solution that is capable of recognizing and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error — or a new threat that hasn’t even been invented yet.