Six Effective Ransomware Risk Reduction Strategies
- Sep 12, 2016
- Guest Author
Businesses, governments, and consumers alike need to be aware of ransomware – a type of malware that can inflict serious damage on your finances and productivity in a very short span of time. Today, we explain this category of malware: how it works, the risks it poses to your organization, and strategies for preventing an attack.
Ransomware is a type of malware that deliberately interferes with the standard operation of a computer until a ransom is paid.
Early ransomware (so-called locker ransomware) simply locked the screen and prevented programs and files from being opened. These variants disrupted the organizations they hit, but the data itself was untouched: the files could be recovered by booting the machine from a clean live CD and copying them off to separate storage.
Most ransomware today is crypto-ransomware, a more damaging form of the malware. Crypto-ransomware systematically encrypts files stored locally or on any network share the infected account can write to, using strong, correctly implemented cryptographic algorithms. It selects files by extension, and office documents (.docx, .xlsx, .pptx), photographs, and video files are almost always on the list. The key needed to decrypt the files is never left on the victim's machine: typically a per-victim key is used for the files and that key is itself encrypted to the attackers' public key or sent to their server, so no usable copy remains locally. The victim then sees a demand for payment in return for the decryption key.
Often there is a time limit on the payment. If the victim fails to pay before the clock runs out, the attackers delete the decryption key, rendering the files permanently irretrievable.
Payment is typically made in one of two ways: through a cryptocurrency such as Bitcoin or Litecoin, or through a prepaid debit card or gift card. The amount demanded differs between variants. CryptoLocker, one of the most widely known variants, active from 2013 to 2014, demanded $300. Others have demanded significantly more.
While paying the ransom does not guarantee the safe return of encrypted files, in most cases, criminals understand that much like a traditional business, reputation is important. In order to maintain credibility in the marketplace and continue to reap rewards, it is in their interest to restore files upon receipt of payment.
According to the IBM Security Services 2014 Cyber Security Intelligence Index, human error is responsible for almost 95% of all security incidents. Ransomware is no different. The first thing to understand in order to prevent an attack is that there is a human element to ransomware that makes it a problem not easily solved with technology alone.
Spam email is a common delivery vector for ransomware, and many of these messages are crafted to look genuine: written by a native speaker of the recipient's language, and often adopting the logos and branding of established, trusted organizations such as Royal Mail, the IRS, and the Australian Taxation Office.
Since email is the most common attack vector for ransomware, these are the most effective risk reduction strategies:
1. Disable Macros: The most important step you can take is to disable macros. Office's default setting is "Disable all macros with notification", so a macro only runs if the user clicks "Enable Content"; ransomware lures are written precisely to get that click. If you are running Microsoft Office 2016, the policy "Block macros from running in Office files from the Internet" (available for Word, Excel, and PowerPoint) lets an administrator prevent users from enabling macros in documents downloaded from the Internet, removing the choice altogether.
2. Install Viewers: If your organization has yet to migrate to Office 2016, we recommend installing the Microsoft Office Viewers, which render a document without any macro engine, so a user can read an attachment without ever being prompted to enable macros.
3. User Awareness: Train users on the threats posed by ransomware and the risks of opening email attachments from unrecognized senders.
4. Least Privilege: Ransomware runs with the rights of the account that opened the attachment and can encrypt only what that account can write. Run users as standard (non-administrator) accounts, and limit write access on network shares to the folders each role actually needs, so that a single infected workstation cannot encrypt every share in the company.
5. System Updates: As ransomware often takes advantage of security vulnerabilities in Microsoft Office and other applications, ensure that all systems are regularly patched and updated. To this end, having a well-oiled vulnerability management practice within the organization is vital.
6. Back up: Above all, ensure that all files are backed up, versioned, and kept off-site. Backups must not be continuously writable from user workstations: a permanently mapped backup drive is just another share for the ransomware to encrypt. Test restores regularly, because an untested backup is not a backup.
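Step 1 above can be scripted and verified. The following PowerShell is an added example, not code from the original post or from NopSec: it writes the Office 2016 policy "Block macros from running in Office files from the Internet" for Word, Excel, and PowerPoint into the per-user policy registry keys (version key `16.0`), sets the macro-security level so unsigned macros cannot be enabled, and then reports whether each application is compliant. Writing `HKCU:\Software\Policies\...` directly is an assumption made so the script runs on a single test machine; in a domain the same values are normally deployed through Group Policy.

```powershell
# Added example (not from the original post): enforce and verify Office 2016
# macro policy for the current user. Assumes Office 2016 (registry version
# key 16.0). The same registry values are what the corresponding Group
# Policy settings write; deploy them via GPO in production.

$OfficeVersion = '16.0'                       # Office 2016
$Apps = 'Word', 'Excel', 'PowerPoint'         # applications that honour the policy

function Set-OfficeMacroPolicy {
    param(
        [string[]] $Applications = $Apps,
        [string]   $Version = $OfficeVersion,
        # VBAWarnings: 2 = disable with notification (Office default),
        # 3 = disable all except digitally signed, 4 = disable all, no prompt
        [ValidateSet(2, 3, 4)] [int] $VbaWarnings = 3
    )
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # "Block macros from running in Office files from the Internet":
        # files carrying the Mark-of-the-Web get no "Enable Content" button.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord

        # Macro-security level for every other document.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    }
}

function Test-OfficeMacroPolicy {
    param([string[]] $Applications = $Apps, [string] $Version = $OfficeVersion)
    foreach ($app in $Applications) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $blocked = ($props.blockcontentexecutionfrominternet -eq 1)
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = $blocked
            VBAWarnings         = $props.VBAWarnings
            Compliant           = $blocked -and ($props.VBAWarnings -ge 3)
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Run `Test-OfficeMacroPolicy` on its own from a compliance job to catch machines where the policy has been removed or never applied; a `Compliant` of `False` for any application means a downloaded document could still be talked into running a macro.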
Ransomware comes in different guises, operating in different ways. As such, a single point product is rarely sufficient in preventing it. Rather, a set of tools is required.
1. A Unified Approach: A unified approach is the most efficient and comprehensive way to prevent ransomware from infecting and spreading in your environment. By automating many manual tasks involved with vulnerability risk management, NopSec Unified VRM reduces the risk of an infection occurring as a result of a lapse in procedure in the security team. The Unified VRM Security Configuration tool lets an administrator or security professional assess the security of an operating system by comparing it against industry-standard or compliance checklists. Meanwhile, the Unified VRM Network can scan a network to see how prepared it is to face an external, Internet-based threat. Tying this all together is a centralized reporting system that allows management to assess all aspects of the incident response process.
2. Social engineering: Social engineering testing is an effective tool to complement user awareness by exposing human flaws in processes that can subsequently be addressed. When considering engaging a social engineering exercise, it is important to remember that the objective is not to shame employees. Rather, the goal is to identify where processes can be improved.
3. Penetration testing: Penetration testing simulates attacks against Internet-facing web applications, external, and internal networks in order to identify holes that could potentially allow a ransomware infection so that IT and security personnel can quickly remediate them.
4. Detection: In the event that prevention controls fail or are bypassed, detection controls on both the network and host can quickly identify when ransomware is running in your organization. Crypto-ransomware is noisy: a single account modifying or renaming hundreds of files on a share within a minute, new files with an unfamiliar extension, or a ransom note dropped into every folder are all events a file-server audit log records. A SIEM that correlates logs from disparate systems can alert on exactly these patterns while the encryption is still in progress.
5. Threat intelligence: The use of paid, open, vendor-provided, and peer-driven threat intelligence can keep you up to date with the latest ransomware threats and their evolution. Knowing the attack paths, command and control servers, and encryption methods can help you quickly identify and prevent ransomware from spreading through your network.
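Items 4 and 5 above describe detection in general terms; the script below is an added example, not code from the original post or from NopSec, of what such a correlation rule looks like when run over file-share audit records. It reads a constructed sample log (format `time,user,operation,path`; the user names, share paths, and timestamps are invented for the example), then raises an alert for any user who touches files with an extension from a threat-intelligence list, drops a file matching a ransom-note name pattern, or modifies more files in a sliding 60-second window than a threshold allows. The extension list, note patterns, window, and threshold are placeholders to be replaced by your own feeds and baselines; in production the records would come from Windows file-share auditing or a SIEM query rather than an inline string.

```powershell
# Added example (not from the original post): a minimal ransomware-activity
# detector over file-share audit records. Log format, users, paths,
# indicator lists and thresholds are all constructed/assumed for the example.

# Constructed sample log: time,user,operation,path (UTC). "alice" shows a
# burst of encrypt-and-rename activity plus a ransom note; "bob" is normal.
$SampleLog = @'
2016-09-12T10:00:00Z,alice,WRITE,\\fs01\finance\q3-budget.xlsx
2016-09-12T10:00:01Z,alice,RENAME,\\fs01\finance\q3-budget.xlsx.encrypted
2016-09-12T10:00:01Z,alice,WRITE,\\fs01\finance\forecast.docx
2016-09-12T10:00:02Z,alice,RENAME,\\fs01\finance\forecast.docx.encrypted
2016-09-12T10:00:02Z,alice,WRITE,\\fs01\finance\board-deck.pptx
2016-09-12T10:00:03Z,alice,RENAME,\\fs01\finance\board-deck.pptx.encrypted
2016-09-12T10:00:04Z,alice,WRITE,\\fs01\finance\_HELP_DECRYPT_.txt
2016-09-12T10:05:00Z,bob,WRITE,\\fs01\hr\handbook.docx
2016-09-12T10:07:30Z,bob,WRITE,\\fs01\hr\handbook.docx
'@

function ConvertFrom-AuditLog {
    param([Parameter(Mandatory)] [string] $Text)
    $Text -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
        $f = $_ -split ',', 4
        [pscustomobject]@{
            Time = ([datetime]$f[0]).ToUniversalTime()
            User = $f[1]; Op = $f[2]; Path = $f[3]
        }
    }
}

function Find-RansomwareActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $WindowSeconds = 60,                     # assumed window
        [int]      $Threshold     = 5,                      # assumed baseline
        [string[]] $SuspiciousExtensions = @('.encrypted', '.locked'),   # placeholder intel list
        [string[]] $RansomNotePatterns   = @('*decrypt*', '*help*', '*readme*')
    )
    $alerts = New-Object System.Collections.Generic.List[object]
    foreach ($group in ($Events | Group-Object User)) {
        $user   = $group.Name
        $sorted = @($group.Group | Sort-Object Time)

        # Indicator 1: files carrying a known ransomware extension.
        $hits = @($sorted | Where-Object {
            $SuspiciousExtensions -contains [System.IO.Path]::GetExtension($_.Path).ToLowerInvariant() })
        if ($hits.Count -gt 0) {
            $alerts.Add([pscustomobject]@{ User=$user; Reason='known-extension'; Count=$hits.Count; First=$hits[0].Time })
        }

        # Indicator 2: a ransom note dropped on the share.
        $notes = @($sorted | Where-Object {
            $name = [System.IO.Path]::GetFileName($_.Path)
            @($RansomNotePatterns | Where-Object { $name -like $_ }).Count -gt 0 })
        if ($notes.Count -gt 0) {
            $alerts.Add([pscustomobject]@{ User=$user; Reason='ransom-note'; Count=$notes.Count; First=$notes[0].Time })
        }

        # Indicator 3: burst of file modifications within a sliding window.
        $changes = @($sorted | Where-Object { $_.Op -in 'WRITE', 'RENAME', 'DELETE' })
        $start = 0; $peak = 0; $peakTime = $null
        for ($i = 0; $i -lt $changes.Count; $i++) {
            while (($changes[$i].Time - $changes[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $n = $i - $start + 1
            if ($n -gt $peak) { $peak = $n; $peakTime = $changes[$start].Time }
        }
        if ($peak -ge $Threshold) {
            $alerts.Add([pscustomobject]@{ User=$user; Reason='mass-modification'; Count=$peak; First=$peakTime })
        }
    }
    return $alerts
}

$events = ConvertFrom-AuditLog -Text $SampleLog
Find-RansomwareActivity -Events $events | Format-Table -AutoSize
```

On the sample data, `alice` triggers all three rules (three known-extension renames, one ransom note, seven modifications inside one window) and `bob` triggers none. The burst rule is the one that catches variants your intelligence feed has not seen yet; the extension and note-name rules are cheap confirmation and are where feed-provided indicators (item 5) plug in.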
Learn more to keep your organization safe from this threat. Download NopSec’s white paper, “The 2016 NopSec State of Ransomware Report: The Threat, the Impact, and Mitigation Strategies.” Learn how ransomware spreads quickly; ransomware variants; commonly targeted industries; and other trends that will help you better understand ransomware, its reach, and how to defend your organization.