Ransomware is a form of malware that targets a user’s critical data and systems for extortion. Typically, ransomware encrypts data with a key known only to the attacker until a ransom (usually in a cryptocurrency such as Bitcoin) is paid. After the ransom is paid, the attacker will sometimes provide a decryption key.
The FBI reports that approximately 4,000 ransomware attacks occur daily and that there has been a 300 percent increase in ransomware attacks since 2015. Ransomware is becoming increasingly sophisticated and dangerous. It’s a critical risk for all types of organizations.
Steps to Defend Against Ransomware
Back up the data. Backups are critical in ransomware recovery and response; if records are infected, backups are often the best way to recover critical data. But in addition to regularly backing up the organization’s significant data, verify the integrity of the backups and regularly test the backup restoration process; it would be unfortunate to find out, in the middle of an incident, that the backups aren’t working.
It’s also important to ensure that the backups are secured (e.g., physically stored offline) and not permanently connected to the computers and networks they back up. Increasingly, ransomware is designed to infect both computers and attached storage devices, plus cloud backup services that are mapped to infected computers.
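As an added example (not from the article), a minimal integrity-manifest and restoration-drill check in Python: it records SHA-256 hashes when a backup is taken, re-verifies them later, copies the backup into a scratch directory as a restore test, and flags any backed-up file that has been replaced, which is what an encrypted backup looks like. It assumes the manifest is kept apart from the backup media itself, and the sample files are constructed.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir):
    """Map each file under backup_dir (relative POSIX path) to its SHA-256."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_backup(backup_dir, manifest):
    """Return (ok, problems): files missing, modified or unexpected vs. the manifest."""
    current = build_manifest(backup_dir)
    problems = [f"missing: {r}" for r in manifest if r not in current]
    problems += [f"modified: {r}" for r in manifest if r in current and current[r] != manifest[r]]
    problems += [f"unexpected: {r}" for r in current if r not in manifest]
    return (not problems, problems)

def restore_drill(backup_dir, manifest):
    """Restoration drill: copy the backup into a scratch directory and verify the copy."""
    scratch = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        for rel in manifest:
            dst = Path(scratch) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(backup_dir) / rel, dst)
        return verify_backup(scratch, manifest)
    finally:
        shutil.rmtree(scratch)

def demo():
    """Constructed scenario: a clean verify and restore drill pass, then one backed-up
    file is overwritten with random bytes (what an encrypted file looks like)."""
    backup = Path(tempfile.mkdtemp(prefix="backup-"))
    (backup / "records").mkdir()
    (backup / "records" / "ledger.csv").write_text("id,amount\n1,100\n")
    (backup / "notes.txt").write_text("quarterly notes\n")
    manifest = build_manifest(backup)  # store this apart from the backup media itself
    clean_ok, _ = verify_backup(backup, manifest)
    drill_ok, _ = restore_drill(backup, manifest)
    (backup / "records" / "ledger.csv").write_bytes(os.urandom(32))
    _, problems = verify_backup(backup, manifest)
    shutil.rmtree(backup)
    return clean_ok, drill_ok, problems
```

In practice the manifest would be signed or stored on read-only media, since a backup that can be silently rewritten can have its manifest rewritten too.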
Use behavior-based anti-malware software. Businesses should implement behavior-based anti-malware (e.g., CrowdStrike, Cylance) on their organization’s information systems rather than signature-based software. Criminals are continually tweaking their ransomware strains and adding “features” such as encrypted or constantly changing code. Increasingly, signature-based anti-malware software, which just looks for known malicious files, cannot keep up. Behavior-based anti-malware software, which watches for malicious behaviors, is often more likely to detect ransomware.
Whenever possible, it’s best to configure the anti-malware software to block and alert when it detects ransomware rather than just alert. All alerts regarding ransomware should be rapidly responded to.
Have a security incident response plan (SIRP). As unpleasant as it is to think about, businesses should assume their organization will be infected by ransomware — and prepare for it. A well-documented SIRP that is specific to the organization will make it easier to launch a rapid and well-coordinated response. At a high level, the SIRP should include:
- A description of the roles and employees who are on the security incident response team (SIRT).
- Specific guidelines (e.g. when law enforcement should be notified, how backups are secured) and procedures that the SIRT will follow.
- Information about external resources (e.g. computer forensics firm) available to the SIRT.
Businesses would be well-advised to test their SIRP at least annually — rather than trying out their SIRP for the first time during an incident.
Provide phishing education. Properly trained, employees can be an organization’s front-line defense against ransomware. Cybersecurity is not just an IT issue. Ransomware is frequently delivered via phishing emails, so it’s important to regularly train one’s employees to carefully assess links in emails and to not open unsolicited attachments. To improve employee awareness about phishing, use a tool like Wombat or Phishme to send simulated phishing emails.
Businesses should also encourage employees to rapidly report suspicious activity that may indicate ransomware. Once in an organization, ransomware can spread very quickly via shared or networked drives, so it’s critical that all employees know when and how to report suspicious activity on their information systems.
Steve Weil is security director of Point B Inc., an integrated management consulting, venture investment and property development firm.