Ransomware has emerged as one of the biggest threats to companies with any kind of reliance on technology, which is pretty much all of them. Ransomware once didn’t even have a name of its own. It was just “espionage”, “holding files for ransom”, or “that movie thing”. Now it’s a business model worth billions in revenue, complete with technical support and white-label kits sold to other criminals as crimeware.
So what is ransomware? It has its roots in spyware, but with a different payload once it executes. Spyware tricks the user into running something seemingly innocent so it can insert ads into web browsing or throw up pop-ups. Its goal was to be sneaky and not break anything so it could stick around as long as possible. At some point someone decided they weren’t happy making a few cents per pop-up and realized they could make a lot more money a lot faster. Ransomware relies largely on the same methods of spread as spyware: people clicking things in e-mail they shouldn’t, downloading files from the Internet with nastiness hidden in them, and unsecured or unpatched systems. Once the code is on the system it can do a number of things, but generally it stays quiet for a little while and then encrypts every file of the types it has been told are important: DOC, DOCX, XLS, XLSX, PDF and the like. Many versions will also try to jump to servers and network drives, and in practice they encrypt anything the infected user account has write access to. After encrypting everything it shows a window on your screen demanding payment in some form of cryptocurrency (probably Bitcoin) in exchange for decrypting your files.
Depending on your company size and business, losing access to your files could be devastating or merely extremely annoying. If you’re a one-person carpentry shop, losing your files might be viewed as spring cleaning. An architecture firm losing access to its blueprints the day before breaking ground would be extraordinarily bad. What can you do to prevent a ransomware attack?
Prevention, Or “Only You Can Prevent Forest Fires”
Everything starts with user education. Most ransomware incidents start with someone opening a file or link they shouldn’t have. Targeted attacks through things like exposed RDP servers are a growing share of incidents and require more effort from the attacker, but phishing remains the low-risk, low-effort, high-reward route. Teaching your employees how to identify suspicious e-mails, attachments, and links prevents many attacks, not just ransomware. The general rule is that if you don’t know where it came from, don’t open it. If you do know where it came from but it looks executable (an .exe, a script, an installer, or a document that asks you to “enable content” or macros), don’t open it without contacting the sender through some channel other than replying to the message.
Making certain to patch your software and use current versions goes a long way toward preventing a very bad day when user education fails. Security in the computer world is a multi-layer approach; no single layer should be relied on to catch everything. Software vendors are constantly finding and fixing flaws that would let someone do something with their software they shouldn’t be able to. That’s where being vigilant with patches comes into play. Using the current version (Office 2019 or Office 365 instead of Office 97) ensures that you are actually still receiving patches and the latest security features. Vendors won’t patch software forever; they “sunset” or “end of life” old versions fairly regularly, and anything found after that stays unfixed.
Anything exposed to the Internet is going to be attacked. The more you expose, the more there is to attack and the more you have to protect. Only the bare minimum should be reachable from the Internet. Things like web servers and e-mail servers have to be exposed to be useful. For these, stay on top of patches and upgrades, know your configurations, and put a good application firewall in front of them. Also consider putting servers behind a VPN if they only need to be reached by employees.
In particular, do not expose RDS/RDP (Remote Desktop Services/Remote Desktop Protocol) directly to the Internet. An RDP listener on a public address gets hammered with password-guessing attempts around the clock, and one weak or reused password is enough to hand an attacker an interactive session on the server. Putting RDP behind an RDS Gateway and/or a VPN goes a long way toward keeping your servers safe and happy.
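The check a practitioner would want for the advice above is an audit of where RDP is actually listening and who the firewall lets in, followed by a rule that only admits the VPN or gateway network. The script below is an added example written for this page, not something from the original post. It assumes the VPN or RDS Gateway hands out addresses from 10.8.0.0/24 (a made-up range; substitute your own), runs elevated on the server in question, and uses only the built-in NetTCPIP and NetSecurity cmdlets.

```powershell
# Added example (not from the original post): audit RDP exposure and
# restrict inbound RDP to the VPN / RDS Gateway network.
# ASSUMPTION: 10.8.0.0/24 is the network your VPN clients arrive from.
$TrustedRemoteNetwork = '10.8.0.0/24'
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpExposure {
    # Is anything listening on TCP 3389 at all?
    $listeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # Interfaces with a non-private IPv4 address. A server behind NAT with a
    # port-forward will NOT show up here; check the edge device for that case.
    $publicAddresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.)' }

    # Network Level Authentication makes the client authenticate before a full
    # session is built; without it an unauthenticated client reaches far more code.
    $nla = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication

    # Enabled inbound allow rules for port 3389 whose remote address is "Any".
    $openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

    [pscustomobject]@{
        RdpListening      = [bool]$listeners
        PublicInterfaces  = @($publicAddresses.IPAddress)
        NlaRequired       = ($nla -eq 1)
        RulesOpenToAnyone = @($openRules.DisplayName)
    }
}

function Set-RdpRestricted {
    param([Parameter(Mandatory)][string]$AllowedRemoteNetwork)

    # Require NLA.
    Set-ItemProperty -Path $RdpTcpKey -Name UserAuthentication -Value 1

    # The built-in "Remote Desktop" rule group allows 3389 from any address;
    # turn it off rather than leaving it to be re-enabled by accident.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | Disable-NetFirewallRule

    # Replace it with a rule scoped to the VPN / gateway network only.
    if (-not (Get-NetFirewallRule -DisplayName 'RDP from VPN only' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $AllowedRemoteNetwork -Action Allow -Profile Any | Out-Null
    }
}

$before = Get-RdpExposure
$before | Format-List
if ($before.RdpListening -and ($before.PublicInterfaces.Count -gt 0 -or $before.RulesOpenToAnyone.Count -gt 0)) {
    Write-Warning 'RDP is reachable from untrusted networks; restricting it.'
    Set-RdpRestricted -AllowedRemoteNetwork $TrustedRemoteNetwork
    Get-RdpExposure | Format-List
}
```

Run the audit half first and read the output before letting the script change anything. If you are administering the box over RDP from an address outside the allowed network, the new rule will cut your own session off, so do this from the console, from the VPN, or with a scheduled rollback in place.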
Mitigation, Or “Not Going Out Of Business”
Cyber security is an arms race. The bad guys are incentivized to find new ways to attack you and the good guys are always trying to find ways to prevent those attacks. Eventually the bad guys get ahead and find a way in. When that happens you have to limit the damage. It’s like a fire: it’s best never to have one, but you really want to minimize the damage when it does happen.
The best and most recommended recovery from a ransomware attack is good backups. You should have these anyway, for accidentally deleted files and server failures. “Good” means the backups are tested regularly by actually restoring from them, and they hold everything you would need to rebuild from effectively nothing. With good backups you get a bit of downtime rather than a massive loss of money from possibly paying the ransom, lost trust from customers, and never knowing exactly what was lost. Having offline backups is critical. Ransomware operators deliberately seek out and delete any backups they can reach, including backup shares on the network and copies held on the infected machines themselves, so that you have no choice but to pay. Tape backups are making a comeback because of this. It’s hard for an attacker to delete your backups when they’re on a tape sitting in a fireproof safe somewhere.
If everything else fails, your last lifeline is cyber insurance. There are many insurance companies that can advise you on your options; TechRUG and Hiscox come up a lot in conversations about this. Essentially it’s insurance that helps you pay the ransom and recover so you don’t lose the entire company. This should definitely be the last resort. You’ll still incur financial loss and lost confidence if it comes to this, but it’s better than nothing.
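“Tested regularly” is only meaningful if the test is more than watching the backup job report success. The script below is an added example written for this page, not the post author’s own tooling: it restores a backup set to a scratch directory (that step is whatever your backup product provides), then hashes every file in the live tree and the restored tree, reports anything missing, extra or altered, and flags the set as stale if it is older than the retention policy allows. The two-day policy, the directory names and the sample files are all made up for the demonstration.

```powershell
# Added example (not from the original post): verify a restored backup
# against the live data set and flag stale backups.
function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)][string]$SourcePath,    # live data
        [Parameter(Mandatory)][string]$RestorePath,   # where the restore test landed
        [Parameter(Mandatory)][datetime]$BackupTime,  # when the backup set was taken
        [int]$MaxAgeDays = 2                          # ASSUMPTION: policy allows 2 days
    )

    # Build a table of relative path -> SHA-256 for every file under a root.
    $hashTree = {
        param($root)
        $root  = (Resolve-Path $root).Path.TrimEnd('\')
        $table = @{}
        Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
            $rel = $_.FullName.Substring($root.Length + 1)
            $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
        $table
    }
    $source  = & $hashTree $SourcePath
    $restore = & $hashTree $RestorePath

    $missing   = @($source.Keys  | Where-Object { -not $restore.ContainsKey($_) })
    $extra     = @($restore.Keys | Where-Object { -not $source.ContainsKey($_) })
    $corrupted = @($source.Keys  | Where-Object { $restore.ContainsKey($_) -and $restore[$_] -ne $source[$_] })
    $stale     = $BackupTime -lt (Get-Date).AddDays(-$MaxAgeDays)

    [pscustomobject]@{
        FilesInSource = $source.Count
        FilesRestored = $restore.Count
        Missing       = $missing
        Extra         = $extra
        HashMismatch  = $corrupted
        StaleBackup   = $stale
        Passed        = ($missing.Count -eq 0) -and ($corrupted.Count -eq 0) -and (-not $stale)
    }
}

# Constructed demo data: a tiny "live" tree and a restore with one damaged file.
$demo = Join-Path $env:TEMP ('restore-test-' + [guid]::NewGuid())
$src  = Join-Path $demo 'live'
$rst  = Join-Path $demo 'restored'
New-Item -ItemType Directory -Path "$src\projects", $rst -Force | Out-Null
Set-Content -Path "$src\projects\plans.txt" -Value 'ground floor plan'
Set-Content -Path "$src\quote.txt" -Value 'estimate 42000'
Copy-Item -Path "$src\*" -Destination $rst -Recurse
Set-Content -Path "$rst\quote.txt" -Value 'estimate 4200'   # simulate a bad restore

Test-RestoredBackup -SourcePath $src -RestorePath $rst -BackupTime (Get-Date).AddHours(-6) | Format-List
Remove-Item -Path $demo -Recurse -Force
```

In the demo the report lists quote.txt under HashMismatch and Passed comes back False, which is the point: a restore that “completed” can still be wrong. Run this from a scheduled task against the previous night’s set and alert on Passed being False or on StaleBackup being True; a backup you have never restored is not a backup, it is a hope.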