Ransomware is devastating, expensive, and on the rise. Protect yourself from infection with our guide, but plan for the worst too. Make sure you can recover cleanly and quickly if ransomware strikes.
Ransomware on the Rise
Ransomware attacks are increasing in frequency at a frightening rate. According to the Bitdefender 2020 mid-year report, the number of global ransomware reports increased by 715 percent year on year. Ranked by the number of attacks, the United States comes out in first place. The United Kingdom is in second place.
A ransomware attack encrypts your files and data so that you are unable to operate as a business. Returning your systems to their normal operational state requires either wiping your servers and computers and restoring them from backups, or using the decryption key to unlock your files and data. To get the decryption key you need to pay the ransom.
Ransomware causes tremendous impacts that disrupt business operations and can lead to permanent data loss. Ransomware causes:
- Business downtime.
- Productivity loss.
- Revenue loss.
- Reputational loss.
- The loss, destruction, or public release of business-sensitive information.
If you do pay the ransom you have that added cost, and you’re likely to have residual malware infections and disruption following the attack.
You may think it won’t happen to you. You may rationalize that belief by telling yourself you’re too small, and the threat actors have bigger and better targets to hit. Why would they bother with a company like yours? Sadly, that’s not how it works.
Everyone is a target. Far and above any other delivery method, email is still the number one delivery mechanism for ransomware. The phishing attacks that deliver malicious emails are sent out by software that uses mailing lists with millions of entries.
All the email addresses from all the data breaches that have happened in the past ten years or so are available on the Dark Web. The Have I Been Pwned website lists over 10 billion of them. New email addresses are harvested every day and added to these mailing lists. These are the email addresses that receive phishing emails. The threat actors don’t care who they belong to.
Very few ransomware attacks are selectively targeted. All the other attacks, 99 percent of them, do not stalk their victims or do deep reconnaissance. The bad guys aren’t snipers. They’re machine gunners who don’t even bother aiming. They spray out emails willy-nilly then sit back to see who they’ve managed to hit.
Ransom or Restore?
The cybercriminals—the threat actors—charge a ransom to provide the key. The ransom is paid in a cryptocurrency, typically in Bitcoin, although other cryptocurrencies can be stipulated by the threat actors. At the time of writing, according to CoinMarketCap there are over 7,500 active cryptocurrencies.
Even though getting set up to trade in Bitcoin is relatively straightforward, it can still take days to get e-wallets and everything else in place. And for that whole period, you are unable to operate as a business or, at least, to operate effectively.
And even if you do pay the ransom there is no guarantee that you’re going to get your data back. The decryption side of ransomware is often shoddily written, and it might simply not work for you. Even if it does decrypt your files, you are probably still infected by malware such as rootkits, remote access trojans, and keyloggers.
So, it might take days to be able to pay the ransom—even longer if they ask for payment in a cryptocurrency that can only be purchased using another cryptocurrency—and your system isn’t going to be clean and trustworthy after it has been decrypted. Plainly it’s better to bite the bullet and restore your systems from backups. After all, both in the United Kingdom and in the United States we’re advised against paying the ransom.
Restore from backups it is, then. But not so fast. That’s only possible if you have a robust backup procedure in place, the procedure has been adhered to, and your backups have been tested in dry-runs and simulated incidents.
On top of that, the threat actors behind the most sophisticated ransomware have ways of ensuring that your backups are infected too. As soon as you wipe your servers and computers and restore from those backups, you are infected again.
Even so, backups are still the answer. But you need to plan and safeguard your backups in a way that protects them and ensures their integrity when you need them.
Prevention is Better Than Cure
Nobody wants accidents at work: injured people, lots of paperwork, possible liability claims. But you still have a first aid kit on the premises. Yes, prevention is better than cure, but you must still assume that sooner or later you’re going to need that first aid kit and trained first aid responders.
The same goes for cybersecurity. Nobody wants to get hit by ransomware, and you do what you can to prevent it. But you need to have an incident response plan in place that you can turn to when malware strikes. You need a team of people who are familiar with the plan, who have rehearsed the plan, and who will actually follow the plan.
It’s too easy for the plan to be discarded in the heat of the moment. That cannot happen—all of your responses to the incident need to be methodical and co-ordinated. That can only be achieved by following your incident response plan.
We all have automobile insurance and we all hope we don’t need to use it. An incident response plan is like that. You need it, but you don’t want to be in a situation where it has to be deployed. Keeping your vehicle maintained and only allowing trained drivers behind the wheel reduces the likelihood you’ll be in an accident.
The following points will reduce the risk that you need to roll out your incident response plan.
Staff Awareness Training
Most ransomware infections are due to someone falling for a phishing attack. Your employees are the ones on the email front line. They are opening and dealing with emails and attachments all day every day. Sometimes hundreds of emails. It only takes one phishing email to sneak through unspotted and you are infected.
Obviously, your staff must have cybersecurity awareness training so that they can identify phishing emails and other email-borne scams and threats. And this must be topped up and reinforced periodically. Ransomware should be on your cybersecurity risk assessment register, and staff awareness training should be one of your mitigating actions.
One way to reduce email volumes is to try to drive down internal email. The less internal email there is, the easier it is to focus and pay attention to the external email. It’s the external emails that carry the risks. Business chat applications such as Microsoft Teams and Slack are great for this.
Staff Susceptibility Testing
Training is great, but the icing on the cake is testing. It’s easy to find a security firm or online service that will mount a benign phishing campaign.
Employees who fail to recognize the faux-malicious email are obvious contenders for a refresher session in the training. As well as measuring the susceptibility of your staff to fall for phishing emails, it is also a measure of the effectiveness of your staff awareness training.
Principle of Least Privilege
Make sure that processes and users are given the minimum access rights to perform their role-defined functions. The principle of least privilege limits the damage a piece of malware can do if a user account is compromised.
Restrict who has access to administrator accounts and ensure those accounts are never used for anything other than administration. Control access to shares and servers so that people with no role-specific need to access sensitive areas cannot do so.
Spam Filters and Endpoint Protection
Spam filters won’t trap every malicious email, but they will catch some, which is a great benefit. They will detect and quarantine the majority of regular, safe-but-annoying spam. This further drives down the volume of email that your workforce needs to deal with. Reducing the size of the haystack makes it easier to spot the needle.
Of course, anti-virus and anti-malware packages, or a combined endpoint protection package, should be deployed, centrally managed, and configured to update their signatures regularly. Users must not be able to refuse or defer the updates.
Patch, Patch, Patch
Operating systems, firmware, and applications should be within the manufacturer’s support cycle and not end of life. They must be kept up to date with security and bug fix patches. If patches are no longer available for a product, stop using it.
Network Segmentation
For all but the simplest of network designs, segment your networks to isolate critical computers, departments, and teams. They don’t build submarines as long, open-plan tubes. They incorporate bulkheads with watertight bulkhead doors so they can seal off sections that have a leak.
Use a network topology with segregated regions to similarly constrain the spread of malware. An infected segment is a lot easier to manage compared to an entire network.
Backups
Backups are core to a robust business continuity plan. You should back up your data using a scheme that can cope with any foreseeable crisis, whether cyber-based or not. The old backup mantra was the 3-2-1 rule.
- You should have three copies of your data: the live system and two backups.
- Your two backups should be on different media.
- One of those backups should be held off-premise.
To be clear, just having another copy of your data isn’t a backup. It’s better than nothing, but backups are so important that they should be the best you can do on whatever budget you have. A real backup will be created by backup software and will have versioning capabilities. Versioning lets you restore a file from a point in time. So you could restore a file in the state it was in at one o’clock yesterday. Or from sometime last week, or last month. Your retention period and the capacity of your backup storage will dictate how far back in time you can go, and with what granularity.
Backups should be encrypted.
Image-based backups take an image of the entire hard drive, including the operating system. Changes to the live system can be drip-fed to the backup image every couple of minutes so the backup is very close to a real-time snapshot of the live system. All of the top-tier backup solutions can convert a backup image to a virtual machine image. The virtual machine can be spun up on new hardware in the event of a catastrophe. This lets you deploy new server hardware or overcome whatever issue has brought the live system down, while your backup runs as a stop-gap live system and your company remains operational.
And of course, there are off-site backup solutions that allow you to back up to a location safely removed from your premises. So the 3-2-1 rule can be rewritten using any numbers you like. Have as many copies of your backups as it takes for you to feel comfortable, distributed across different locations, and stored on different hardware devices.
However, none of that is going to save your bacon if the threat actors manage to infect your backups. Let’s say the ransomware is set to delay for 28 days before it triggers. You’ll have backed it up many times, to all of your backups.
To combat this, immutable backups can be used. These are backups that cannot be written to once they have been made. This means they cannot be infected by ransomware or any other malware. A robust backup solution uses a layered and varied approach.
- You may implement versioned backups to local network-attached storage (NAS) devices for the fast recovery of accidentally deleted files.
- Your second layer could be image-based backups to local and off-premise storage, so that you can quickly restore a failed server in the event of a total server crash or hardware failure.
- If you round out your backup regime with immutable backups that can never be tainted by malware, you’ll have a solid and comprehensive backup system.
According to the size and complexity of your network, that can quickly become expensive. But compared to the price of failure, it’s cheap. Don’t think of it as paying for backups. Think of it as investing in business continuity.
Incident Response Plan
Not only is an incident response plan a vital tool for ensuring a coordinated and effective response to cyber incidents, depending on your business activities it may be mandatory. If you take credit card payments it’s likely you must comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS has several requirements regarding incident response plans.
A typical incident response plan will contain these sections, each of which should be detailed and precise.
- Preparation. All of the points mentioned above, together with any other defenses that your circumstances merit. Rehearsing the plan with dry-run incidents will familiarise your response team with the plan and will identify shortfalls or problems, allowing the plan to be refined. The more prepared your response team is, the better they will perform when needed.
- Identification. The process of recognizing that an incident is underway, and identifying what type of incident it is. What is happening, who and what is affected, what is the scope of the issue, has data been leaked?
- Containment. Contain the infection and stop it from spreading. Quarantine infected systems.
- Eradication. Wipe the infected systems. Ensure the malware has been removed from all compromised machines. Apply any patches or security hardening steps that your organization has adopted.
- Recovery. Which systems are a priority and should be returned to service first? Restore these from backups, and change the authentication credentials for all accounts. Restore from immutable backups if you have them. If not, verify that the backups are malware-free before restoring them.
- Lessons Learned. How did the infection happen, and what would have stopped it? Was it an exploited vulnerability or a human error? What steps will plug the gap in your security?
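The layered backup scheme above and the Recovery step’s instruction to verify backups before restoring both rest on being able to tell whether a backup copy is still what you wrote. This added example (not code from the article or any product it mentions) records a SHA-256 manifest at backup time and checks the backup against it before a restore; it assumes the backup is a plain directory tree and that the manifest is kept on separate, write-once storage so it cannot be altered together with the backup.

```python
# Added example, not from the article: a hash manifest recorded at backup time
# and checked before restore, catching a backup copy that ransomware has since
# encrypted or deleted. Assumes a directory-tree backup and a manifest stored on
# separate write-once (immutable) media, so both cannot be altered together.
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits/byte; plain text scores ~4-5, ciphertext ~8

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(backup_dir):
    # Map each file (path relative to the backup root) to its SHA-256 digest.
    return {os.path.relpath(os.path.join(r, f), backup_dir): sha256_file(os.path.join(r, f))
            for r, _, files in os.walk(backup_dir) for f in files}

def verify_backup(backup_dir, manifest):
    # Findings as (kind, path); an empty list means the backup matches the manifest.
    findings = []
    for rel, expected in manifest.items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            findings.append(("missing", rel))
        elif sha256_file(full) != expected:
            with open(full, "rb") as f:
                high = shannon_entropy(f.read(1 << 20)) > ENTROPY_THRESHOLD
            findings.append(("encrypted?" if high else "modified", rel))
    return sorted(findings)

def demo():
    # Constructed scenario: a clean backup, then the same backup after a simulated
    # ransomware pass (one file overwritten with random bytes, one deleted).
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("a.txt", b"quarterly figures\n" * 200), ("b.txt", b"hello\n" * 50)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(d)
        clean = verify_backup(d, manifest)
        with open(os.path.join(d, "a.txt"), "wb") as f:
            f.write(os.urandom(4096))  # stands in for ransomware output
        os.remove(os.path.join(d, "b.txt"))
        return clean, verify_backup(d, manifest)
```

The check detects a backup that was altered after it was written; it says nothing about malware that was already on the live system when the backup was taken, which is why retention must reach back past any delayed trigger and why the Recovery step still calls for verifying that a backup is malware-free.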
Don’t forget to report ransomware as a crime. You may also need to report the incident to your regional or national data protection authority. In Europe—because you lost control of the data while it was encrypted—a ransomware attack is considered a data breach under the General Data Protection Regulation (GDPR) even if no data was actually stolen or lost. Legislation that governs you may uphold the same concept, such as the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA).