Ransomware Basics – Improving Security Posture

A quick guide to some ransomware basics for your practice!
By:  Hart Johnson, MSCSIA, CEH, CHFI

You have probably heard of it by now, but ransomware isn’t going anywhere! Ransomware is gaining popularity and steam around the world, and organizations big and small can fall victim to it. In this blog, we will build upon some of the other Security and Technology Blogs we have written to touch on this very scary, but important topic.

First, what is ransomware?

Ransomware is a type of malware. This particular type of malware typically encrypts (basically scrambles) your files on your machine, so that you have to pay a ransom to decrypt (unscramble) the files. This payment is typically due in the form of cryptocurrency such as Bitcoin. Typically, once infected, you are presented with instructions on your device of how to pay the ransom and decrypt your files. The costs can vary, depending on the size, ranging from hundreds for individuals to millions of dollars for large organizations. There are newer types of ransomware attacks as well, where the attackers care less about encrypting your files, and more about exfiltrating (removing/copying) the data so that they can hold it hostage for ransom in order to not release them to the public. Either way, ransomware is scary, BUT with some good security measures in place, you can protect yourself and your organization. Please note, this blog is not meant to provide you with a full security solution and does not guarantee that by implementing some of the recommendations that you will be immune from ransomware, this is just some tips to help you think about ways to help protect your assets.

How does ransomware actually work?

First, the attacker has to infect its target. This can be done from a variety of sources, but one of the main sources is through phishing. You can read up about phishing in our Phishing Blog Post.

Essentially, once infected, the ransomware can either trick a user into installing it or use a security hole in the machine to infect it automatically. At this point, the ransomware malware will typically begin encrypting some or all of the files on the machine, might spread to other networked computers with the same vulnerabilities, and even potentially shut down your entire IT infrastructure. 

At this point, your files are encrypted and you are losing valuable time, data, and more from this attack. Part of the reason we are seeing a rise in high profile ransomware attacks is because they are not very technologically difficult to pull off and these large organizations are more willing to pay to gain access to their systems again, as they are losing revenue quickly.

There is also the potential for the ransomware to be a decoy, in order to put something even more malicious onto your machines, that can cause even more issues down the road. Gaining a foothold in your network could lead to more breaches.

What are some of the impacts of Ransomware?

Ransomware can have a wide-variety of different consequences. It can be as simple as losing access temporarily to information you need to even more malicious breaches like personal and secret information becoming published. Imagine for example, that you have downloaded some patient records to print out or send, and you are hit with ransomware that takes, and publishes that sensitive information. You now have a major breach of health information on your hands! What if the attackers install a key-logger on your machine, and get access to your passwords for all of your sensitive data? That could lead towards a large-scale breach of PHI!

Billions of dollars are lost each year to ransomware in the US alone due to:

• Burden of restoring systems to their original state
• Lawsuits from data breaches
• Payment to the ransomware attackers
• Harm to your organizations or personal reputation
• Disruption to the flow of regular operations, resulting in loss of revenue.

The other issue is that there is no promise that your files will actually be decrypted and no promise that the malware is actually removed from your system after paying the ransom. You have to remember, we are dealing with criminals here, who do not have your best interest in mind. 

So what can you do to help protect and minimize the risk of ransomware?

1. Build out your security awareness training (read our blog on this topic here). The more your employees know how to spot something fishy, the less likely they are to install ransomware. Make sure your employees do not click on pop-ups, ads, links in emails that seem fishy, attachments, or anything else out of the ordinary. Phishing attacks are becoming more common and sophisticated, so be vigilant.
2. Put a backup strategy in place! This cannot be understated. Having a backup, can reduce the impact of ransomware and reduce the time to recovery. If your data is backed up, you will be less concerned about factory resetting your computer to get rid of the infection. Remember, network attached backups can also be infected with ransomware, so it is best to keep critical backups off the network. You should consult with a cybersecurity and/or IT specialist to assist in building your backup strategy.
3. Keep your systems and software up to date! Most infections happen because the operating system is out of date and there is a vulnerability that is being exploited. By keeping your systems up to date, that threat is minimized.
4. Get a good anti-virus/anti-malware application and make sure it stays up to date in order to help protect against ransomware.
5. Don’t click or download random things. This goes back to your security training, but it is important to restate. 
6. Make sure your user permissions are as limited as possible to perform job duties. We should always be employing a principle of “least privilege” in order to only provide the tools/information one needs to do their job, in order to minimize risk of further infection.
7. Use a password manager! While ransomware may not directly affect or be related to your passwords, after a breach, you should assume your passwords are compromised. It would be best practice to change all of your passwords as soon as possible after an attack, to ensure the attacker cannot gain more information. With a password manager, you know exactly what accounts you have and can quickly change all the relevant passwords.
8. Use multi-factor authentication, wherever possible. This will again, help limit the impact if an attacker was able to gain access to your systems, where they may not be able to get past the multi-factor authentication where it is being used.

While this is not an exhaustive list by any means, these are some good first steps. It is always best to consult with a cybersecurity specialist, to ensure you are taking the most appropriate precautions based on your organization’s individual risk factors.

What do I do if I am infected?

Great question! Immediately, unplug your computer from any ethernet cables and turn off your Wi-Fi at the router. Essentially, shut down your network immediately to help prevent spread. Put your device in airplane mode if possible and turn off Wi-Fi and Bluetooth if you can.

Immediately disconnect everything from your computer. Hard drives, USB sticks, anything else that can be compromised, get it off immediately!

Report the incident up your normal chain of command and consult a cybersecurity specialist to talk through remediation steps.

We hope this blog is helpful and will continue this series with more information in the future.

Additional Resources and Links:

https://csrc.nist.gov/CSRC/media/Publications/nistir/draft/documents/NIST.IR.8374-preliminary-draft.pdf

OptimisPT.com