Ransomware: The Threat and How to Protect Your Enterprise Part 1

One of your users—maybe even you—tries to open an application or document on a computer at work. Suddenly, something like this appears on the computer’s screen:ransomware

It may look like an official note from law enforcement, but it’s not. It’s ransomware: an attempt to extort money from individuals and companies alike.

Ransomware attacks essentially use legitimate-appearing, but fraudulent, email attachments and website links to install malware on a victim’s machine. After infecting a computer, malware then encrypts the most valuable files on the victim’s computer. The malware then demands a ransom to restore access, and often threatens to make those hostage files permanently inaccessible unless the ransom is paid within a specific deadline.

In many cases, these extortion attempts work. Earlier this year, a hospital in California reportedly had to pay $17,000 to restore its systems after three weeks of operating without crucial computing resources due to a ransomware attack.

In March, MedStar Health was crippled by a ransomware attack that exploited a nine-year-old server flaw, according to published reports.

These are just two recent examples of ransomware attacks, an increasingly popular method used by cybercriminals to extort money from companies and individual alike. And yes, the ransoms they demand differ based on the victim’s means.

Ransomware defenses

Fortunately, there are several ways to protect your organization against ransomware, some more effective than others. Here I will highlight the most common ransomware defense alternatives.

User education

Is user education really a valid anti-ransomware option? The short answer is no. The slightly longer answer is that it’s useful, but it’s not enough.

Educating users will most likely reduce ransomware and malware infection rates. However, a key point to remember is that in many cases, malware distribution campaigns are created by professional social engineers. Those professionals implement proven methods which increase the efficiency and effectiveness of each campaign to convince even educated employees to download an infected attachment or click on an infected link.

The Verizon 2015 Data Breach Investigations Report found that 23 percent of those who receive phishing emails open them, and 11 percent of those recipients click on attachments to those emails. Verizon also found that a phishing campaign of as few as ten emails was more than 90 percent likely to fool at least one recipient. So by all means, implement a user-education program—but also take at least some basic measures to protects the data on all endpoint devices.

Backup

Scheduled backups are a critical best practice. In case ransomware infects a computer, that computer can be wiped and restored from its most recent backup. However, not all backups are created equal, and some backup solutions will only make things worse.

Many business users rely upon Box, Dropbox, Google Drive, Microsoft OneDrive, or similar cloud-based “file sync and share” solutions to back up endpoint data. This is an easy and effective approach, but it introduces a significant risk in the case of a ransomware attack.

When a computer is infected with ransomware, the ransomware will encrypt files on this computer. Once encrypted, those encrypted files will sync to the cloud and to all devices connected to the same cloud account. As a result, all instances of the original file—on the local computer, in the cloud, and on all other computers connected to the same cloud account—will be encrypted. No user will be able to restore the original document without paying the demanded ransom, rendering this backup method useless against ransomware.

Some cloud-based file sync and share services provide a “back in time” function, allowing the user to restore a copy of a file that was saved before it was encrypted. In such cases, a file encrypted by ransomware can be restored, albeit without any changes made after the last save before encryption. However, it is important to note that some services do not support a “bulk restore” option, forcing users to restore all needed files individually, a time-consuming and potentially error-prone process.

Also, many ransomware variants encrypt files on drives that are connected to the infected computer, including network drives. In case the backup runs on one of those drives, the ransomware will encrypt and infect all the backup data as well.

To defend against ransomware more effectively, choose a one-way backup solution with the ability to bulk restore any versions of backed-up files.

Stay tuned for part two of this series where I’ll discuss the strengths and weaknesses of antivirus software and virtual containers as combatants in your battles against ransomware and other malware. I’ll also highlight the best possible defense against ransomware—a defense you may already have.

Be sure to check out how LANDESK Security Suite (LDSS) can help you thwart potential threats that want to weasel their way into your systems.

ransomware