Ransomware: the Threat and How to (and How NOT to) Protect Your Enterprise (Part 1 of 2)

One of your users—maybe even you—tries to open an application or document on a computer at work. Suddenly, something like this appears on the computer’s screen.


It may look like an official notice from law enforcement, but it’s not. It’s ransomware: an attempt to extort money from individuals and companies alike.

Ransomware attacks typically use legitimate-looking but fraudulent email attachments and website links to install malware on a victim’s machine. After infecting the computer, the malware encrypts the most valuable files it finds, then demands a ransom to restore access, often threatening to make those hostage files permanently inaccessible if the ransom is not paid by a specific deadline.

These extortion attempts often work. In February, Hollywood Presbyterian Medical Center in Los Angeles reportedly had to pay $17,000 to restore its systems after three weeks of operating without crucial computing resources because of a ransomware attack. In March, MedStar Health, a 10-hospital, $4.6-billion healthcare system in the Baltimore-Washington, D.C. area, was crippled by a ransomware attack that exploited a nine-year-old server flaw, according to published reports.

These are just two recent examples of ransomware attacks, an increasingly popular method used by bad guys to extort money from companies and individuals alike. And yes, the ransoms they demand differ based on the victim’s means.

Fortunately, there are several ways to protect your organization against ransomware, some more effective than others. In this post, I have tried to highlight the most common ransomware defense alternatives.

User education: is it really a valid anti-ransomware option?

The short answer is “no.” The slightly longer answer is “it’s useful, but it’s not enough.”

Educating users will most likely reduce ransomware and malware infection rates. However, remember that many malware distribution campaigns are created by professional social engineers, who use proven methods that make each campaign more efficient and effective at convincing even educated employees to download an infected attachment or click on a malicious link.

The Verizon 2015 Data Breach Investigations Report found that 23 percent of those who receive phishing emails open them, and 11 percent of those recipients click on attachments to those emails. Verizon also found that a phishing campaign of as few as 10 emails was more than 90 percent likely to fool at least one recipient. So by all means, implement a user-education program, but also take at least some basic measures to protect the data on all endpoint devices.

Backup: the first line of defense—but be warned!

Of course, scheduled backups are a critical best practice. In case ransomware infects a computer, that computer can be wiped and restored from its most recent backup. However, not all backups are created equal, and some backup solutions will only make things worse.

Many business users rely upon Box, Dropbox, Google Drive, Microsoft OneDrive, or similar cloud-based “file sync and share” solutions to back up endpoint data. This is an easy and effective approach, but it introduces a significant risk in the case of a ransomware attack. When a computer is infected with ransomware, the ransomware encrypts the files on that computer. Once encrypted, those files sync to the cloud and to all devices connected to the same cloud account. As a result, every instance of the original file—on the local computer, in the cloud, and on all other computers connected to the same cloud account—ends up encrypted. No user will be able to restore the original document without paying the demanded ransom, rendering this backup method useless against ransomware.

Some cloud-based file sync and share services provide a “back in time” function, allowing the user to restore a copy of a file that was saved before it was encrypted. In such cases, a file encrypted by ransomware can be restored, albeit without any changes made after the last save before encryption. However, it is important to note that some services do not support a “bulk restore” option, forcing users to restore all needed files individually, a time-consuming and potentially error-prone process.

Also, many ransomware variants encrypt files on every drive connected to the infected computer, including network drives. If the backup lives on one of those drives, the ransomware will encrypt all the backup data as well.

To defend against ransomware more effectively, choose a “one-way” backup solution with the ability to bulk restore any versions of backed-up files.
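To make the difference between a sync-and-share mirror and a “one-way,” versioned backup concrete, here is an added simulation (example code written for this post, not a product of the author or of any vendor named above). It models a store whose client API can only append new file versions and never overwrite or delete old ones, alongside a plain mirror that copies whatever is currently on the endpoint. The “damage” step simply overwrites each file with random bytes in place; it is a constructed stand-in for the effect described in the text, not an implementation of any encryption. All paths, contents and timestamps are constructed sample data.

```python
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Version:
    ts: float      # timestamp of the backup run (constructed, increasing)
    digest: str    # sha256 of the stored content


class VersionedBackup:
    """'One-way' backup: the endpoint can only append new versions.

    Nothing already stored can be overwritten or deleted through this API,
    so a later run that ingests damaged files cannot destroy older versions.
    """

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}               # digest -> content
        self.history: dict[str, list[Version]] = {}     # path -> versions

    def backup(self, files: dict[str, bytes], ts: float) -> None:
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.blobs.setdefault(digest, data)          # content-addressed, deduplicated
            hist = self.history.setdefault(path, [])
            if not hist or hist[-1].digest != digest:    # record only real changes
                hist.append(Version(ts, digest))

    def bulk_restore(self, before: float) -> dict[str, bytes]:
        """Return every path's newest version taken strictly before `before`.

        This is the bulk 'back in time' restore the post recommends: one call
        recovers the whole tree as it was before the incident."""
        restored = {}
        for path, hist in self.history.items():
            good = [v for v in hist if v.ts < before]
            if good:
                restored[path] = self.blobs[good[-1].digest]
        return restored


class SyncMirror:
    """File sync and share without version history: the cloud copy simply
    mirrors the endpoint, so it faithfully replicates damage too."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}

    def sync(self, files: dict[str, bytes]) -> None:
        self.files = dict(files)


def simulate_damage(files: dict[str, bytes]) -> dict[str, bytes]:
    """Constructed stand-in for the effect described in the post: every file
    is overwritten in place with unreadable bytes. No real encryption."""
    return {path: os.urandom(len(data)) for path, data in files.items()}


def run_scenario():
    originals = {  # constructed sample endpoint contents
        "finance/q1-report.docx": b"quarterly numbers",
        "notes/meeting.txt": b"action items",
    }
    store, mirror = VersionedBackup(), SyncMirror()

    # t=1: routine backup and sync while the endpoint is healthy
    store.backup(originals, ts=1.0)
    mirror.sync(originals)

    # t=2: the endpoint's files are damaged; the next scheduled job runs
    # anyway, and both systems ingest the damaged state
    damaged = simulate_damage(originals)
    store.backup(damaged, ts=2.0)
    mirror.sync(damaged)

    # Recovery: ask the versioned store for everything as it was before t=2
    recovered = store.bulk_restore(before=2.0)
    return originals, recovered, mirror.files


if __name__ == "__main__":
    originals, recovered, mirrored = run_scenario()
    print("versioned store recovered originals:", recovered == originals)
    print("sync mirror still holds originals:", mirrored == originals)
```

The point of the design is that the endpoint never holds a credential that can delete or overwrite stored versions, so even a backup job that runs after the infection only adds a bad version on top of the good ones. Renamed copies (for example a `.locked` suffix) are handled the same way, since they appear as new paths whose only versions post-date the incident and are therefore skipped by `bulk_restore`.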

Part 2 of this post will examine the strengths and weaknesses of antivirus software and virtual containers as combatants in your battles against ransomware and other malware. I’ll also highlight the best possible defense against ransomware—a defense you may already have.