Finding yourself in a situation where your data is held hostage can be an intensely frustrating experience for individuals and businesses.
Perhaps no other malware has gained as much notoriety as ransomware. Usually disguised as another application, most ransomware encrypts your files, deletes the originals, and leaves a note with instructions to pay the ransom in bitcoin… “Or else!”
It’s easy to become a Ransomware victim
I’m a recent ransomware survivor. My laptop was infected when I clicked on a link to download a whitepaper that turned out to be hosted on a compromised Ad-Server. Ironically, the whitepaper ad was from a well-known security solutions company with the title ‘Preventing Ransomware’!
I later learned that the Ad-Server Brent Media’s domain had just expired, and was picked up immediately by the individuals behind this particular Ransomware attack.
After clicking the link, it was clear to me that something unusual was happening as a small window opened and closed in the blink of an eye and the ransomware went to work on my files. Amazingly, of all the security controls I had on my computer, none of them worked – no data loss prevention alert, no ‘active defense’, nothing.
In my case, on attempting to access my files, I was met with a message explaining that they were encrypted and required a specific code to unlock. You read many stories about the levels of “customer service” offered to victims by the cybercriminals behind ransomware, but here the level of “service” offered wasn’t detailed, and would have been difficult for a non-technical person to follow, showing that this perhaps wasn’t a cutting-edge scam.
Other clues that this wasn’t the latest in ransomware were to follow. Although I back up regularly, I chose to attempt to restore some original files. Running widely available software from BitDefender, I was able to recover a number of my files relatively easily. I was also able to run some code developed by white hats to further restore some folders – it turns out that the majority of the encryption key code was poorly hidden within the ransomware itself.
By viewing details of the Bitcoin Vault in which it was suggested I pay my ransom, I also worked out that the ransomware strain at work here was a derivative of Locky – a well-known version of ransomware.
So, it seems that I was lucky, and the fact that I wasn’t worse off has a lot to do with my knowledge of cybersecurity. I was able to mitigate the effect of the virus by immediately isolating my laptop from any networks, confining the ransomware to a single device. I was also lucky in that I knew I had backups, and didn’t feel the need to pay the ransom – a surefire way of opening yourself to further attacks from criminals who are likely to leave an easy backdoor once they “release” your files.
With a few precautions, you can minimize the damage
The risk of ransomware attacks can be reduced by following good security hygiene. Having frequent backups and a recovery process in place helps restore systems quickly. However, the cybercriminals behind these ransomware attacks have begun targeting backups and archives as well. A simple fix is to keep the backup system offline after each backup cycle.
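As an added example (not code from the original post), here is one way to script the “offline after each cycle” discipline in Python: each cycle copies the source tree into a labelled snapshot, records a SHA-256 manifest, re-verifies the copy, clears the write bits on the files, and then calls a caller-supplied detach hook, which on a real system would unmount the removable or network volume. The `detach_hook` parameter, the snapshot layout and the `MANIFEST.sha256` file name are assumptions of this example. Re-running `verify_snapshot` before a restore is how you find out whether the backup itself was altered after it was written.

```python
"""Offline backup cycle with an integrity manifest (added example, not from the post).

Assumptions not stated in the article:
- backup_root is a directory; in production it is the mount point of a volume
  that detach_hook unmounts after each cycle (that unmount is the real control).
- Snapshot files are made read-only after writing as a speed bump against an
  ordinary-privilege process on the host overwriting them.
"""
import hashlib
import shutil
import stat
import time
from pathlib import Path
from typing import Callable, Dict, List, Optional

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name, not from the article


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _hash_tree(root: Path) -> Dict[str, str]:
    """Map every regular file under root (except the manifest) to its SHA-256."""
    hashes = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            hashes[p.relative_to(root).as_posix()] = _sha256(p)
    return hashes


def create_snapshot(source: Path, backup_root: Path, label: Optional[str] = None) -> Path:
    """Copy source into backup_root/<label>, write the manifest, then seal the files."""
    label = label or time.strftime("%Y%m%dT%H%M%S")
    snapshot = Path(backup_root) / label
    shutil.copytree(source, snapshot)
    hashes = _hash_tree(snapshot)
    with (snapshot / MANIFEST_NAME).open("w", encoding="utf-8") as fh:
        for rel, digest in hashes.items():
            fh.write(f"{digest}  {rel}\n")
    # Seal: read-only for everyone. A privileged process can still undo this,
    # which is why the detach hook, not chmod, is what takes the copy offline.
    for p in snapshot.rglob("*"):
        if p.is_file():
            p.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return snapshot


def load_manifest(snapshot: Path) -> Dict[str, str]:
    expected = {}
    with (Path(snapshot) / MANIFEST_NAME).open(encoding="utf-8") as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    return expected


def verify_snapshot(snapshot: Path) -> List[str]:
    """Return a list of problems (empty means the snapshot matches its manifest)."""
    snapshot = Path(snapshot)
    expected = load_manifest(snapshot)
    actual = _hash_tree(snapshot)
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif rel not in expected:
            problems.append(f"unexpected: {rel}")
        elif expected[rel] != actual[rel]:
            problems.append(f"modified: {rel}")
    return problems


def run_backup_cycle(source, backup_root, label: Optional[str] = None,
                     detach_hook: Optional[Callable[[Path], None]] = None) -> Path:
    """Snapshot, verify, then hand the volume to detach_hook (e.g. an unmount)."""
    snapshot = create_snapshot(Path(source), Path(backup_root), label)
    problems = verify_snapshot(snapshot)
    if problems:
        raise RuntimeError("snapshot failed verification: " + "; ".join(problems))
    if detach_hook is not None:
        detach_hook(Path(backup_root))
    return snapshot


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    src = work / "documents"
    src.mkdir()
    (src / "report.txt").write_text("quarterly figures\n")
    snap = run_backup_cycle(src, work / "backups",
                            detach_hook=lambda root: print(f"detach volume at {root}"))
    print("snapshot", snap, "intact:", verify_snapshot(snap) == [])
```

The verification step is deliberately separate from the copy step so it can be rerun later: a manifest that no longer matches tells you the backup was touched after it was sealed, which is exactly the case the paragraph above warns about.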
A good strategy is to isolate high-value data and apply other ‘defense in depth’ techniques. Here are four approaches to preventing ransomware attacks in the workplace:
1. Educate users. For example, use a ‘show, not tell’ technique: running a mock ‘ransomware drill’ that temporarily locks out a user’s device is likely to drive home the point!
2. Make users understand the organization’s acceptable use and security policies in an interactive, fun manner (perhaps using digital marketing techniques to target the most risk-prone users), rather than through the current mile-long ‘legalese’ that serves the purpose of compliance but does a poor job of making users aware of the risks.
3. Conduct a vulnerability assessment designed to identify weak spots, then run penetration tests to assess the extent of each weakness. There are always trade-offs, however, between business risk and the cost of implementing such security controls.
4. Restrict access to a limited white-listed set of core applications on the organization’s IT systems, while employing a liberal BYOD policy encouraging people to use their own devices to access websites and other non-work related systems. This way, the damage, if any, is contained on the user’s device connected to a sandboxed network segment.
Malware and other cyber-attacks are the new normal
As threatening as it sounds, ransomware is just another malware, and can be avoided with increased user awareness, along with the right security practices such as network segmentation, endpoint detection and response systems, and application whitelisting with a user-friendly BYOD policy. Businesses and individuals need to be aware of the risks, take adequate precautions and follow security hygiene to minimize the impact in case they fall prey to these attacks.
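The endpoint detection mentioned above works by watching for the behaviour the article describes earlier (a process rewriting many files in a few seconds, renaming them, and dropping a note) rather than by recognising a known sample. The following is an added example, not code from the original post, of such a heuristic in Python run over a constructed set of file events. The event shape (`ts`, `pid`, `op`, `path`, `dst`, `data`), the thresholds and the note-name hints are all assumptions of this example; a real sensor would expose an entropy estimate rather than whole file contents.

```python
"""Behavioural detection of a mass-encryption burst (added example, not from the post).

Assumptions (none stated in the article): an endpoint sensor yields file events
as dicts {ts, pid, op, path[, dst][, data]}; thresholds are illustrative.
"""
import math
import os
from collections import defaultdict

# Constructed payload: every byte value equally often -> entropy of exactly 8.0 bits/byte.
HIGH_ENTROPY_BLOB = bytes(range(256)) * 16
# Assumed substrings typical of ransom-note file names; corroborating only, never sufficient.
RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "how_to", "restore")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8, plain text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def burst_size(timed_paths, window: float) -> int:
    """Largest number of distinct paths touched within any `window` seconds."""
    timed_paths = sorted(timed_paths)
    best = 0
    for i, (start, _) in enumerate(timed_paths):
        seen = {p for t, p in timed_paths[i:] if t - start <= window}
        best = max(best, len(seen))
    return best


def analyse(events, window: float = 10.0, min_files: int = 20, min_entropy: float = 7.0):
    """Return {pid: [reasons]} for processes whose file activity looks like encryption."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = {}
    for pid, evs in by_pid.items():
        burst_reasons = []
        # 1. many distinct files overwritten with high-entropy data in a short window
        hot = [(e["ts"], e["path"]) for e in evs
               if e["op"] == "write" and shannon_entropy(e["data"]) >= min_entropy]
        n = burst_size(hot, window)
        if n >= min_files:
            burst_reasons.append(f"{n} high-entropy overwrites within {window}s")
        # 2. many files renamed to one new extension in a short window
        by_ext = defaultdict(list)
        for e in evs:
            if e["op"] == "rename":
                old_ext = os.path.splitext(e["path"])[1]
                new_ext = os.path.splitext(e["dst"])[1]
                if new_ext and new_ext != old_ext:
                    by_ext[new_ext].append((e["ts"], e["dst"]))
        for ext, timed in by_ext.items():
            n = burst_size(timed, window)
            if n >= min_files:
                burst_reasons.append(f"{n} files renamed to '{ext}' within {window}s")
        # 3. a note-like file from the same process only corroborates a burst;
        #    on its own it would flag every README a developer creates
        if burst_reasons:
            for e in evs:
                name = os.path.basename(e["path"]).lower()
                if e["op"] == "create" and any(h in name for h in RANSOM_NOTE_HINTS):
                    burst_reasons.append(f"note-like file created: {e['path']}")
                    break
            alerts[pid] = burst_reasons
    return alerts


def constructed_events():
    """Constructed sample: one benign editor, one encrypting process, one README author."""
    events = []
    for i in range(5):  # pid 100: a text editor saving notes over a minute
        events.append({"ts": 10.0 + i * 12, "pid": 100, "op": "write",
                       "path": f"/home/u/notes{i}.txt", "data": b"meeting notes line\n" * 20})
    for i in range(25):  # pid 200: 25 documents rewritten and renamed in about 2.5 s
        t, p = 100.0 + i * 0.1, f"/home/u/docs/report{i}.docx"
        events.append({"ts": t, "pid": 200, "op": "write", "path": p, "data": HIGH_ENTROPY_BLOB})
        events.append({"ts": t + 0.05, "pid": 200, "op": "rename", "path": p, "dst": p + ".locked"})
    events.append({"ts": 103.0, "pid": 200, "op": "create", "path": "/home/u/docs/README_DECRYPT.txt"})
    events.append({"ts": 200.0, "pid": 300, "op": "create", "path": "/home/u/proj/README.md"})
    return events


if __name__ == "__main__":
    for pid, reasons in analyse(constructed_events()).items():
        print(f"pid {pid}:", "; ".join(reasons))
```

The thresholds are where the tuning effort goes in practice: a backup job or an archiver also writes many high-entropy files quickly, so an endpoint tool would pair this heuristic with an allow list of known processes, which is the same application-whitelisting idea the article recommends.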