Ransomware is primarily about money: the ability of the ransomware author to extract money from the victim within a very short period of time.
Phishing is a means for a person to gain control of your system in order to retrieve money, data or other information from it. Immediate financial gain is of secondary concern; they are looking at the bigger picture of gaining access to your system and the information it contains.
Ransomware may come with a data-theft attack on your system and/or the deployment of software that allows control of your system. Typically it is not an isolated incident.
The two primary methods (vectors) of ransomware intrusion into your systems are:
- Remote access to your network that is active / open
Typically, one can lead to the other.
Once ransomware is inside your network, it can spread like wildfire.
How do you know if you've been infected without having to wait for a user to report it?
The primary method of preventing a ransomware attack is to be brilliant about the basics:
- Keep it simple
- Have multiple layers of detection/protection
- Train and educate users
- Have the right technology
It is a holistic approach: segmentation, training, and the best technology for your environment.
The primary method of deploying malware is spam: it is easy, simple and easily targeted.
E.g. a message from your ex, the last 4 digits of your debit/credit card, someone selling you something. Depending on the subject line, these provoke curiosity about the content and tempt you to open it; then the spam is halfway there, and one click on the link or the attachment and bang, you're infected.
Spam is the most popular propagation mechanism for malware/ransomware; ransomware is the payload.
Malware is the symptom of a successful attack and the means of monetising it; ransomware is an indication that information may have been stolen.
To Prevent / Deter Ransomware / Spam
- layered defences against the different entry vectors
- a base level of multi-layer security
- good network segmentation
- containment is critical: can you contain this?
Innovation is something attackers have great talent for: they target, revise, review, modify and redeploy their attempts.
Generic Antivirus Protection
If you are using generic antivirus or malware protection alone, it is not enough; attackers test and target their attempts against these products.
Ransomware – look back to see what has happened and what you can do to prevent it.
Segmentation – least user privilege: has the receptionist got admin access to inappropriate data, e.g. financial records? You need to check user rights and access controls.
People are the big risk: they do what they want to do, and you can't control all their actions. It's down to training, so that if an issue has occurred, Bob in accounts has the confidence and trust to call the IT department about it. You have to train people and educate them about what is good and bad behaviour.
Good cyber hygiene habits: work computers are for work only, as best practice. "But my cat videos, what about them?" You need to educate workers that even these may be a point of intrusion into the network or their computer.
Educate them that if an email is in the spam folder, leave it there: do not click on the attachment, and if required contact the IT department.
It comes down to CIA basics – Confidentiality, Integrity and Availability. If we don't need to store data, get rid of it from the network.
All information security measures try to address at least one of three goals: protect the confidentiality of data, preserve the integrity of data, and ensure the availability of data.
If you have been attacked, what do you do?
These are the basic steps to detect, respond to and contain a ransomware attack:
- Containment of information: lock the system down and determine what is happening
- Identify the entry point / threat vector: how did it arrive on the network, was it by phishing?
- Kill it quickly, or multiple people will be affected
A ransomware attack can cover for its controllers stealing data from the servers; you can't see what is happening to your data, and perhaps all your financial data has been stolen.
It's a trash-can fire: you are attempting to extinguish it while your attention is distracted from the bigger picture.
You need to isolate the machine: pull it from the network, power it off, and take the steps necessary to keep it safe and secure and remove its ability to interact with other computers. Save and isolate external drives.
- Entry Point: discover the entry point to the network, and the potential for spread to other computers/users/email accounts.
- Isolate and Treat Infection: inform others on the network that an issue has occurred, its nature and the precautions to implement. 40% of machines, after a ransomware attack and payoff, still contained malware; they were owned by others.
How did it get in here? If there was a hole, it needs to be patched.
The worst has happened: ransomware has been deployed and your data is now locked.
Backups are the last line of defence; the best backup scheme is to have 3 backups, in 2 places, 1 of them offsite: the 3-2-1 rule.
Remember that backup is the last line of recovery, but understand that the ransomware (or other malware) may have been waiting to be deployed for days, weeks or longer: how far back can you restore to a known-good point without also affecting the operational effectiveness of your organisation?
You may have to erase the affected system / computer and restore it from your backup. Backup is good hygiene and good practice against ransomware deployment.
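The two backup questions raised above, checking an inventory against the 3-2-1 rule and working out how far back you must go for a clean restore point once dormant malware is suspected, as an added example in Python (not from the talk notes; the inventory, field names and dates are constructed):

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass(frozen=True)
class Backup:
    label: str
    taken: date     # date the copy was made
    place: str      # where the copy lives, e.g. "office-nas", "tape-safe", "cloud"
    offsite: bool   # True if the copy is held outside the primary site

def check_321(backups: List[Backup]) -> List[str]:
    """Return the 3-2-1 rule violations for an inventory; an empty list means compliant."""
    problems = []
    if len(backups) < 3:
        problems.append(f"only {len(backups)} copies, need 3")
    places = {b.place for b in backups}
    if len(places) < 2:
        problems.append("all copies in one place, need 2")
    if not any(b.offsite for b in backups):
        problems.append("no offsite copy")
    return problems

def last_clean_restore_point(backups: List[Backup], first_suspicious: date) -> Optional[Backup]:
    """Newest copy taken strictly before the earliest known sign of compromise.
    Copies taken after that date may carry the dormant payload, so they are skipped.
    Returns None when no copy predates it, i.e. backup alone cannot recover you."""
    clean = [b for b in backups if b.taken < first_suspicious]
    return max(clean, key=lambda b: b.taken) if clean else None

def days_of_rework(restore_point: Backup, detonation: date) -> int:
    """Days of working data lost between the clean copy and the day the data was locked."""
    return (detonation - restore_point.taken).days

# Constructed sample inventory (not from the original notes).
INVENTORY = [
    Backup("nightly-nas", date(2024, 3, 10), "office-nas", False),
    Backup("weekly-tape", date(2024, 3, 3), "tape-safe", False),
    Backup("monthly-cloud", date(2024, 2, 1), "cloud", True),
]

if __name__ == "__main__":
    print("3-2-1 problems:", check_321(INVENTORY) or "none")
    # Suppose log review dates the first suspicious activity to 5 March: the nightly
    # copy from 10 March is then suspect and the weekly tape becomes the fallback.
    point = last_clean_restore_point(INVENTORY, date(2024, 3, 5))
    print("restore from:", point.label, "losing", days_of_rework(point, date(2024, 3, 11)), "days of work")
```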
Training and educating staff comes down to a little love and attention. Trained users are very good at spotting things that are wrong.
Instil in users that they are a significant part of the solution; nobody wants to be the person who is always getting IT to help them out with a password reset or other administration issue.
If they have clicked on a spam email and launched a payload into the computer or network, you have to contain the problem first, but also keep the user informed of what is going on.
Deal with them privately, perhaps with a word about the serious issue they have caused and its effect on the organisation.
You have to consider the risk potential to the organisation.
How do you calculate the risk: what is the impact of something happening, and what is the financial / operational impact?
- figure out how to restore to a good condition and how to resolve the issue
- scenario: start with a single infection that then grows across the network
- what is the effect of the loss of productivity?
- how many people are sitting idle while you are trying to restore their systems?
- 61% of systems can be detected, and take 1 day or more to restore
Should you make the payment? Remember that if you pay you are enabling this cycle of attacks, feeding their addiction.
On the flip side, what if the backup fails?
If you are a critical-care entity such as a hospital, sometimes it is appropriate, even necessary, to pay, as human lives are in critical danger; this is for the management team / Board to determine. Pay the ransom? First see if the decryption key is available for free. Sometimes it is not a simple yes/no or "never pay"; you have to consider all the ramifications of an attack.
If you pay them, you enable them to continue their attacks.
If it is the difference between keeping the doors open and going out of business, payment is a consideration. It may cost you less in the end, but it is not something to promote; victims have paid, e.g. county governments in Florida, USA.
You have to weigh it up: it may be faster to pay the money and restore, but remember there may still be a side effect – a further malware attack or data loss.
Cost of a Ransomware Attack
The restoration of data after an attack can be just the tip of the iceberg. Where might there be a larger impact on the organisation after the attack?
GDPR – regulatory requirement to report the breach and/or loss of data.
Data Protection Commissioner – similarly, for loss of confidential data, customer records, etc.
Loss of user data may result in legal claims arising from the data loss and from sensitive data being in the public arena.
Brand reputation: if you are a trusted company, the loss of customer data, patient records or payment records will affect the trust others have in your company, the goodwill they have, and the brand value to your customers.
The company may have cyber insurance, and the liability may not be its fault, but it may not always know what is and is not covered; these things come into play after an attack.
Small Business Concerns
For a small or medium business to be protected from a ransomware attack, they need to seek out a vendor that will give them a managed service covering security, not just operations. Keep their computers with Windows updates turned on and antivirus software always patched.
Endpoint protection starts with having backups and using them. Ransomware brings other things with it; you may have other cyber incidents occurring. Endpoint protection means multi-behavioural analytics and a segmented, layered approach; it's not just having a database.
It's a layered approach: humans are very good at looking at something and seeing that something is not right, and AI systems in the software detect whether system actions are abnormal. Antivirus, firewall and anti-malware software on the network give layered detection and prevention.
Ransomware prevention is not just people, technology or process; it's all those things working together. It is not completely secure, but it is a more resilient environment – a layered approach.
You can't stop all ransomware; containment is key.