Ransomware: The Threat and How to Protect Your Enterprise
One of your users—maybe even you—tries to open an application or document on a computer at work. Suddenly, something suspicious appears on the computer’s screen.
It may look like an official note from law enforcement, but it’s not. It’s ransomware: an attempt to extort money from individuals and companies alike.
Ransomware usually arrives as a legitimate-looking but malicious email attachment or web link that installs malware on the victim’s machine. Once running, the malware encrypts the most valuable files it can reach and demands a ransom for the decryption key, often threatening to make the hostage files permanently inaccessible unless payment arrives before a deadline.
In many cases, these extortion attempts work. Earlier this year, a hospital in California reportedly paid about $17,000 to regain access to its systems after more than a week of operating without critical computing resources because of a ransomware attack.
In March, MedStar Health was crippled by a ransomware attack that exploited a nine-year-old server flaw, according to published reports.
These are just two recent examples of ransomware attacks, an increasingly popular way for cybercriminals to extort money from companies and individuals alike. And yes, the ransoms demanded vary with the victim’s apparent ability to pay.
Ransomware defenses
Fortunately, there are several ways to protect your organization against ransomware, some more effective than others. Here I will highlight the most common ransomware defense alternatives.
User education
Is user education really a valid anti-ransomware option? The short answer is no. The slightly longer answer is that it’s useful, but it’s not enough.
Educating users will most likely reduce ransomware and malware infection rates. A key point to remember, however, is that many malware distribution campaigns are built by professional social engineers, who refine their lures with each campaign until even well-trained employees open the attachment or click the link.
The Verizon 2015 Data Breach Investigations Report found that 23 percent of recipients open phishing emails and 11 percent click on the attachments. Verizon also found that a campaign of as few as ten emails has a better than 90 percent chance of fooling at least one recipient. So by all means run a user-education program, but also put basic technical controls around the data on every endpoint, because some fraction of users will click.
Backup
Scheduled backups are a critical best practice. In case ransomware infects a computer, that computer can be wiped and restored from its most recent backup. However, not all backups are created equal, and some backup solutions will only make things worse.
Many business users rely upon Box, Dropbox, Google Drive, Microsoft OneDrive, or similar cloud-based “file sync and share” services to back up endpoint data. Sync is convenient, but it is not a backup: it faithfully replicates whatever happens to the local copy, which is exactly the wrong property in a ransomware attack.
When ransomware encrypts files on an infected computer, the sync client treats each encrypted file as a normal edit and pushes it to the cloud and to every other device on the same account. Every instance of the original file, on the local computer, in the cloud, and on all other connected computers, is replaced with ciphertext. Unless the service retains earlier versions, nobody can restore the document without paying, which makes plain sync useless as a ransomware backup.
Some sync and share services provide a “back in time” function that restores the version of a file saved before it was encrypted. In such cases the file can be recovered, minus any changes made after that last save. Two caveats apply: version history is usually kept only for a limited retention window, and some services do not offer a bulk restore, forcing users to recover thousands of files one at a time, a slow and error-prone process.
Many ransomware variants also encrypt files on every drive the infected computer can write to, including mapped network shares and attached USB disks. If the backup lives on one of those drives, it is encrypted along with the originals.
To defend against ransomware effectively, choose a backup that the endpoint cannot modify or delete (a store the endpoint can only push to, or a server that pulls from the endpoint), that keeps every version of every file, and that can bulk restore any version. Test the restore path before you need it.
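The properties called for above (the endpoint can only add data, every version survives, and a whole snapshot can be restored at once) are easy to see in a small content-addressed store. The following is an added illustration written for this article, not LANDESK’s or any vendor’s code; the directory layout, the sample documents and the `simulate_ransomware` stand-in are constructed for the demo.

```python
"""Content-addressed, append-only snapshot store with bulk restore.

Added illustration, not LANDESK's or any vendor's code. The store never
overwrites or deletes a blob, so a snapshot taken before infection survives
later snapshots of encrypted files. Directory names and the ransomware
stand-in below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile


class SnapshotStore:
    def __init__(self, root):
        self.blobs = os.path.join(root, "blobs")
        self.snaps = os.path.join(root, "snapshots")
        os.makedirs(self.blobs, exist_ok=True)
        os.makedirs(self.snaps, exist_ok=True)

    def _put_blob(self, data):
        # Blobs are keyed by SHA-256 and written once; there is no delete API,
        # so an endpoint that pushes to this store cannot destroy history.
        digest = hashlib.sha256(data).hexdigest()
        path = os.path.join(self.blobs, digest)
        if not os.path.exists(path):
            with open(path, "wb") as fh:
                fh.write(data)
        return digest

    def snapshot(self, source_dir):
        """Record every file under source_dir; return the new snapshot id."""
        manifest = {}
        for dirpath, _, names in os.walk(source_dir):
            for name in names:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    manifest[os.path.relpath(full, source_dir)] = self._put_blob(fh.read())
        snap_id = f"{len(os.listdir(self.snaps)) + 1:04d}"
        with open(os.path.join(self.snaps, snap_id + ".json"), "w") as fh:
            json.dump(manifest, fh)
        return snap_id

    def restore(self, snap_id, target_dir):
        """Bulk-restore every file of one snapshot; return the file count."""
        with open(os.path.join(self.snaps, snap_id + ".json")) as fh:
            manifest = json.load(fh)
        for rel, digest in manifest.items():
            dest = os.path.join(target_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(os.path.join(self.blobs, digest), "rb") as src:
                with open(dest, "wb") as dst:
                    dst.write(src.read())
        return len(manifest)


def simulate_ransomware(directory):
    """Stand-in for ransomware behaviour (constructed): overwrite each file
    with random bytes and rename it with a .locked suffix."""
    for dirpath, _, names in os.walk(directory):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "wb") as fh:
                fh.write(os.urandom(64))
            os.rename(full, full + ".locked")


def demo(workdir):
    """Back up, get 'encrypted', then bulk-restore the pre-infection snapshot.
    Returns (files_restored, all_contents_match_originals)."""
    docs = os.path.join(workdir, "docs")
    os.makedirs(os.path.join(docs, "q1"))
    originals = {"budget.docx": b"FY budget v3",
                 os.path.join("q1", "notes.txt"): b"meeting notes"}
    for rel, data in originals.items():
        with open(os.path.join(docs, rel), "wb") as fh:
            fh.write(data)

    store = SnapshotStore(os.path.join(workdir, "store"))
    clean_snap = store.snapshot(docs)   # taken before infection
    simulate_ransomware(docs)
    store.snapshot(docs)                # a sync-style 'backup' would now hold only this

    restored = os.path.join(workdir, "restored")
    count = store.restore(clean_snap, restored)
    matches = True
    for rel, data in originals.items():
        with open(os.path.join(restored, rel), "rb") as fh:
            matches = matches and fh.read() == data
    return count, matches


def run_demo():
    """Run the demo in a fresh temporary directory."""
    return demo(tempfile.mkdtemp())


if __name__ == "__main__":
    print(run_demo())
```

The second snapshot, taken after the “infection”, stores only ciphertext, exactly what a sync client would hold; the difference is that the first snapshot is still there and `restore` brings the whole tree back in one call. In a real deployment the store runs on a host the endpoint cannot log in to and cannot delete from.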
Traditional antivirus software
Many organizations rely upon traditional antivirus software to protect against malware, including ransomware. This works well against samples the organization’s antivirus vendor or vendors have already seen and written signatures for.
However, today’s malware is highly dynamic: ransomware is repacked or recompiled so that each campaign, sometimes each victim, receives a binary with a new hash. The Verizon 2015 Data Breach Investigations Report found that 70 to 90 percent of malware samples are unique to a single organization.
With that much churn, signature-based antivirus alone is unlikely to detect and block the ransomware that hits your organization.
Advanced antivirus software
Newer antivirus products use so-called heuristic techniques, based on decision rules or weighted criteria applied to a program’s behaviour, to detect and block previously unseen instances and variants of malware, including ransomware.
Numerous startups and younger vendors, such as SentinelOne, offer behavioural detection that can stop ransomware and other malware as it starts to run. Even these products are not bulletproof: malware authors test against them, learn which behaviours trip the rules and adjust, so heuristics should be treated as one layer rather than the whole defence.
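To make “decision rules or weighted criteria” concrete, here is an added example, written for this article and not taken from SentinelOne, LANDESK or any product, of a weighted heuristic scorer run over a constructed stream of file-activity events. The four rules (high-entropy writes to document types, extension changes, many files touched in a short window, a ransom-note drop), their weights, the threshold, the process name `svc_update.exe` and the paths are all assumptions made for the demo.

```python
"""Heuristic, weighted-rule scoring of per-process file activity.

Added illustration, not SentinelOne's, LANDESK's or any product's logic.
Rule weights, the threshold, the process names and the event stream are all
constructed; real engines draw on far more signals than these four.
"""
import math
import os
from collections import defaultdict

HIGH_ENTROPY = 7.5                                  # bits/byte; ciphertext sits near 8.0
COMPRESSED_TYPES = {".jpg", ".png", ".zip", ".gz", ".mp4"}   # legitimately high entropy
RULE_WEIGHTS = {                                     # illustrative weights
    "high_entropy_write": 3,
    "extension_changed": 2,
    "mass_modification": 4,
    "ransom_note_dropped": 5,
}
BLOCK_THRESHOLD = 8


def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path):
    return os.path.splitext(path)[1].lower()


def score_process_activity(events, window=30.0, mass_count=10):
    """events: dicts with time, process, action ('write'|'create'|'rename'),
    path, and data or new_path. Returns {process: (score, reasons, block)}."""
    state = defaultdict(lambda: {"reasons": set(), "touched": {}})
    for ev in events:
        st = state[ev["process"]]
        if ev["action"] in ("write", "create"):
            st["touched"][ev["path"]] = ev["time"]
            if _ext(ev["path"]) not in COMPRESSED_TYPES and \
                    shannon_entropy(ev["data"]) > HIGH_ENTROPY:
                st["reasons"].add("high_entropy_write")
            name = os.path.basename(ev["path"]).upper()
            if ev["action"] == "create" and ("DECRYPT" in name or "RESTORE" in name):
                st["reasons"].add("ransom_note_dropped")
        elif ev["action"] == "rename" and _ext(ev["path"]) != _ext(ev["new_path"]):
            st["reasons"].add("extension_changed")

    results = {}
    for proc, st in state.items():
        times = sorted(st["touched"].values())
        # mass_count distinct files modified inside one sliding time window
        for i in range(len(times) - mass_count + 1):
            if times[i + mass_count - 1] - times[i] <= window:
                st["reasons"].add("mass_modification")
                break
        score = sum(RULE_WEIGHTS[r] for r in st["reasons"])
        results[proc] = (score, sorted(st["reasons"]), score >= BLOCK_THRESHOLD)
    return results


CIPHERTEXT = bytes(range(256)) * 16   # uniform byte distribution: stands in for encrypted output
TEXT = b"Quarterly budget: travel 12,000; hardware 30,500; training 4,200.\n"


def sample_events():
    """Constructed event stream: two benign processes and one ransomware-like one."""
    docs = "C:/Users/alice/Documents/"
    events = [
        {"time": 50.0, "process": "WINWORD.EXE", "action": "write",
         "path": docs + "budget.docx", "data": TEXT},
        {"time": 60.0, "process": "7z.exe", "action": "write",
         "path": docs + "archive.zip", "data": CIPHERTEXT},
    ]
    for i in range(12):                # 'svc_update.exe' is a made-up process name
        path = docs + f"report{i}.docx"
        events.append({"time": 100.0 + i * 0.4, "process": "svc_update.exe",
                       "action": "write", "path": path, "data": CIPHERTEXT})
        events.append({"time": 100.1 + i * 0.4, "process": "svc_update.exe",
                       "action": "rename", "path": path, "new_path": path + ".locked"})
    events.append({"time": 105.0, "process": "svc_update.exe", "action": "create",
                   "path": docs + "HOW_TO_DECRYPT.txt", "data": TEXT})
    return events


def demo():
    return score_process_activity(sample_events())


if __name__ == "__main__":
    for proc, (score, reasons, block) in demo().items():
        print(proc, score, reasons, "BLOCK" if block else "allow")
```

Word writing plain text and 7-Zip writing a high-entropy archive both score zero, because the entropy rule is scoped to file types that should not be compressed; the made-up process trips all four rules and crosses the threshold. The same structure shows why heuristics can be evaded: an author who writes slowly, keeps the original extension and skips the note has to be caught by the entropy rule alone.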
Can containers contain malware?
So-called container solutions isolate applications running on endpoints, typically browsers, email clients and document viewers, from the rest of the operating system and the corporate network. If a user opens a malicious attachment inside a contained application, the ransomware runs only inside that container, encrypting what is there but leaving the rest of the system untouched.
The container can then be wiped and restored so the user can continue working with minimal interruption. The protection holds only for content opened inside the container; files a user deliberately moves out of it are exposed again. Bufferzone, a leading provider of container solutions, is both a LANDESK One technology partner and a Shavlik partner.
Encryption prevention
The main purpose of crypto-ransomware is to encrypt files, especially Microsoft Office documents (ransomware is often designed to target specific file types). A good method to protect against it is therefore to prevent those documents from being encrypted in the first place.
Solutions such as LANDESK Security Suite (LDSS) enable IT and security admins to ensure that designated documents or file types cannot be modified by anything other than an approved application, whether the would-be writer is ransomware or a legitimate encryption tool.
For example, a simple rule can be defined within LDSS to allow only Microsoft Word to modify .doc or .docx files. Even if ransomware infects a user’s endpoint, it will not be able to encrypt those Word documents, and the most recent versions remain unharmed. The user stays productive, continuing to work on the latest versions without restoring older copies from backup. One caveat when writing such rules: many ransomware families do not overwrite a document in place but write an encrypted copy under a new name and then delete or rename the original, so the rule must cover delete and rename operations as well as writes.
Whitelisting
The strongest single control against malware, ransomware included, is application whitelisting. With whitelisting, users can run only the applications on an approved list; an unknown ransomware executable is not on that list and so cannot start. The caveat is scope: payloads that run inside an already-approved interpreter (a malicious Office macro, a PowerShell or script file) are not stopped by an executable-only whitelist, so the policy should also cover scripts, macros and loaded libraries.
Creating the list of authorized applications may be time-consuming, but the right tools can make the task easier and faster to complete. With LANDESK Security Suite, for example, IT or security administrators can create whitelists automatically by using the included application reputation database, or by using so-called gold images of legitimate applications.
But even if you must create your whitelists manually, the protections they can provide are worth the effort.
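The following added example, written for this article and not LANDESK Security Suite’s implementation, shows the gold-image approach in its simplest form: hash every executable and script in a known-good image, then allow a program to run only if its content hash is on that list. The fake `MZ` binaries, the `Invoice_2016.pdf.exe` lure name and the directory layout are constructed; the decision is by hash, so renaming or relocating a file changes nothing, while a single patched byte in an approved binary is enough to deny it.

```python
"""Application whitelisting by content hash, seeded from a gold image.

Added illustration, not LANDESK Security Suite's implementation. The gold
image, the fake 'MZ' binaries and the endpoint paths are constructed.
"""
import hashlib
import os
import tempfile

# Gate scripts as well as native executables (see the caveat in the text).
EXECUTABLE_TYPES = (".exe", ".dll", ".ps1", ".js", ".vbs")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(gold_image_dir):
    """Hash every executable/script in the gold image -> {sha256: relative path}."""
    allow = {}
    for dirpath, _, names in os.walk(gold_image_dir):
        for name in names:
            if name.lower().endswith(EXECUTABLE_TYPES):
                full = os.path.join(dirpath, name)
                allow[sha256_file(full)] = os.path.relpath(full, gold_image_dir)
    return allow


def check_execution(path, allowlist):
    """Decide by content hash, never by file name or location.
    Returns (allowed, reason)."""
    digest = sha256_file(path)
    if digest in allowlist:
        return True, "matches gold image file " + allowlist[digest]
    return False, "sha256 " + digest[:12] + "... not in allowlist"


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build an allowlist from a constructed gold image and check three files
    an endpoint tries to execute. Returns {case: result}."""
    work = tempfile.mkdtemp()
    gold = os.path.join(work, "gold")
    word_bytes = b"MZ" + b"\x90" * 200 + b"WINWORD constructed"   # fake PE image
    _write(os.path.join(gold, "Office", "WINWORD.EXE"), word_bytes)
    _write(os.path.join(gold, "Office", "readme.txt"), b"not executable, not listed")
    allowlist = build_allowlist(gold)

    ep = os.path.join(work, "endpoint")
    # Same bytes under a new name and path: still allowed (hash-based, not path-based).
    _write(os.path.join(ep, "Downloads", "word_copy.exe"), word_bytes)
    # Unknown binary delivered by phishing: denied without needing a signature.
    _write(os.path.join(ep, "Downloads", "Invoice_2016.pdf.exe"),
           b"MZ" + b"\x00" * 100 + b"constructed payload")
    # Approved binary with one patched byte: denied.
    tampered = bytearray(word_bytes)
    tampered[100] ^= 0xFF
    _write(os.path.join(ep, "Office", "WINWORD.EXE"), bytes(tampered))

    cases = {
        "renamed_copy": os.path.join("Downloads", "word_copy.exe"),
        "unknown_download": os.path.join("Downloads", "Invoice_2016.pdf.exe"),
        "tampered_word": os.path.join("Office", "WINWORD.EXE"),
    }
    result = {"allowlist_size": len(allowlist)}
    for name, rel in cases.items():
        result[name] = check_execution(os.path.join(ep, rel), allowlist)[0]
    return result


if __name__ == "__main__":
    print(demo())
```

The cost the text mentions shows up here too: every legitimate update to Word changes its hash, so the allowlist has to be rebuilt from a refreshed gold image (or supplemented with publisher-signature rules) as part of the patch cycle, or users will be blocked from the very software you just deployed.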
Whatever you do, do it now!
Ransomware is growing in popularity and increasingly infecting organizations large and small. It is not a question of if ransomware will infect your organization; it is a question of when.
The sooner you and your colleagues take effective steps to defend against this potent threat, the less likely your organization will become a ransomware victim. Start today by evaluating the protection tools you already have and activating as much protection as possible, using the selections above as a guide.