AUG 2016 – If we ask organizations what kind of security issues they experienced recently, ransomware is usually mentioned. This is not strange as security reports confirm that ransomware is booming and has become a business model that is constantly optimize and innovated.
We are seeing a growing number ransomware incidents all over the world over the past year. We won’t explain here what ransomware precisely does or which variant exists.
Instead we want to focus on 2 key questions:
- Why do we see a growing number of ransomware incidents?
- What can you do about it?
A ransomware is a type of malicious software that, once it infects a computer, causes encryption of files and asks you for a ransom to decrypt them. Ransomwares are usually distributed via email attachments, often pdf files. The problem is that antivirus software is not blocking ransomware as cyber criminals are creating different variants of the malware and using each of the variants only once. Antivirus works by blacklisting ‘known’ malware, hence not recognizing and blocking new variants of the ransomware.
A ransomware usually starts encrypting files randomly, including network drives or server files. Therefore, the impact on an organization can be significantly. The ransom is usually a few hundred euro’s. Paying the ransom is, however, not always a guarantee that you receive the keys to decrypt the files.
Why Do We See A Growing Number Of Ransomware Incidents?
There are 3 key drivers. Breaking these drivers will result in less incidents.
Hackers are now businessmen: Ransomware is constantly innovated and adapted to be more efficient. Both on a technical level as on it capability to trick humans. Professional developers are selling their ransomware kit to fierce mafia-like businessman that want to make as much money as quickly as possible.
Technology fails to block it: There is not a bulletproof technical solution to completely block ransomware because of the different ransomware variants circulating. However the technology is constantly being improved, but it remains a cat-and-mouse game between the hacker and the defender.
People don’t think before they click: Most people are not properly trained to spot phishing emails like ransomware, let alone to understand what they should do if they ever have their computer infected. We saw multiple cases where someone just handed their computer over to the IT service because ‘it was acting strange’. In one case someone even reported his/her laptop as stolen.
5 Key Best Practices You Should Follow
The following best practices will protect your organisation from getting infected in the first place.
Nr 1: Lookout for end-point innovations: There are several innovative vendors on the market are looking into ransomware protection and easy recovery.
Nr 2: Secure your email flows: Several technical solutions and intelligence sources exists can prevent a set of ransomware variants from getting to the users inbox in the first place, like sandbox-based analysis. But don’t forget to implement the basic best-practices like: SPF verification and enforcement.
Nr 3: Train the human: There will always be ransomware and other malicious email that end-up in the users inbox. The simplest way to block ransomware is not to click on malicious attachments or links. Our conclusion is that keeping ransomware out is everyone’s job. We recommend to train your staff to spot phishing emails.
Today, 80% of all malware can be traced to a phishing email. 95% of the cyber-attacks employ email phishing. Being still thé number 1 human risk of any organization, it should be everyone’s job to be able to spot a phish or ransomware.
There are multiple ways to achieve this: The best approach is to have your staff experience a ransomware through email phishing simulations and measure who falls victim. This should be combined with additional learning channels like online trainings, handing out tips & tricks via email or intranet, or by organizing information security workshops.
Cranium is specialized in organizing cyber awareness campaigns, including email phishing simulations and online trainings. Contact us if you want to get started or need more information on how to get started.
If you do become a victim the following actions can allow you to restore the damage done.
Nr 4: Have backups ready: As explained in one of our previous blog articles, regularly backing up data and making sure they work will help you limit the impact on your business: http://www.krinoscybersecurity.com/how-dropbox-for-business-makes-your-files-ransomware-proof/
Nr 5: Try to decrypt the files yourself: A joint initiative of Europol, the Police and several security vendors has resulted in the following website: https://www.nomoreransom.org/. Here, for some ransomwares you can find decryption tools.
The last resort
Pay: We don’t recommend paying as this will only add to the problem and the success of ransomware. However sometimes organization decide that this is their only option because they don’t have good backups or restoring from a backup just takes too long, and paying the relative low fee is much cheaper for them.