Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly.
Ransomware is a form of malware that is capable of encrypting files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected. Even without internet access, files may be encrypted if a computer is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices.
Files required for critical business processes may be encrypted and made inaccessible. A successful attack can result in a company’s operations grinding to a halt. A healthcare ransomware attack can result in patients’ health information becoming inaccessible. An attack on a pharmaceutical company may result in files necessary for drug manufacture being locked, which could affect the quality of products. Lawyers’ offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack.
The loss of files can prove extremely expensive, often far exceeding the cost of any ransom payment. Many companies are therefore left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000, while 20% paid more than $40,000.
Even when the ransom is paid, there is no guarantee that a viable key will be supplied to unlock the encryption, so files may be lost forever. One healthcare organization in the United States recently discovered this all too clearly. Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption or access its patients’ data.
It is essential to learn how to prevent ransomware attacks and to implement appropriate defenses not only to stop attackers from installing ransomware, but to ensure a system is put in place that will allow data to be recovered without having to resort to paying a ransom.
Recovering from a ransomware attack can be extremely expensive. Ransom payments can be extortionate. Business can be lost while systems are out of action. Even applying keys that have been supplied by attackers can be long-winded: each encrypted device has its own key, and those keys must be applied very carefully. A forensic analysis is also important after a ransomware attack to search for backdoors that may have been added, as well as to determine whether data have been stolen. Additional protections then need to be put in place to prevent future attacks from occurring.
How to Prevent Ransomware Attacks
The first and most important step to take will not prevent ransomware attacks, but it will help you to recover from a ransomware attack promptly without having to resort to paying the ransom. Recovery will depend on you having a viable backup of your data. Total file recovery may not be possible, but it should be possible to recover the vast majority of your files.
For that to be possible, you must ensure that all files on all devices and network drives are backed up, including all removable drives such as flash drives. Backup files must be stored on a non-networked drive, in the cloud, or ideally on an air-gapped device, one that is unplugged as soon as the backup is performed. Multiple backups should ideally be made, with one copy stored in the cloud and one on a detachable storage device. You should always store backups in multiple files: if one becomes corrupted, you will not lose all of your data.
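The backup advice above only pays off if you can tell a good copy from a damaged one before you restore. The following added example (not code from the original article) records a SHA-256 manifest when a backup is made and later checks each copy against it, so that of several copies the intact one can be chosen; the manifest file name MANIFEST.json and the two copy locations are constructed for the example.

```python
import hashlib
import json
import os
import pathlib
import shutil
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked so large backup files need not fit in memory
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, dest_dir):
    """Copy src_dir into dest_dir and record a SHA-256 digest of each ORIGINAL file in
    MANIFEST.json (hypothetical name); keep a second copy of the manifest elsewhere."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            os.makedirs(os.path.dirname(os.path.join(dest_dir, rel)), exist_ok=True)
            shutil.copy2(src, os.path.join(dest_dir, rel))
            manifest[rel] = sha256_file(src)
    with open(os.path.join(dest_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest

def verify_backup(dest_dir):
    """Return the relative paths whose copy is missing or no longer matches the manifest."""
    with open(os.path.join(dest_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    return sorted(rel for rel, digest in manifest.items()
                  if not os.path.isfile(os.path.join(dest_dir, rel))
                  or sha256_file(os.path.join(dest_dir, rel)) != digest)

def demo():  # constructed scenario: one file, two backup copies, the second one damaged
    base = tempfile.mkdtemp()
    pathlib.Path(base, "data").mkdir()
    pathlib.Path(base, "data", "records.txt").write_text("constructed sample record\n")
    copies = [os.path.join(base, "copy_cloud"), os.path.join(base, "copy_usb")]
    for c in copies:
        make_backup(os.path.join(base, "data"), c)
    pathlib.Path(copies[1], "records.txt").write_bytes(b"\x00corrupted")  # simulate damage
    result = {"intact": [os.path.basename(c) for c in copies if not verify_backup(c)],
              "bad_in_usb": verify_backup(copies[1])}
    shutil.rmtree(base)
    return result
```

Run verify_backup against every copy on a schedule, not only at restore time, so a silently corrupted copy is noticed while the other copies are still good.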
- Avoid the use of administrator accounts with extensive privileges as far as is possible. If an administrator account is required, use it and then change to a guest account with limited privileges. This will reduce the damage caused if the user’s machine is infected.
- Ensure that all software is kept up to date and your organization employs good patch management practices. In particular, ensure browser and plugin updates are applied promptly. Vulnerabilities can all too easily be exploited and used to download ransomware.
- If plugins are not required, remove them: Adobe Flash in particular, but also Java and Silverlight. If they are required, configure them so that each must be activated individually as and when needed.
- Ensure employees’ computers are configured to show file extensions. If full file extensions are displayed, it is easier to identify potentially malicious files with double extensions.
- Ensure macros are disabled on all devices. At the very least, ensure macros do not run automatically.
- Disable Remote Desktop Protocol (RDP) on all devices unless it is absolutely essential.
- A web filter can be used to prevent end users from visiting malicious websites where ransomware can be downloaded. A web filter can also block malicious third-party adverts (malvertising).
- End users should be instructed never to open files from unknown senders or to click on links contained in emails unless they are 100% sure that the links are genuine.
- The use of a spam filter is strongly advisable. The spam filter should be configured to aggressively block threats. Executable file attachments should also be automatically quarantined.
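Two of the measures above, showing full file extensions to expose double extensions and automatically quarantining executable attachments, come down to one decision rule on the attachment name. The following added example (not code from the original article) applies that rule as an email gateway might: the last extension decides, an earlier document-like extension is flagged as a disguise, and macro-enabled Office formats are held as well. The extension lists and the sample message are constructed for the example.

```python
# Constructed policy lists for this example; a real gateway would maintain its own.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".msi", ".jar"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".rtf", ".jpg", ".jpeg", ".png"}

def classify_attachment(filename):
    """Return (verdict, reason); verdict is 'quarantine' or 'allow'.

    The decisive extension is the LAST one, which is what the operating system
    uses to pick a handler; an earlier 'document' extension only makes the file
    look harmless when extensions are hidden, as in invoice.pdf.exe.
    """
    name = filename.strip().lower()
    exts = ["." + part for part in name.split(".")[1:] if part]
    if not exts:
        return ("allow", "no extension")
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return ("quarantine", f"double extension: {exts[-2]} disguising {last}")
        return ("quarantine", f"executable attachment: {last}")
    if last in MACRO_EXTS:
        return ("quarantine", f"macro-enabled Office document: {last}")
    return ("allow", f"{last} is not on the block list")

def triage_message(attachments):
    """Split one message's attachment names into allowed and quarantined, with reasons."""
    report = {"allow": [], "quarantine": []}
    for fn in attachments:
        verdict, reason = classify_attachment(fn)
        report[verdict].append((fn, reason))
    return report

# Constructed sample message: one disguised executable, one macro-enabled workbook
SAMPLE = ["Q3 report.docx", "Invoice_4471.PDF.exe", "photo.jpg", "payroll.xlsm", "README"]
```

Keep the reason string with the quarantined item: it is what the help desk needs when a user asks why a message was held.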