Ransomware: As big a threat as the media claims
Ransomware is a very real threat that targets businesses of every size and industry; any business can be a target. That said, financial institutions and retailers are most at risk, given the transactional nature of their business and the number of people who may have access to a terminal or computer at any given time.
The first thing an organization needs to do is recognize that it is a target for ransomware, just like any other company. Next, it needs to ensure that the proper tools, anti-virus/anti-malware, are installed on every computer system to detect and defend against ransomware attacks. After that comes keeping the anti-virus/anti-malware software up to date so that its signatures and traffic-detection patterns are current. It is critical that businesses have some sort of ransomware defense plan in place.
The key elements in a ransomware defense plan
- Policies and Procedures: It’s imperative that a company have policies and procedures in place that educate and guide employees on what they should and shouldn’t do when they encounter unexpected links or documents, or ones that arrive from unfamiliar sources. The policies also need to tell employees what to do when they encounter a ransomware infection.
- Training: Training should reemphasize the information laid out in the policies and procedures, and it should be conducted on a frequent, recurring basis so that the content stays top of mind for employees.
- Utilize commercial grade anti-virus and anti-malware to protect systems. Running different AV/AM products on different types of systems improves the odds that at least one product in the organization has a signature or behavioral pattern that detects a given ransomware family.
- Run recurring vulnerability scans to look for systems that are susceptible to attack.
- Have a robust remediation program to ensure that detected vulnerabilities are addressed in a timely, effective manner.
It should be noted that there is no way to make a system fully bulletproof, since new ransomware variants are released into the wild on a regular basis; what is secure one day may be open to attack the next. The fastest way to contain an active ransomware attack is to identify it early. Once a system is seen to be infected, isolate it or remove it from the network as quickly as possible so that other systems on the same subnet do not become infected as well.
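The early-identification step above is where automation helps most: by the time a user reports a ransom note, the encryption run is usually well under way. The following Python is an added example, not code from the original article or from Digital Defense; it replays constructed file-audit log lines (the log format, host names, extension baseline, thresholds and the "isolate" action are all assumptions for illustration) and raises an alert for a host the moment it sees a burst of encrypt-and-rename activity or a ransom-note-like file, which is the signal an operator would act on to pull the host off the subnet.

```python
"""Toy ransomware early-warning detector over constructed file-audit log lines.

Added example, not from the original article. The log format, hosts, extension
baseline, thresholds and the recommended action are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed baseline of extensions normally seen on the file shares.
KNOWN_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx", ".csv", ".jpg", ".png"}
# Filename fragments typical of ransom notes (assumption for illustration only).
NOTE_MARKERS = ("DECRYPT", "RESTORE", "HOW_TO", "RECOVER")
WINDOW = timedelta(seconds=60)   # sliding window per host
BURST_THRESHOLD = 10             # suspicious events inside WINDOW before alerting

def parse(line):
    """Parse an assumed audit format: <ISO ts> <host> <user> <action> <path> [-> <newpath>]."""
    parts = line.split()
    if len(parts) < 5:
        return None
    host, user, action, path = parts[1:5]
    new_path = parts[6] if len(parts) >= 7 and parts[5] == "->" else None
    return {"ts": datetime.fromisoformat(parts[0]), "host": host, "user": user,
            "action": action, "path": path, "new_path": new_path}

def ext(path):
    return PureWindowsPath(path).suffix.lower()

def suspicious(ev):
    """Return a reason string if one event looks like ransomware activity, else None."""
    if ev["action"] == "RENAME" and ev["new_path"]:
        old, new = ext(ev["path"]), ext(ev["new_path"])
        # Extension appended or swapped to something outside the baseline: encrypt-and-rename.
        if new != old and new not in KNOWN_EXTENSIONS:
            return "rename to unknown extension %s" % new
    if ev["action"] == "WRITE":
        name = PureWindowsPath(ev["path"]).name
        if any(m in name.upper() for m in NOTE_MARKERS) and ext(ev["path"]) in {".txt", ".html", ".hta"}:
            return "ransom-note-like file %s" % name
    return None

def detect(lines):
    """Replay log lines in order; return one alert per host the first time it crosses the threshold."""
    recent = defaultdict(deque)   # host -> timestamps of suspicious events inside WINDOW
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reason = suspicious(ev)
        if reason is None:
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        # A ransom note is conclusive on its own; renames must form a burst before alerting.
        if ev["host"] not in alerts and (len(q) >= BURST_THRESHOLD or reason.startswith("ransom-note")):
            alerts[ev["host"]] = {
                "host": ev["host"], "user": ev["user"],
                "first_seen": q[0].isoformat(), "detected_at": ev["ts"].isoformat(),
                "events_in_window": len(q), "reason": reason,
                "action": "isolate host from network",
            }
    return list(alerts.values())

def build_sample_log():
    """Constructed audit lines: normal work on WS-017, an encrypt-and-rename burst on WS-022."""
    lines = [
        r"2024-03-04T09:00:01 WS-017 alice WRITE C:\Users\alice\Documents\q1.xlsx",
        r"2024-03-04T09:00:05 WS-017 alice RENAME C:\Users\alice\Documents\draft.docx -> C:\Users\alice\Documents\final.docx",
        r"2024-03-04T09:00:09 WS-017 alice WRITE C:\Users\alice\Documents\notes.txt",
    ]
    base = datetime(2024, 3, 4, 9, 12, 0)
    for i in range(12):   # one renamed file every three seconds
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(r"%s WS-022 bob RENAME \\FS01\share\finance\file%02d.xlsx -> \\FS01\share\finance\file%02d.xlsx.locked" % (t, i, i))
    lines.append(r"%s WS-022 bob WRITE \\FS01\share\finance\HOW_TO_RESTORE_FILES.txt" % (base + timedelta(seconds=40)).isoformat())
    return lines

if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

On the constructed log, WS-017 (a rename that keeps its extension, ordinary writes) stays quiet, while WS-022 is flagged on its tenth rename, 27 seconds into the burst and before the ransom note is ever written. The thresholds are deliberately conservative to avoid firing on a user doing a bulk rename; in practice the per-host window and the extension baseline would be tuned from the organization's own audit data, and the "isolate" action would be wired to the switch, NAC or EDR that can actually quarantine the host.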
Does it ever make sense to negotiate with a ransomware attacker? Depending upon the criticality of the data that has been encrypted, this may be the only way to obtain access to the information.
However, it should always be remembered that even if you pay or negotiate with the attacker, there is no guarantee that you’ll get access to the encrypted data.
Ransomware will likely evolve to infect other platforms (Linux, macOS, perhaps even mobile devices). It will also evolve to be harder to detect early, and it will likely disable the existing anti-virus/anti-malware software on the system so that the infection can progress and spread more rapidly. It’s important for everyone to be vigilant, keep software updated, and avoid opening unexpected documents and links.
Tom DeSot is EVP and CIO of Digital Defense, Inc. As CIO he is charged with key industry and market regulator relationships, public speaking initiatives, key integration and service partnerships, and regulatory compliance matters. Additionally, Tom serves as the company’s internal auditor on security-related matters. Prior to Digital Defense, Tom was Vice President of Information Systems for a mid-tier financial institution with responsibilities including information security initiatives, the Y2K program, implementation of home banking and bill pay products, the ATM/debit card program, and all ATM networking.