Ransomware Control - Improving Business Security Posture

Posted by Lane Griffing on 02/19/2018

Oklahoma businesses of all sizes and industry types see increasing impacts on productivity from spam, including phishing emails.  A few years ago these emails were primarily focused on marketing, but in the current environment they more commonly carry a threat called ransomware.  Rather than simply stealing data, ransomware steals an organization’s access to its data by encrypting the information that is shared on the network.  Typically the only means of regaining access to the data is to restore it from backups.

It is important to realize that this threat is quite indiscriminate, and that even well-protected businesses have been successfully attacked.  These are businesses that have the professional resources to secure their data properly.  Even with these resources in place they have had data damaged, and in some cases have paid tens of thousands of dollars to regain access.  If there is a lesson in this, it is that ransomware can affect any business regardless of size.  Ransomware is being aggressively improved, upgraded and deployed.  As a result, periodic security adjustments are required in order to remain compliant with best practices and reduce ransomware risk.

This threat has become so prevalent because it is highly profitable.  The FBI has estimated that over $1 billion in ransom payments were made in 2016, and the Trustwave Global Security Report estimates that ransomware has yielded over 1000% profit for some perpetrators.  According to antivirus vendor Trend Micro, 80 new ransomware families emerged in the same year, with over 30,000 variants.  Because ransomware development kits are available online, it is reasonable to expect the variety of this malware to grow.  Although the techniques used to avoid infection are not necessarily difficult, they do involve both technical solutions and personnel training.

Since the most prevalent means of infection is via phishing emails which fool users into trusting a malicious link or attachment, detailed attention to antispam and email system configuration is required.  Just as important is user training on recognition of typical phishing emails.  Proper configuration and tuning of antivirus systems is necessary to detect ransomware behavior and to halt the infection process.  Having appropriate protection with both onsite and offsite backups can reduce the impact of successful ransomware attacks.

To appreciate the critical importance of backup and disaster recovery, imagine that a ransomware attack has occurred and that most business data has been encrypted and is now unusable.  Paying a ransom does not solve the issue, because receiving a working decryption key is unlikely.  The only feasible option may be to recover data from a backup.  If backups of all business data are run on an hourly basis, and the ability to recover is tested and documented, then recovery is relatively painless.  If backups are run infrequently, the risk of extended downtime increases substantially.  Businesses should ascertain the location of all critical data, including email, verify that it is being backed up, and verify that recovery is being tested.  We also recommend that businesses evaluate their disaster recovery design and run periodic drills to validate and adjust these procedures.
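The two checks this paragraph calls for, that the latest backup is recent enough (an hourly backup interval) and that a restore actually reproduces the original data, can be automated as part of a recovery drill.  The following is an added example written for this article, not code from the author or from Dolce Vita IT Solutions.  It assumes a constructed backup layout (a copy of the files plus a `manifest.json` of SHA-256 hashes and a timestamp); a real backup product will have its own catalog, but the drill logic is the same: compare the backup's age against the recovery point objective, restore to a scratch location, and compare hashes so that a file that was already encrypted when the backup ran, or corrupted in the backup store, is reported rather than silently accepted.

```python
"""Backup freshness and restore-verification drill (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

# Recovery point objective: the hourly backup interval recommended in the article.
RPO = timedelta(hours=1)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to be read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest: Path, taken_at: datetime) -> Dict:
    """Copy the source tree to dest and record a hash manifest (constructed backup format)."""
    dest.mkdir(parents=True, exist_ok=True)
    files: Dict[str, str] = {}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            (dest / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest / rel)
            files[rel] = sha256_of(path)
    manifest = {"taken_at": taken_at.isoformat(), "files": files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def backup_is_fresh(manifest: Dict, now: datetime, rpo: timedelta = RPO) -> bool:
    """True when the backup is no older than the recovery point objective."""
    taken = datetime.fromisoformat(manifest["taken_at"])
    return now - taken <= rpo


def restore(backup: Path, target: Path) -> None:
    """Restore every file listed in the manifest into a scratch location."""
    manifest = json.loads((backup / "manifest.json").read_text())
    for rel in manifest["files"]:
        (target / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, target / rel)


def verify_restore(manifest: Dict, restored: Path) -> List[str]:
    """Return a list of problems (missing files, hash mismatches); empty means the restore is good."""
    problems: List[str] = []
    for rel, expected in manifest["files"].items():
        path = restored / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_drill() -> Dict:
    """Simulated drill on a small constructed data set.

    Backs up, restores, checks freshness and integrity, then corrupts one
    restored file to show that the verification step reports it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2018-02-19,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        now = datetime(2018, 2, 19, 12, 0, tzinfo=timezone.utc)
        manifest = make_backup(src, root / "backup", now - timedelta(minutes=30))
        restore(root / "backup", root / "restored")
        clean_problems = verify_restore(manifest, root / "restored")

        # Simulate a file whose restored content does not match the record (e.g. encrypted in place).
        (root / "restored" / "notes.txt").write_bytes(b"\x00encrypted-garbage")
        tampered_problems = verify_restore(manifest, root / "restored")

        return {
            "fresh_now": backup_is_fresh(manifest, now),
            "fresh_three_hours_later": backup_is_fresh(manifest, now + timedelta(hours=3)),
            "clean_problems": clean_problems,
            "tampered_problems": tampered_problems,
        }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Running the drill on a schedule and recording its output gives the documented evidence of tested recovery that the paragraph asks for; a non-empty problem list or a stale backup is the signal to fix the backup job before an incident, not after.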

Having excellent documentation of both the existing information systems and the procedures used to protect them is a key component of successful disaster recovery.  The information required goes much deeper than network maps and procedures; it includes a triage plan with system recovery already prioritized, drivers, spare hardware, network isolation procedures, and a host of other information.  This preparation varies by business and by the business systems in use.  If businesses invest the effort before they experience an attack, the likelihood of a good outcome is substantially improved.

At Dolce Vita IT Solutions, we have experienced that a significant challenge is getting management teams to invest time in recurring user training.  For the past 2 years, we have provided free training to our clients, and this has proven its worth in that only one of well over 40 documented ransomware attacks against our clients was successful.  The only seriously damaging attack occurred with a client who declined training.  This attack resulted in severe damage to two of the client’s servers, resulting in them being restored from backups.  Following this attack the client allowed us to train their users, which resulted in the users defeating a later ransomware attack.  Although technology deals with 50-75% of the threat, users continue to be the last line of defense.  We recommend that ownership and senior management teams provide their users with the tools and skills to protect their business.