Would you or your organization know what to do if your computer were infected with…
Ransomware Holds Your Critical Data Hostage
2016 has been a whirlwind year when it comes to ransomware attacks. Ransomware incidents have exploded and organizations, especially those holding critical information, find themselves helpless to combat the malicious code. The healthcare industry constitutes the perfect example:
- February 2016. The Los Angeles Times reports that the Hollywood Presbyterian Hospital is locked out of its users’ files. Access to personal health information is critical to the proper care of patients. After a 10-day siege, the hospital agrees to pay the cybercriminals a ransom of US$17,000.
- March 2016. The Methodist Hospital of Henderson, Kentucky declares a state of emergency. A message is displayed on its computers asking for a ransom payment in exchange for its data. In this case, the institution made the painful choice of restoring its data from its backups after a downtime of over 48 critical hours.
- May 2016. Kansas Heart Hospital in Wichita, Kansas found that several critical files had been encrypted and, without any other solution, was forced to make a ransom payment of an undisclosed amount. Unfortunately, the attackers did not decrypt the files and requested additional Bitcoin; at that point the hospital refused, and no files were ultimately decrypted by the attackers.
And the list goes on as organizations are targeted by increasingly sophisticated malware and at an unprecedented rate.
Prevention and Containment
The first step is to frequently back up and encrypt your data outside of your network. Using backups, potential victims can recover their data without paying the ransom. The organization still has to contain the infected systems, wipe them completely and restore the data. The process often takes days (Tech News World). Some victims estimate the cost of paying the ransom as lower than the cost of such a downtime. Keep in mind, however, that any payment often funds additional criminal activity, including the delivery of more malware in the future.
Also, many organizations are now required to perform backups, including healthcare organizations subject to the HIPAA Security Rule.
Early detection can also prevent the malware from spreading across the organization. Detection often occurs through network monitoring, anti-phishing, behavioral analysis and other defensive measures. The infected user would have abnormal spikes in activity as the malware opens and modifies files quickly. For example, if a single user account modifies 100 files within a minute, it’s a good bet something malicious is taking place on that system.
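The rule sketched above (one account modifying 100 files within a minute) can be expressed as a sliding-window check over file-server audit logs. The following is an added example, not code from the original article; the audit-line format and the sample accounts are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-line format (constructed for this example, not any product's real log):
#   <ISO timestamp> user=<account> action=<read|modify|delete> path=<file>
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$")

def parse_events(text):
    """Parse audit lines into (timestamp, user, action, path); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["action"], m["path"]))
    return events

def find_burst_modifiers(events, threshold=100, window=timedelta(seconds=60)):
    """Sliding-window check: flag any user whose 'modify' events reach `threshold`
    within `window`. Returns {user: time at which the threshold was first hit}."""
    recent = defaultdict(deque)   # per-user timestamps still inside the current window
    alerts = {}
    for ts, user, action, _path in sorted(events):
        if action != "modify" or user in alerts:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = ts
    return alerts

def constructed_log(start=datetime(2016, 3, 18, 9, 14, 0)):
    """Build a sample log: one account edits normally, one rewrites a whole share in under a minute."""
    lines = []
    for i in range(5):            # asmith: a handful of edits spread over 100 s
        lines.append(f"{(start + timedelta(seconds=20 * i)).isoformat()} user=asmith action=modify path=/share/hr/doc{i}.docx")
    lines.append(f"{start.isoformat()} user=asmith action=read path=/share/hr/handbook.pdf")
    for i in range(120):          # jdoe: 120 files modified at two per second (ransomware-like burst)
        lines.append(f"{(start + timedelta(seconds=i / 2)).isoformat()} user=jdoe action=modify path=/share/finance/f{i}.xlsx")
    return "\n".join(lines)

if __name__ == "__main__":
    for user, when in find_burst_modifiers(parse_events(constructed_log())).items():
        print(f"ALERT: {user} reached 100 modifications within 60 s at {when.isoformat()}")
```

The threshold and window are tunable; the same function can be pointed at a real audit export once the regex is adapted to its format.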
Prevention remains the first line of defense against ransomware.
Criminals want to make a quick buck. They want to be in and out of your system as fast as possible. Protecting your assets will discourage them.
- Limit access and users’ permissions. They should be as restrictive as possible and reviewed frequently. Use read-only access wherever possible.
- Update software to patch exploitable vulnerabilities (e.g. web browsers, Flash, Java, etc.).
- Block macros, executable extensions, and autoplay from the Internet.
- Perform frequent vulnerability assessments, penetration tests, and risk assessments to identify areas for improvement. A cybersecurity posture assessment can also help you understand what your security posture is and how to improve it.
Training Employees to Minimize Ransomware
Remember, criminals often use phishing e-mails for a variety of malicious purposes. Employee training is crucial to cybersecurity. Human error is by far the most cited cause of organizational cyber incidents.
Training is critical for executives and for every individual allowed to access sensitive information. HIPAA requires the training of employees so that they can detect and report instances of malicious software and therefore block potential attacks. Annual training is compulsory under the Payment Card Industry Data Security Standard (PCI DSS Requirement 12.6.1).
Malware can eventually be cracked by researchers (as was the case with the Petya ransomware), but that code is usually replaced by stronger and more malicious strains.
The only reliable way to stop ransomware is to make certain that it never reaches your critical data in the first place. Training employees, contractors and especially executives who may have access to critical data that cannot be replaced solves part of the problem; however, even your smartest employees may fall victim to a sophisticated phishing scam. Understanding how the threat behaves, for example by opening and modifying files, should trigger both technology and analysts to respond and mitigate the threat quickly. Even organizations that have full backups of their systems and data have found that the alternative of deleting the encrypted data and restoring the files to all of their systems is time-consuming and expensive.
Preparing, protecting and defending the right people, processes, and technology to identify and stop the code will give good companies a fighting chance against this new threat.