Ransomware incidents are on the rise. Within the past three months, several hospitals, such as Kentucky-based Methodist Hospital and California’s Desert Valley Hospital, have fallen victim to this type of malware. Ransomware attacks encrypt all the data on the infected computers, and in most cases the only way to retrieve the data is by paying a ransom to the perpetrators, who then decrypt the data and remove the malware once payment is made. This type of attack can be devastating to an organization’s brand as well as its bottom line.
There are many different defenses against this type of attack, and a comprehensive approach should be used to mitigate risk. Many may not know where to start, so I share three ways organizations can improve their information security programs to protect themselves.
Security Awareness Training
The majority of ransomware cases are initiated by way of phishing attacks against users (employees). The attacker includes a link or an attachment in the email, and if the user follows the link or opens the attachment and their system is vulnerable to the given attack, the ransomware installs itself on the user’s system. Further, if that system has access to other parts of the network, the ransomware may spread like wildfire. One way to protect the network is to conduct ongoing training for your employees on the dangers of clicking links and opening attachments in emails. An industry-recognized security awareness training program raises employee security awareness throughout an organization and dramatically reduces the likelihood of ransomware infection.
Patch Adobe and Windows Vulnerabilities
Ransomware can only infect your organization if one or more of your network computers have security vulnerabilities that expose them to this kind of attack. A recent study by Recorded Future shows that most recent ransomware cases take advantage of one of the following 4 vulnerabilities, all of which have available patches: Adobe Flash Player’s CVE-2015-7645, CVE-2015-8446 and CVE-2015-8651, and Microsoft Silverlight’s CVE-2016-0034. With this in mind, organizations should employ an ongoing vulnerability management program that includes assessing employees’ systems (laptops, desktops) for these vulnerabilities, as well as patching them. Because these applications do not open ports and connect to the internet, the vulnerability management technology must be able to assess for them by way of either authenticated (credential-based) scanning or agent-based technology.
Organizations that have fallen victim and had no choice but to pay the ransom either did not have a system backup strategy, or had one in place that was not immune to ransomware, so that the ransomware encrypted their backups in addition to their data.
Backing up workstations and servers is an important component of any recovery effort associated with ransomware. Companies should complete full backups at least weekly and then do incremental / differential backups on a daily basis to ensure that any files that are created or modified on the system are backed up. It is important to note that these backups should be “air gapped”. In other words, do not back up to a file share that may also be attacked.
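The schedule and air-gap rules above can be checked against a backup catalogue. The following is an added example, not part of the original article: the catalogue rows, host names and destination formats are constructed, and treating UNC, SMB, CIFS and NFS destinations as "a file share that may also be attacked" is an assumption of this sketch.

```python
from datetime import datetime, timedelta

# Constructed sample catalogue rows: (host, kind, finished, destination).
CATALOG = [
    ("ws-01", "full",         "2016-04-03T02:00", "tape://vault/ws-01"),
    ("ws-01", "incremental",  "2016-04-08T02:00", "tape://vault/ws-01"),
    ("fs-01", "full",         "2016-03-20T02:00", r"\\nas01\backups\fs-01"),
    ("fs-01", "differential", "2016-04-05T02:00", r"\\nas01\backups\fs-01"),
    ("db-01", "incremental",  "2016-04-08T03:00", "smb://nas01/backups/db-01"),
]
FULL_MAX_AGE = timedelta(days=7)   # "full backups at least weekly"
DAILY_MAX_AGE = timedelta(days=1)  # incremental / differential "on a daily basis"
# Assumption: these prefixes mark a share the backed-up host itself can write to.
SHARE_PREFIXES = ("\\\\", "//", "smb://", "cifs://", "nfs://")

def audit(catalog, now):
    """Return {host: [findings]} for every host that breaks the backup policy."""
    last_full, last_any, dests = {}, {}, {}
    for host, kind, finished, dest in catalog:
        when = datetime.strptime(finished, "%Y-%m-%dT%H:%M")
        last_any[host] = max(last_any.get(host, when), when)
        if kind == "full":
            last_full[host] = max(last_full.get(host, when), when)
        dests.setdefault(host, set()).add(dest)

    report = {}
    for host in sorted(last_any):
        findings = []
        full = last_full.get(host)
        if full is None:
            findings.append("no full backup on record")
        elif now - full > FULL_MAX_AGE:
            findings.append(f"last full backup is {(now - full).days} days old")
        # A full backup also counts toward the daily requirement.
        if now - last_any[host] > DAILY_MAX_AGE:
            findings.append(f"no backup of any kind since {last_any[host]:%Y-%m-%d}")
        for dest in sorted(dests[host]):
            if dest.lower().startswith(SHARE_PREFIXES):
                findings.append(f"destination is a file share: {dest}")
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(CATALOG, datetime(2016, 4, 8, 12, 0)).items():
        for finding in findings:
            print(f"{host}: {finding}")
```

A destination that passes the prefix check is not thereby proven air gapped; the check only catches the case the article warns about, backups written to a share the infected machine can reach.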
Although there are additional ways to protect against ransomware, the above three protection mechanisms should be part of every organization’s information security program. For additional information on how to protect your organization, we invite you to learn more about the DDI Ransomware Defense Bundle, which bolsters security in four key ways:
- Vulnerability Scanning Solutions
- Security Awareness Training
- Social Engineering Assessments
- Exclusive Intelligence and Best Practices