Ransomware attacks are becoming more rampant now that criminals have learned they are an effective way to make money in a short amount of time. Attackers do not even need any programming skills to launch an attack because they can obtain code that is shared among the many hacker communities. There are even services that will collect the ransom via Bitcoin on behalf of the attackers and just require them to pay a commission. This all makes it more difficult for the authorities to identify an attacker.
Many small and medium-sized businesses pay ransoms because they do not backup their data and do not have any other options available to recover their data. They sometimes face the decision of either paying the ransom or being forced out of business. Also, hospitals that do not back up all their critical patient data and are not able to retrieve it in a timely manner will immediately pay the ransom because it is critical to access records of patients who require immediate care. It can become a life-or-death situation for someone in intensive care.
According to SonicWall, there were around 638 million attempted ransomware attacks in 2016 vs. 3.8 million in 2015. Companies give millions of dollars to attackers each year, and that number continues to increase.
To prevent from becoming a ransomware victim, organizations need to protect their network now and prioritize resources. These attacks will only continue to grow, and no organization wants to be displayed by the media as being forced to pay a ransom. If you are forced to pay, customers can lose trust in your organization’s ability to secure their personal data and the company can see decreases in revenue and profit.
7-step plan to prevent ransomware attacks
To protect your organization from a ransomware attack, it is critical to have an officially documented plan that details what must be done to prevent attacks. Be sure to include these six strategies:
1. Employee training: Your ransomware prevention plan should include training employees on what ransomware is and the method attackers primarily use to initiate attacks – phishing. This training should be conducted regularly.
2. Patch servers, devices and apps: Organizations must have a process for patching servers, network devices and applications. Many organizations do not stay up to date on patching their applications. Attackers know this, and they primarily target them. Patching progress, procedures and policies should be reviewed for effectiveness monthly or quarterly.
3. Antivirus tools on end points: You should also have a plan to use antivirus on your end points. Focus on using tools that can track suspicious behavior because many ransomware attacks are specifically designed to avoid being detected by signature-based antivirus programs. Also, make sure to have some type of web filter that can prevent drive-by infections. These types of infections are becoming more popular and are simple – all a user needs to do is browse to a specific website that has the malicious code, and they can become infected.
4. Back up your data: Many organizations that have paid a ransom did so because they did not properly back up their data. Your backup process must be documented. Include your recovery point objective (RPO) and recovery time objective (RTO) in your disaster recovery plan, and test it each year to verify the objectives can be met. It is essential for business leaders and stakeholders to provide input into what an acceptable RPO and RTO is. Without their input, the possibility of having to pay a ransom increases.
5. Test your backups: You should test your backups regularly to verify all critical data is backed up. Also, it is important to make sure your backup data is protected from ransomware attacks. With the popularity of network-based backups, many organizations run their backup devices on the same network or VLAN as their standard production network. This should be avoided to prevent your backup data from being a victim of a ransomware attack.
6. Conduct vulnerability assessments: Vulnerability assessments that holistically review the security posture of an organization are beneficial in preventing a ransomware attack. The assessor should be made aware of the concern of a ransomware attack and should consider vulnerabilities in not just applications or servers but also organizational procedures and policies. These assessments should verify that the appropriate procedures to prevent ransomware attacks are being followed consistently. Vulnerability assessments should be done on an annual basis.
7. Monitor and alert for suspicious activity: Any plan to prevent a ransomware attack must include procedures for monitoring and alerting for suspicious activity. Monitoring a network is an ongoing process and must be done daily. Many organizations have very expensive security tools in their environment, but their logs or events are not monitored, making these tools ineffective. A process for having security staff review is important for detecting or preventing a ransomware attack.
What to do if you detect a ransomware attack
You should document the precise steps that should be taken if a ransomware attack is detected. All steps should be documented in detail, and the goal should be to prevent the spread of the ransomware and recover any lost data. The plan should also include a process for notifying authorities.
You may want to include in your ransomware response plan the need to gracefully shut down a device that is suspected of being infected by ransomware. That’s because many variants of ransomware do not encrypt the data until the device has been rebooted via an attacker’s script. If you gracefully shut down your machine, you can attempt to recover the data before it has been encrypted.
After your ransomware response plan is documented, perform a tabletop exercise to confirm it is being followed. This will assure stakeholders that the organization is prepared to respond appropriately in the event of a breach.
If you do not have a plan for protecting your network from ransomware, you must create one now. If you don’t have a plan, a successful attack will likely lead to lost customers and decreased revenue.
It is easier than ever for attackers to launch ransomware attacks, and it is up to each organization to document and test their plans to prevent them.