Any discussion of ransomware should begin by reminding ourselves that the term denotes malware. The “ransom” element is a matter of impact, not a root cause. As a result, many of the strategies applied when protecting against common malware should also be applied to ransomware.
Having said this, ransomware is one of the most common types of attack, given that it is easy to generate and distribute. A recent piece of research from Isaca shows that the threat is set to continue, with 20% of global IT security experts placing this type of attack in their top three threats for 2016.
Once in the wild, a typical ransomware script will infect numerous environments very quickly, with the command and control structure designed to harvest small sums of money through anonymised payment mechanisms such as Bitcoin.
Ransomware attackers rely on broad and indiscriminate dissemination of malware, without necessarily targeting any specific group of people or companies.
Specimens such as TeslaCrypt, CryptoWall and TorrentLocker reveal a wide variety of ransomware, ranging from unsophisticated varieties embedded in Microsoft Word documents to fairly complex script-based infiltration.
In this respect, security managers should be conscious of the fact that ransomware often utilises channels that were thought to be extinct, such as macro virus infection.
Steps to protect against ransomware
There are a number of steps that organisations and individuals can take to increase their security and strengthen their defences:
Promote awareness by communicating defensive capabilities against generic malware to users. It should be noted how phishing, social engineering attacks and suspicious websites can all pave the way for infection.
Strengthen scan-and-detect defensive capabilities across the organisation. There are many tools that will identify, repel and neutralise malware, including ransomware. However, it is important not to rely on a single anti-virus or anti-malware system, but to use a wide range of tools dedicated to different types of attack.
Update and adjust target platforms such as Microsoft Office to include blocking mechanisms. All too often, infected Office-based documents and spreadsheets can slip through because defences have been disabled in favour of user convenience.
Both organisations and individuals should consider where their data resides. Ransomware is usually restricted to local hard drives or locally available shares. Information assets should therefore be held in at least two air-gapped locations, such as a portable hard disk for daily backups of important data, and an additional network-attached storage (NAS) for larger backup jobs. Even after ransomware infection, important files can then be recovered. For personal data, DVD or Blu-ray backups retain the advantage of read-only access.
A fuller list of associated controls is available in the complimentary Threats & Controls tool from Isaca’s Cybersecurity Nexus (CSX).
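One way to apply the Office blocking step above at a mail or file gateway, as an added example that is not part of the original article: a Python check that flags macro-bearing documents by content rather than by file extension. The function names and sample files are hypothetical and constructed for illustration, and legacy binary documents are only routed for review, not parsed.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy binary .doc/.xls/.ppt
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaproject"  # compared in lower case

def classify_office_file(data: bytes) -> str:
    """Classify raw file bytes as 'macro', 'legacy-ole', 'no-macro' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy formats can carry macros; this sketch does not parse them,
        # so they are routed for closer inspection rather than passed.
        return "legacy-ole"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower(): n for n in zf.namelist()}
            if "[content_types].xml" not in names:
                return "not-office"
            content_types = zf.read(names["[content_types].xml"]).lower()
    except zipfile.BadZipFile:
        return "not-office"
    # Decide on content, not file extension: a renamed .docm still matches here.
    has_vba_part = any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names)
    if has_vba_part or VBA_CONTENT_TYPE in content_types:
        return "macro"
    return "no-macro"

def files_to_hold(attachments: dict) -> list:
    """Return the names of attachments that should not be delivered unreviewed."""
    return sorted(name for name, data in attachments.items()
                  if classify_office_file(data) in ("macro", "legacy-ole"))

def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-like container in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: placeholder bytes only, no real macro code.
CT = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
SAMPLES = {
    "report.docx": build_ooxml({"[Content_Types].xml": CT, "word/document.xml": "<doc/>"}),
    "invoice.docx": build_ooxml({"[Content_Types].xml": CT, "word/document.xml": "<doc/>",
                                 "word/vbaProject.bin": b"placeholder"}),
    "old.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text",
}
```

Calling files_to_hold(SAMPLES) returns the two documents a gateway would quarantine or strip before delivery, even though one of them carries a .docx extension.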
Attacks may lead to greater costs
Considerable effort is required to protect against ransomware, especially in complex enterprise environments. However, given the current level of helplessness – up to the point where official authorities have recommended giving in and paying the ransom – this extra work is a vital step towards saving time and money.
For business leaders weighing how important it is to protect against this form of attack, it is worth remembering that even one successful ransomware attack on your organisation or private IT environment is likely to be much more expensive than taking preventive measures.
Rolf von Roessing is a past international vice-president of Isaca and president of Forfa.
This was first published in February 2016