Ransomware is becoming much more widely available and easier to deploy with the rise of ransomware-as-a-service – and the corresponding threat to business is increasing.
Cyber attackers are targeting large companies because they have more to lose and hackers perceive them as more likely to pay a ransom if malware threatens to cripple their operations.
But ransomware is not rocket science and there are several steps any business can take to successfully protect itself against this threat. Defending a business against ransomware effectively requires a three-pronged approach, as follows.
1. Increase user awareness
Malware is, first and foremost, a user-awareness problem. The most common method of infiltrating a business is through phishing attacks – emails intended to dupe employees into opening malicious attachments or links and inadvertently downloading an encryption programme onto their companies’ networks.
Therefore, the first priority to protect businesses from ransomware is to continuously work on increasing security awareness among employees through awareness programmes. Businesses should teach staff basic internet hygiene and safe data-handling practices, just as commercial kitchens teach and enforce food-processing hygiene to all food prep staff.
This should include training staff to spot the tell-tale signs of a malicious email, such as spelling mistakes in the purported sender’s address.
Organisations can complement awareness training with cyber drills that simulate phishing attacks to test how employees would behave in the event of a real attack. This provides an opportunity to spot areas for improvement.
2. Isolate and contain
Even with awareness programmes in place, there will always be some successful attacks. The key here is to quickly identify the ‘patient zero’, or the infected computer, and then use network access controls to isolate and contain the malware, preventing it from spreading and causing more damage.
Solutions are available to enable companies to detect and intercept rogue traffic on their networks – from advanced sandboxing to simple application white-listing.
Advanced threat-detection technology can also enable organisations to monitor applications for suspicious behaviour that bears the hallmarks of malware, for example when an app, server or PC starts communicating with a server in a foreign country that the company has never done business with, or when too many Windows Registry changes are suddenly made.
Companies should ensure all business-critical data is backed up to segregated enterprise storage or to the cloud, so that if it is lost from one location (maliciously encrypted by ransomware, for example), the data could be recovered from another.
Critically, any affected business should never pay a ransom, because this will encourage further attacks and more ransom demands.
3. Forensic investigation
Infected computers should be subjected to forensic analysis. The organisation should also analyse network access and application access logs to identify the attack vector(s) and discover whether the ransomware attack succeeded because of employee error, attack sophistication or a deliberate violation of company security policy.
Businesses should use the findings to review their policies, procedures and corporate training and to help prevent future issues.
Every successful attack can be an opportunity to learn and to grow stronger and more resilient against the next one.
Ionut Ionescu is an (ISC)² member and security architect at Serinomics
This was first published in February 2016