Imagine your business has no access to electronic information on computers or a network. No file shares, Word documents, email, databases, or Excel spreadsheets. No PDFs. No applications. No access to Windows. How much would your organization be willing to pay to regain access and control over its information and systems? Cyber criminals are counting on this readiness to pay when they unleash ransomware on an organization.
Cyber criminals attack businesses of all sizes, and they even prey on individual home computer users. The organizations hit hardest are those that rely on computers to perform critical functions. In 2015, the FBI's Internet Crime Complaint Center (IC3) received 2,453 reports of ransomware extortion, with losses to victims of about $24 million. These are only the reported cases; many organizations pay the ransom without notifying law enforcement.
Organizations, including insurance agencies, must learn to handle the threat of ransomware. Among the questions that should be asked are the following:
- What is ransomware?
- What can an organization do if it falls victim to ransomware?
- How can a business avoid ransomware infection?
What is ransomware?
Ransomware is a type of malware, or malicious software, that takes control of an organization's data files or computer systems. Its purpose is extortion, and the model is similar to kidnapping: instead of seizing a person and threatening harm unless paid, the cyber thief seizes an organization's data and systems and threatens to leave them permanently inaccessible unless paid. Once the malware has taken hold, the organization receives the ransom note, most often as a message on the computer screen stating the amount demanded and showing a countdown clock. If the amount is not paid within the time limit, the criminal threatens to destroy the decryption key or the data itself, leaving the information unrecoverable.
Ransomware can be installed on a computer either through a human action, such as opening an attachment, or without one, through an exploit kit that finds and exploits unpatched vulnerabilities in the software a system runs. There are a few ways this can occur.
A cyber thief may set up a phishing scam: an email that looks legitimate and trustworthy and carries an attachment. The thief sends it to one or more of an organization's employees. PDF and Microsoft Word documents are the most common attachments. When an employee opens the email and the attachment (with a Word document, usually after being tricked into enabling macros), the attachment downloads and runs the ransomware on the computer.
Or a cyber criminal may compromise a website, or the advertising network that serves it, and place a deceptive pop-up ad that delivers malware. When employees visit the site and click the ad, ransomware is loaded onto the system.
The newest generation of ransomware is more insidious because it no longer requires a human mistake to infect an organization's network. Instead, the criminal uses an exploit kit, a toolkit that takes advantage of vulnerabilities or security holes in unpatched software such as browsers, browser plug-ins and network-facing services. Once a weakness is found, the kit exploits it to gain a foothold on the computer and instructs the computer to download and execute the ransomware.
Once ransomware is active, it begins locking the organization's data files or its systems and applications. Most ransomware uses encryption to lock files. Encryption scrambles electronic data into an unreadable format using an algorithm and a key; the key needed to reverse it is held only by the criminal, and with properly implemented encryption the files cannot be recovered without it. Another type of ransomware (often called locker ransomware) leaves the files alone but prevents the organization from running certain applications or from accessing Windows at all. Either way, the organization is no longer in control of its systems and files.
What can an organization do if it falls victim to ransomware?
If an organization is hit with ransomware, there are two options: pay the ransom or don't. In 2015, an FBI official was widely quoted as advising victims that paying was often the practical choice; in 2016 the FBI issued guidance recommending that victims not pay, since payment funds further attacks and does not guarantee recovery. The decision nonetheless rests with the organization. Here are some things to consider in making it:
Back up: A good, well-tested backup process may avert disaster. Backups can be used to recover most of the data the attackers encrypted without paying a ransom. The backup copy must not be reachable from the computers and network it protects: a backup on a mapped drive or an always-connected share is encrypted or infected along with everything else. Keep an offline or otherwise disconnected copy, and keep several generations, since the malware may have been present for weeks before it triggered and the most recent backups may already contain it or be damaged. Your organization may need to go back several months to find untampered data.
Before deciding not to pay the ransom, consider:
• Were the available backups hit by the attack as well?
• Is losing a month or two of data feasible?
• Can the backup be restored successfully?
If possible, start restoring from backup before the criminal's deadline expires. That way, if the restoration fails, paying the ransom is still an option.
Availability of decryption solutions: For some older ransomware families, security companies and law enforcement have recovered the criminals' keys or found flaws in the malware's encryption and published free decryption tools. Before paying, identify which ransomware has infected the network (the wording of the ransom note and the extension appended to encrypted files usually identify the family) and check whether a decryptor exists for it.
Paying the ransom: Some companies determine that paying the ransom is less expensive overall and make a business decision to pay. But paying does not guarantee that control of the data or network will be restored. In most cases the criminals do deliver, because their business depends on it, but there have been instances where, after receiving the money, they still deleted the information or never supplied a working key. A victim known to have paid may also be targeted again, by the same criminals or by others hoping for another payment.
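The three questions above can be answered mechanically rather than by hope. As an added example (not part of the original article), the following Python script records a SHA-256 manifest of a backup set when the backup is made, then re-hashes the set against that manifest before any restore: unchanged hashes mean the copy was not reached by the attack, a scratch restore proves the copy can actually be restored, and any changed, missing or unexpected files (such as a dropped ransom note) are listed. The directory layout, file contents, ransom-note name and the simulated attack are all constructed for the demo; the manifest itself must be stored with the offline copy, not on the share it describes.

```python
"""Backup manifest and pre-restore verification.

Added example, not code from the original article. Paths, sample files and
the simulated ransomware run are constructed so the script runs offline in
a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file (relative path, POSIX form) to its SHA-256 at backup time."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare a backup set against its manifest.

    'changed'  files whose contents differ (typical of a backup that was still
               reachable when ransomware encrypted the share)
    'missing'  files the manifest lists that are gone
    'extra'    files not in the manifest (ransom notes, renamed copies)
    """
    current = build_manifest(backup_dir)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    extra = sorted(k for k in current if k not in manifest)
    return {"changed": changed, "missing": missing, "extra": extra,
            "ok": not (changed or missing or extra)}


def restore_and_check(backup_dir: Path, manifest: dict, restore_dir: Path) -> bool:
    """Test restore: copy the set to a scratch location and re-verify it there."""
    if restore_dir.exists():
        shutil.rmtree(restore_dir)
    shutil.copytree(backup_dir, restore_dir)
    return verify_backup(restore_dir, manifest)["ok"]


def demo() -> dict:
    """Constructed scenario: a clean backup with a manifest, a successful test
    restore, then the same share after a simulated ransomware run that
    overwrote one file and dropped a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    backup = root / "backup"
    (backup / "finance").mkdir(parents=True)
    (backup / "finance" / "policies.xlsx").write_bytes(b"policy,premium\nA-100,250\n")
    (backup / "finance" / "claims.docx").write_bytes(b"claim narrative (constructed)")

    manifest = build_manifest(backup)  # would be stored with the offline copy
    clean_restore_ok = restore_and_check(backup, manifest, root / "restore_test")

    # Simulated attack on a backup that was still connected to the network:
    # one file overwritten with ciphertext-like bytes, one ransom note dropped.
    (backup / "finance" / "policies.xlsx").write_bytes(bytes(range(64)))
    (backup / "finance" / "README_FOR_DECRYPT.txt").write_bytes(b"pay to recover")

    after_attack = verify_backup(backup, manifest)
    shutil.rmtree(root)
    return {"clean_restore_ok": clean_restore_ok, "after_attack": after_attack}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification against each backup generation, newest first, and restore from the most recent one that passes; a generation that fails tells you the attack reached the backup and how far back you have to go.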
How can a business avoid a ransomware infection?
Your organization must employ both technical and nontechnical methods to prevent ransomware attacks.
Technical preventions include:
- Updated patches: Patches are vendor updates that fix defects in software, including security holes. Unpatched systems are exactly what exploit kits look for, so apply patches promptly and manage the process: know what software is installed, which patches are outstanding and when each will be applied.
- Up-to-date anti-virus protection: Anti-virus software is designed to detect and block known malware, including many ransomware families, before it runs. New threats appear constantly, so make sure anti-virus software is installed on every machine, the subscription is current and signature updates are automatic. Treat it as one layer rather than the only one, since new variants routinely evade signature detection for a time.
- Vulnerability/penetration tests: Testing is available to determine vulnerabilities within a network, website or applications. Through these tests, an organization can learn about and fix any vulnerabilities or security issues before the attacker knows about them.
- Pop-up ad blocker: Cyber criminals often compromise legitimate websites, or the ad networks that serve them, and insert malware-tainted ads. Clicking such an ad loads ransomware, and in some cases merely loading the ad is enough. The ads look legitimate and appear on valid websites. Using a pop-up and ad blocker, together with a patched browser, is a good way to limit exposure to malicious ads while employees are on the internet.
- Limit administrative access rights: Only a small number of trusted employees should have administrative rights on an organization's computer systems, and those elevated accounts should be used only when necessary, never for daily work such as email and web browsing. Ransomware runs with the rights of the account that launched it. Under a standard account it can encrypt only the files that account can write to; under an administrative account it can reach every file on the machine and on every network share the account can access, and it can disable protections such as backup jobs and shadow copies.
Nontechnical prevention includes:
- Training: Some ransomware requires human interaction, such as opening an attachment or clicking a link, before it can run. That interaction is usually obtained through social engineering: an attempt to trick an employee into believing that the email attachment or website ad is legitimate and safe. To deter this type of attack, security and privacy training for employees is paramount.
- Testing: Once employees have been trained, test them. Send them phishing emails to see if they click the links or attachments. If they do, re-educate them on the dangers.
- Awareness programs: Training one day a year is not enough. Create an awareness program to send out reminders about cyber security and privacy issues throughout the year.
Ransomware is on the loose in 2017. Protect your organization’s systems and files by minimizing vulnerabilities and by training your employees about ransomware. Before you are a victim of ransomware, have a plan to recover. Test your backups and confirm that a copy is not connected to your network.
If you need to report a cyber crime, go to http://www.ic3.gov/complaint.