Is ransomware just another case of crying wolf, or something Norwegian organizations should take seriously? Basefarm considers ransomware to be the number one IT threat today. The company’s best advice is to protect yourself before the threat affects you.
No empty threat
– Companies and other organizations have become accustomed to warnings of computer threats without being affected by them. Therefore, it is tempting to ignore the ransomware threat. You should not do that. In return, the remedies for ransomware also work preventively against many other threats, Fredrik Svantes, leader of Basefarm SIRT (Security Incident Response Team), says.
Basefarm supplies complex IT solutions for mission-critical software. The company’s reference list comprises large businesses, including public administration, transport companies and financial businesses. All depend on their IT systems running without interruptions. Being responsible for this, Basefarm follows the IT threat level closely.
– We have seen attempted attacks. Slightly larger companies with a healthy economy are particularly vulnerable, Svantes confirms.
Loss of time and revenue
The attack stories keep coming. Here are two of them: A hospital in California was infiltrated. In order to access their own patient journals, they paid 20,000 dollars. In January last year, ransomware took over more than 20 million files at the Swedish National Agency for Education.
The story of the National Agency for Education is the most typical of all. According to dn.se (Dagens Nyheter, the Daily News), an employee opened a file that had arrived in their mailbox. As a result, that person’s computer and the document server of the entire organization were infected. The server held most of the employees’ documents, including business decisions, reports and other support material. It took nearly a week to restore the server from a backup taken the day before.
– One week without access is a long time, and will entail delays and losses. Even if you are advised not to pay the ransom, many are tempted in order to regain access to their files. After all, not getting the files back could mean a total disaster. The tendency is for the size of the ransom to rise along with the willingness to pay, Svantes says.
The infection may also come from infected websites. Many who hear this intuitively think that it means someone has visited websites they should not have visited.
However, ransomware is distributed through ad networks, in ads that can be found on most completely normal websites, including online newspapers and blogs. In other words, if you want to distribute a virus you can buy ad space and, for example, upload a file with a Flash animation. Users without up-to-date Flash software/clients on their computers are exposed to the risk of infection.
– The crooks earn money doing this, and therefore they have no problems paying for the ads.
The problem with ransomware and other malware is going to grow due to the prevalence of the Internet of Things (IoT). These things are connected to the internet in one way or another. Many of them are cheap compared to, for example, a server or a PC. They may be secure when purchased, but the manufacturer, or you, may not be very interested in bearing the cost of keeping them up to date. The first TVs have already been taken over by discount ransomware. For a few hundred you can get the unit back up and running. The fact that life-critical medical equipment may be open to this type of attack is even more serious.
The good thing about methods of protecting yourself against ransomware is that they also work against other malware and other types of attack.
Tip 1: Ensure the organization has the right knowledge and culture
Because antivirus systems and firewalls are routinely updated and block regular mass attacks, the crooks are forced to find new, clever paths. A rapidly spreading phenomenon is attacks directed at individuals. By searching Facebook, LinkedIn or other social channels, the attackers find information about persons and their networks. Then they send e-mails to the victims, who feel safe because of the personal character of the information.
The consequence of this is that businesses must establish a culture with sufficient knowledge of this type of approach, and therefore be extra attentive towards what might happen. A vigilant mindset towards e-mail and memory sticks must be part of such a culture. Firstly, not all e-mails should be opened. Secondly, not all attachments should be opened. Thirdly, do not reply to everything. And do not insert any unknown memory stick into the computer!
Tip 2: Establish routines for handling attacks and ensure that everybody knows them
Some people take the chance of opening an e-mail because they do not want to be a nuisance or expose their “stupidity”. That is clearly not a good idea. People need to know who to contact, and that they will be met in a friendly and professional manner.
If something occurs, the notification procedures must be crystal clear, the distribution of responsibility indisputable and the measures immediate. The organization must have monitoring equipment in place and keep it under control, including making sure that someone subscribes to security updates.
Part of the contingency is practicing. Practice may be done at different levels: from within the IT department to the entire organization.
Tip 3: Have a backup and make sure it works
You have heard this advice before: backup. But if your backup is reasonably new, and you have restore processes that work, you will be relatively fine even if you are affected by ransomware.
You cannot back up database-based systems (CRM, ERP, financial systems etc.) while they are running. Such systems must therefore be set to back up their own data, and then you back up these backups. No backup is safe until you have tested that it can be used (restore). Cloud backups may be good, but remember that transferring large amounts of data can take quite some time.
Block access to the backup server for all types of users except the backup software itself. This way you prevent the infection from destroying the backup.
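The restore test that Tip 3 calls for can be automated. The following is an added example, not Basefarm's own tooling: it records a SHA-256 manifest when the backup is taken and checks a test restore against it. The directory layout, file names and the `demo` helper are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        # Read in chunks so large documents do not fill memory
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a test restore with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    both = manifest.keys() & restored.keys()
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "changed": sorted(k for k in both if manifest[k] != restored[k]),
        "unexpected": sorted(restored.keys() - manifest.keys()),
    }


def demo() -> dict:
    """Constructed sample: one missing, one damaged and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for root in (src, dst):
            (root / "reports").mkdir(parents=True)
        (src / "reports" / "q1.txt").write_text("quarterly report")
        (src / "decisions.txt").write_text("board decision")
        (src / "notes.txt").write_text("support material")
        manifest = build_manifest(src)  # taken when the backup is made
        # Simulated restore: notes.txt never came back, decisions.txt differs
        (dst / "reports" / "q1.txt").write_text("quarterly report")
        (dst / "decisions.txt").write_text("unreadable bytes")
        (dst / "decisions.txt.locked").write_text("stray file")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
```

A restore counts as tested only when all three lists come back empty; the manifest itself should be stored where ordinary users cannot write to it.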
Tip 4: Segment networks and rights
This entails ensuring that different employees have read or write access only to the specific areas of a server that they need. If they are affected by ransomware, this will only affect these areas.
Furthermore, the user should not be allowed to install any software or run software as administrator. This way any infection will be limited to the areas that the user has access to, and cannot easily take over the entire computer.
Tip 5: Ensure that all software is up to date
This applies to both clients and servers. Flash and Java are two vulnerable systems where most of the infections occur today. Outdated software may have security holes that the crooks can force their way through.
Tip 6: Limit what programs the users can run
Most people currently run antivirus software, but antivirus can only stop known malware. Every day there are new variants that the antivirus cannot recognize, since the attackers change the malware and test it against common antivirus products right before they send it out.
Whitelisting is the opposite tactic: Instead of, or in addition to, maintaining a list of programs you do not want to run, you maintain a list of software you actually want. Ransomware is not on that list, and will therefore not be run.
Whitelisting has proven difficult in practice, but is now becoming easier to use. It is the most efficient technique against ransomware.
Tip 7: Have an updated firewall
The firewall prevents outside users from accessing the local network. Classic firewalls block entrances. But some ports, such as port 80 (normally www/http), must usually be open, and a classic firewall will therefore not stop attacks via this port. More advanced firewalls therefore monitor the content coming through the ports. In any case, there are fewer risks connected to computer usage behind a firewall than in front of it.
Tip 8: Use intrusion detection systems (IDS)
IDS systems monitor the network traffic. If the system detects a computer that starts to send out large amounts of data or contacts servers it does not usually use, this is an early indication of infection that can be used for blocking the computer and protecting others.
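The two signals described in Tip 8, unusual outbound volume and contact with servers a computer does not usually use, can be expressed as a per-host baseline check. This is an added example, not part of the original article or any Basefarm product; the flow records, host names, the `detect` function and its thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source host, destination, bytes sent out).
# Host names, destinations and byte counts are invented for this example.
FLOWS = [
    (1, "pc-17", "mail.example.org", 40_000),
    (1, "pc-17", "files.example.org", 60_000),
    (1, "pc-22", "mail.example.org", 30_000),
    (2, "pc-17", "mail.example.org", 45_000),
    (2, "pc-17", "files.example.org", 50_000),
    (2, "pc-22", "mail.example.org", 35_000),
    (3, "pc-17", "mail.example.org", 42_000),
    (3, "pc-17", "files.example.org", 58_000),
    (3, "pc-22", "mail.example.org", 28_000),
    (4, "pc-17", "mail.example.org", 41_000),
    (4, "pc-17", "203.0.113.50", 5_000_000),
    (4, "pc-22", "mail.example.org", 33_000),
]


def detect(flows, today, sigma=3.0, min_bytes=1_000_000):
    """Flag hosts whose traffic on `today` departs from their own history."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes out
    known = defaultdict(set)       # host -> destinations seen before today
    seen_today = defaultdict(set)  # host -> destinations contacted today
    for day, host, dst, nbytes in flows:
        if day > today:
            continue
        daily[host][day] += nbytes
        (seen_today if day == today else known)[host].add(dst)
    alerts = []
    for host in sorted(daily):
        history = [b for d, b in daily[host].items() if d < today]
        sent = daily[host].get(today, 0)
        if not history:  # new host: nothing to compare against yet
            alerts.append((host, "no-baseline", sent))
            continue
        # Assumed rule: mean + sigma * stdev, with a floor to ignore small hosts
        if sent > max(mean(history) + sigma * pstdev(history), min_bytes):
            alerts.append((host, "volume", sent))
        new = sorted(seen_today[host] - known[host])
        if new:
            alerts.append((host, "new-destination", new))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, today=4):
        print(alert)
```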