WannaCry has the ring of a hipster band name, but in fact, it's the moniker for ransomware that recently infected more than 200,000 computer systems around the world. The attack crippled businesses, hospitals, and transportation systems globally. That a single piece of malware had such sweeping impact only illustrates the ongoing need for businesses to better understand ransomware prevention.
In this post, we'll examine the ransomware threat, outline strategies to prevent ransomware infection, and address steps to take if your business is attacked.
Anyone who has encountered a story of kidnapping probably reads the word "ransom" and thinks of a bag or briefcase stuffed with money and dropped at a secure location. So, how does this relate to cybersecurity?
With ransomware, cybercriminals effectively kidnap an organization's data (since no kids are involved, we might call it data-napping). In fact, according to Symantec's 2017 Internet Security Threat Report, "detections of ransomware increased by 36 percent in 2016" and it remains a dangerous threat facing both individuals and organizations.
Ransomware infection typically occurs via email spam campaigns or web attacks. Workers receiving a ransomware email might infect their computer by clicking on a malicious attachment, or employees might visit a malicious web page designed to prompt the download of exploit kits that take advantage of computer vulnerabilities to install malware.
If it happens to you, the installed ransomware encrypts your important documents and files, while leaving required operating system files alone. Thus, you're unable to access personal documents and files until you pay the ransom and are provided with a decryption key by the attacker.
"Attackers are demanding more and more from victims with the average ransom demand in 2016 rising to $1,077, up from $294 a year earlier." – Symantec
Attackers will often request their ransom in anonymous Bitcoin payments, and they're hitting Americans hard. Symantec's research suggests that cybercriminals are concentrating their efforts primarily on developed economies, with the US being the region most affected.
In the case of the WannaCry attack, the malware had characteristics of both ransomware and worms. The attack not only encrypted the local user's machine, but also sought to infect other vulnerable machines on the same network.
"This is obviously the next evolution of malware," Cisco cybersecurity researcher Craig Williams told Wired. "It's going to attract copycats."
Curious about how the virus spread? View the New York Times' animated map of the WannaCry infection.
The hackers probably have you beat when it comes to tech know-how. So what can your organization do to better protect itself from ransomware attacks?
Humans tend to have a major flaw when it comes to security: trust. Trusting too much, one individual — and it only takes one — will open a malicious document that leads to a data compromise that impacts an entire company.
Thinking your organization isn't really a target, and trusting that it's OK to offer Server Message Block (SMB) over the Internet to share access to files or printers, also leaves the door wide open to an attacker who needs to infect only one computer to infect the entire network. The best bet with the latest spate of ransomware exploiting SMB is to completely disable SMBv1 within Windows (WannaCry targeted older versions of Microsoft Windows).
When it comes to preventing ransomware attacks, proactive approaches are a must. Much like immunizing yourself from a physical virus, an organization needs to plan ahead to stop a computer infection.
Update Security. New ransomware variants are released regularly. To avoid becoming a victim of the newest release, consistently update security software and operating systems. Don't make the cybercriminals' job easy — upgrade any outdated and unpatched software and stay current on anti-virus rules and signatures.
Bolster Firewalls. Firewalls are used to identify and analyze various types of network traffic. When ransomware attacks are publicized, information is offered to help filter out the threat. For instance, in WannaCry, the call was to explicitly deny all traffic for (TCP) Port 445 – SMB, (UDP) 137, (UDP) 138 and (TCP) 139.
Be Wary with Email. Educate employees to treat every single email with caution. Validate. Verify. Treat everything as potentially malicious until proven otherwise. Check the email address is legitimate. Look for obvious typos and grammatical errors in the body text. Hover over any links (without clicking on them) to see the URL. Consider it a particular red flag if a Microsoft Office email invites you to enable macros to view its contents.
59% of ransomware infections come from email — Osterman Research
Be Attentive to Cybersecurity News. In a recent attack in Europe there was a trend of high infection rates as people started work. By keeping an eye on reports of infection, North American companies would have had a few extra hours to mitigate and identify potential attack vectors and close them before their own employees' work day began.
Backup. Yep, we've all heard this one again and again. But, if you have a current backup of important data you don't have to rely on cybercriminals to unlock data.
Backup Smart. The backup advice bears repeating. Plus, it's smart to keep backups offsite and offline on reliable storage media such as magnetic tape. Otherwise, if your backup is accessible from the network, you're looking at the possibility of a ransomed backup!
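The SMBv1 and port-blocking advice above, as an added PowerShell example that is not part of the original post: it audits a Windows host, disables SMBv1, and blocks the ports named in the WannaCry guidance. The rule names and the choice of the Public firewall profile are assumptions made for illustration; run it from an elevated session.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later.

# 1. Audit: report whether the SMBv1 server protocol is still enabled.
$before = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output "SMBv1 server enabled before change: $before"

# 2. Disable SMBv1 on the server side of this host.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 3. Remove the SMBv1 optional feature where the OS exposes it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
        Out-Null
    Write-Output 'SMB1Protocol feature disabled; reboot to complete removal.'
}

# 4. Block the ports named in the WannaCry guidance for inbound traffic.
#    Assumption: only the Public profile is blocked, so internal file sharing
#    on Domain/Private networks keeps working. Rule names are made up here.
$ports = @(
    @{ Protocol = 'TCP'; Port = 445 },
    @{ Protocol = 'UDP'; Port = 137 },
    @{ Protocol = 'UDP'; Port = 138 },
    @{ Protocol = 'TCP'; Port = 139 }
)
foreach ($p in $ports) {
    $name = "Block inbound $($p.Protocol) $($p.Port) (SMB/NetBIOS)"
    # Skip creation if a rule with this name already exists (idempotent re-runs).
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $p.Protocol -LocalPort $p.Port -Profile Public | Out-Null
    }
}

# 5. Verify the resulting state.
$after = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output "SMBv1 server enabled after change: $after"
Get-NetFirewallRule -DisplayName 'Block inbound *' |
    Select-Object DisplayName, Enabled, Action, Profile
```

Host rules like these complement, rather than replace, equivalent deny rules on the perimeter firewall.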
Realizing your business is a victim of a ransomware attack is stressful. Nevertheless, the first thing to do is try to react calmly. These additional strategies can help you prevent a wider infection and regain access to computers and files.
Disconnect. This is a little like amputating a limb to avoid the spread of the infection to the rest of the body. Disconnecting the infected device from the Internet and any other devices is necessary to the safety of the larger network.
Determine what you're dealing with. Use the information in the ransom note to help you research the situation. Enter the email address, the name of the ransomware, or even the text of the note into a search engine to learn more. You may find the cybercriminal is bluffing, or you might be able to access an available decryptor.
Remove the ransomware. Simple ransomware viruses can be cleaned up with malware removal in a system safe mode. However, aggressive ransomware disables system restore options and you may need to run a virus scanner from a bootable disc or USB drive.
Report the crime. Contact law enforcement, typically the closest FBI office, to report that you have been the victim of a ransomware attack. This can feel frustrating, as they may not be able to help much, yet making them aware might help others avoid a similar fate.
Revert to backups. Seriously, did we mention yet how smart it is to back up often? By reinstalling the operating system and restoring files from your backups, you'll be back in business with your most important files at the ready once again.
Ransomware has been around since Joseph Popp's PC Cyborg in 1989. Since the criminals are making money off these attacks, we can expect them to continue. In the first quarter of 2016 alone, cybercriminals extorted $209 million from businesses.
In 2016, an IBM Security survey found 70 percent of business victims paid a ransom. Yet paying the ransom is no guarantee your troubles are over. You might pay the money and never get a recovery key in return. In the WannaCry outbreak, security analysts noted that with only three payment destinations and hundreds of thousands of victims, it would be difficult for the attackers to determine which victims paid and whose files to decrypt.
Even if the hackers do provide you with the ability to unencrypt your files, you run the risk that they'll simply hit your business again in the future. Plus, paying the ransom rewards the cybercriminal and provides them with an incentive to keep doing what they're doing to more consumers, small businesses, or large organizations.
According to Osterman Research, financial services and healthcare industries are the most vulnerable to attack as they're most dependent on access to business-critical information. At the same time, though, it may be difficult to get a full picture of the problem as fewer than one in four ransomware attacks are reported to authorities.
RedTeam can help your organization detect and mitigate social engineering attacks. Our penetration testing identifies and fixes vulnerabilities on the application, network, device, and Internet-of-Things. We specialize in helping businesses understand the strengths and weaknesses of physical security controls.
Save your organization from ever having to make the choice about paying a ransom or reporting the attack with protective measures:
Spam email and exploit kits are the main attack tactics, but other ways to spread ransomware include:
Secondary infection — Downloaded malware triggers on an already infected computer.
Brute-forcing passwords — Spread through illicit access to software on servers using forced login credentials.
Exploiting vulnerabilities — Targeting vulnerable servers to spread malware throughout a network.
Self-propagation — Widespread infection spreads to all contacts via SMS or by infecting all removable drives.
Third-party app stores — Mobile ransomware spread via disreputable app stores.