Overcoming the threat of ransomware

Ransomware is a fast emerging threat and successful attack method faced by organisations and individuals alike. Attackers use malware to break into computers and lock victims out of patient records, sensitive documents, case information, and other irreplaceable data. Victims then face a tough choice: pay the ransom or lose access to their data forever.

Since ransomware first appeared in 1989, malware authors have used increasingly advanced and more complex techniques. Today, ransomware is rapidly spreading through phishing emails that contain an infected Word document, as well as through a technique called “malvertising,” which works by inserting malicious code into an online ad network. When a person visits a website featuring the malicious ad, the code executes and the browser automatically loads the malicious content.

With new variants appearing daily, ransomware is a rapidly growing threat. In fact, by the end of 2011 nearly 100,000 different variants of ransomware were seen in the wild. In the first quarter of 2015, the number of known unique variants had jumped to more than 750,000. In light of these numbers, organisations large and small should take some practical steps to reduce their chances of falling victim to this threat.

When securing their data, organisations are usually encouraged to reduce the overall volume of data they hold and focus on protecting the data that means the most to their customers and to the organisation itself. However, ransomware encourages us to turn this concept on its head.

Backup, backup, and backup again

Your most reliable defence is something you should be doing already: backing up your data on a regular basis. If you have a complete backup of your important data and fall victim to a ransomware attack, you can simply wipe your computer clean, recover your data from your backup, and avoid paying the ransom that your attackers are demanding.

However, it’s not enough just to back up your data every now and then. Instead, it’s critical to keep the backup up to date. What’s more, it’s a good idea to keep multiple backups, in case your system automatically backs up after the ransomware takes hold and overwrites your backup with compromised data. Just remember to keep your backups offline and isolated from your network, as some ransomware will try to encrypt networked and removable drives.

You should also regularly test your backups by restoring from them; this will give you confidence that the backup data is safe and you’ll know what to do in the event of a real problem.
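To make the backup advice above concrete (one separate snapshot per run, so an automatic backup taken after infection never overwrites the good copy, plus a restore test), here is an added example that is not part of the original article. It assumes a simple layout of one full-copy snapshot directory per run with a SHA-256 manifest beside it, and a change-ratio threshold chosen for the example; the sample files and the simulated infection are constructed inline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Added example (not from the original article). Assumptions: every backup run copies
# the source tree into its own snapshot directory beside a SHA-256 manifest, and a
# snapshot that alters most files versus the previous one is flagged as suspect.
SUSPECT_CHANGE_RATIO = 0.5  # a normal day changes a few files; ransomware rewrites nearly all

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 digest for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def take_snapshot(source: Path, backup_root: Path, label: str) -> dict:
    """Full copy into a fresh directory, so earlier snapshots are never overwritten."""
    manifest = build_manifest(shutil.copytree(source, backup_root / label))
    (backup_root / f"{label}.json").write_text(json.dumps(manifest))
    return manifest

def changed_ratio(old: dict, new: dict) -> float:
    """Fraction of files in the older snapshot that are missing or altered in the newer one."""
    changed = sum(1 for rel, digest in old.items() if new.get(rel) != digest)
    return changed / len(old) if old else 0.0

def verify_restore(backup_root: Path, label: str, restore_to: Path) -> bool:
    """Restore a snapshot and check every file against its recorded digest."""
    shutil.copytree(backup_root / label, restore_to)
    return build_manifest(restore_to) == json.loads((backup_root / f"{label}.json").read_text())

def demo() -> dict:
    """Constructed scenario: a clean snapshot, then one taken after ransomware hit the source."""
    work = Path(tempfile.mkdtemp())
    src, backups = work / "docs", work / "backups"
    src.mkdir()
    backups.mkdir()
    for i in range(4):
        (src / f"report{i}.txt").write_text(f"quarterly figures {i}\n")
    clean = take_snapshot(src, backups, "snap1")
    for p in list(src.glob("*.txt")):  # simulated encryption: contents replaced, name changed
        p.with_name(p.name + ".locked").write_bytes(hashlib.sha256(p.read_bytes()).digest())
        p.unlink()
    after = take_snapshot(src, backups, "snap2")
    ratio = changed_ratio(clean, after)
    restore_ok = verify_restore(backups, "snap1", work / "restore")
    shutil.rmtree(work)
    return {"ratio": ratio, "suspect": ratio >= SUSPECT_CHANGE_RATIO, "restore_ok": restore_ok}
```

In the scenario the second snapshot is flagged because every file changed at once, while the first snapshot still restores cleanly; in practice the suspect flag should stop the rotation from discarding older snapshots.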

Keeping your attack surface in check

At this stage, you’re probably thinking that creating backups presents a bit of a contradiction, as it can only add to your attack surface by generating more potentially vulnerable data. The trick is to address the issue of what data you store and what value it has. For example, you probably no longer need emails that are four years old, or notes about every meeting you attended three years ago. However, losing that important document you’re working on just a few hours before your deadline would have a devastating effect.

When it comes to managing your data, best practice is to remove ROT (redundant, obsolete, and trivial) data, appropriately secure the most important information, and protect it against the worst case scenario.

Taking a well-rounded approach

While regular backups will help protect against ransomware, there are additional practices you should also adopt. In order to implement defence in depth, there are some tips you should consider:

  • Ensure you have strong and up to date antivirus and firewall solutions
  • Only use escalated account privileges – through which an account gains elevated access to resources that are normally protected from an application or user – when they are needed
  • Set up good email rules and filters to protect against potentially dangerous attachments, such as .exe files
  • Enable software – such as Windows System Restore, Mac OS Time Machine, or the equivalent in your operating system – which will allow you to restore your computer's system files to an earlier point in time
  • Disable remote access tools if you don’t need them
  • Ensure all your software is up to date
  • Stay aware of security issues
  • Consider using a Cryptolocker prevention utility to guard against this most common form of ransomware.

Limiting the damage

So what should you do if you do fall victim to ransomware? The first step is to immediately isolate the infected machine from the network to contain the infection. Take some time to consider your options before acting, and avoid the initial instinct to pay the ransom to make the problem go away. Depending on the type of attack, you may have some better options than paying your attacker. For example, the Windows volume shadow copy service can help you recover data or encryption keys from certain ransomware variants.

The dangers of ransomware aren’t going away anytime soon. The ease with which attackers can compromise a machine means it will be a threat for years to come. Fortunately, enterprises can take a few simple steps to protect themselves.

By backing up your data, not opening attachments from unknown senders, and following the suggestions above, you can greatly decrease the risk and impact of becoming a victim.

Stuart Clarke, Chief Technical Officer, Cybersecurity, Nuix