Here’s a nightmare scenario for you. Show up for work on a Monday morning to discover you’re locked out of all business systems. You’re infected with ransomware. No-one can work. Even worse, an anonymous creep is demanding payment in Bitcoin or Monero, which you probably don’t have. Where do you start and what do you do?
While it might not be you today (thank your lucky stars), it definitely could be. Plenty of Kiwi companies have experienced this waking nightmare; in fact, ransomware is rapidly becoming one of the most prevalent forms of malware, according to BitSight. Names like WannaCry and NotPetya should be familiar to most.
Where ransomware is concerned, prevention is always a lot better than cure. Actually, that goes for any information security compromise.
But before getting to ‘what to do’, a definition. Ransomware is the unvarnished ugly face of cybercrime. It arrives by email attachment or a tempting link or any one of a number of subtle social engineering ways to inveigle code onto your computers. Then it encrypts hard drives and sends you a message, attempting to extort money.
Getting into prevention requires an overview of how to, more generally, secure your information systems; we’ll deal with that after looking at how to get out of a ransomware pickle.
Dealing with ransomware
Firstly, do not pay the ransom. Paying a blackmailer might make them go away, but for how long? The attacker is already in. Even if they were to decrypt your files, how long until they locked it down again? Furthermore, if anyone pays the ransom, it encourages more attacks. If no one paid, there would be no reason to create the ransomware.
Secondly, get help immediately. Far too many businesses make it into a third day of business disruption before asking for help.
The general priority for dealing with malware is: containment, identification, notification, cleaning.
- Containment: Something’s gone wrong and your you’re not sure what it is. By turning things off and unplugging them, you can prevent the malware from spreading. This is tough, as it often means disruption – but a small disruption that may be a false alarm is far better than an outbreak which disrupts more of your business for longer.
- Identification: Once isolated (often while you are still finding and disconnecting any infected devices), you need to figure out what you’re dealing with. Offline virus scans, examining running processes, and dissecting file evidence on the machine will all help. Knowing what you are fighting is crucial to know the extent of the problem and how to defeat the malware.
- Notification: Internal and external communication is necessary. Internal users need to know the risks and what to look out for, and if any specific action is required of them (such as handing in any laptops or USB devices for checking). Whilst external notification of a security breach isn’t yet New Zealand law it is a good idea to notify anyone who might be at risk. If the virus sends out emails, tell your customers and partners to watch out for those emails. The last thing you want is to be the cause of your client getting infected.
- Cleaning: This is where preparation pays off. If you’ve done backups right, you can simply roll back to a time prior to being hit by the ransomware and restore. Job done. Well, almost. Some things may need to be recreated or rebuilt so your offline DR systems may come into play while you recover. Regardless of the details, one thing is true; be 100% sure that a clean device is not at risk of reinfection and really is clean. Or else you’ll end up chasing your tail.
A simple and sound prevention strategy
Think of security, and all systems, as a three-legged stool. Those three legs are People, Process and Technology. Take just one out and the stool is perhaps only suitable for a clown: it’s going to tip over, except unlike in the hands of a circus entertainer, the spill won’t be funny.
For a secure computing environment, then, all three legs must be sound.
- Technology is usually the easiest part of security (though it is easily – and often – neglected). The Australian Cyber Security Centre publishes a list of the most effective strategies to mitigate cyber security Incidents. It’s well worth assessing your IT systems against this list.
Note that antivirus software, while necessary, is far from sufficient: it barely makes the list. If you’re pinning your hopes of security on an antivirus subscription, you may find yourself coming up short.
- The People leg of the stool can either be the strongest or weakest support. If your people are security conscious and risk-aware, they can stop many attacks simply by recognising a dodgy email or link and reporting it, rather than blindly opening it up. At the same time, though, people are the easiest point for an attacked to probe. After all, kitten videos are just too cute to resist…
Regular reminders of security and continuous user education is the only approach to reinforcing this aspect.
- The Process leg is perhaps not automatically associated with cyber security but plays a crucial role in supporting the stool. With robust processes in place, created with security as part of the design, your information systems are more resilient.
An example might be requiring any payment requests, or change of bank account details, to be done telephonically rather than by email. The simple fact is that an ‘email from the CEO’ could be from anyone (spoofing). It’s harder to impersonate someone on the phone.
Note, however, that even with all three legs solidly in place, there’s no guarantee that you won’t be infected or targeted. Expect a compromise – and know what to do should it eventuate.
Are you sure your Greentree system is being backed up correctly and completely every day?
When did you last restore your backup to verify that it was up-to-date and useable? Is your backup available off-site in the event your
server fails, your network is unusable or your building is inaccessible?