- AUTHOR: KIM ZETTER (SECURITY)
- DATE OF PUBLICATION: 05.13.16 (wired.com)
- TIME OF PUBLICATION: 1:00 PM
4 WAYS TO PROTECT AGAINST THE VERY REAL THREAT OF RANSOMWARE
RANSOMWARE IS A multi-million-dollar crime operation
that strikes everyone from hospitals to police departments to online casinos.
It’s such a profitable scheme that experts say traditional cyberthieves are
abandoning their old ways of making money—stealing credit card numbers and bank
account credentials—in favor of ransomware.
But now that lawmakers on Capitol Hill are in the sights of cyber extortionists, the government
will finally do something to stop the scourge, right?
Don’t count on it. You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your
computer or critical files until you pay a ransom to unlock them. You could
choose to cave and pay, as many victims do. Last year, for example, the FBI
says victims who reported attacks to the Bureau enriched cyber extortionists’
coffers by $24 million. But even if you’ve backed up your data in a safe place
and choose not to pay the ransom, this doesn’t mean an attack won’t cost you.
Victims of the CryptoWall ransomware, for example, have suffered an estimated
$325 million in damages since that strain of ransomware was discovered in
January 2015, according to the Cyber Threat Alliance (.pdf). The damages include
the cost of disinfecting machines and restoring backup data—which can take days
or weeks depending on the organization.
But don’t fear—you aren’t totally at the mercy of hackers. If you’re at risk for a
ransomware attack, there are simple steps you can take to protect yourself and
your business. Here’s what you should do.
First of All, Who Are Ransomware’s Prime Targets?
Any company or organization that depends on daily access to critical data—and can’t
afford to lose access to it during the time it would take to respond to an
attack—should be most worried about ransomware. That means banks, hospitals,
Congress, police departments, and airlines and airports should all be on guard.
But any large corporation or government agency is also at risk, including critical infrastructure, to a degree. Ransomware, for
example, could affect the Windows systems that power and water plants use to
monitor and configure operations, says Robert M. Lee, CEO at critical
infrastructure security firm Dragos Security. The slightly relieving news is that
ransomware, or at least the variants we know about to date, wouldn’t be able to
infect the industrial control systems that actually run critical operations.
“Just because the Windows systems are gone, doesn’t mean the power just goes down,”
he told WIRED. “[But] it could lock out operators from viewing or controlling
the process.” In some industries that are heavily regulated, such as the
nuclear power industry, this is enough to send a plant into automated shutdown,
as regulations require when workers lose sight of operations.
Individual users are also at risk of ransomware attacks against home computers, and some
of the suggestions below will apply to you as well, if you’re in that category.
1. Back Up, as Big Sean Says
The best defense against ransomware is to outwit attackers by not being vulnerable
to their threats in the first place. This means backing up important data
daily, so that even if your computers and servers get locked, you won’t be
forced to pay to see your data again.
“More than 5,000 customers have called us for help with ransomware attacks in the
last 12 months,” says Chris Doggett, senior vice president at Carbonite, which
provides cloud backup services for individuals and small businesses. One health
care customer lost access to 14 years of files, he says, and a community
organization lost access to 170,000 files in an attack, but both had backed up
their data to the cloud so they didn’t have to pay a ransom.
Some ransomware attackers search out backup systems to encrypt and lock, too, by
first gaining entry to desktop systems and then manually working their way
through a network to get to servers. So if you don’t back up to the cloud and
instead back up to a local storage device or server, these should be offline and
not directly connected to desktop systems where the ransomware or attacker can
reach them.
“A lot of people store their documents in network shares,” says Anup Ghosh, CEO of
security firm Invincea. “But
network shares are as at risk as your desktop system in a ransomware infection.
If the backups are done offline, and the backup is not reachable from the
machine that is infected, then you’re fine.”
The same is true if you do your own machine backups with an external hard drive.
Those drives should only be connected to a machine when doing backups, then
disconnected. “If your backup drive is connected to the device at the time the
ransomware runs, then it would also get encrypted,” he notes.
Backups won’t necessarily make a ransomware attack painless, however, since it can take
a week or more to restore data, during which business operations may be
impaired or halted.
“We’ve seen hospitals elect to pay the ransom because lives are on the line and
presumably the downtime that was associated, even if they had the ability to
recover, was not considered acceptable,” says Doggett.
2. Just Say No—To Suspicious Emails and Links
The primary method of infecting victims with ransomware involves every hacker’s
favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with
emails that carry a malicious attachment or instruct you to click on a URL
where malware surreptitiously crawls into your machine. The recent ransomware
attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which
apparently were the accounts the attackers were phishing.
But ransomware hackers have also adopted another highly successful method—malvertising—which involves compromising an
advertiser’s network by embedding malware in ads that get delivered through web
sites you know and trust, such as the malvertising attacks that recently struck the New
York Times and BBC. Ad blockers are one way to block malicious ads; patching known browser
security holes will also thwart some malvertising.
When it comes to phishing attacks, experts are divided about the effectiveness of
user training to educate workers on how to spot such attacks and right-click on
email attachments to scan them for malware before opening. But with good
training, “you can actually truly get a dramatic decrease in click-happy
employees,” says Stu Sjouwerman, CEO of KnowBe4, which does security awareness training for
companies. “You send them frequent simulated phishing attacks, and it starts to
become a game. You make it part of your culture and if you, once a month, send
a simulated attack, that will get people on their toes.” He says with awareness
training he’s seen the number of workers clicking on phishing attacks drop from 15.9 percent to just 1.2 percent in some
companies.
Doggett agrees that user training has a role to play in stopping ransomware.
“I see far too many people who don’t know the security 101 basics or simply don’t
choose to follow them,” says Doggett. “So the IT department or security folks
have a very significant role to play [to educate users].”
3. Patch and Block
But users should never be considered the stop-gap for infections, Ghosh says.
“Users will open attachments, they will visit sites that are infected, and when
that happens, you just need to make sure that your security technology protects
you,” he says.
His stance isn’t surprising, since his company sells an end-point security product
designed to protect desktop systems from infection. The product, called X, uses deep learning to
detect ransomware and other malware, and Ghosh says a recent test of his product blocked 100 percent of attacks
from 64 malicious web sites.
But no security product is infallible—otherwise individuals and businesses wouldn’t
be getting hit with so much ransomware and other malware these days. That’s why
companies should take other standard security measures to protect themselves,
such as patching software security holes to prevent malicious software from
exploiting them to infect systems.
“In web attacks, they’re exploiting vulnerabilities in your third-party
plug-ins—Java and Flash—so obviously keeping those up to date is helpful,”
Ghosh says.
Whitelisting software applications running on machines is another way Sjouwerman says you
can resist attacks, since the lists won’t let your computer install anything
that’s not already approved. Administrators first scan a machine to note the
legitimate applications running on it, then configure it to prevent any other
executable files from running or installing.
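As an added illustration that is not part of the WIRED article, the two steps described above (scan a known-good machine, then refuse anything outside that list) can be sketched in Python using file hashes. The function names and the sample files are hypothetical and constructed for the demonstration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> set:
    """Step 1: scan a known-good machine and record each executable's hash."""
    approved = set()
    for path in root.rglob("*"):
        if path.is_file() and path.stat().st_mode & 0o111:  # any execute bit
            approved.add(sha256_of(path))
    return approved


def may_execute(path: Path, approved: set) -> bool:
    """Step 2: default deny. Only content already in the baseline may run."""
    return sha256_of(path) in approved


def demo() -> dict:
    """Run both steps over constructed files standing in for real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        editor = root / "editor"
        editor.write_bytes(b"approved editor build 1.0")
        editor.chmod(editor.stat().st_mode | stat.S_IXUSR)
        approved = build_baseline(root)

        dropped = root / "invoice.pdf.exe"   # arrives after the scan
        dropped.write_bytes(b"unknown payload")
        renamed = root / "editor-copy"       # same bytes, different name
        renamed.write_bytes(editor.read_bytes())
        results = {"editor": may_execute(editor, approved),
                   "dropped": may_execute(dropped, approved),
                   "renamed_copy": may_execute(renamed, approved)}
        editor.write_bytes(b"approved editor build 1.0 + tampering")
        results["tampered_editor"] = may_execute(editor, approved)
        return results


if __name__ == "__main__":
    print(demo())
```

Because the decision is made on content hashes, a copy of an approved program under a new name is still allowed, while a modified version of an approved file is refused.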
Other methods network administrators can use include limiting systems’ permissions to
prevent malware from installing on systems without an administrator’s password.
Administrators can also segment access to critical data using redundant
servers. Rather than letting thousands of employees access files on a single
server, they can break employees into smaller groups, so that if one server
gets locked by ransomware, it won’t affect everyone. This tactic also forces
attackers to locate and lock down more servers to make their assault effective.
4. Got an Infection? Disconnect
When MedStar Health got hit with ransomware earlier this year, administrators
immediately shut down most of the organization’s network operations to prevent
the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and
respond to ransomware, says that not only should administrators disconnect
infected systems from the corporate network, they should also disable Wi-Fi and
Bluetooth on machines to prevent the malware from spreading to other machines
via those methods.
After that, victims should determine what strain of ransomware infected them. If it’s
a known variant, anti-virus companies like Kaspersky Lab may have decryptors to help unlock files or bypass the lock without
paying a ransom, depending on the quality of encryption method the attackers
used.
But if you haven’t backed up your
data and can’t find a method to get around the encryption, your only option to
get access to your data is to pay the ransom. Although the FBI recommends not
paying, Ghosh says he understands the impulse.
“In traditional hacks, there is no
pain for the user, and people move on,” he says. But ransomware can immediately
bring business operations to a halt. And in the case of individual victims who
can’t access family photos and other personal files when home systems get hit,
“the pain involved with that is so off the charts…. As security people, it’s
easy to say no [to paying]. Why would you feed the engine that’s going to drive
more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the
money, because you’re not in their shoes.”