Mitnick In The News
Ransomware Protection & Removal: How Businesses Can Best Defend Against
Ransomware is on the rise as cybercriminals turn to increasingly savvy and tougher-to-prevent means of monetizing cyber attacks. For businesses that fall victim to ransomware attacks, the consequences can be devastating -- ransomware that lands in shared locations within a network can literally paralyze an organization's operations. Becoming savvier about preventing and defending against such attacks is therefore vital for every business -- not just major enterprises, but businesses of all sizes.
But ransomware is notoriously challenging to prevent altogether, leaving many companies to believe that a reactive approach is the only way to go. While knowing how to fight back if your company is attacked by ransomware is critical, taking proactive steps to minimize the odds that your organization falls victim to ransomware is equally necessary. Preventing ransomware attacks in the first place can save your business tens of thousands of dollars -- or perhaps millions -- in losses due to interrupted operations, data loss, and other consequences. To gain some insight into how today's companies are protecting themselves from and defending against ransomware attacks, we reached out to a panel of 44 security pros and business leaders and asked them to answer this question:
"How can businesses best defend against ransomware attacks?"
So how can modern organizations fend off ransomware attacks, and if your business does fall victim to ransomware, what actions should you take to defend your company? Read on to find out what our experts say businesses should do to best defend against ransomware attacks.
Meet Our Panel of Security Experts:
Tim Bandos is the Director of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim recently joined Digital Guardian to help build our Managed Security Program (MSP) to deliver advanced threat protection to our global customer base. He brings a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.
"Not a week goes by now where we don’t see a barrage of ransomware related headlines..."
Where an organization, hospital, or business had to cough up a fairly large sum of money to decrypt files that became a victim of the incessant malware. Readers of these headlines will scratch their head in puzzlement as to why anyone would even pay, until of course they're faced with this scenario themselves. The first question that always comes to mind is, "How could we have prevented this?" There are multiple steps that can be taken to defend the enterprise against this species of malware and like anything in cybersecurity, a layered approach is always best.
- Ensure antivirus is installed and up to date across all endpoints within the business. Keep in mind, AV is based on signatures so new variants may and will slip through the cracks, but this could easily be a first line of defense. Additionally, it’s best to have a multi-faceted security solution that employs additional protective technologies such as heuristics, firewalls, behavioral-based threat prevention, etc. Digital Guardian offers an ‘Advanced Threat Prevention’ module that contains a suite of protection rules against ransomware based on how it behaviorally interacts on the operating system.
- Establish security awareness campaigns that stress the avoidance of clicking on links and attachments in email. I literally ask myself these questions when receiving an email message with a link or an attached file: 1) Do I know the sender? 2) Do I really need to open that file or go to that link? 3) Did I really order something from FedEx?? Phishing is a common entrance vector for ransomware and because most end users never think twice, it’s extremely successful.
- Backup the data. There are a ton of options here, from backing up to cloud providers to local storage devices or even network attached drives, but each comes with a certain level of risk. It’s imperative to remove the external storage device once a backup has been taken so that if ransomware does infect the computer, it won’t be able to touch the backup.
- GPO restrictions are an easy and affordable method for restricting not only ransomware, but malware in general, from installing. GPO has the ability to provide granular control over the execution of files on an endpoint, so add rules that block activity such as files executing from the ‘Appdata’ directory, or even disable the ability for executables to run from attachments.
- Patching commonly exploited third party software such as Java, Flash, and Adobe will undoubtedly prevent many of these types of attacks from even being successful in the first place.
- Restrict administrative rights on endpoints. I know this is of course a highly political and even cultural request to make, however reducing privileges will reduce the attack surface significantly. End users shouldn’t be downloading and installing games anyway, right?
Ransomware has significantly evolved over the years since it was first introduced back in 1989 as the ‘PC Cyborg’ Trojan and the user had to pay around $189 to repair their computer. Fast forward 20+ years and we’ve seen a myriad of different types of specimens leveraging varying techniques in an effort for the authors or distributors to get paid. With no clear end in sight, we will continue to see these types of attacks, so tightening up the security belt and locking down our PCs is the wisest thing we could do in order to protect what matters most on these devices: the DATA!
Lee Munson is Comparitech's Security Researcher. Lee is a regular contributor to Sophos' Naked Security blog and Social Media Manager for Brian Honan's BH Consulting. He is also the proud winner of the Best UK Security Blog and Best European Security Blog at the 2015 European Security Blogger Awards.
"If a business wishes to protect itself against ransomware, it needs to focus on..."
Both technological solutions and, more importantly, its people. One of the most important defenses against ransomware is to have a robust backup strategy in place that includes off-site storage and regular testing of images and other saved data to ensure their integrity.
Other technical solutions such as always showing hidden extensions (ransomware.jpg may actually be ransomware.jpg.exe), filtering out executable files from email servers, and disabling remote desktop connections are all effective in preventing this type of blackmailing code from ever gaining a foothold on a device or network.
But your people are where your main focus should reside. Staff are far from stupid, yet they remain the weakest link in any security system due to a lack of training and awareness.
By educating them about what ransomware is, how it can infect their machines, and what they can do to stop that from happening (by not opening email attachments, being extremely wary of links in emails, etc.) you will drastically improve the most important level of defense within your organization.
Steven J.J. Weisman, Esq.
Steven Weisman, Esq. is a lawyer, college professor at Bentley University where he teaches White Collar Crime, author, and one of the country's leading experts in scams, identity theft and cybersecurity. He also writes the blog www.scamicide.com where he provides daily updated information about the latest scams, identity theft schemes, and developments in cybersecurity.
"There are several things companies should be doing to combat ransomware..."
- The best defense against ransomware is to back up all of your data each day. In fact, my rule is to have three backup copies using two different formats with one off site.
- While everyone has heard of blacklisting, a good defense against ransomware is the use of whitelisting software that only allows specified programs to be run on the company's computers and therefore blocks malware.
- Install security software and maintain it with the latest security updates. While this will not protect against zero day exploits, many ransomware attacks use older versions for which there are security software defenses.
- Limit the ability of employees who do not need the authority to install software and limit the access of employees to data to only that data to which they need access.
- Most ransomware is delivered by spear phishing. Often the spear phishing is facilitated by information gathered through social media. Have a social media policy in place that limits work-related information, such as job titles from being posted on social media. In addition, have an ongoing education program for all employees about how to recognize and avoid spear phishing.
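Both Lee Munson (regular testing of saved data to ensure its integrity) and Steven Weisman (three copies, two formats, one off site) stress that a backup is only useful if you can show it is intact before you restore from it. The following is an added example, not code from either contributor: it records a SHA-256 manifest when the backup is taken and later compares the backup medium against that manifest, so that files an encryptor reached, deleted, or added are reported instead of being restored. The file names and contents are constructed for the demonstration; the manifest itself must be kept on a separate, offline medium, otherwise whoever reaches the backup can simply rewrite it.

```python
"""Backup manifest creation and verification (added example, constructed data)."""
import hashlib
import os
import pathlib
import tempfile


def sha256_file(path: pathlib.Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: pathlib.Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root; taken when the backup is made."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: pathlib.Path, manifest: dict) -> dict:
    """Compare the medium against the stored manifest before any restore is attempted."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, tamper with the medium the way an
    encryptor that reached the drive would, then verify against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "ledger.csv").write_text("date,amount\n2016-01-04,100\n")
        (root / "notes.txt").write_text("constructed note\n")
        (root / "archive").mkdir()
        (root / "archive" / "old.txt").write_text("constructed archive\n")
        manifest = build_manifest(root)          # would be stored off the backup medium

        # Tampering: one file overwritten with ciphertext-like bytes, one removed, one appeared.
        (root / "ledger.csv").write_bytes(os.urandom(64))
        (root / "notes.txt").unlink()
        (root / "unexpected.txt").write_text("constructed\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Only files listed under "ok" are safe to restore; anything "modified" or "unexpected" on the backup medium is the signal that the backup was reachable from the infected host and that the restore must come from the off-site copy instead.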
Paul Kubler, CISSP, EnCE, SEC+, CCNA, ACE
Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.
"In the recent years, we've seen a dramatic increase in the use of ransomware being delivered alongside..."
Phishing emails. They usually send an attachment such as URGENT ACCOUNT INFO with a file extension of .PDF.zip or .PDF.rar, which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk (some of the less damaging forms simply block your access to the computer, but do not encrypt - such as this example), or the documents, and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data; this way future victims are more likely to pay.
What can you do, as an individual, to minimize the chances of falling victim to these dirty schemes? Here are a few steps you can take:
- DO NOT open emails in the spam folder or emails whose recipients you do not know.
- DO NOT open attachments in emails of unknown origin.
- Use a reputable antivirus software - we recommend Kaspersky, which ranked the highest in our tests.
- Perform a regular backup to an external medium (external hard drive or the cloud).
- After backing up, disconnect your drive. Current ransomware is known to encrypt your backup drive as well.
- DO NOT pay the ransom. The reason why the criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional in your area.
What can your company do to prevent being victimized by these types of attacks?
- Humans need to be trained -- they are the weakest link. Companies should employ at minimum a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.
- Employees should be tested by having an outside party conduct a social engineering test, like something from Rapid7 or LIFARS. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks.
- Since these attacks are on the rise, a number of new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block a large number of phishing exploits before they even reach the internal servers.
As a last line of defense, Cyphort has a good IDS/IPS solution that can help detect known attacks and how far they managed to get into the network by signature, behavior, and by community knowledge.
Eyal Benishti is founder & CEO of IronScales, which provides phishing mitigation and training solutions for organizations of all sizes to protect against traditional phishing, spear phishing, and whale phishing. IronScales focuses on ensuring that people can protect the organization in situations where traditional technology isn’t enough.
"Ransomware has been through several evolutions so far and, as such, requires..."
Careful attention. While the first ransomwares were simply encrypting the local hard drive and asking for money, its latest evolutions are now encrypting network drives. They’re even leaking out the data to make the extortion case even stronger for those using simple restore solutions to overcome the encryption hurdle, by threatening to publish the company data publicly. Since email attachments are the most common way to deliver a ransomware attack inside an organization, you need to take the following important steps:
- Filter both executable and password-protected files. Make sure your gateway mail scanner does not allow these files to go through without your inspection.
- Filter macro-enabled files like .docm. Since macros are yet another way to execute code on the victim machine, block them!
- Apply a patch management system, making sure that all desktop clients are fully patched. Cyber criminals are quick to exploit zero days, so stay ahead.
- Don’t give employees admin privileges on their machines if they don’t need them.
- Perform Data Leakage Prevention (DLP) and anomaly detection. Make sure no one is trying to leak data out of the company network. Pay close attention to suspicious outbound connections.
- Backup. Always keep an up-to-date backup. If you got hit, make sure you don’t restore the Malware together with the data!
- Train employees to spot phishing emails. This is the main attack vehicle, so make sure your staff is well-trained.
- Encourage and incentivize people to report back to you when they see suspicious emails. Act immediately. Automate the process. Some people will never learn, and those new to the company may not know the process. Make sure you leverage those who do know and can spot phishing to make up for those who don’t.
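Three of the contributors above describe the same gateway rule from different angles: Lee Munson's hidden-extension trick (ransomware.jpg that is really ransomware.jpg.exe), Paul Kubler's URGENT ACCOUNT INFO.PDF.zip attachment, and Eyal Benishti's list of executable, password-protected and macro-enabled (.docm) files to filter. The following is an added example, not code from Comparitech, LIFARS or IronScales, showing what such an attachment policy looks like when written down: it flags executable and macro-enabled types, decoy double extensions, and archives that are password-protected or that contain any of the above. The extension lists, the threshold choices and every sample attachment are constructed for the example.

```python
"""Attachment policy check of the kind a gateway mail filter applies (added example)."""
import io
import zipfile
from dataclasses import dataclass, field

# Constructed policy lists; a production filter would be longer and tuned to the environment.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "ps1", "hta", "jar", "msi", "lnk"}
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
ARCHIVE_EXT = {"zip"}
# Document types an attacker puts in front of the real extension ("invoice.pdf.exe").
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


@dataclass
class Verdict:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.reasons)


def _extensions(filename: str) -> list:
    """'URGENT ACCOUNT INFO.PDF.zip' -> ['pdf', 'zip'] (lower-cased, base name dropped)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return parts[1:] if len(parts) > 1 else []


def check_name(filename: str) -> Verdict:
    """Filename rules only: executable type, macro-enabled type, decoy double extension."""
    v = Verdict(filename)
    exts = _extensions(filename)
    if not exts:
        return v
    last = exts[-1]
    if last in EXECUTABLE_EXT:
        v.reasons.append(f"executable type .{last}")
    if last in MACRO_EXT:
        v.reasons.append(f"macro-enabled document .{last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXT and last in EXECUTABLE_EXT | ARCHIVE_EXT | MACRO_EXT:
        v.reasons.append(f"double extension .{exts[-2]}.{last}")
    return v


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Filename rules plus a look inside ZIP archives (by extension or by 'PK' signature)."""
    v = check_name(filename)
    if _extensions(filename)[-1:] == ["zip"] or data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:   # bit 0 of the general-purpose flag: entry is encrypted
                        v.reasons.append(f"password-protected entry {info.filename}")
                    for r in check_name(info.filename).reasons:
                        v.reasons.append(f"archive member {info.filename}: {r}")
        except (zipfile.BadZipFile, ValueError):
            v.reasons.append("claims to be a ZIP but cannot be parsed")
    return v


def _sample_zip(member_name: str) -> bytes:
    """Build a small constructed archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ...constructed placeholder, not a real program...")
    return buf.getvalue()


# Constructed sample attachments, modelled on the names the contributors mention.
SAMPLES = {
    "quarterly_report.pdf": b"%PDF-1.4 constructed",
    "ransomware.jpg.exe": b"MZ constructed",
    "invoice.docm": b"constructed document body",
    "URGENT ACCOUNT INFO.PDF.zip": _sample_zip("URGENT ACCOUNT INFO.PDF.exe"),
    "photos.zip": _sample_zip("beach.jpg"),
}


def scan_all(samples=SAMPLES) -> dict:
    """Return {filename: reasons} for every attachment that should be held for inspection."""
    verdicts = (check_attachment(name, data) for name, data in samples.items())
    return {v.filename: v.reasons for v in verdicts if v.blocked}


if __name__ == "__main__":
    for name, reasons in scan_all().items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

Note what is and is not caught: photos.zip passes because the policy is about what the archive contains, not about archives as such, while the .PDF.zip attachment is held on two independent grounds (the decoy double extension on the outside, and the executable member inside). A password-protected archive cannot be opened by the gateway at all, which is exactly why Benishti's rule holds it for manual inspection rather than letting it through.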
As Vice President of Technology for iCorps Technologies, Jeffery Lauria is responsible for managing iCorps' client accounts (small and mid-sized businesses) and helping them practice security best practices. Jeffery is an accomplished Information Security Executive whose experience spans over 20 years in all facets of IT. His certifications include CISSP, CGEIT, CISA, CRISC, CCISO, CCSK and MCSE.
"To defend against ransomware..."
There are some relatively straightforward and cost effective steps that all businesses can take. In addition, there are products and services that can provide additional mitigation.
As with all security issues, there is rarely a “silver bullet” or singular step that will fully mitigate the problem. Multiple steps are needed to be able to reasonably defend against ransomware. Some steps are designed to prevent ransomware to begin with, some steps will reduce the impact of ransomware, and some steps will allow recovery from ransomware. Below are quick-hit check-lists for each category outlining appropriate steps.
- Practice ‘Least Privilege.’ The Least Privilege concept says that any given account should have the least amount of privilege required to perform appropriate tasks. Common places where this concept can be applied, but often is not, include user permissions on endpoints and user permissions on network shares. All users, including IT admin personnel, should log in using a non-privileged account, and escalate privilege as needed using a secondary account. Most of the common tasks any user performs, such as browsing the internet, checking e-mail in Outlook, or editing a document do not require the ability to stop and start services or to edit registry keys – so remove those excess privileges. The key to this concept is that malicious software most often runs using the privilege level of the currently logged in user. If that user is an admin, so is the malicious software.
- Configure whitelisting for plugins and add-ins for your browser. Instead of allowing Flash on every site, block it on every site and whitelist only the sites you trust. In addition, install ad-blocking software. Ransomware has been spread in the past using pop-ups and ads that could have been easily blocked. In a famous case in early 2015, CryptoLocker spread using infected ads for a well-known international brand. However, keep in mind that this step will fundamentally alter your web experience.
- Ensure your antivirus is installed on endpoints, that all options are enabled, that antivirus is up to date, and that tamper protection is enabled. Tamper protection will prevent malicious software from turning off the antivirus application. Antivirus will help catch malicious software before it installs, or can help prevent its spread in the event it successfully installs.
- User awareness training. Ensure all users are aware of threats and how to avoid them. For example, teaching end users how to identify phishy e-mail and not to click on links in e-mail without knowing they are from a trusted source is a critical step in preventing exposure to malicious software.
- Enable Unified Threat Management on edge devices such as a firewall. This can offer intrusion detection and prevention, web-site filtering where you block access to known or suspected malicious content, and another layer of antivirus.
Recovering: Here, we review steps to recover from ransomware that do not involve finding a BitCoin ATM and funding the development of more ransomware.
- Least Privilege is here, again. This time, it is more to point out that nearly all recovery options rely on the least privilege concept in one way or another. If you were logged in as an admin, it may not be relevant that you created backups – the malicious software can likely alter your backups, as well.
- Ensure that any OS options for automatically keeping previous versions of documents, such as Windows Shadow Copy, are enabled. This step will allow you to quickly restore the previous version of any impacted file. Note that most well written ransomware applications will attempt to disable Shadow Copy, but that only admins can actually disable it. If you are logged in as an admin, ransomware will successfully disable this and alter any previous versions you may have had.
- Daily backup data to an external device using a dedicated backup account. Regardless of which type of backup you use, backing up to an external device or offsite will help protect backups from being altered.
- In a worst case scenario, file recovery tools may be able to assist in recovering from ransomware provided they are used immediately. Ransomware often functions by encrypting your files. In the process, they typically create a new file and delete the old file. The way hard drives allocate new files and delete old files is primarily using a File Allocation Table, which can be thought of as similar to a table of contents. Deleting a file is similar to erasing the listing out of the table of contents, and creating a new file is similar to adding a new listing to the table of contents. This is obviously a vast oversimplification, but the point is that some of the unaltered data may still exist on the hard drive. Time, however, is of the essence, and this possibility will likely go away as ransomware becomes more sophisticated and begins encrypting slack space on the drive.
#1 Best Selling Author Robert Siciliano, CSP, CEO of IDTheftSecurity.com is fun and funny, but serious about teaching you and your audience fraud prevention and personal security. Robert is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). His programs are cutting edge, easily digestible, and provide best practices to keep you, your clients, and employees safe and secure. Your audience will walk away as experts in identity theft prevention, online reputation management, online privacy, and data security.
"Cyber criminals have been attempting to extort money from individuals and companies for many years, and the latest attempt to take advantage of others is by using Ransomware as a Service, or RaaS. A ransomware virus..."
Infects a computer when a user clicks a link and unknowingly downloads a malicious file. The ransomware virus then encrypts the computer’s files and promises to render them useless unless the victim pays a ransom. The cost varies greatly, and groups sending these out can bring in hundreds of millions of dollars in profits. RaaS makes it even easier for criminals to deploy ransomware viruses. All they have to do is choose a ransomware virus, set a ransom amount and deadline, and then trick their victims into downloading it onto their computers.
What to do if systems become infected with ransomware
If you have been attacked with ransomware, consider the following:
- Tell the hacker you will pay, but that you need time to get the cash.
- Gather all correspondence from the hacker.
- Tell the webhosting provider and maybe call the cops, but expect little. If there is a major loss, reach out to the FBI; just know they might not see it as serious.
- Delete all infected files and download clean versions from your backup system. Remember: If you have a quality backup system in place, you won’t need to pay the ransom.
Handling computer viruses
Ransomware isn’t the only type of virus to be on the lookout for. Symptoms of other types of virus infections include programs opening up on their own and a slow computer. Some viruses may send messages from your email account without you knowing about it. Here are some more ways to protect yourself from ransomware and other computer viruses:
- Use both firewall and anti-virus software.
- Do not open attachments, links, or programs from an email, including those from people you know, until you check for viruses.
- Do not use public Wi-Fi connections unless on a virtual private network or using encryption software.
- Keep security software current, use administrative rights, and use a firewall.
- Use the most recent version of your operating system and browser.
- Back up all data.
- Train employees on security measures for all devices.
Stu Sjouwerman is the founder and CEO of KnowBe4, which hosts the world's most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was neglected, Sjouwerman teamed with Kevin Mitnick to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training.
"Regardless of whether you've been hit with ransomware or not, protecting your network from these types of attacks is now..."
An integral part of any network security framework for both individuals and companies.
Defense In Depth
Protecting yourself from intrusions and attacks requires securing your main layers of defense by utilizing Security Awareness Training and antivirus/anti-phishing software. If you consider a computer network (even a simple one, like your home computer) to consist of a series of layers that any malware or virus needs to penetrate, the outermost layer would consist of your users themselves. After all, it takes a user's interaction in order to initiate or allow a network intrusion. Only AFTER a user has clicked or visited a malicious link/site will your secondary and tertiary layers (firewalls and antivirus) come into play. Thus, the very first layer you will need to harden is that of the human operator. It is only in recent years that the importance of this layer of security has come to be recognized. In the past, software has been relied upon as a catch-all for these types of situations. Software just by itself is not enough anymore; users must be trained to prevent such attacks from happening in the first place.
Security Awareness Training
You need to implement effective Security Awareness Training. Despite evidence to the contrary, users do not come to work with the intention of clicking on phishing emails and infecting their computers! As many IT professionals can attest, a simple knowledge of what red flags to be aware of can make a huge difference in the ability of a user to discern malicious links/software from legitimate traffic. As the methods hackers and malware creators use to trick users are constantly changing, it is important to keep users up-to-date on not only the basics of IT and email security, but also the ever changing attack types and threat vectors. After all, everyone knows that there is no Nigerian prince out there and it's just a scammer right? But what if Becky from the accounting firm accidentally sends you a payroll spreadsheet? Not everyone is going to question the ambiguous origin of a well-crafted phishing email, especially with a juicy attachment like Q4 Payroll.zip. HR may receive 20 resumes a day, but only one of those needs to be malicious to cause an incident. Increasingly, hackers and attacks utilize social engineering to entice or trick a user into installing or opening a security hole. Good Security Awareness Training covers not only software based threat vectors and red-flags, but physical security training as well. User security training is a vital piece of securing your network.
If you are a victim, you can download this free ransomware hostage rescue manual: https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
Dotan Bar Noy
Dotan Bar Noy is the Co-Founder & CEO of ReSec Technologies and has more than 10 years of management experience in technology and software companies. Dotan holds a BA in Economics & Management from the Israel Institute of Technology (Technion) and an MA in Law from Bar-Ilan University.
"Ransomware is mentioned frequently in the news and it’s not surprising that ransomware attacks are the number one form of malware..."
According to Verizon’s 2016 Data Breach Investigations Report (DBIR), ransomware attacks increased by over 16 percent since 2015. Defending an enterprise against such a threat will require all departments of an enterprise to work together.
Employees should have a basic understanding of what ransomware threats look like so they know when to report something and when not to click on a link or open a file. Some leading companies are offering such measurable employee training that might assist in their education.
High level executives need to fully understand the risk and the potential damages of ransomware attacks. They will then be able to allocate sufficient resources for training the employees and for implementing a solution that can counter such threats.
Cyber criminals are more organized than ever before and new individualized strains of malware are being manufactured constantly to evade the signature and behavior detection solutions that so many enterprises rely on. It is up to the CISO and the enterprise professional to move quickly, assess and deploy adequate solutions to prevent ransomware from entering the network perimeter—all in accordance with the enterprise architecture and risk analysis.
Verizon's 2016 report does offer one very solid recommendation for organizations: It calls to filter your incoming emails and flag suspicious content. All other recommendations (awareness training, etc.) are secondary.
By taking a top-down and bottom-up approach to the human side of security, enterprises will be better prepared for ransomware attacks even as they upgrade their security stack.
Tony Anscombe is the Senior Security Evangelist for AVG Technologies. Tony's role at AVG is to bring our growing free user population products and solutions that allow them to enjoy their online experiences while trusting AVG to provide them protection from malware and data loss.
"Ransomware is like digital kidnapping..."
An attacker encrypts the victim's computer, or even individual files, and charges a ransom for their safe return. If the ransom isn't paid the files are destroyed and seemingly lost forever. Individuals, businesses, colleges and government agencies have all been among targets of ransomware. Any institutions or individuals that have critical files or systems are potential targets for ransomware attackers. With smaller companies becoming attractive targets to cybercriminals due to their perceived lower levels of protection, no one is immune to the danger of ransomware. This also means that your end customers will require an increased level of service and expect your immediate response to their security needs. Here in the United States, both the FBI and the White Collar Crime Center advise you to report ransomware threats or events to the agency at www.ic3.gov, and importantly, they advise against paying the ransom! Here are also some basic tips for ransomware protection:
- Educate yourself and employees about ransomware.
- Regularly back up your data - and make sure a copy is stored offline.
- Install and enable antivirus protection.
- Make sure you keep all your systems and programs up to date.
- Beware of links and attachments. If in doubt, do not open it!
As with disease in the real world, prevention is sometimes the best cure in the digital world. It may seem like a bother, but having a preventative strategy could save you pain in the long run.
Eyal Gruner, or boy security wonder, as Gartner VP Distinguished Analyst Avivah Litan referred to him in her blog, is the co-founder and CEO of cyber security company Cynet. He is also co-founder and former CEO of BugSec, a leading cyber consultancy, and Versafe, acquired by F5 Networks in 2013.
"To defend against ransomware attacks..."
First, businesses should operate under the assumption that they have already been hacked, and unknown threats lie within their systems, waiting to attack. Today's existing protection solutions, many of which operate on a single front - be it networks, files, users or endpoints, frequently miss new and previously unknown threats.
Second, in addition to covering their bases by implementing protection on all fronts, they should implement a detection solution. This is in line with technology research company Gartner's recent recommendations that enterprises move from a security budget spend of a 90-percent protection / 10-percent detection split, to a split of 60-percent protection / 40-percent detection. We recommend that organizations look for a solution that knows how to:
A: Detect ransomware before the payload is dropped, instantaneously killing the process before it can begin encryption.
B: Detect ransomware that has already started to encrypt, eliminating the threat of it spreading further, to minimize the damage.
C: Do nothing and pay the ransom.
Third, within the bigger picture, in order to find and rapidly eliminate ransomware and other malware which have bypassed existing preventions, we recommend an organization follow these best practices:
- Collect threat indicators from across the organization.
- Correlate indicators to determine risk ranking, and minimize false positives.
- Invoke advanced security threat intelligence.
- Remediate within all potential threat vectors.
Greg Edwards is CEO of Watch Point Data, driven to build a superior, global cybersecurity firm to defend small and medium businesses from the cybercriminals lurking in the shadows of the Internet.
"The best way to defend against ransomware is to..."
Use multiple layers of defense.
- While AV is minimally effective, at least it will stop the known variants of ransomware.
- Patch management; patching Windows and all ancillary applications at the desktop level will prevent most ransomware from running.
- Create Group Policy restrictions to restrict ransomware's ability to run locally.
- Use ad blocking software within browsers.
- Use a system to monitor network shares and block actively running ransomware.
- Verify data backup and business continuity plans. Having a good backup is the last line of defense; if you are hit with ransomware, you can recover and not pay the cybercriminals.
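The "monitor network shares and block actively running ransomware" item above describes a canary-file approach: plant decoy documents on the share that no legitimate process touches, and treat any rename or rewrite of them as an active encryption event. The script below is an added example written for this page, not Watch Point Data's product or code. The canary names, the entropy threshold of 7.0 bits per byte and the simulated attack in `demo()` are all assumptions constructed for the demonstration; real shares would use names that sort first and last in a directory listing so bulk encryptors hit them early.

```python
import math
import os
import secrets
import shutil
import tempfile
from collections import Counter

# Assumptions for this example: these decoy names are never written to by a
# legitimate user or process, so any change to them is an incident signal.
CANARY_NAMES = ("!!canary_budget.xlsx", "zz_archive_donotopen.docx")
CANARY_BODY = b"CANARY FILE - DO NOT MODIFY\n" * 64
# Bits per byte. Encrypted output sits near 8.0; text and office files far below.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(share_root: str) -> None:
    """Write the low-entropy decoy files into the share root."""
    for name in CANARY_NAMES:
        with open(os.path.join(share_root, name), "wb") as fh:
            fh.write(CANARY_BODY)


def check_canaries(share_root: str) -> list:
    """Return one alert per canary that was renamed, deleted or rewritten.

    A rewrite is detected two ways: the bytes no longer match what we planted,
    or the sample's entropy looks like ciphertext.
    """
    alerts = []
    for name in CANARY_NAMES:
        path = os.path.join(share_root, name)
        if not os.path.isfile(path):
            alerts.append({"canary": name, "reason": "missing-or-renamed"})
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)
        entropy = shannon_entropy(head)
        if head != CANARY_BODY[:4096] or entropy > ENTROPY_THRESHOLD:
            alerts.append({"canary": name, "reason": "rewritten",
                           "entropy": round(entropy, 2)})
    return alerts


def demo() -> dict:
    """Plant canaries in a temporary share, then simulate an encryptor hitting them."""
    share = tempfile.mkdtemp(prefix="share-")
    try:
        plant_canaries(share)
        before = check_canaries(share)
        # Constructed attack: one canary overwritten with ciphertext-like bytes,
        # the other renamed with a ransom extension.
        first, second = CANARY_NAMES
        with open(os.path.join(share, first), "wb") as fh:
            fh.write(secrets.token_bytes(4096))
        os.rename(os.path.join(share, second),
                  os.path.join(share, second + ".locked"))
        after = check_canaries(share)
    finally:
        shutil.rmtree(share)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())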

Morphisec's VP R&D, Michael Gorelik, has more than seven years of experience leading diverse cybersecurity software development projects. Previously, Michael was the VP R&D at MotionLogic GmbH and also served in senior leadership positions at Deutsche Telekom Labs. Michael holds BSc and MSc degrees from Ben-Gurion University and jointly holds two patents in the IT space.
"The best defense against ransomware attacks is to..."
Not focus on ransomware. Ransomware is the last part in an attack kill chain (the payload, as it's called). The right way to prevent ransomware is by thwarting the attackers' efforts to deliver the ransomware to a user's machine. How? Through a moving target defense (MTD) strategy. Ransomware and other malware are delivered through exploit kits, the hacking tools that search for known vulnerabilities in applications such as unpatched browsers or outdated plugins. MTD uses counter-deception techniques to constantly change the target surface, so that attackers can't get a foothold - forcing the attacker to search for the target over and over again, increasing the likelihood of their discovery and making attacks costly and unfeasible.
Oscar Marquez is Chief Technology Officer and a founding member of iSheriff, with overall responsibility for world-wide support and the development and delivery of the company's world-class cloud security products.
"The first and foremost step towards protection against ransomware..."
Is awareness. Do not open any email from any unrecognized, sketchy email address. Downloading attachments from such emails may prove costly. And never enable macros in Word. If you remain vigilant enough, then you can reduce the chances of such attacks succeeding significantly.
The second, and very crucial step towards protection from ransomware, is keeping your antivirus updated all the time. A patch in such antivirus may prove instrumental in warding off malware, such as Locky. This is one of the basic security measures that a user must always keep in mind. Yes, antivirus software may clog up your memory or make the operation of your system jittery, but it also is the best precautionary step towards malware protection.
Finally, you should always browse carefully. While browsing the internet, carefully check the sites you're accessing. Completely avoid any website which looks sketchy and untrustworthy. You may be lured into clicking on a link on your social media page and unknowingly installing unscrupulous elements. Avoid providing personal information to any website you do not trust.
Steve is the Director of Security Research at Duo Security's Duo Labs where he is responsible for our team of crazy researchers. Steve brings over 20 years of Information Security experience including roles at various product companies, consultancies and research teams.
"Some basic security hygiene tips can help best against ransomware attacks..."
Here are a few expert tips:
- Make sure the devices on your networks are up to date. With employees bringing their personal devices into the workplace, IT admins have to make sure that those devices are just as secure as their managed devices - they need to see if devices are out of date, rooted/jailbroken, or otherwise posing security risks. Otherwise, they're leaving known vulnerabilities open to hackers.
- Passwords aren't enough. The most popular password in the world remains 123456, proving the point that passwords are easily guessed and easily bypassed. Instead, use a password manager like LastPass that automates the generation of complex passwords and stores them so memorization is no longer an issue.
- Use two-factor authentication. A hacker may steal your passwords, but it's nearly impossible to steal those and your smartphone or token at the same time.
- Use common sense with your email and train your employees to do the same. Never open email attachments or click on links from a sender you don't know and trust. Phishing and social engineering are ongoing problems that are often the main open door leading to a data breach.
Joseph Carson is a cyber security professional with 20+ years' experience in enterprise security & infrastructure. Joseph is a Certified Information Systems Security Professional (CISSP). An active member of the cyber security community, Joe is a Director at Thycotic.
"The best thing businesses can do to defend against ransomware attacks is..."
Educate employees. Recent statistics indicate that one in five employees will open and click on emails containing malware. Security awareness programs can be a very cost effective solution; they not only protect the employees on corporate systems, but also allow the employees to use that same knowledge to protect their own personal systems, information and families from the same threats.
Understanding how hackers operate will give you a cyber advantage. In advanced threats, the attacker will spend a large amount of time researching a list of potential targets, gathering information about the organization's structure, clients, etc. Social media activity of the people in the target company will be monitored to extract information about the systems and forums favored by the user and any technology vulnerabilities assessed. Once a weakness is found, the next step the attacker will take is to breach the cyber security perimeter or send emails containing malicious software like ransomware and gain access, which, for most attackers, is easily done. Organizations should use similar analysis techniques to identify potential targets for ransomware and use that knowledge to deploy security controls to mitigate the risks.
Password and privileged account management should be a major concern for every organization. Implementing effective security controls can be the difference between properly defending yourself against a simple perimeter breach and experiencing a cyber catastrophe.
Most ransomware incidents have used known vulnerabilities and exploits to expose weaknesses in systems in order to infect the system with malicious software. By keeping systems' security updates current you will significantly reduce the risks of malicious software exploiting those vulnerabilities.
Anand Adya founded Greenlight Technologies in 2004, leading the company from its inception into the market leading provider of cyber governance, regulatory management, and compliance solutions. As an industry thought leader, he is a frequent speaker on the topic of governance, risk and compliance management at major conferences.
"Ransomware is quickly becoming a growing threat to companies and no one is immune..."
Even healthcare facilities such as the Hollywood Presbyterian Medical Center have been hit with ransomware and had to pay to unlock their systems. One of the keys to preventing this type of attack is to educate your employees about the cyber threats that are lurking out there. They need to understand the ramifications if they click on a questionable link (or attachment) in an email and mistakenly download ransomware. From an IT perspective, it's critical to frequently back up data and manage mapped drives. In addition, you must ensure that your software, email filters, perimeter defenses and anti-virus solutions are all up to date. Keep your critical data in segregated or air-gapped networks that utilize additional firewall protection and controlled access from authorized devices / users. Also, content security tools can be put in place to alert you to any file extension discrepancies. For example, an email may contain a file with the .pdf extension but it could actually be .exe ransomware. There are numerous security controls and processes in place and there will always be exceptions, alerts and failures for these controls and it is critical to understand the business impact from each one.
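The "file extension discrepancies" check mentioned above (a `.pdf` attachment that is really a `.exe`) comes down to comparing the extension a file claims against the magic bytes at the start of its content. The following is an added example written for this page, not Greenlight Technologies' tooling. The magic-byte table, the verdict names (`block`, `quarantine`, `review`, `allow`) and the constructed sample attachments are assumptions made for the demonstration; it also strips the Unicode right-to-left override that attackers use to make `invoice<RTLO>fdp.exe` display as `invoiceexe.pdf`.

```python
# Leading bytes -> content family. Order matters: executables are checked first.
MAGIC_FAMILIES = (
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"#!", "script"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip-container"),          # docx/xlsx/zip all share this
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0", "ole-compound"),      # legacy .doc/.xls, where macros live
)

# Extension -> the content family it claims to be.
EXT_FAMILY = {
    "exe": "pe-executable", "dll": "pe-executable", "scr": "pe-executable",
    "pdf": "pdf",
    "docx": "zip-container", "xlsx": "zip-container", "zip": "zip-container",
    "doc": "ole-compound", "xls": "ole-compound",
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
}
EXECUTABLE_FAMILIES = {"pe-executable", "elf-executable", "script"}
RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, used to disguise the real extension


def observed_family(head: bytes) -> str:
    """Classify content by its leading bytes, or 'unknown'."""
    for magic, family in MAGIC_FAMILIES:
        if head.startswith(magic):
            return family
    return "unknown"


def check_attachment(filename: str, head: bytes) -> dict:
    """Compare the family claimed by the extension with the family seen in the bytes."""
    notes = []
    name = filename
    if RTLO in name:
        notes.append("rtlo-in-name")
        name = name.replace(RTLO, "")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_FAMILY.get(ext, "unknown")
    observed = observed_family(head)

    if observed in EXECUTABLE_FAMILIES or claimed in EXECUTABLE_FAMILIES:
        verdict = "block"        # executable content or extension, whatever it claims
    elif "unknown" in (claimed, observed):
        verdict = "review"       # cannot decide from magic bytes alone
    elif claimed != observed:
        verdict = "quarantine"   # wrong but non-executable content
    else:
        verdict = "allow"
    return {"filename": filename, "claimed": claimed, "observed": observed,
            "verdict": verdict, "notes": notes}


# Constructed sample attachments (name, first bytes); not real mail.
CONSTRUCTED_ATTACHMENTS = [
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("statement.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("photo.jpg", b"\x89PNG\r\n\x1a\n"),
    ("invoice\u202efdp.exe", b"MZ\x90\x00"),
    ("notes.txt", b"hello"),
]


def scan_constructed_samples() -> dict:
    """Verdict per constructed attachment."""
    return {name: check_attachment(name, head)["verdict"]
            for name, head in CONSTRUCTED_ATTACHMENTS}


if __name__ == "__main__":
    for name, verdict in scan_constructed_samples().items():
        print(f"{verdict:10s} {name!r}")
```

Magic bytes are only a first filter: a `.docx` really is a zip container, so a correct family match says nothing about embedded macros or exploits, which is why the mismatch check belongs in front of, not instead of, the content-inspection tools the paragraph mentions.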
As Director of Product Management, Raymond Suarez manages the strategic planning and market development of Core Security's penetration testing and vulnerability management solutions. During his career, Raymond has been involved with delivering security products for networks, databases, server and desktop technologies vital to protecting critical systems and IT services.
"We saw the first major instance of ransomware with the breach of Sony Pictures in late 2014..."
The hackers held information and released it slowly while asking Sony for a ransom in order to stop the leak. Since then, we've seen several more major ransomware attacks which show the power of hackers to not only steal our information but to use it against us. The larger the company, the larger their attack surface. As a result, creating a traditional layered defense for the full attack surface is challenging. Just protecting the perimeter without protecting the inside won't work, and inconsistent patching and outdated software leave organizations exposed. So, what can companies do to protect themselves?
- Scan to find exploitable vulnerabilities which can open paths to your organization's mission-critical systems and data.
- Create processes to patch operating systems, with a patching focus on risk to critical assets.
- Use penetration testing to validate vulnerability and patch management activity.
- Align information security goals with desired business outcomes and adopt processes that span information security and IT operations.
Ron Schlecht, Jr.
Ron Schlecht, Jr. is co-founder and managing partner of BTB Security, a provider of cyber security, breach response, and digital forensics services. Schlecht is a Certified Information Systems Security Professional (CISSP) and Certified Computer Examiner (CCE) with 16 years of experience in security risk management and digital forensics. He has an extensively varied background performing jobs in law enforcement and information security/forensics.
"To defend against ransomware attacks, organizations should rely on..."
Commodity protections, like content filtering, spam filtering, anti-virus and awareness training. If they aren't doing holistic monitoring, this may be the issue to drive that necessity. Additionally, they should ensure they have appropriate backups so field machines or even servers can be wiped and re-deployed if and when ransomware hits. Finally, organizations need to write an incident response plan to specifically address ransomware including what steps they need to take when it's detected.
Dylan Sachs directs Identity Theft and Anti-Phishing efforts at BrandProtect. He works directly with leading financial institutions, health care providers and Fortune 500 enterprises to help CISOs and security teams deploy better defenses against modern email and identity theft attacks, including socially engineered exploits.
"To better protect against ransomware attacks, and other malware or BEC attacks carried by socially-engineered emails, businesses need to..."
Begin proactively monitoring for threats that exist beyond their traditional firewalls. Take these socially engineered attacks, for example. The most effective attacks originate from a domain that is a close variant of a company's actual email domain. Instead of XYZ.com, they'll register XYZ.biz, or XYZ-finance.net. The criminals are banking on the fact that the targeted individual will skim past the similar domain and not notice that it is illegitimate. It is surprisingly easy for the criminals. To turn a cybersquatting domain into a potential spear phishing platform, a potential phisher only has to activate the domain's MX record.
An MX record is a type of resource record in the Domain Name System that specifies a mail server responsible for sending and accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available. An active MX record allows a domain to communicate with other email domains to send and receive messages. Simply put, there is only one reason for a criminal to activate the MX record of a copycat domain, or to acquire a similar domain with an active MX record: to attack.
But CISOs can take advantage of this technical requirement to get ahead of cyberattacks and proactively block them. By proactively monitoring beyond their perimeter for similar domains with active MX records, CISOs can gain a crucial advantage. When an MX record goes active on a similar-looking domain, CISOs can immediately block inbound emails and prevent potential attacks.
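The monitoring described above has two parts: enumerate the lookalike domains an attacker might register (TLD swaps such as XYZ.biz, hyphenated department names such as XYZ-finance.net, typos, homoglyphs), then check which of them currently publish an MX record and feed those to the mail gateway's blocklist. The script below is an added example written for this page, not BrandProtect's service. The variant-generation rules, the keyword and TLD lists, and `CONSTRUCTED_MX` (a fake DNS answer set so the demo runs offline) are assumptions; `live_resolve_mx` shows how a real lookup would plug in using the third-party dnspython package.

```python
# Variant rules; all lists are assumptions chosen for the example.
TLDS = ("biz", "net", "org", "co", "info")
KEYWORDS = ("finance", "hr", "payroll", "secure")
HOMOGLYPHS = {"o": "0", "l": "1", "i": "l", "m": "rn", "w": "vv"}


def generate_lookalikes(domain: str, tlds=TLDS, keywords=KEYWORDS) -> list:
    """Lookalike candidates for a domain, sorted, with the real domain removed."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    # 1. Same label, different TLD (XYZ.com -> XYZ.biz).
    for t in tlds:
        variants.add(f"{label}.{t}")
    # 2. Hyphenated department keyword (XYZ.com -> XYZ-finance.net).
    for kw in keywords:
        for t in (tld,) + tuple(tlds):
            variants.add(f"{label}-{kw}.{t}")
    # 3. Typos: a dropped character or two transposed neighbours.
    for i in range(len(label)):
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        if i + 1 < len(label):
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.add(f"{swapped}.{tld}")
    # 4. Homoglyph substitutions (rn for m, 1 for l, ...).
    for ch, sub in HOMOGLYPHS.items():
        if ch in label:
            variants.add(f"{label.replace(ch, sub)}.{tld}")
    variants.discard(domain.lower())
    return sorted(v for v in variants if not v.startswith("."))


def find_armed_lookalikes(candidates, resolve_mx) -> list:
    """Keep only the candidates whose resolver answer contains at least one MX host."""
    return [d for d in candidates if resolve_mx(d)]


# Constructed DNS answers for the offline demo; real zones will differ.
CONSTRUCTED_MX = {
    "xyz.biz": ["mail.xyz.biz."],
    "xyz-finance.net": ["mx1.mail-hosting.example."],
    "xzy.com": [],   # registered but parked: no MX, no immediate mail threat
}


def stub_resolve_mx(name: str) -> list:
    return CONSTRUCTED_MX.get(name, [])


def live_resolve_mx(name: str) -> list:
    """Real MX lookup via dnspython (third-party); empty list on NXDOMAIN or no answer."""
    import dns.exception
    import dns.resolver
    try:
        return [r.exchange.to_text() for r in dns.resolver.resolve(name, "MX")]
    except dns.exception.DNSException:
        return []


def blocklist_for(domain: str, resolve_mx=stub_resolve_mx) -> list:
    """Lookalike domains that are currently able to send mail."""
    return find_armed_lookalikes(generate_lookalikes(domain), resolve_mx)


if __name__ == "__main__":
    # Swap in resolve_mx=live_resolve_mx to query real DNS.
    print(blocklist_for("xyz.com"))
```

Run it on a schedule and diff successive results: a domain that goes from no MX to an MX record is the "goes active" event the paragraph describes, and is worth blocking before the first message arrives.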
Scott Brown is the President of Ryan Creek Technology Associates and Author of "Essential IT Concepts for Small Business" and "Swiss Cheese and Cyber Security."
"Ransomware, or any malicious software, needs to be addressed with..."
Multiple layered security. Think of it like an onion. The essential layers of that onion are identified below in order of precedence.
First and foremost is end user education. End-users without the proper education can defeat the best of technical controls by accident.
Secondly, a good backup system should be in place to enable recovery in case of an infection, because no computer connected to the internet is perfectly safe, regardless of the security in place.
Next, have a business class firewall and/or unified threat management appliance with a virus scanning engine, intrusion prevention, and web content filtering. Restrict user activity to only what is necessary to accomplish the organization's goals.
Run both business class anti-virus and anti-malware applications on the end-user machines and servers. The use of multiple applications will allow a second opinion regarding threats. No anti-virus program is perfect.
Aqib Nazir is a father to a beautiful son, husband to an amazing wife, and son to a great mom with a passion for IT. He is an IT consultant, a web developer, and blogger. You can follow his blog to learn more about starting a blog and monetizing it.
"The best way to defend against ransomware attacks is..."
There is this famous saying, "Prevention is better than cure," that absolutely applies in the field of Information Technology. Even major companies like Sony and eBay have suffered serious cyber attacks in the past years. The best way businesses can tackle ransomware attacks is to keep their data backed up regularly. When there is a ransomware attack, you have only two options: You either pay the ransom and get control back, or you don't pay the ransom and lose the data. You had better understand how much worse it could get when you lose control of your data. Therefore, the best way to defend against ransomware attacks is to have regular data backups. You can either set up an automated backup system in the Cloud or just create manual backups on a physical storage device.
Dr. Eli David
Dr. Eli David, CTO of Deep Instinct, has published more than 20 papers in leading AI journals and conferences, focusing on applications of genetic algorithms and neural networks (especially deep learning) in various real-world domains.
"Ransomware is growing exponentially, mainly because it is now easier to find this type of malware as-a-service on the Darkweb, so it is no longer confined to..."
Sophisticated hackers. Furthermore, the fact that, many times, victims are willing to pay makes it lucrative. Despite being a threat that is expected to grow according to many projections for 2016, you can protect yourself against it: Apply cybersecurity solutions that can identify and block malware attacks in real-time; keep your systems and applications up-to-date; be wary of unsolicited emails; and back-up your files and keep copies offline to be able to retrieve the files without having to succumb to the ransom. One such solution gaining ground as a method to stop ransomware attacks is using deep learning technology. Using the brain’s ability to learn to identify an object and turn its identification into second nature, deep learning technology can innately learn to detect any cyberthreats and instinctively prevent and block zero-day, APT, and ransomware attacks in real-time.
Lyle Liberman is the COO of JANUS Associates, the nation's oldest independent IT security consultancy. Headquartered in Stamford, CT, JANUS provides a full range of information security and business transformation solutions including Information Security Risk Analysis, Penetration Testing, Security Awareness Training, Regulatory and PCI Compliance Assessment, Current/Future State Assessments, Disaster Recovery and Business Continuity Planning, and Data Forensics.
"Ransomware attacks and cyberattacks in general require sound preventative actions including..."
Educating employees, and this starts with offering security awareness training on a regular basis. Security awareness training will help employees spot a poisoned email that may contain a link to a site serving up ransomware. Employees should also be taught never to click on an ad banner anywhere on a web page as hijacked banner ads are another favorite method of delivering all types of malware payloads, including ransomware. A sound security awareness program should include regularly scheduled training once every 90 days. Most organizations only offer training when they on-board a new employee, or once yearly at the most. Studies have shown that the effectiveness of training is long forgotten after 90 days, so it is important to keep reminding your team in short 15-minute sessions of the do's and don'ts of good cyber hygiene. Finally, if a ransomware screen appears on a workstation, the machine should not be shut down as all data may be lost. Instead, the employee should unplug the network cable from the back of the machine or shut down the Wi-Fi connection immediately. This may help prevent the spread of the attack throughout the network.
John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is a risk and security advisor with ISACA and president of IP Architects. He has designed and implemented enterprise-wide electronic business solutions, information security programs, and threat and vulnerability management solutions for global clients in a range of industries, including financial services, government, hospitality, media and entertainment, aerospace, and information technology (IT).
"Ransomware payouts are on the rise as cybercriminals have little trouble finding enterprises unprepared to defend themselves against the attacks..."
This threat commonly uses malware to encrypt data files and propagate itself throughout networks to maximize its impact. Attackers then harvest encryption keys to decrypt data and hold it for ransom. Victims receive the encryption keys -- and access to their data -- only after sending payment to the attackers.
Ransomware is among the major cyber threats identified in ISACA's CSX Threats & Controls tool. To limit the impact of attacks and respond effectively, organizations should consider these 5 questions:
- Pay or No? - When faced with ransomware demands the first question, of course, is whether to pay. Sometimes it makes sense economically or efficiency-wise to pay rather than unilaterally restore data and systems. Enterprises should be cautious, however, because if the payment is publicized, it could set the organization up for future attacks. That is why these decisions should be made before an attack ever occurs. Organizations should determine their ransomware risk appetite, considering factors such as recovery cost, data availability, productivity loss and reputational impact. They should establish thresholds to decide if it is worthwhile to pay the ransom.
- Negotiate or Not? - If the decision is made to pay, should an organization negotiate with the attacker? Cybercriminals prefer to get some money rather than no money. The enterprise may save money if it negotiates. Organizations should consider the projected cost of remediation, and if the ransom is less, the decision to pay may be an easy one.
- Simple Ransomware or Something More? - Sometimes a ransomware attack is simply a ransomware attack. Other times, it can be part of a multifaceted attack strategy designed to distract the organization as the attacker tries to escape with data assets or implant malware tools for future use. After a ransomware attack the remediation should include a thorough investigation to determine if the attacker executed other malicious actions or left behind capabilities for future attacks.
- Are Backups Enough? - When organizations choose not to pay they can recover from a ransomware attack by restoring data from backups, which must be comprehensive, have integrity and be recent enough to be useful to the organization. A key consideration is whether the backups are infected by the original attack. Sophisticated attackers can implant attack capabilities in systems and have them lay dormant for a long period of time to later propagate the ransomware throughout the enterprise's backups. To limit the possibility of re-infection, back up only data files and not system files. The attack code may be in the data files, but an action would have to occur for it to install and operate again. Ideally, the method of exploitation and attack should be identified prior to recovering the backups.
- Segment or Disable Networks/Systems? - Ransomware malware/attack code often attempts to quickly replicate itself across systems and networks to increase its effectiveness. Organizations often use resources, such as shared storage and network file shares, that are easily leveraged by modern ransomware tools like Cryptowall. It is critical to identify when to segment and/or disable networks and systems to contain an attacker. The conditions and scenarios for doing this should be discussed and agreed upon in advance by business process owners and leaders.
Aviv is the Co-Founder and CTO of Seculert, an attack detection and analytics platform. He has over 10 years of experience in leading software development and security research teams. Aviv has published several pioneering security research articles and is a frequent participant and requested speaker at information security conferences worldwide.
"Unfortunately, there is no way to 100% prevent ransomware attacks. Therefore, the best way to defend against ransomware is to..."
Back up the data before the attack occurs. However, this is true only if you've configured the backup in a way that ransomware can't access the files. Also, the backup files might become completely encrypted if you are backing up everything all at once and replacing the previous backup. With this in mind, you should do incremental backups (or keep previous versions), and keep the backup in locations with no immediate access (e.g., the cloud).
Justin Lavelle is a Scams Prevention Expert and the Communications Director of BeenVerified.com. BeenVerified is a leading source of online background checks and contact information. It helps people discover, understand, and use public data in their everyday lives and can provide peace of mind by offering a fast, easy, and affordable way to do background checks on potential dates. BeenVerified allows individuals to find more information about people, phone numbers, email addresses, and property records.
"The most effective way to defend against ransomware attacks is..."
Being taken hostage is a terrifying experience, but what if the hostage is your personal or work computer? The latest online threat does just that. Ransomware is used by criminal hackers to take over your computer, rendering it unusable until you pay a ransom for your computer to be “released” back to you.
Ransomware attacks don’t discriminate between PCs or Macs, and unfortunately, there don't seem to be many protections out there, let alone quick fixes, if your computer is taken hostage. In fact, the FBI has suggested that users who have been infected by ransomware “just pay the ransom.”
With that being the case, the best option you have is to avoid ransomware in the first place. The most effective way to do that is to be aware of the classic online malware pitfalls.
Ransomware and other malware that can infect your computer typically come from three main areas:
- Infected web sites: Obscure web sites can be set up with the sole purpose of infecting your computer and even mainstream sites can be unwittingly affected. Before you download anything from a web site, be sure the site isn't known for uploading malware. You can check uncertain URLs through a search on Sucuri.
- Email spam: Ransomware can also be sent to you. Everyone is aware of classic Nigerian prince email scams, but incoming spam emails are getting more sophisticated. As a practice, delete any email from a seemingly suspicious sender before you open it.
- P2P downloads: Third party download sites, many of which are illegal or live on the dark web, can also have various strains of malware. That new video game you think you are downloading could actually be a nasty virus. Avoid downloading anything from unknown or anonymous users.
It’s important to keep your antivirus software up to date and not to get complacent as ransomware is constantly mutating into new forms. As mentioned, even Mac computers are susceptible to ransomware attacks. Sophos is a good antivirus option for both Mac and PC computers.
Adrienne Johnson has worked in the Information Technology field for nearly 25 years. She specializes in closing the gap between engineers and business managers. Adrienne helps business managers understand the business implications of technology and provides insight to help them better select the solutions that are best for their organizations. Adrienne is currently the Communications Manager for CorpInfo.
"The best way to mitigate ransomware is..."
A regular and validated data and systems backup. It is very difficult to control every user and every attack method. While there are excellent suggestions on protecting against malware, including ransomware, the threats are constantly evolving. Criminals are consistently identifying new vulnerabilities and manipulation techniques. The surest protection is to plan an effective response.
While most businesses think they are backing up data, many may not be aware how ineffective their backup programs are. To protect against ransomware, it is vital to regularly back up data and systems. Eliminating ransomware will require wiping the system, so a system-state backup or snapshot is essential to rapidly recover.
Since ransomware encrypts data on all attached and mapped drives, including mapped cloud storage and USB flash drives, these must be backed up as well.
The more frequent the backup, the less data is lost. So, backup frequency should be determined based on the strategic importance of the data and how much data the organization can afford to lose.
Since any attached device will be encrypted, the storage must be external and not mapped or connected to the device after the backup is completed.
Often the weak link in backup programs is data validation and recovery testing. Files may be corrupted, and tapes and USB connections can and do fail. It is important to validate the backup integrity and to test the recovery process on a frequent and regular basis to confirm integrity.
Businesses should use caution when using only tape backups. Tapes utilize magnetic media which makes them sensitive to corruption and damage. Even if the backup is properly executed and all the segments on the tape are valid, corruption or damage can happen in handling. While the actual percentage is disputed, it is widely accepted that tape backups have a significant failure rate.
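Two contributions above converge on the same backup design: Aviv's point that a backup which overwrites the previous copy will itself be encrypted, so keep previous versions, and Adrienne Johnson's point that backups fail silently unless integrity is validated and recovery is tested. The script below is an added example written for this page, not code from Seculert or CorpInfo. It keeps every snapshot in its own never-overwritten directory with a SHA-256 manifest, verifies a snapshot by re-hashing it, flags a snapshot in which most files changed since the previous one (the signature of a mass-encryption event captured into the backup), and chooses the newest snapshot that passes both checks as the restore point. The 50% mass-change threshold and the simulated attack and media fault in `demo()` are assumptions constructed for the demonstration.

```python
import hashlib
import json
import os
import secrets
import shutil
import tempfile

# Assumption: if more than half the files changed between consecutive
# snapshots, treat the newer one as suspect (mass encryption, not normal work).
MASS_CHANGE_THRESHOLD = 0.5


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def take_snapshot(source: str, backup_root: str, label: str) -> str:
    """Copy source into a fresh snapshot directory; an existing label is never overwritten."""
    snap = os.path.join(backup_root, label)
    if os.path.exists(snap):
        raise FileExistsError(f"snapshot {label} exists; refusing to overwrite")
    data = os.path.join(snap, "data")
    shutil.copytree(source, data)
    with open(os.path.join(snap, "manifest.json"), "w") as fh:
        json.dump(build_manifest(data), fh, indent=2, sort_keys=True)
    return snap


def load_manifest(snap: str) -> dict:
    with open(os.path.join(snap, "manifest.json")) as fh:
        return json.load(fh)


def verify_snapshot(snap: str) -> dict:
    """Re-hash the stored copy and compare with the manifest written at backup time."""
    expected = load_manifest(snap)
    actual = build_manifest(os.path.join(snap, "data"))
    missing = sorted(p for p in expected if p not in actual)
    corrupt = sorted(p for p, h in expected.items()
                     if p in actual and actual[p] != h)
    return {"ok": not corrupt and not missing, "corrupt": corrupt, "missing": missing}


def change_ratio(prev_snap: str, curr_snap: str) -> float:
    """Fraction of files (union of both manifests) whose hash differs."""
    prev, curr = load_manifest(prev_snap), load_manifest(curr_snap)
    paths = set(prev) | set(curr)
    if not paths:
        return 0.0
    return sum(1 for p in paths if prev.get(p) != curr.get(p)) / len(paths)


def pick_restore_point(backup_root: str):
    """Newest snapshot that verifies and does not look like a mass-encryption capture."""
    labels = sorted(os.listdir(backup_root))
    for i in range(len(labels) - 1, -1, -1):
        snap = os.path.join(backup_root, labels[i])
        if not verify_snapshot(snap)["ok"]:
            continue
        if i > 0 and change_ratio(os.path.join(backup_root, labels[i - 1]), snap) > MASS_CHANGE_THRESHOLD:
            continue
        return labels[i]
    return None


def demo() -> dict:
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src, root = os.path.join(work, "share"), os.path.join(work, "backups")
        os.makedirs(src)
        os.makedirs(root)
        for name in ("a.txt", "b.txt", "c.txt"):
            with open(os.path.join(src, name), "w") as fh:
                fh.write(f"plain-text contents of {name}\n")
        v1 = take_snapshot(src, root, "v1")
        # Constructed attack: ransomware rewrites two of three files as ciphertext.
        for name in ("a.txt", "b.txt"):
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(secrets.token_bytes(256))
        v2 = take_snapshot(src, root, "v2")
        # Constructed media fault: one byte of the stored v2 copy of c.txt flips.
        with open(os.path.join(v2, "data", "c.txt"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        return {"v1_ok": verify_snapshot(v1)["ok"],
                "v2_corrupt": verify_snapshot(v2)["corrupt"],
                "v2_change_ratio": round(change_ratio(v1, v2), 2),
                "restore_point": pick_restore_point(root)}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

The backup host should pull from the share with its own credentials rather than being a mapped drive the workstation can write to; otherwise the same malware that encrypts the share can encrypt the snapshots, and no manifest will save you.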
Mike Baker is Founder and Principal at Mosaic451, a bespoke cyber security service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.
"The best way businesses can defend against ransomware attacks is..."
Businesses are coming under siege from cybercriminals who aren't necessarily after data -- they never even access it. Instead, they are infecting computers with ransomware in order to lock down a system and prevent the owner from accessing data until a ransom is paid, usually in Bitcoin.
Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must fi