Recent Ransomware Attacks
The news has been dominated recently by reports of ransomware attacks. Specifically, we’ve heard about the attacks in the gas pipeline and meat processing industries. Though the news media is treating this as if it were a breaking event, the reality is that these types of attacks have been threatening individuals and organizations for several years.
We’re often asked how these attacks occur and how they can be prevented. To understand the answers, it’s important to understand the anatomy of a ransomware attack.
Ransomware is a type of malicious code that seizes a workstation or server by encrypting the data housed on it. Decrypting the data involves paying a ransom to the perpetrator to receive the key that unlocks the information. In almost all cases, ransomware is transported to a device, usually a workstation or server, by tricking the recipient into downloading what appears to be legitimate code. In some cases, these attacks happen through an email that contains a link. The user clicks on the link, which directs them to a website where a piece of code is automatically installed on their workstation. In some cases, the user gives permission without understanding the possible consequences. In other cases, a user inadvertently allows ransomware code to be installed by clicking on a link in a web site. There have been noted cases, although less frequent, where ransomware propagated across a network as a type of “worm” once installed on a single workstation.
At the end of the day, the malicious actors are attempting to monetize by encrypting the data and demanding a ransom to decrypt it. These types of attacks not only attack the pocketbook but can also cause harm to the business or individual by rendering the systems unavailable for extended periods of time. This was evident in the recent attacks.
While the attackers continue to become more sophisticated, there are a few very simple activities that can mitigate the harm from these attacks and, in most cases, prevent them altogether:
- Training, Training, Training. By teaching the workforce not to click on untrusted links in web sites, not to open an email or click on a link in an email from an untrusted source, how to recognize a suspicious email, and how to recognize a suspicious phone call, a large majority of these attacks can be prevented. The attack vector is human error.
- Backup and Restore Procedures. Create and maintain backups of critical data. Clearly, the first step in doing this is to identify the critical data and where it is stored/processed. In many cases, recovering from a ransomware attack may be as simple as restoring information from backup. However, if a proper risk analysis is not conducted and the location of critical data is not identified, you will find yourself scrambling to resume operations.
- Limit the Ability to Install Applications by Removing Administrator Access. Operating systems such as Microsoft Windows may be configured to prevent a user from installing applications without administrator access. By limiting this capability, the probability that malicious code will be installed can be reduced.
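The backup advice above only pays off if a restore can actually be trusted, so a restore test should check the restored files against a record taken when the backup was made rather than just confirming that files exist. The script below is an added example, not code from the original article: it builds a SHA-256 manifest of the files identified as critical, then verifies a restored copy against that manifest and reports which files are missing or whose contents no longer match. The directory layout, file names and contents are constructed in a temporary directory purely for the demonstration.

```python
"""Backup manifest and restore verification.

Added example (not from the original article): builds a SHA-256 manifest of
the files identified as critical, then checks a restored copy against it so a
restore test reports missing or altered files before anyone relies on them.
All paths and sample files are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.

    Returns the relative paths that are missing, whose contents differ, and
    that match. A non-empty 'missing' or 'mismatched' list means the restore
    cannot be trusted as-is.
    """
    report = {"ok": [], "missing": [], "mismatched": []}
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: record three critical files, then simulate a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "critical"
        restore = Path(tmp) / "restored"
        samples = {
            "ledger.csv": b"id,amount\n1,100\n",
            "contracts/msa.txt": b"master services agreement\n",
            "hr/roster.txt": b"alice,bob\n",
        }
        # Write identical copies to the live tree and the (initially good) restore tree.
        for name, body in samples.items():
            for base in (live, restore):
                target = base / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)

        manifest = build_manifest(live)
        # Keep the manifest with the backup so it survives a rebuild of the host.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulate a damaged restore: one file overwritten with random bytes
        # (as an encrypted file would look), one file absent.
        (restore / "ledger.csv").write_bytes(os.urandom(32))
        (restore / "hr" / "roster.txt").unlink()

        return verify_restore(manifest, restore)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

Running the script reports `contracts/msa.txt` as ok, `hr/roster.txt` as missing and `ledger.csv` as mismatched. In practice the manifest should be generated at backup time and stored with the backup (ideally offline or immutable), and the same `verify_restore` check run as part of a scheduled restore drill rather than only after an incident.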
A few other tips include:
- Back up your most important data on a regular basis.
- Refrain from opening attachments that look suspicious.
- Think twice before clicking that link.
- Keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up to date.
- Keep your antivirus up to date and prevent the disabling of these types of applications.
- Keep the Windows Firewall turned on and properly configured at all times.
- Adjust your security software to scan compressed or archived files if this feature is available.
- Block popups using a reputable adware prevention utility.
- Use strong passwords.