Ransomware: What it is & How to Defeat it
By now most people have heard of ransomware. You may not understand it, but you know enough to know that you don't want it. The city of Atlanta is currently in crisis after being hit with ransomware. Various systems, including payroll and transport in the city, have been affected. While I can't comment on how the attack on Atlanta happened, as investigators are still on scene analyzing the issue, I'm certain more information will come in the following days. Being only 4 hours away from ATL (in Mt. Pleasant, SC, just outside of Charleston), this is hitting close to home.
What is Ransomware?
Ransomware is a type of malware. It runs through a computer or network encrypting files so as to make them inaccessible to their owners, and then displays a message demanding a ransom in order to decrypt those files so they may be used again. Once the payment is made, the key to unlocking those files may or may not be given to the victim. Statistics show only 20% of businesses that pay the ransom get the key to unlocking their documents. Incidents of ransomware can typically take 2-5 days to remediate.¹ How long could your business be down? How much would it cost you?
What You Can Do Now
Many threats can be mitigated by patching systems. Make sure you patch all of your systems, as your entire network is only as strong as your weakest link. Hackers and cyber criminals aren't looking for the hardest way in; they're looking for the easiest. Patching systems isn't fun or sexy for IT, but it's something that can be managed easily and pushed out on a schedule that works for your company. In traditional 9-5 businesses, there's no reason patches can't be pushed out to all machines after hours, often without much, if any, overhead. You can quickly check to see if your Windows system is up to date by clicking Start, typing Windows Update, and then clicking Check for Updates. This can take some time, but you can continue to do other things on your computer while it checks. If you have many updates waiting to be installed, check with your IT staff to find out why! Some of the largest and most costly data breaches could have been averted if machines had been properly patched.
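Clicking through the Windows Update screen works for one machine; for a fleet you want the same check as a script. The following is an added example, not code from the original post, that asks the Windows Update Agent COM API (Microsoft.Update.Session) for the updates it considers missing on the local machine. It is assumed to run in an elevated PowerShell session on a host that can reach its configured update source (Microsoft Update or your WSUS server).

```powershell
# Added example (not from the original post): list updates Windows Update considers
# missing on this machine, using the Windows Update Agent COM API.
function Get-MissingWindowsUpdate {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Same criteria the Windows Update UI uses for "available" updates
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            KB         = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity   = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
            Downloaded = $update.IsDownloaded
            Title      = $update.Title
        }
    }
}

$missing = @(Get-MissingWindowsUpdate)
if ($missing.Count -eq 0) {
    Write-Host 'No missing updates reported by Windows Update.'
} else {
    Write-Warning "$($missing.Count) update(s) waiting to be installed on $env:COMPUTERNAME"
    # Critical and Important security updates first; MsrcSeverity is empty for non-security updates
    $missing | Sort-Object Severity | Format-Table -AutoSize
}
```

Run it from a scheduled job and collect the output centrally, and the "many updates waiting" case the post describes becomes a report you see before an attacker does.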
Many anti-virus programs can detect ransomware, but not all are set up to do so. Sometimes certain settings need to be in place in order for the anti-virus product to look for this behavior. One popular anti-virus program implemented a change where ransomware detection would be incorporated in the protection scheme; however, the feature was not activated by default. This meant the company managing the anti-virus program needed to know about this change and turn it on manually. Make sure that when you're selecting an anti-virus product, ransomware protection is included and turned on!
Traditional anti-virus products use definitions to identify malicious files. Basically, they check the file against a database of known bad files. Unfortunately, attackers are starting to use file-less attacks, rendering this method of detection ineffective. This is only going to increase in the future. Because of this change in trends, the protection we use to defend ourselves needs to change too. If you're not feeling good about the protection from your anti-virus product, maybe it's time for a change. There are a number of good "Next Gen" products out there that offer great protection.
What You May Need to Set Up
A good backup system is a key component in any continuity plan. Are your full systems being backed up, or just your files? Make sure you have complete "bare-metal" restore capability and offsite backups as well. A few key things to take into consideration with your backup setup are the accounts being used for backup creation and where the backups are being stored. If an administrator account is being used, this can put your system and backups at risk. Separate "service" accounts should be used to define access to resources. If an attacker gets access to your system and your backups, you may not have any recourse if ransomware hits.
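A quick way to find out whether a backup job is running under an administrator account is to list every Windows service and scheduled task whose run-as account is a member of the local Administrators group. The script below is an added example, not part of the original post; it assumes a stand-alone or domain-joined Windows host with the LocalAccounts and ScheduledTasks modules available (Windows 10 / Server 2016 and later), and it only looks at named accounts (services running as LocalSystem are reported separately by their StartName and are not matched against group membership).

```powershell
# Added example (not from the original post): report services and scheduled tasks
# whose run-as account sits in the local Administrators group, so backup jobs can be
# moved to a dedicated, least-privilege service account.
function ConvertTo-QualifiedAccount([string]$Account) {
    if (-not $Account) { return '' }
    # ".\svc" and bare "svc" both mean a local account; expand to MACHINE\svc
    if ($Account.StartsWith('.\')) { $Account = "$env:COMPUTERNAME\" + $Account.Substring(2) }
    elseif ($Account -notmatch '\\') { $Account = "$env:COMPUTERNAME\$Account" }
    return $Account.ToUpperInvariant()
}

function Get-AdminRunAsJobs {
    # Members of the local Administrators group in MACHINE\name or DOMAIN\name form
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToUpperInvariant() }

    Get-CimInstance Win32_Service | ForEach-Object {
        if ($admins -contains (ConvertTo-QualifiedAccount $_.StartName)) {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName; State = $_.State }
        }
    }

    Get-ScheduledTask | ForEach-Object {
        if ($admins -contains (ConvertTo-QualifiedAccount $_.Principal.UserId)) {
            [pscustomobject]@{ Kind = 'Task'; Name = $_.TaskName; RunAs = $_.Principal.UserId; State = $_.State }
        }
    }
}

$findings = @(Get-AdminRunAsJobs)
if ($findings.Count -eq 0) {
    Write-Host 'No services or scheduled tasks run under a local Administrators member.'
} else {
    Write-Warning "$($findings.Count) job(s) run with administrator rights; review whether each needs them."
    $findings | Format-Table -AutoSize
}
```

Any backup agent that shows up here is a candidate for its own service account with write access to the backup target only, so that a compromise of the account running the backup cannot also wipe or encrypt the copies.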
Network Access & a SOC
Make sure access to your network is secure. The use of VPNs to connect remotely can help close the doors your network has open to the public. If you remote into your office and aren't using a VPN, you may be putting your entire organization at risk. Unsecured RDP (Remote Desktop Protocol) access is one of the top ways for ransomware to get into your network. Attackers scan the internet for addresses with port 3389 open (the door into the system) and then start their attack.
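Before an attacker's scan finds the open door, you can check it yourself from the inside. The script below is an added example, not code from the original post; it reads the Terminal Server registry values that control whether RDP is enabled and whether Network Level Authentication (NLA) is required, checks for a listener on port 3389, and reports the remote-address scope of the built-in "Remote Desktop" inbound firewall rules. It assumes Windows 8 / Server 2012 or later (for the NetTCPIP and NetSecurity cmdlets) and an elevated session.

```powershell
# Added example (not from the original post): audit how exposed this host's RDP
# service is. Run elevated on the machine being checked.
function Get-RdpExposure {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Is anything actually listening on the default RDP port?
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # Remote address scope of the enabled inbound Remote Desktop rules ('Any' = the whole internet may try)
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress }

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        RdpEnabled          = ($ts.fDenyTSConnections -eq 0)
        NlaRequired         = ($tcp.UserAuthentication -eq 1)
        ListeningOn3389     = [bool]$listening
        FirewallRemoteScope = (($scopes | Sort-Object -Unique) -join ', ')
    }
}

$exposure = Get-RdpExposure
$exposure | Format-List

if ($exposure.RdpEnabled -and -not $exposure.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA: unauthenticated clients reach the logon screen before proving who they are.'
}
if ($exposure.RdpEnabled -and $exposure.FirewallRemoteScope -match 'Any') {
    Write-Warning 'The Remote Desktop firewall rule accepts connections from any address; restrict it to the VPN or management subnet.'
}
```

A host that reports RdpEnabled, ListeningOn3389 and a FirewallRemoteScope of Any, and that sits behind a router forwarding 3389, is exactly what the internet-wide scans the post describes are looking for; the fix is to reach it over the VPN only and to require NLA.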
Adding services to a business class firewall such as IPS (intrusion protection system) can be very helpful, but if no one is looking at what's happening on your firewall, it may only be a matter of time before your system
Enter a SOC, or Security Operations Center. The SOC provides around-the-clock monitoring of systems and devices. Often using advanced machine learning tools, the SOC monitors network traffic, systems, and logs. The SOC can find an attack while it's occurring and take action to remediate the threat, so your systems do not get compromised.
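The simplest thing a SOC looks for in logs is a burst of failed logons from one source, which is what the RDP password guessing described above looks like from the inside (Security event ID 4625, logon type 10 for remote desktop). The script below is an added example, not part of the original post: it groups failed-logon records by source address and raises an alert when one address exceeds a threshold inside a sliding time window. The events it runs on are constructed sample data (documentation IP ranges, invented user names) so it runs offline; the commented Get-WinEvent block shows how to feed it real 4625 events from the Security log instead.

```powershell
# Added example (not from the original post): flag sources producing many failed
# logons in a short window. Works on any objects with Time, IpAddress, LogonType
# and TargetUser properties.
function Find-LogonBursts {
    param(
        [Parameter(Mandatory)] $Events,
        [int]$Threshold = 10,        # failures from one source that trigger an alert
        [int]$WindowMinutes = 5
    )
    $Events | Group-Object IpAddress | ForEach-Object {
        $source = $_.Name
        $sorted = @($_.Group | Sort-Object Time)
        # Sliding window: from each failure, count the failures in the next WindowMinutes
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            if ($inWindow.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source    = $source
                    Failures  = $inWindow.Count
                    FirstSeen = $start
                    Users     = (($inWindow.TargetUser | Sort-Object -Unique) -join ',')
                    LogonType = (($inWindow.LogonType  | Sort-Object -Unique) -join ',')
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample: 12 RDP (logon type 10) failures from one address within two
# minutes, plus two network (type 3) failures from another that stay under the threshold.
$t0 = Get-Date '2018-03-26T02:00:00'
$sample = @()
1..12 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds($_ * 10); IpAddress = '203.0.113.7'; LogonType = 10; TargetUser = "user$_" }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(1); IpAddress = '192.0.2.25'; LogonType = 3; TargetUser = 'jdoe' }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(2); IpAddress = '192.0.2.25'; LogonType = 3; TargetUser = 'jdoe' }

# Real data: build the same objects from the last hour of Security event 4625 (run elevated)
# $sample = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ForEach-Object {
#         $d = ([xml]$_.ToXml()).Event.EventData.Data
#         [pscustomobject]@{
#             Time       = $_.TimeCreated
#             IpAddress  = ($d | Where-Object Name -eq 'IpAddress').'#text'
#             LogonType  = ($d | Where-Object Name -eq 'LogonType').'#text'
#             TargetUser = ($d | Where-Object Name -eq 'TargetUserName').'#text'
#         }
#     }

Find-LogonBursts -Events $sample | Format-Table -AutoSize
```

On the sample data this reports one source (203.0.113.7) with 12 failures across 12 different user names, the shape of a password-spraying attempt, and nothing for the two stray failures from 192.0.2.25. A SOC does the same thing continuously, across every host, and acts on the alert while the attempt is still in progress.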
End User Training
You may not think your receptionist or bookkeeper has much to do with the security of your network, but they may be your weakest link. As stated earlier, attackers look for the weakest link to work their way into your network. Whether it's a phishing email disguised as a request from an owner, or a seemingly innocent conversation with a person on the phone, every employee needs awareness training to identify when things just don't add up. You've all heard the phrase "if you see something, say something," but what if your employees don't know what to look for? How can they say something if they're not taught to see attacks?
You may think you can't afford a SOC or added backups, but can you afford not to?
To assess your risk, contact us for a consultation today!