Over the past few months, ransomware outbreaks of “WannaCry” and “Petya” have both achieved media headlines. Both outbreaks disrupted or halted business operations of organizations across the globe. Ransomware for past few years has been a growing threat, but now it has matured into a threat that cannot be ignored anymore. Most ransomware infections are preventable with a proper cyber security program.
What is Ransomware?
Ransomware is a term to describe malware that holds a user’s data hostage until a ransom is paid. There are many variations of this type of malware, and each variation is designed differently, but the end goal is always to extort money from a victim.
How Does Ransomware Spread and How to Recognize Ransomware
Ransomware infections commonly begin when a victim visits a malicious website or opens a suspicious file. These infection vectors are often delivered via a phishing email. Phishing emails are designed to entice a victim to do some action like clicking a link to a website or opening an email attachment.
If a victim clicks a link to a malicious internet site, the victim’s web browser is scanned for security vulnerabilities. A security vulnerability is a software flaw that opens a computer to the possibility of an attack. If the web browser is found vulnerable, the security vulnerability is exploited, and ransomware is deployed.
If the victim opens an email attachment, the malicious document may have a small program embedded in it that is utilized to download and execute ransomware. Once a computer is infected with ransomware, it typically encrypts all data and displays a ransom note informing the victim what has happened and how to pay the ransom.
Ransomware Prevention
To reduce the risk of ransomware infection, an organization needs to have a patch management program and periodic security awareness training for users. These two items can prevent most ransomware infections from occurring.
A patch management program involves a reoccurring process of updating all computer systems in an organization by applying software patches. A software patch can contain either, a new software feature or a fix for a software flaw also called a bug. Sometimes a software bug can be classified as a security vulnerability. A software patch can close known security vulnerabilities. Ransomware often uses security vulnerabilities to spread and infect computers.
Security awareness training communicates to an organization’s users about phishing emails. Since phishing emails are the most common delivery method for ransomware, a program that trains users to spot phishing emails can help prevent ransomware infections. Training should inform users about the dangers of opening email attachments and clicking web links from unsolicited emails. Testing of users should be done periodically to ensure that users apply what they learned in their security awareness training.
How an incident management plan help with Ransomware Recovery
Recovery from a ransomware infection is depended on having an already established incident management and disaster recovery plan. To be effective, both plans should be in place before a ransomware infection occurs.
An incident management plan involves detecting, investigating and remediating an incident. An incident is any event that negatively affects business operations. An incident, like a ransomware infection, needs to be detected and identified promptly so that a remediation plan can be put together. Most ransomware variants have a deadline for when a ransom can be paid. If a deadline passes, all data becomes completely unrecoverable.
A ransomware infection can be detected through user feedback. Often, users are the first to notice suspicious activity on their computers. If a user is presented with a ransom note, a process of reporting and escalating events needs to be created. Once a ransomware infection has been detected, information about the event can be collected to assist in forming a remediation plan. A remediation plan is the enacting of a disaster recovery plan.
A disaster recovery plan is a set of steps to recover from an incident after it has impacted business operations. For a ransomware infection, a disaster recovery plan focuses on recovering data that was taken hostage and cleaning computer systems of ransomware.
Can You Recover Your Data Once You Pay the Ransomware?
There are no guaranteed ways to recover data after a ransomware infection. Paying the ransom does not guarantee recovery of data.
Business critical data should be periodically backed up in advance of an incident. If infected by ransomware, a recovery process should include wiping the affected system of ransomware and restore data from a prior backup. Keeping up to date backups and periodically testing your recovery process is the only guaranteed way to recover data from a ransomware infection.
Conclusion
All businesses are depended on their technology infrastructure to collect, process, and store data. This data is critical for daily business operations. Denial or destruction of this data via ransomware significantly affect business operations. Investing in a cyber security plan can help reduce the risks associated with ransomware. By having a patch management program, you reduce the opportunities ransomware can infect your organization. Security awareness training can help reduce the chances of users falling for phishing emails that deliver ransomware.
If affected by ransomware, an incident management plan can assist in identifying the infection in a timely manner. A disaster recovery plan can ensure that data can be recovered. The threat posed by ransomware will continue to evolve, but a well-designed cyber security program can help reduce the risks posed by ransomware.
Building an effective Incident Management Program can be complex and time-consuming, CISOSHARE strives to help businesses implement comprehensive solutions to protect organization’s confidentiality, integrity, and availability of information. Contact us today to get started or let us know if you have any questions.