Ransomware: Avoiding a Hostage Situation

Aug 21, 2017

Ransomware attacks continue to escalate worldwide, causing data loss, downtime, and significant expense to businesses in all industries. Ransomware is a type of malicious software (malware) that criminals place on computer systems to encrypt the data. These cyber criminals then extort individuals and businesses, demanding a ransom in exchange for the decryption key. Some of the latest ransomware variants, like WannaCry and Petya, have made international news. But even before the latest outbreaks, there were an estimated 4,000 ransomware attacks a day.

Unfortunately, because of the ease of ransomware deployment and the lucrative nature of this type of cybercrime, all businesses must be prepared to prevent attacks and respond to them if affected.

Preventive Steps

Patch and update. For many variants of ransomware, including WannaCry, software patches and updates were available before the virus was released. Patch and update routinely.

Replace unsupported operating systems. Unsupported operating systems like Windows XP, Windows 8, and Windows Server 2003 are particularly vulnerable because Microsoft does not provide regular updates. Make plans to remove unsupported operating systems.

Use antivirus/anti-malware. Set antivirus and anti-malware programs to update automatically with the latest updates and patches, and conduct regular scans of computers on the network.

Train your employees. Many times malware requires someone to click on an email attachment. Employees need a healthy dose of education and paranoia to make sure they think before they click. Companies should conduct email phishing tests, sending bogus emails to employees to see how many fall for the trick, and then use the results to improve security through training and awareness campaigns.

Back up data regularly and test recovery/restore. Make sure that your data is backed up and that you can recover to restore points that are prior to the data getting infected by malware. Most important, test the recovery process to make sure the backups work!

Limit administrator access. Your employees may not like this, but if they can’t download programs (including malware) with an administrator password, it will protect them and your business.

Review cybersecurity insurance policies. Cybersecurity insurance has become big business as of late, but the coverage seems to vary greatly among providers. Review your insurance coverage to see what damages resulting from ransomware are covered by the policy.

Infected by ransomware? Take these steps.

Just like a cold or flu, computer viruses like to spread the infection to others. Isolation and containment are the keys to limiting the damage. If a computer on your network is infected, the following respond and recover steps should be taken:

Respond:

  • Isolate the infected device immediately to contain the virus from spreading.
  • Isolate or power off devices that have not been completely corrupted.
  • Secure backup systems by taking them offline to preserve the integrity of your data backups.
  • Collect and secure partial portions of data that may exist.
  • Change all online account and network passwords.
  • Delete the malware's registry values and files to stop it from loading.
  • Report the incident to your local FBI field office or the Secret Service.

Recover:

  • Hopefully, any impacted computers have clean backups so data can be restored. Recover data from a restore point prior to the infection.
  • If data has not been successfully backed up to a recent restore point, or if the backup also was corrupted by ransomware because restore points were not set up properly, companies will need to give careful consideration to whether or not to pay the ransom. Paying the ransom is not advised because there are no guarantees that your data will be restored, and paying the ransom encourages this extortion business model. But if there are no alternatives, companies should consult with their stakeholders and business advisors, including legal counsel, computer forensics advisor, and insurance provider, to understand the options and risks.

Face Reality

Ransomware variants are going to keep appearing. Take time now to review and test your incident response plan. Many incident response plans have not been updated to cover the incidents most relevant today. Update your plans to address ransomware and prepare your teams through tabletop mock drills. Now is a good time to make sure your plans include advance arrangements with service providers that your organization may need to work with while addressing an incident. This includes legal counsel, computer forensics, public relations, IT support, law enforcement, and (heaven forbid) an exchange to purchase bitcoin to pay a ransom!

Unsure of your organization’s ability to respond to a ransomware attack? Need to know how to prevent one in the first place? Contact Wipfli today and explore the many ways our cybersecurity experts can help.

Author(s)

Jeff Olejnik
Director, Risk Advisory Services