Despite being such a major threat to organizations’ cyber and data security, ransomware is a fairly simple type of malware. Once present on a system, the malware often uses functionality built into the computer’s operating system to access and encrypt the victim’s files.
Because ransomware uses modern encryption algorithms, it is impossible to retrieve the user’s files without access to the decryption key. Since the ransomware operator is the only one with access to this key, their victims have an incentive to pay the ransom. If the ransom is paid, all the cybercriminal has to do is provide the decryption key to enable the victim to regain access to their data.
A successful ransomware attack can be devastating to a business. Organizations caught unprepared could be left with the choice between paying a ransom demand and writing off the stolen data entirely.
However, there are several actions that a company can take to minimize their exposure to and the potential impacts of a ransomware attack.
The goal of ransomware is to force the victim to pay a ransom in order to regain access to their encrypted data. However, this is only effective if the target actually loses access to their data. A robust, secure data backup solution is an effective way to mitigate the impact of a ransomware attack. If systems are backed up regularly, then the data lost to a ransomware attack should be minimal or non-existent.
However, it is important to ensure that the data backup solution can’t be encrypted as well. Data should be stored in a read-only format to prevent the spread of ransomware to drives containing recovery data.
Phishing emails are one of the most popular ways to spread ransom malware. By tricking a user into clicking on a link or opening a malicious attachment, cybercriminals can gain access to the employee’s computer and begin the process of installing and executing the ransomware program on it.
Frequent cybersecurity awareness training is crucial to protecting the organization against ransomware. This training should instruct employees to do the following:
Cybercriminals commonly use the Remote Desktop Protocol (RDP) and similar tools to gain remote access to an organization’s systems using guessed or stolen login credentials. Once inside, the attacker can drop ransomware on the machine and execute it, encrypting the files stored there.
This potential attack vector can be closed through the use of strong user authentication. Enforcing a strong password policy, requiring the use of multi-factor authentication, and educating employees about phishing attacks designed to steal login credentials are all critical components of an organization’s cybersecurity strategy.
WannaCry, one of the most famous ransomware variants in existence, is an example of a ransomware worm. Rather than relying upon phishing emails or RDP to gain access to target systems, WannaCry spread itself by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol.
At the time of the famous WannaCry attack in May 2017, a patch existed for the EternalBlue vulnerability used by WannaCry. This patch was available a month before the attack and labeled as “critical” due to its high potential for exploitation. However, many organizations and individuals did not apply the patch in time, resulting in a ransomware outbreak that infected 200,000 computers within three days.
Keeping computers up-to-date and applying security patches, especially those labeled as critical, can help to limit an organization’s vulnerability to ransomware attacks.
While the previous ransomware prevention steps can help to mitigate an organization’s exposure to ransomware threats, they do not provide perfect protection. Some ransomware operators use well-researched and highly targeted spear phishing emails as their attack vector. These emails may trick even the most diligent employee, resulting in ransomware gaining access to an organization’s internal systems.
Protecting against this ransomware that “slips through the cracks” requires a specialized security solution. In order to achieve its objective, ransomware must perform certain anomalous actions, such as opening and encrypting large numbers of files. Anti-ransomware solutions monitor programs running on a computer for suspicious behaviors commonly exhibited by ransomware, and if these behaviors are detected, the program can take action to stop encryption before further damage can be done.