By Bryce Austin, MDSG
There were seven people sitting around the table in the aftermath of this ransomware infection: the CEO, the VP, the CFO, the Special Agent from the FBI, the business owner, the forensics technician, and the company’s CISO (Chief Information Security Officer).
“Don’t pay,” was the CEO’s vote. The VP agreed with him.
“Pay it,” was the owner’s response. The CFO nodded in agreement.
“Paying could be a violation of Federal law,” stated the FBI representative.
The CISO had a hard time getting words out, as this was the largest ransom that he had dealt with at the time. $1,200,000 was a tremendous amount of money.
“I don’t see another option given the status of our backups. Either we pay the ransom or we begin liquidating the assets of the company. Which is the lesser of two evils?”
The CISO negotiated the ransom demand from the malicious actors down to $410,000. The Bitcoin took several hours to amass, but this data breach required payment. His mind was focused on how he could have prevented the ransomware attack, but it was too late.
The cybercriminals got into the network via a phishing email, a common type of malicious email that tricks the victim into installing malware or giving up a password. The victim’s company didn’t have adequate cybersecurity awareness training to teach its team members to recognize and delete these types of emails.
The malware wormed its way into most of the computers in the network, encrypting files as it went. The cyber criminals delivered a decryption key, but 30% of the victim’s data was gone forever. Some of their hard drives filled up during the encryption process, and the ransomware software kept running after the drives were full. Every file encrypted after that point was not retrievable. The total recovery took three months.
Ransomware prevention includes three key areas: Cyber security hygiene of your employees, proper security software practices by your IT department, and your data backup strategy. Here are five ways to prevent a ransomware attack, and five ways to recover from an attack if you fall victim to one:
Defenses that help prevent a ransomware attack:
- Add Multi Factor Authentication (MFA) on all of your email accounts. This is the single most important thing you can do for ransomware prevention.
- Patch all of your computers. Ransomware cybercriminals love unpatched computers, as there are vulnerabilities on them that they can exploit. You need to patch every computer in your environment, and the easiest way to do that is to set them to patch themselves. Just Google how to do that.
- Patch anything on your network that faces the Internet directly. Firewalls, security cameras, doorbells, etc.
- Install good antivirus protection software everywhere. All PCs, all Macs, all servers (if you have servers), everywhere.
- If your users have local admin credentials, you may want to rethink that. If a cybercriminal compromises a computer, whatever permissions the user for that computer has are what the cybercriminal has. If that user is a local administrator, the cybercriminal is going to use that access to do more damage.
If you fall victim to ransomware, you need the following. Please note that most of these need to be in place before the attack takes place:
- OFFLINE backups. These are backups that are kept off of your network. Cyber criminals will try to delete your backups before encrypting your data. If your backups are not on your network, the bad guys can’t destroy them.
- Tested restore procedures. If you try to restore your backups only when you need them, you are rolling the dice every time you are in a real bind.
- Involve law enforcement. Reporting ransomware to law enforcement is a great way to make cyber criminals work harder. For ransomware victims in the USA, the website ic3.gov is a great resource for this.
- Ensure that you have 35% free drive space on all network drives. Ransomware often bloats the data on the drives it encrypts. Once a drive fills up, the ransomware process keeps running anyway, and every file it encrypts after that point is unrecoverable, even if the victim pays the ransom.
- If you have cyber security liability insurance, call your insurance company ASAP! Some insurance policies have a clause stating that the customer must inform their insurance company within 24 hours of a suspected incident. If you take a few days to confirm that an incident is real, it can be an expensive mistake.
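Two of the recovery items above, tested restore procedures and the 35% free-space floor on network drives, are checks that can be scripted and run on a schedule long before an incident. The following is an added example, not code from the article or from MDSG. It builds a small constructed file share, backs it up to a tar archive, restores that archive into a scratch directory and compares every file's SHA-256 against a manifest taken at backup time, then repeats the test against a backup that silently skipped a file. It also reports free-space percentage for a list of paths (the sample paths `.` and `/nonexistent/share` are placeholders; the `skip` predicate and the `MIN_FREE_PERCENT` constant are this example's own names).

```python
# Added example (not from the original article): two pre-incident readiness
# checks, a restore test for backups and a free-space check for network drives.
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path

MIN_FREE_PERCENT = 35  # free-space floor recommended in the article


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path, skip=None) -> dict[str, str]:
    """Write a tar.gz of source and return the manifest of what should be in it.

    skip is an optional predicate on archive member names (hypothetical helper);
    it is used below to simulate a backup job that silently dropped a file."""
    def member_filter(info):
        return None if skip and skip(info.name) else info
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=member_filter)
    return manifest(source)


def restore_and_verify(archive: Path, expected: dict[str, str]) -> dict:
    """Restore into a scratch directory and compare every file hash with expected."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the hardened extraction filter where this Python provides it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **extra)
        restored = manifest(dest)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(name for name, digest in expected.items()
                       if name in restored and restored[name] != digest)
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted,
            "restored_files": len(restored)}


def evaluate_volume(total: int, free: int, min_free_percent: float = MIN_FREE_PERCENT):
    """Pure check: (free percentage, whether it meets the floor)."""
    free_pct = 0.0 if total <= 0 else 100.0 * free / total
    return free_pct, free_pct >= min_free_percent


def check_free_space(paths, min_free_percent: float = MIN_FREE_PERCENT) -> list[dict]:
    """Report free space for each mount point or share path; unreachable paths are flagged."""
    report = []
    for raw in paths:
        path = Path(raw)
        if not path.exists():
            report.append({"path": str(path), "free_pct": None, "status": "unreachable"})
            continue
        usage = shutil.disk_usage(path)
        free_pct, ok = evaluate_volume(usage.total, usage.free, min_free_percent)
        report.append({"path": str(path), "free_pct": round(free_pct, 1),
                       "status": "ok" if ok else "low"})
    return report


def run_demo():
    """Build a constructed file share, back it up, and test the restore twice."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "fileserver"
        (source / "finance").mkdir(parents=True)
        # Constructed sample data, not real records.
        (source / "finance" / "ledger.csv").write_text("2024-01-03,invoice,1200.00\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        expected = make_backup(source, work / "nightly.tar.gz")
        good = restore_and_verify(work / "nightly.tar.gz", expected)

        # Simulate a backup job that silently skipped ledger.csv.
        make_backup(source, work / "partial.tar.gz",
                    skip=lambda name: name.endswith("ledger.csv"))
        bad = restore_and_verify(work / "partial.tar.gz", expected)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("full backup restore:", good)
    print("partial backup restore:", bad)
    print("free space:", check_free_space([".", "/nonexistent/share"]))
```

The point of the restore test is that a backup is only proven when a restore from it has been compared file by file against a known-good manifest; the partial archive passes a naive "the job finished" check yet fails here with the missing file named. The free-space report is meant to run against the real share paths and alert when any volume drops below the floor, since the article's failure mode (encryption continuing on a full drive) is invisible until recovery is attempted.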
If everyone followed the recommendations above, ransomware prevention would be so strong that most ransomware cyber criminals would become a thing of the past. With proactive action and a good cyber security awareness training program for your employees, cybercrime is a solvable problem!