printer friendly version

Four steps to surviving ransomware

According to Symantec’s 2016 Internet Security Threat Report, ransomware attacks increased by 35% in 2015. A survey by Malwarebytes found that nearly 40% of companies suffered a ransomware attack in 2015-16.

Al de Brito, senior technical analyst, ContinuitySA.

Ransomware usually arrives on a device via a sort of phishing attack, and can then spread to other devices on the same network. Either data files or the Master Boot Record are targeted. In the first case, data files are encrypted, in the latter, the device itself will not start up. Each type of attack comes with a demand for a ransom payment before access to the data or device will be restored.

Ransomware has become big business and payments are usually requested in Bitcoin, the cryptocurrency whose major characteristic is its untraceability. Based on our experience with a wide range of clients, the following key steps will help companies avoid falling victim to a ransomware attack and, in the event of one occurring, to be resilient enough to recover quickly.

Develop and implement security policies and procedures

The first step obviously is to spell out formally what the company’s risk profile is, and how all its employees need to behave in order to reduce risk. Some basic inclusions would be to require all users to ensure that they install all software updates, especially those relating to antivirus software, as well as firmware updates for hardware. Another key point here would be to ensure that these policies and procedures fall within the governance framework, and that administrators and security staff work closely together.

A word of warning: the solution is not simply to try and close everything down, but rather to specify safe habits. For example, data sticks will always be used, so rather than try to prohibit them, companies should ensure that scanning and encryption programmes are available and are used.

It is also critical that an ongoing programme for educating staff and enhancing awareness is in place.

Assess

Companies must understand which security standards are mandatory for particular industries and build them into their policies and procedures. Care must be taken to remain compliant over time and as regulations change. The other side of assessment is to put mechanisms in place to ascertain whether systems have been breached. Regular penetration and vulnerability testing must be implemented to establish the system’s integrity.

Monitor and investigate

Companies need to keep abreast of developments in ransomware and other security threats. This will provide early warning of new measures that need to be integrated into the security policies and procedures. Many companies use a service provider to handle this because it is highly specialised and requires familiarity with the Dark Web, where hackers operate.

Put a comprehensive response programme in place

In the event that an attack does occur, the company needs to have a well-thought-out set of responses in place to ensure it can recover within the shortest possible time. This will include a crisis communications protocol for dealing with the media and clients. It makes best sense to integrate the response to a ransomware attack into the business continuity plan because that will mean that the data will be backed up and recoverable at the disaster recovery site, and alternative devices and servers will also be available at the work-area recovery site.

However, it is very important to ensure that the disaster and work-area recovery sites are as highly secure – if the production site is compromised, bringing the disaster recovery site up will make it vulnerable.

Share this article:

Further reading: