By Paul Mazzucco, TierPoint Chief Security Officer
Ransomware attacks have escalated dramatically in recent months. In fact, there’s been a 300 percent increase in ransomware attacks this year according to the FBI, to an average of 4,000 attacks a day, up from 1,000 ransomware attacks a day last year. What’s more, organizations are more often targeted – because the bigger potential payoff.
At TierPoint we’ve assisted many clients with data restoration to avoid the downtime that can be caused by a ransomware attack. Here’s what your organization needs to know about what is ransomware and how to protect your organization from it.
What is ransomware?
Basically, three traits are common among the many variants of ransomware viruses:
- They infect your computer, such as through a malicious email or a visited website.
- They encrypt your files and demand payment (usually in bitcoin) to receive a decryption key.
- The decryption key is usually successful, however, it can depend on the honesty and follow-through of the attacker.
Not all ransomware is created equally. There are two main types – lock screen and encryption ransomware. Encryption is getting all the press this year. While you may be able to find a workaround to lock screen ransomware, that’s not the case with file-encrypting ransomware. By the time you realize your files are encrypted and unreadable, or you find or receive a ransom note, the damage has been done – and it is irreversible without the private decryption key held by the attacker.
How files get infected with ransomware
Attackers are changing their tactics. While spam emails used to be a popular way to spread malware such as ransomware, spam filters have taken the wind out of that approach. Now it is spear-phishing, which targets an individual directly. In fact, 93% of all phishing emails contain some sort of ransomware encryption, according to a report by PhishMe, an anti-phishing vendor. And the FBI says recent iterations target enterprise end users.
But that’s not all. Other sources of ransomware include malicious advertising (even on trusted websites) and bold cold calls via phone where an attacker poses as a software vendor or IT provider and directly requests remote access to the user’s computer to resolve a purported problem – but instead installs ransomware.
How you know if you have been hit by encryption ransomware
You likely won’t know you’ve been hit right away, but within seconds the ransomware virus will silently start encrypting your files – and files accessible via your network. The files are generally encrypted with a public encryption key in such a way that you cannot unencrypt the files without the second key of the pair. You probably won’t get a ransom note until hours or days later when the encryption is complete.
In the meantime, you may discover files that appear to be corrupted. Encrypted files cannot be read by any application, and the first sign of damage may be error messages on your computer when opening files – asking which application should be used.
The introduction of MIRAI – a malware and botnet combination – has introduced even more complexity into the ransomware arena. This virus not only affects your network, it can compromise any and all IoT devices, including DVRs, home security cameras, routers, etc. and is accessed via wireless network gateways. The Mirai malware source code has been recently released to the public, however more cases like this – with vulnerable IoT and networking devices – will continue, disrupting online services and costing businesses a fortune.*
How much does the ransom payoff cost?
Organizations are being targeted for higher ransom amounts. Network World cites Ramirez as providing the example of Hollywood Presbyterian Medical Center, which paid bitcoin valued at around $17,000 to the perpetrators of a ransomware attack. CSO Online reports that the original ransom demand was $3.6 million.
Unfortunately, the FBI reports that even if payment is made, the decryption key provided by the perpetrator to unlock the files may not work due to system configuration issues. Or the perpetrators may not provide the key after receiving the money and instead follow up with a second ransom demand.
Avoid becoming a ransomware statistic
Besides the business continuity crisis caused by downtime due to a ransomware virus, an organization could also be subject to fines. Ramirez was said to have warned that a company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might very well violate the FTC Act.
The FBI offers tips for dealing with a ransomware threat. A key point to ensuring business continuity in a world of ransomware is to back up data regularly and test the backups. Any backups, including cloud backups, need to be secured in a way that they are inaccessible to a spreading ransomware virus.
Having a secure and validated data backup program is the easiest way to avoid having to pay the ransom. Our in-house experts can help you avoid the headache of ransomware and other security breaches.
Organizations that put off mitigating a security risk such as ransomware to a later date often never deal with it at all. Consider whether your organization has the expertise and the current bandwidth to ensure you don’t become a ransomware statistic.
If you feel your company is at high risk for ransomware, having a secure and validated data back-up program is the easiest way to avoid having to pay ransomware, and TierPoint has assisted many clients with data restoration to avoid the downtime these attacks cause. If you would like to learn more about proactive measures to protect your business, contact us
Paul Mazzucco is responsible for all TierPoint corporate standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards. Paul joined TierPoint through its 2014 acquisition of Xand, where he served in a similar role.