The internet is an amazing, useful and often wonderful thing. It’s also a giant mess. For every resource it gives your business that helps you succeed, it also offers a threat. Not-safe-for-work embarrassments aside, there are some genuine dangers on the internet that can destroy even the strongest businesses. Perhaps the ultimate bogeyman today is ransomware. There’s no gentle way to say this. You need both preventative and responsive measures in place to deal with ransomware, and you need them today.
We have a great deal of first-hand experience helping companies get beyond malware attacks. The pain we have seen is completely frightening. In the interest of seeing a bit less of this, here are a few thoughts on the subject.
What Is Ransomware?
In short, ransomware is a specific category of malicious software. As the name suggests, it involves holding digital assets hostage for a ransom. To put it in simpler terms, the malicious software will lock you out of accessing some or all data or applications on the infected device. It’s pretty easy to see how crippling this can be to any business. What’s even scarier is that ransomware can, and usually does, spread across your network.
Who Is at Risk?
Technically speaking, any device that has access to the internet is at risk for a ransomware attack. In practice, it’s not quite so bleak. Cybercriminals use this tactic to make money, so they’re going to target victims who have the money to pay the ransom and are more likely to do so. This means that every operating business in the world is a potential target. Businesses in industries that are particularly data-dependent are the biggest targets of all. This includes health care and, ironically, tech companies.
Chances are that you invest a pretty penny in keeping your network and data safe. That’s a great thing, but even leading IT experts have fallen victim to ransomware. The problem is that crafty criminals exploit human error in order to get past security. If you employ more than one person, your personnel increase your risk of getting hit by an attack.
You might rush to retrain your staff and work on preventative measures, and that can work, but it’s important to understand the simple way a lot of ransomware gets past security. It asks for permission, and if a user isn’t paying attention, they can grant that permission. Obviously, there’s a lot more going on behind the scenes to beat your firewall and software security, but this is an important part of the equation. Human error is inevitable, and it can eventually expose your network to ransomware.
There’s an additional risk factor with all malware, and it’s probably the most important. Anyone who pays a ransomer is immediately at higher risk for a repeat attack. If you’re willing to pony up the cash, then you’re the best person to target with more ransoms. It’s a simple cost/reward analysis for the criminals.
This all applies to your personal devices and network, by the way, so there’s an extra reason to pay attention.
How Do You Deal With It?
Ok. If you shouldn’t pay the attackers, how do you deal with the ransomware? The first step is to remove the malicious software. Your IT team should be able to handle this part pretty easily (most of the time). Unfortunately, that easy step of removing the software won’t unlock your data. It will only prevent the problem from expanding. Once data is encrypted, your options are limited. You can trust that cybercriminals are using powerful encryption algorithms to make sure you must pay them. It’s extremely unlikely that you can force the vault open without spending exorbitant sums of money and time. Brute force simply isn’t an option.
Now, if you’re in a tight spot and you need that data, you’re going to be tempted to pay the attackers. It’s important to remember that the people who illegally infiltrated your computer are operating on the honor system. You have absolutely no guarantee that paying them will result in getting your data back. In fact, many ransomware processes corrupt data. Remember, too, that paying makes you a more likely target in the future. Paying a ransomer is often tantamount to throwing money away.
As frustrating as it is, this is another case where the best defense is a good offense — sort of.
Backups, Backups and More Backups
The best way to deal with ransomware is to never get it in the first place. Make sure personnel know the basics. Don’t talk to strangers. If you don’t recognize the sender of an email, don’t download the attachments. Likewise, don’t give strange websites or unknown applications permission to make changes to your system.
And when presented with a log-on screen in a browser, ALWAYS look at the URL or address:
Be sure this is someone you know and trust, and beware of subdomains. For example:
bla-bla-bla.microsoft.com is safe, because the final part, microsoft.com, determines where you are.
microsoft.ei.com is almost surely DANGEROUS, because here the final part is ei.com, not microsoft.com.
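The check described above, written out as an added example (this is not code from the article or from GDV): it extracts the part of the hostname that “determines where you are” and compares it against a constructed allow-list, and it also catches two variations the article’s two hostnames don’t show, the trusted name placed before an “@” and a log-on page served over plain HTTP. The “last two labels” rule is a stated simplification; browsers use the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed allow-list: organisations whose log-on pages this user trusts.
TRUSTED_DOMAINS = {"microsoft.com"}


def _split(url: str):
    # A bare hostname has no scheme; "//" makes urlsplit treat it as a netloc.
    return urlsplit(url if "://" in url else "//" + url)


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that 'determines where you are'.

    Simplification (assumption): the last two labels. Browsers consult the
    Public Suffix List instead, which matters for suffixes such as co.uk.
    .hostname already drops userinfo and port, so 'https://microsoft.com@ei.com/'
    resolves to ei.com: a trusted name left of '@' does not count.
    """
    host = _split(url).hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"{host!r} is not a fully qualified name")
    return ".".join(labels[-2:])


def is_trusted_login_page(url: str) -> bool:
    """True only for an HTTPS page whose registrable domain is trusted."""
    if _split(url).scheme != "https":
        return False  # credentials over plain HTTP are never acceptable
    return registrable_domain(url) in TRUSTED_DOMAINS


if __name__ == "__main__":
    for candidate in (
        "https://bla-bla-bla.microsoft.com/login",      # article's safe example
        "https://microsoft.ei.com/login",               # article's dangerous example
        "https://microsoft.com.login-portal.example/",  # trusted name as a subdomain
        "https://microsoft.com@ei.com/",                # trusted name in userinfo
        "http://login.microsoft.com/",                  # right domain, wrong scheme
    ):
        print(f"{candidate:48} -> {is_trusted_login_page(candidate)}")
```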
Every single device that connects to the network needs active antivirus and malware protection software. GDV provides the best security posture of any cloud-based DR solution. We extend LogRhythm, a Gartner Magic Quadrant SIEM solution, combined with BitLyft, an automated, AI-based remediation solution, to all customers’ backup repositories. This enables GDV to detect and shut down brute force attacks, unauthorized process execution, improper data movement, unexpected encryption (such as a malware attack), and other serious security threats.
But, as we’ve said, prevention isn’t foolproof. There is only one way to be completely sure that you can beat ransomware. You have to have reliable backups. In IT, we’ve called it the “3-2-1-1 rule” for a long time. Perhaps we should start calling it the “law of 3-2-1-1” instead. Here is what we believe: for all your data, you should:
3 – Have at least three copies,
2 – Store the copies on two different media types,
1 – And keep one backup copy offsite,
1 – And finally keep one OFFLINE,
and use a professional cloud backup provider. The additional “1 OFFLINE” is what we call the air-gapped copy. For those of you who aren’t IT experts, the air-gapped, local backup is tape, a flash drive, an external hard drive, or even a data server that is powered OFF. Unless this copy is actively updating its copy of your data, it should be completely disconnected from your network and other devices – and not have power!
The idea is that a physical barrier (air) exists between this backup and any device that could potentially infect it. It’s then your ultimate get-out-of-jail card.
If you are disciplined in the rule of 3-2-1-1, then defeating ransomware gets a lot easier. Once the malicious software is removed, you can delete the encrypted (and probably corrupted) copy and simply replace it with one of your backups. The best part is that this protects you from a lot more than just malicious software. Device failure, disasters, emergencies and anything else that can threaten your data will have a hard time getting all three copies of your stuff at once.
That about covers it. Keeping up with the names and specific details of ransomware attacks would be daunting. Stick to the best practices and your line of defense will be solid.