Hospitals, school districts, state and local governments, law enforcement agencies, and businesses large and small — these are just a sampling of the organizations held hostage by ransomware, a treacherous type of malware, deployed by criminals, that encrypts, or locks, critical digital files until the victim pays a ransom to release them.
The inability to access data can be catastrophic in terms of both financial loss and damage to an organization’s reputation.
According to a release from the Federal Bureau of Investigation, the loss of privacy-sensitive or proprietary information, lost profits due to disruption of normal operations, financial losses incurred to restore systems and files — not to mention the harm it causes to an organization’s credibility — can cripple an organization’s ability to function.
Home computers are just as vulnerable to ransomware and the loss of access to personal and often irreplaceable data — including family photos, videos, private documents, and other information — can be devastating for individuals as well.
In a ransomware attack, victims may open an email and click on an attachment that appears to be from a trusted source but which actually contains a malicious ransomware code, the FBI warns. Or the email might contain a legitimate-looking URL, but when victims click on it, they are directed to a website that infects their computer with malicious software.
Once the infection occurs, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the compromised computer is attached to. Users and organizations are generally not aware of the malware until they can no longer access data or until they begin to see computer messages advising them of the attack with demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.
Ransomware attacks are not only increasing, the FBI says, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam, but because email systems became better at filtering out spam, cyber criminals are now sending spear phishing emails targeting specific individuals. In newer cases of ransomware, some cyber criminals aren’t using emails at all — they can bypass the need for an individual to click on a link by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.
The FBI doesn’t recommend paying a ransom in response to a ransomware attack. Paying a ransom doesn’t guarantee an organization that it will get its data back — there have been cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only encourages cyber criminals to target more organizations, it also offers an enticement to other criminals to attempt this illegal activity. Perhaps more troublingly, by paying a ransom, an organization might inadvertently be funding other criminal activity. Hackers, criminals and terrorists use their illicit gains to finance their networks of criminal activity, to rob our nation of valuable intellectual property for economic advantage, to steal national security secrets, or to launch massive cyber strikes to support their political objectives.
So what does the FBI recommend? As ransomware techniques and malware continue to evolve — and because it’s difficult to detect a ransomware compromise before it’s too late — organizations in particular should focus on two main areas:
- Prevention efforts — in both awareness training for employees and robust technical prevention controls; and
- Creating a solid business or operational continuity plan in the event of a ransomware attack.
The FBI offers some tips for dealing with ransomware — primarily aimed at organizations and their employees — but some are also applicable to individual users:
- Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
- Patch the operating system, software, and firmware on digital devices; a centralized patch management system can make this easier.
- Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
- Limit the use of privileged accounts — no users should be assigned administrative access unless absolutely needed, and only establish administrator accounts when required.
- Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don't need write access to those files or directories.
- Disable macro scripts from office files transmitted over email.
- Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations such as temporary folders supporting popular internet browsers and compression/decompression programs.
- Back up data frequently and verify the integrity of the backups.
- Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.
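As an added example of the "verify the integrity of the backups" tip (this is not code from the FBI release), the following Python script records a SHA-256 manifest of a backup set and later reports files that went missing, changed, or appeared. The backup directory, file names and the tampering scenario are all constructed in a temporary directory; in practice the manifest would be stored apart from the backup volume, since a copy kept alongside the data can be encrypted with it.

```python
"""Backup integrity manifest: record SHA-256 hashes of a backup set and verify them later.
Added example, not part of the FBI guidance; paths and file names are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its digest and size."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup's current contents against a manifest taken earlier.
    A ransomware run that reaches the backup volume typically shows up as many
    modified or missing entries plus new files with unfamiliar extensions."""
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(k for k in manifest if k in current
                      and current[k]["sha256"] != manifest[k]["sha256"])
    ok = not (missing or modified or unexpected)
    return {"ok": ok, "missing": missing, "modified": modified, "unexpected": unexpected}


def demo(tamper: bool = True) -> dict:
    """Constructed scenario: two files are backed up; optionally one is then
    overwritten and renamed, as an encryptor would do, before verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly report")
        (root / "photos.bin").write_bytes(b"\x00\x01\x02")
        manifest = build_manifest(root)  # would be stored off the backup volume
        if tamper:
            (root / "docs" / "report.txt").unlink()
            (root / "docs" / "report.txt.locked").write_bytes(b"not the report")
        return verify_backup(root, manifest)
```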