‘Your files have been encrypted!’ These five words have the potential to instill alarm as the realization dawns that your system has fallen victim to ransomware. How it happened and what happens next, rather depends upon the precautions that may or may not have been taken beforehand. And as we will explore in this article, taking some basic steps in advance could help save a lot of problems later.

Ransomware

Ransomware is a type of malware that has become a significant threat to U.S. businesses and individuals during the past two years. Most of the current ransomware variants encrypt files on the infected system/network (crypto-ransomware), although a few variants are known to erase files or block access to the system using other methods (locker ransomware). Once access to the system is blocked, the ransomware demands a ransom in order to unlock the files, frequently $200 - $3,000 in bitcoins, though other currencies and gift cards are occasionally reported. Ransomware variants almost always opportunistically target victims, infecting an array of devices from computers to smartphones.

Infection Vectors

The majority of ransomware is propagated through user-initiated actions such as clicking on a malicious link in a spam e-mail or visiting a malicious or compromised website. In other instances, malware is disseminated through malvertising and drive-by downloads, which do not require user engagement for the infection to be successful.

While almost all ransomware infections are opportunistic, disseminated through indiscriminate infection vectors such as those discussed above, in a few very rare instances cyber threat actors specifically target a victim. This may occur after the actors realize that a sensitive entity has been infected or because of specific infection attempts. The Federal Bureau of Investigation (FBI) refers to these instances as extortion, rather than ransomware, as there is almost always a higher ransom amount that coincides with the strategic targeting. This was the case in spring 2016 when several hospitals infected with strategically targeted ransomware made the news.

Additional Capabilities

In the past year, ransomware variant features have expanded to include data exfiltration, participation in distributed denial of service (DDoS) attacks, and anti-detection components. One variant deletes files regardless of whether or not a payment was made. Another variant includes the capability to lock cloud-based backups when systems continuously back up in real-time (a.k.a. during persistent synchronization). Other variants target smartphones and the Internet of Things (IoT) devices.

Although not as common, some variants claim to be from a law enforcement agency and that the user owes a “fee” or “fine” for conducting illegal activities, such as viewing pornography. In an effort to appear more legitimate these variants can use techniques to identify the victim’s rough geographic location in order to use the name of a specific law enforcement agency. No U.S. law enforcement agency will ever remotely lock or disable a computer and demand a fine to unlock it.

How to Mitigate the Risk of Ransomware Infections

These recommendations are not comprehensive but provide general best practices.

Securing Networks and Systems

• Have an incident response plan that includes what to do during a ransomware event.
• Backups are critical. Use a backup system that allows multiple iterations of the backups to be saved, in case a copy of the backups includes encrypted or infected files. Routinely test backups for data integrity and to ensure it is operational.
• Use antivirus and anti-spam solutions. Enable regular system and network scans with antivirus programs enabled to automatically update signatures. Implement an anti-spam solution to stop phishing emails from reaching the network. Consider adding a warning banner to all emails from external sources that reminds users of the dangers of clicking on links and opening attachments.
• Disable macros scripts. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
• Keep all systems patched, including all hardware, including mobile devices, operating systems, software, and applications, including cloud locations and content management systems (CMS), patched and up-to-date. Use a centralized patch management system if possible. Implement application white-listing and software restriction policies (SRP) to prevent the execution of programs in common ransomware locations, such as temporary folders.
• Restrict Internet access. Use a proxy server for Internet access and consider ad-blocking software. Restrict access to common ransomware entry points, such as personal email accounts and social networking websites.
• Apply the principles of least privilege and network segmentation. Categorize and separate data based on organizational value and where possible, implement virtual environments and the physical and logical separation of networks and data. Apply the principle of least privilege.
• Vet and monitor third parties that have remote access to the organization’s network and/or your connections to third parties, to ensure they are diligent with cybersecurity best practices.
• Participate in cybersecurity information-sharing programs and organizations, such as MS-ISAC and InfraGard.

Securing the End-User

• Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, not to click on links or open attachments contained in such emails, and to be cautious before visiting unknown websites.
• Remind users to close their browsers when not in use.
• Have a reporting plan that ensures staff knows where and how to report suspicious activity.

Responding to a Compromise/Attack

• Immediately disconnect the infected system from the network to prevent infection propagation.
• Determine the affected data as some sensitive data, such as electronically protected health information (ePHI) may require additional reporting and/or mitigation measures.
• Determine if a decryptor is available. Online resources such as No More Ransom! can help.
• Restore files from regularly maintained backups.
• Report the infection. It is highly recommended that SLTT government agencies report ransomware incidents to MS-ISAC. Other sectors and home users may report to infections to local Federal Bureau of Investigation (FBI) field offices or to the Internet Crime Complaint Center (IC3).