How to lessen the risk of ransomware attacks on your organization's data
It’s been about a month since the devastating May 7 ransomware attack on the city of Baltimore’s systems, and at the time of this writing only 65% of employees have access to their email.
Water service bills are being estimated and processed manually, as the utility’s billing system has been compromised, and city officials must use library computers to process payroll. The particularly vicious malware at the center of this attack, dubbed “Robbin Hood,” disabled nearly all computerized functions for the city government, and the city is only slowly recovering.
Could the same thing happen to your business?
How does ransomware work?
The FBI are still investigating the specific point of access by which the Robbin Hood ransomware entered the Baltimore City network, but all ransomware, such as SamSam that hit the City of Atlanta, WannaCry that hit Boeing, Petya and Cryptolocker, work similarly.
The malware is sent into the organization by email via an attachment or a URL link (a Trojan). These are disguised in very clever phishing emails to appear as legitimate mails from trusted sources, with attachments that seem real, (“Bob, here is that report you asked me for last week”), tricking the recipient into clicking on the attachment to execute the malware. It can also appear in web pop-ups, or via “drive-by downloading”, when a user unknowingly visits an infected website and the malware is downloaded without their knowledge.
From one to all
Ransomware can be either isolated to one computer or spread across the network. Once the attack is launched, the hackers gather as much data as possible, stealing user names and passwords, network server and remote desktop logins. This enables the criminals to distribute the ransomware throughout the organization. With passwords commonly reused, the virus spreads like wildfire.
Why is ransomware so Nasty?
Unlike other viruses, ransomware doesn’t just steal the data, it locks it down by encrypting the files.
When an attack happens, you suddenly have no access to a program or to login at all. A screen appears announcing that your files have been encrypted, and that you need to pay a ransom to obtain an encryption key, for Robbin Hood, typically 3 bitcoin (about $24,400) for one computer, 13 bitcoin ($105,600) for a network. Sometimes, there is a countdown clock for payment, increasing the ransom after a certain time window has passed.
What if your computer is attacked?
At this point, there are no “anti-virus” or clean up options. No one can “disinfect” your machine. You either pay, or lose your data.
The city of Baltimore decided not to pay. The FBI actually does not advise to not pay under any circumstances. In its “Ransomware Prevention and Response for CISOs” document, the organization advises:
“Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness and cost of restarting systems from backup.”
Note that, even if you pay, there is no guarantee that hackers will give you the encryption key, or that the tools provided will work. A survey carried out by the research firm CyberEdge Group found that nearly 40% of victims who paid still could not recover their files. Also, paying may identify your organization as more vulnerable, and may make you a more likely target for future attacks.