Layers of Security: Block Ransomware
Today’s topic of discussion is ransomware. In simplest terms, ransomware is a type of malicious computer software that, once downloaded onto a person’s computer or server, scans for and begins encrypting files and folders.
Typically, it begins with local files on the computer to which it was downloaded then branches out through the network to whatever other devices it can access.
Once the files are encrypted and rendered inaccessible, the intention is to force the victim to pay a ransom (usually via bitcoin) to the attackers in hopes of getting the encryption key or decryption method. This allows them to regain access to their data.
My first personal experience with ransomware dates to about 2013 and I would say that ransomware came to mainstream prominence in about 2015. But there are incidents of ransomware in its current form dating to 2010 and earlier.
There’s a lot to be learned about proper network security by looking at the way ransomware, or any virus, behaves. This illustrates how these layers of security that I’m always talking about mitigate a lot of risks.
If your perimeter is hardened, ransomware should have a tough time getting in. Most comes in via spam, phishing attacks and sketchy websites, all of which should be blocked by default.
At the same time, user training should take care of a good chunk of the targeted phishing attacks that spam filters sometimes miss.
If something does get through, antivirus software (next-gen especially) should stop it and even if it doesn’t, a properly secured and segmented network means it shouldn’t get very far in the first place.
Monitoring and management should kick in at some point as well, and your IT professional should be intervening early to prevent further damage.
When all else fails, good, disconnected backups should make any kind of further remediation easy.
This is one of the reasons I find stories of companies being down for weeks due to ransomware so egregious. Every network is different and there are two sides to every story, but a two-week recovery time, in most cases, means something went horribly wrong and there were many layers of protection that were skipped.
That first ransomware attack I experienced in 2013 was horrifying to me because it seemed to be the first type of modern malware that could do real, lasting damage to a business.
Up to that point, viruses were more of a nuisance. Many were mischievous without being malicious and the main point was mostly to display ads as a method of generating revenue for the attacker.
The IT industry shifted due to ransomware. It was a gamechanger.
What about the question that I know is on everyone’s mind: Should you pay the ransom? The official position of Avrem Technologies is unequivocally NO.
For what it’s worth, that is also the position of the FBI and the Department of Homeland Security. By paying the ransom you’re feeding the problem and have no guarantee of getting your data back anyway.
But when it’s your company’s data – and ultimately future – on the line, it’s not black and white.
Attackers purposefully make the ransom relatively inexpensive compared to the costs of restoration, downtime or the possibility of going out of business and it’s very tempting to throw something their way to get back in business. So the takeaway is this: Don’t put yourself in the position to be ransomed in the first place. Have multiple layers of security in place as well as good, tested data backup. And even if your data are safe and recoverable, some downtime during the restoration and cleanup process is to be expected.
That’s why you should have a business continuity plan in place so the company is still functional.
It all sounds daunting and sometimes like overkill until the day you need to be fully protected.
As a final note, ransomware attackers are getting wise to the advice I’ve just mentioned and the latest ransomware attacks include the caveat that if you don’t pay the ransom, they’ll release whatever data you have. If your data is encrypted at rest, as it should be, it completely eliminates this possibility as well. Attackers can’t release what they cannot access.
So do yourself a favor and get some kind of data encryption. It’s not just for medical companies anymore.
Editor’s Note: Robert Merva is the owner and CEO of Avrem Technologies, a Canfield-based business IT and cybersecurity consulting firm he started in 2007. Avrem monitors and manages the networks, servers, computers and software that businesses rely on every day. By combining a unique approach with years of experience and proven solutions, clients have more uptime, are more efficient and have better security, all with fewer headaches.
Copyright 2020 The Business Journal, Youngstown, Ohio.