Ransomware is a growing threat, with a recent Malwarebytes study finding that 40% of businesses worldwide experienced a ransomware attack in just the last year.
Not only does ransomware cripple productivity by encrypting PCs, servers and databases to the point where they’re unusable, but it can also lead to significant business losses. The same study found that more than a third of ransomware victims lost revenue, while 20% were forced to stop business completely after an attack. How can you prevent your business from becoming the next victim?
How Ransomware Works
Knowing how ransomware operates is the first step. Most ransomware attacks gain entry to a target computer system when a user clicks a legitimate-looking link in a phishing email, opens a malware-laced attachment or visits an infected website.
Once the user clicks, the malware is downloaded and goes to work. It encrypts all files and folders on the victim’s local drives, and then it fans out, discovering and encrypting any network drives, public folders or other files and data to which the infected user has access.
The attacker then displays a message informing the user that all critical data is encrypted and that the decryption key will be sent only after a ransom is paid, usually in bitcoin. While many enterprises are tempted to pay the ransom to get back to business, experts advise against it.
Often, attackers receive the ransom but fail to provide the decryption key, leaving an organization both without its data and out the ransom money.
Common Ransomware Variants
When planning a ransomware defense strategy, it helps to know what to look for. Common ransomware variants attack by:
- Deleting random files: Once all files are encrypted, the Jigsaw attack deletes them one by one until ransom is paid. It usually also deletes an extra 1,000 files every time the infected computer is restarted.
- Encrypting critical components: The Petya attack specifically targets the Master File Table (which contains all the information about how files and folders are allocated), while both the RansomWeb and Kimcilware attacks encrypt website databases and hosted files to render sites unusable. Similarly, attacks like DMA Locker, Locky, Cerber and CryptoFortress find all open network Server Message Block (SMB) shares and encrypt them.
- Compressing files first: To speed up the encryption process, the Maktub attack compresses all files/folders first, making it even more insidious.
- Going beyond Windows: Newer attacks target cloud files and backups and even non-Windows platforms like Android (SimpleLocker), Linux (Linux.Encoder.1) and OS X (KeRanger).
4-Point Ransomware Defense Strategy
As ransomware attacks become both more common and sophisticated, enterprises must adopt a multi-layered, adaptive defense strategy that includes:
- Employee education: Employees should know what ransomware is and be able to identify potential scams.
- Strong patching and anti-malware: Ensure all OS, software and firmware on all devices are up to date, as are any antivirus or anti-malware solutions.
- Tight access controls: Implement the concept of least privilege, ensuring employees can only access the data they need to do their jobs, and limiting administrator and read/write access where appropriate.
- Smart backups: Test that all backups are working, easily recoverable and segmented off from other computers and networks.
NCA has both the expertise and best-in-class technology you need to prevent, defend against and mitigate any type of ransomware attack.
Network Computing Architects, Inc. is a premier provider of high-quality, sustainable and secure networking, information security solutions and unified communications. We partner with our clients to provide answers to business initiatives where leading technologies converge.
NCA achieved ISO 27001:2005 certification in December 2007 and is currently ISO 27001:2013 certified. The scope of NCA's ISMS is client confidential information within NCA Professional Services Practice.