Criminals want to steal your data, or deny you access to it. Either way they want you to pay them in untraceable bitcoin for the decryption key that will unlock the access to the valuable information your business requires to operate daily. How did you get here? Well, maybe one of your end-users clicked on a link or a file attachment while at work, at home or in a coffee shop. They might have clicked on an offer on social media that was too good to be true. The attackers know that through their massive spam, malvertising and phishing campaigns, they are guaranteed a minimum 20% success rate.
As of the most recently reported period, spam messages accounted for 48.16 percent of e-mail traffic worldwide, according to Statista (The Statistics Portal).
This allows cybercriminals to install malware or rootkits, or to execute drive-by attacks on your end-users' devices, giving them easy access to your data so that they can rewrite it in an encrypted format and then delete all your original files. It will be virtually impossible to get your data back without the decryption key mentioned earlier.
Some ransomware variants have been observed moving data to the Dark Web, even after the victim pays the ransom, or worse, hitting the victim again later, or much worse, never giving them access to their precious data ever again. Your users may see file encryption or a screen/system lock that displays a warning notification and instructions on what you need to do and where to send the money or bitcoin.
Ransomware, like WannaCry, can act like a worm so once it gets inside your network, it spreads laterally to other machines without interaction by the attacker or the infected user. In the UK, a WannaCry attack on the National Health Service impacted more than 230,000 individual computers and medical devices that were running Microsoft’s Windows operating system.
SamSam is a much more sophisticated type of ransomware that is not automatically triggered by a user opening a malicious email. SamSam is manually installed during targeted attacks by a small group of individuals who are making up to $300,000 a month in bitcoin payments by demanding as much as $65,000 from each of their victims. Let's be clear that targeted attacks always start with phishing, where the hackers obtain valid credentials from an unsuspecting user who… wait for it… clicks on a malicious link in an email. Hackers use these stolen, valid credentials to access your corporate systems and will typically wait, watch and learn. They will then move laterally in your environment to gain admin access to your infrastructure and implant the SamSam ransomware undetected at night, on the weekend or during your system backup cycle.
Some recent examples of this type of attack include:
- The city of Atlanta lost access to court systems and most of the computers at the Department of Public Works, and years of police dash cam video was deleted. It took them 5 days to get their systems back, but the damage was still felt for months afterward. They spent $2.6 million to avoid paying a $52,000 ransom request.
- The Colorado Department of Transportation was forced to shut down more than 2,000 computers.
- A hospital in Indiana lost access to patient histories and appointment schedules.
- Hancock Health in Indiana was forced to shut down its entire network and pay the ransom to get its data and systems back to normal.
The Ultimate Fix for Ransomware Risk is Behavioral Change
Applying The Human Fix to Human Risk™ should be the first step your organization takes when addressing the ransomware problem. Cybercriminals rely on natural human instincts to convince their victims to take the bait that ultimately leads to a successful ransomware attack. Typically, victims show:
- Trust of those they know – people will be more open with someone they like, who perhaps is physically appealing or seems familiar to them for some reason
- Respect for authority, and not wanting to disappoint authority figures
- Willingness to gain something (such as approval) in return for doing or providing something else
- Responsiveness to urgent demands
- Desire to be helpful
To effectively change behaviors that lead to ransomware infections and build a security culture, you need a comprehensive awareness program that is carefully planned, and which is based on your organization’s specific needs and objectives. This is difficult to achieve unless you apply an ongoing structured approach – The Security Awareness 5-Step Framework:
- Step 1: Analyze your organization’s needs and objectives and develop a cyber security awareness program that generates results.
- Step 2: Plan your campaigns to stay on track and engage your workforce as well as your stakeholders.
- Step 3: Deploy an effective training initiative and witness behavior change as it happens.
- Step 4: Measure the performance of your campaigns against your objectives and demonstrate progress to stakeholders.
- Step 5: Optimize campaigns accordingly and update your program to incorporate new insights.
The threat is continually evolving, and your cyber security awareness program needs to be able to adapt and be optimized by continuously refining your ransomware campaigns:
- Analyze measurements
- Compare results vs objectives
- Conduct a post mortem
- Identify areas of improvement
- Refine objectives
Some additional recommended protections against ransomware
- Regular, secure offline backups – Losing a day's worth of data is better than losing it all!
- Encrypt your data – This will prevent data leakage, at rest, in transit or in use.
- Perform updates regularly
- Malware protection
- Firewalls, routers, switches, ADCs
- Restrict software installation – This can prevent rootkits from being added automatically and remotely
- Implement password policies and data access controls – Makes it harder to access and modify your most critical data
- Multifactor Authentication – Stolen credentials and brute force password attacks become useless
- Implement Privileged Access Management on critical systems – Automate password rotation and control, monitor and record admin access
- Filter data and web browsing
It is critical for you and your security teams to have the right methods, tools and techniques to stop ransomware from infecting your environment. You spend a large percentage of your budget on technology and processes, but have you called out and included the human factors that contribute to ransomware risks? Yes, users are part of the risks associated with ransomware – but they can become part of the solution and your first line of defense.
Do you have a methodology to change their behaviors? Is your message to them “beware” … or, “be aware”?
Attend this on-demand webcast to learn more about how users are part of the risks associated with ransomware—and how they can become part of the solution and your first line of defense:
- Who is targeted by ransomware, and why
- What human actions or inactions open the door to ransomware
- What is the real fix to ransomware risks and how you can best prevent them