What you need to know about ransomware
Ransomware attacks are on the rise. Are you prepared?
Jason David | May 27, 2016
I recently bought a secure lockbox to store my personal documents, like my passport, car deed, and government records. I wanted to make sure that these vital docs were safe from thieves and fires. I used to be more reckless, storing them in a shoebox in my closet, but my experiences in security consulting have taught me to plan for the worst.
Recent stories in the news about ransomware attacks got me thinking about planning for the worst. Ransomware is a type of malware that encrypts computer files to make the victim’s data unusable, and then demands payment for the decryption key.
Recently, Hollywood Presbyterian Hospital (HPH) was infected by ransomware, and some patients even had to be transferred to nearby hospitals. The hospital was offline for more than a week, and employees lost access to email, electronic health records, and other medical services. Lab results had to be faxed and electronic patient data was unavailable for care providers.
The hospital ended up paying the ransom to restore their systems. In a released statement, HPH President & CEO Allen Stefanek said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” Hollywood Presbyterian Hospital paid a ransom of 40 Bitcoins, which is worth approximately $17,000.
The infection method for the HPH attack hasn’t been disclosed, but the leading theory is that it was a phishing attack. The most probable scenario is that a hospital employee unknowingly opened an infected attachment designed to look like a regular document such as an invoice or spreadsheet.
Another possible scenario is that an employee navigated to a drive-by website, unknowingly starting a download to his computer. Even legitimate websites have been compromised with infected code in recent weeks, including many WordPress sites.
Digital extortion on the rise
Ransomware attacks are becoming more prevalent. Between April 2014 and June 2015, the FBI received nearly 1,000 complaints about a single type of ransomware virus. In the past year, companies across industries have experienced ransomware attacks similar to the one that infected Hollywood Presbyterian Hospital.
Not even police departments are safe. Several police departments have been forced to pay ransoms even with help from cybersecurity firms and the FBI, who could not get around the encryption. Departments have made payments ranging from $500–$750 to recover their data.
The 5 stages of a ransomware attack
- Installation: After infection, ransomware installs itself onto a user’s computer the next time the computer is booted up.
- Contacting headquarters: Your computer (the client) contacts a server operated by the criminal to initiate the data theft.
- Handshake and keys: The client and server identify each other with a “handshake” and two cryptographic keys are created. One key goes to your computer and the other is securely stored on the criminal’s server.
- Encryption: Your computer then starts encrypting every file it finds from a list of common file extensions (.doc, .ppt, .jpg).
- Extortion: The victim receives a prompt asking for a ransom that must be paid within a time limit, using untraceable payments (e.g., Bitcoin).
How to be prepared
Ransomware attacks can be mitigated with effective security practices. Strong security requires multiple layers of defense—otherwise known as “defense-in-depth.” Essentially, it means you should always have several ways to stop malware attacks. Here are some suggestions:
- Data backups with versioning lets you recover encrypted data without paying a ransom. Instead, you can roll back data to a previous stable version.
- Access control follows the principle of least privilege, preventing attacks from spreading across an entire organization. Encryption attacks will be limited to only the files a user has access to.
- Timely patching will ensure that your organization is protected from discovered vulnerabilities. Organizations are often left vulnerable to ransomware attacks because their systems have not deployed patches.
- Security awareness training is critical, because employees are your greatest security risk. Spread awareness of malware attacks and train your employees to check for suspicious links and attachments.
- Incident response enables organizations to quickly detect, triage, respond, and recover from ransomware and other emerging cybersecurity incidents before they cause major damage and wreak havoc to business operations.
Does your organization have a spare key?
I was given two keys to my new lockbox. I hid one key in my apartment for easy access. I stored my second key in a storage locker, because I know that having and securing a spare key is critical to protecting my irreplaceable documents. Does your organization have a spare key?
Ransomware attacks are a lucrative business for criminals, and a daunting threat for organizations. Thankfully, there are ways to protect your organization from being impacted.
There are many standards and frameworks that can help gauge an organization’s cybersecurity, such as NIST CSF, ISO 27032, IEC 62443, etc. At Slalom, we believe that there’s no one-size-fits-all approach to cybersecurity. We can leverage an existing framework or customize a risk-based framework that best suits your unique environment and requirements to protect your cyber assets.
We use these frameworks to objectively measure your organization’s maturity across the security lifecycle, including.
- Identify: Do you know what’s in your environment and who’s responsible for it?
- Detect: Can you detect errors, attacks and other cyber incidents within your environment?
- Protect: Are you adopting industry-leading practices for encryption and other data protection measures?
- Respond: Can you effectively respond to cybersecurity incidents when they occur to minimize impact to the business and reduce secondary threats?
- Recover: What measures do you have in place to fully recover any operational or reputational damage?
With an understanding of your organization’s current security capabilities, we can help you create an action plan to quickly address the highest areas of risk to your organization.
Special thanks to Steve Luu for his contributions to this post.
Jason David is no longer with Slalom.