How Ransomware Works
Ransomware such as CryptoLocker typically gets onto your PC either through a phishing email or a web site hosting malware. Ransomware will either encrypt files, make the computer unusable or make threats, all to extort money to fix the problem. CryptoLocker encrypts documents on the computer, shared network drives and connected devices, and then demands a payment in bitcoins to decrypt the files. For a typical organisation with staff having access to multiple documents on shared drives, a CryptoLocker incident can mean serious damage and lost resource, even if the organisation has backups, pays the ransom or manages to find another way to clean up the problem.
To reduce the risk of getting affected by ransomware and to limit the damage if affected, there are layers of security that you can make sure you have in place. Having overlapping security controls means that if one layer is penetrated, the other layers may prevent a breach.
Make sure you have regular backups that are tested and are kept offline. Regularly test backups to see if they can be restored. If the backups are to another hard disk or to the cloud and are accessible on the network, then even if they are offsite they may still be accessed and encrypted by ransomware.
Effective and Up-to-Date Antivirus
Many organisations have antivirus software installed on all PCs; however, at Dionach we often find PCs with antivirus definitions that are quite out of date or that have important features such as on-access scanning disabled. Ensure that antivirus is managed centrally, with someone regularly checking that all PCs have up-to-date signatures and that staff are not disabling antivirus features. Consider using an external mail filtering company for spam filtering and malware filtering. Many of these companies also offer web filtering. This can check and prevent common malware when staff are browsing the Internet. Although antivirus is an important security control, it is far from infallible, as new variants of malware will not always be picked up quickly.
Software Security Updates
Some ransomware will exploit vulnerabilities in unpatched software to get onto a computer. Commonly targeted software includes browsers such as Internet Explorer and applications such as Adobe Reader. Although many desktops will be configured to auto-update through Microsoft Update, typically we see a proportion of PCs that have not been updated for some time, and have non-Microsoft software that is not kept up-to-date. Ensure that software updates are managed centrally and regularly checked. Windows Software Update Services (WSUS) is very useful for central management, but does not cover non-Microsoft software. There are other products that centrally manage security updates to all software.
Limit Staff Access
CryptoLocker will try to encrypt documents on the PC and any network drives to which the victim has access. Therefore the damage can be limited if the victim user only has access to documents specifically required for their job role. In your organisation, review the use of local and domain administrator accounts and access to shared network drives. Although some users may need read access to some documents, they may not need write access to many of these. Set up a regular review of user access rights, as privilege creep is a common problem.
An email phishing test will determine how susceptible your organisation is to general phishing and spear phishing attacks, and how effective some of the technical and staff security controls are. Internal penetration testing on your internal network and systems can reveal network access control problems, configuration weaknesses and missing security updates.
Technical security controls are ineffective if a member of staff manages to open a malicious attachment or downloads and runs a Trojan, all the while ignoring security warnings. Some staff may think that information security is an IT problem, so isn’t their responsibility. Ensure that staff are made aware of how ransomware and other malware can get onto their PC and what damage it can do, and how vital they as individuals are in trying to prevent this from happening. Having email phishing tests can help with this, as this demonstrates that it can really happen to them. A regular awareness exercise with examples of how recent malware works can be very effective.
Incident Response Plans
Finally, ensure that you have effective incident response plans in place, so that if and when you are affected by ransomware or have another type of breach you have proper procedures in place. This should at a minimum ensure that your organisation returns to normal operations as soon as possible.
Many of these layers of security can be found as security controls within ISO 27001, the international standard for information security. Using a framework such as ISO 27001 for managing information security means that not only will you cover these layers, but also you will have the means to identify and deal with threats other than ransomware, through a formal risk assessment process.