“Your files have been encrypted with the strongest military algorithms … without our special decoder it is impossible to restore the data.”

This is an excerpt from the ransom note aluminum manufacturer Norsk Hydro received in 2019 after ransomware had infected its IT systems, costing an estimated $45 million to resolve.

While ransomware has been around for over a decade, the number of variants, the advanced capabilities and the sheer volume of attacks over the past few years have firmly established ransomware as a common part of the business vernacular.

As criminals have evolved the capabilities of their ransomware, they have also sought a greater return on their investment, changing targeting patterns away from consumers and toward corporate and government entities, which is why threat intelligence is crucial.

The news media have been awash with stories of organizations suffering ransomware attacks throughout 2019, including nearly 1,000 U.S. government agencies, educational establishments and healthcare providers. Global manufacturing companies have been forced to put production systems under manual control or shut them down completely.

Based on publicly available information, ransom attacks have doubled since 2018. Demands have varied greatly, reaching up to $5.3 million ($1 million on average); however, the final costs of an attack are much higher.

The problem

To cyber criminals, the idea is simple — spread malware to as many systems in as many organizations as possible, lock up all their data and wait to get paid.

The defense for ransomware should also be simple — educate users about IT security, maintain the latest patching on all IT systems, maintain endpoint and antivirus systems, and ensure that all data is backed up in a secure location. In reality, employing these defenses is far from simple.

For most organizations, IT security is not a primary focus. Departments are understaffed and underfunded, and corporate networks have grown organically, leaving the asset database behind. Users are so focused on getting their job done that any training can be forgotten in a distracted moment.

Defending against ransomware

The best proactive defenses are based on security best practices:

  • Perform a network discovery exercise and compare the results to your asset database. Be aware of every single device on your network. You cannot protect what you don’t know is there.
  • Train employees to recognize phishing emails and avoid clicking on links that could be used to deliver ransomware or steal credentials that can be used in later attacks. Training should be presented by a professional organization.
  • Rigorously apply security patches to all network assets (operating systems, software and applications).
  • Ensure that endpoint security and antivirus systems are up to date. Should ransomware make it past a distracted employee, these systems may give you the first warning that could help you contain the outbreak.
  • Revisit and enhance access control restrictions, as overly permissive access to files can present unnecessary risk. Multifactor authentication should be used on all border access points.
  • Execute backups at least daily, preferably using the 3-2-1 rule: Create three copies of the data in two different storage formats, with one copy offsite. Test the quality of these backups regularly.

Responding and recovering

If a suspected victim of a ransomware attack is on the network, swift action can limit the damage and prevent the ransomware from spreading.

  • Isolate the suspected device from the network and take a snapshot of the machine, including saving system memory. This can later help identify the ransomware strain and other attack details.
  • Assess the damage and determine the point of entry.
  • Depending on the systems infected and the damage assessment, you may have to revert to your backup process to restore systems to a known good state. Reliable and well-tested backups are critical.

The process becomes much more difficult if your backups are not feasible and systems cannot be restored. Then your incident response team should:

  • Identify the lost data
  • Identify the bare minimum systems required to resume operations and define a recovery plan for restoring them
  • Implement plans to avoid any additional attacks from the same malware

Some organizations are tempted to pay the ransom to get access to their data and systems as soon as possible. This is not a good idea. Paying extortionists is a short-term solution that only encourages them to continue their activities. There is also no guarantee of receiving the decryption keys or that they will even work.

While ransomware attacks continue to increase, you can combat them by adjusting corporate approaches to security and by publicly refusing to pay ransoms as an official policy.

Keep track of the latest ransomware schemes with DXC’s monthly Threat Intelligence Report.