The Top 5 Resources to Protect your Business Against the threat of Ransomware in 2017

What is Ransomware?

It's malicious software that restricts access to an infected computer while displaying a notification demanding that the user pay a ransom to restore access to their files and folders. Traditionally this has been an individual-user problem, but in 2016 we observed a move towards healthcare- and business-focussed infections.

Ransomware is on the rise. Behind it is an organised criminal operation, developing software that encrypts your data and offers a simple way out: pay up. The more people pay, the more money goes into developing Ransomware that evades today's advancing countermeasures. Businesses need to plan effectively for a Ransomware attack and have an effective, tested plan to restore data and services efficiently.

There are generally 5 phases to a Ransomware attack:

  • Infection – can be delivered in a number of ways, typically by email (asking the user to click a link, open a compromised document or web page, etc.). Even if your AV pattern file is 100% up to date, zero-day malware can sail through your perimeter defences and simply wait for a user to click on a link or open an email attachment.
  • Execution – once delivered, it needs to execute on the local machine and do as much as it can to remain active and running, using custom encryption methods.
  • Backup Removal – typically post-encryption, Ransomware will target any local backups and remove them, restricting your options for easy restoration as much as possible.
  • File Encryption – here the malware seeks out non-Windows-system files (My Documents, Pictures and other locations) and, once it has communicated with its Command and Control server (to retrieve the encryption keys and payment information), starts to silently encrypt user files on the local machine. This process can also extend to any file shares.
  • Notification – a pop-up appears, with payment links, for the user to pay to receive the decryption keys and regain access to files and folders. Typically this comes with a timer, putting pressure on the individual or business to pay within a specified period or risk losing the data completely.

On today's dark web you can purchase Ransomware as a Service; this is organised and generates huge income for the organisations behind it.

Issues for today's Business

Traditional antivirus vendors cannot be relied upon to successfully detect and prevent a Ransomware infection. They may detect known variants, but a simple change to the code makes the payload effectively zero-day, which the AV techniques of the majority of vendors will not successfully detect or prevent. This leaves your business vulnerable and at risk.

Once Ransomware starts to encrypt, it is silent until it completes its task. This means an infection can encrypt every share that user has access to, potentially including cloud storage locations.

The standard pattern is that once a client has been encrypted, a pop-up appears telling you that you have a choice: pay up or restore from backup. The issue with paying up, aside from funding criminal activity and the next generation of Ransomware, is that you still have to find the original infection method, or you may be infected once again.

High Level Considerations

Identify the critical data in your business, as well as the locations of other data. Implement a backup plan that will help you restore and recover as quickly as possible. For example, a critical CRM system could be backed up as close to every minute as you can manage, so that when it comes to recovery you have lost as little data as possible.

Implement an Incident Response Team. This can consist of various internal resources (a Board Member for oversight, IT Security / Management) as well as trusted go-to partners or third parties that can be called upon in a crisis.

Build a list of critical storage locations and where file shares exist. Ensure there are no open file shares, and restrict shares as far as possible to reduce the impact of a Ransomware infection.

Make Ransomware incidents part of your Business Continuity plan.

Try to ensure that if an infection does take place, your business doesn't rely on recovery alone but has tolerance and resilience built in.

The Ransomware Threat

Your business users are just one step away from clicking on an email or web link that has arrived in front of them, whether from an email that has got through your perimeter defences, a compromised website, or a USB-connected device.

Your business needs to adopt the assumption that this will happen, or that a Ransomware file is already hiding on a system somewhere, waiting to be triggered. Authors of Ransomware constantly adapt their techniques and code to bypass a business's security measures, and it is only a matter of time before they succeed and your data is held to ransom.

In today's environment, authors are there to take a small amount of money and run. We expect that in the near future the focus will shift from personal attacks to business-focussed ones, and this may interact with the introduction of the GDPR guidelines and fines. You may find your business being held hostage: files are held to ransom, and if you don't pay up, they threaten to broadcast that you have been hacked. With GDPR fines running into a percentage of your turnover, it could wipe out your GP for the year.

In the majority of cases, Ransomware hits the local laptop or desktop and encrypts local files and folders but leaves the Windows system environment accessible. Businesses need to consider the effect on file shares and also on replication processes. If you operate a DFS environment and a data share gets encrypted, it is only a matter of time before the encrypted state is replicated. At the time of writing there are no recorded events of Ransomware affecting a SharePoint implementation through a web portal or interface (a mapped storage repository could be affected), but this may only be a matter of time.

Additionally, Ransomware is currently considered a single infection; in the near-term future we may see self-propagating Ransomware across your desktop or server estate.


5 Steps to Protect Yourself Against Ransomware

Below we list a number of steps, processes and procedures that we consider critical to ensure you are as protected as you can be against infection.

  1. Review your traditional AV vendor against today's Next Generation providers. Some providers use a behavioural method to detect malicious applications and services, others use algorithms that are quite effective, and others determine what the malware is doing in a sandbox. All look at the outcome and decide what to do next. Protect your endpoints.
  2. Review where your critical data is stored. Look at file shares and ensure you have a good RPO so you can get your business back up and running quickly and efficiently. Is anything stored on the local PC? If so, do you need a local endpoint backup? Review your IT users: DBAs, for example, sometimes have file shares mapped for convenience in their day-to-day operations. This can be unavoidable, but it is inherently vulnerable. Where possible, review all file shares and operate on a least-privilege basis: if a user has full access but only needs read, remove the higher privilege.
  3. Notifications and alerts: would your systems and services notify IT administrators if they noticed a mass change in files?
  4. Patching: where you can, patch aggressively. Ransomware is delivered, more often than not, through a vulnerability in an application or operating system.
  5. User education: your business users are the most likely cause of an infection. Zero-day attacks may get through your perimeter defences, but the payload is then just waiting, for example in an email, for one user to click and open it. Educate users to recognise the threat in emails: is this an email they are expecting? Is it asking them to download something, or to enable active content in a Word document?
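Step 3 above asks whether your systems would notice a mass change in files. The following is an added example, not code from the original article, of what such a check can look like when run over a file-share audit log. It assumes a simplified log format of one event per line ("<ISO-8601 timestamp> <user> <op> <path>", with op being CREATE, MODIFY, RENAME or DELETE and, for RENAME, path being the new name); the window, threshold and expected-extension list are assumed starting points to be tuned per environment, and the sample log is constructed for the demonstration.

```python
"""Mass-file-change detector for a file-share audit log.

Added example; not code from the article. It assumes a simplified audit
log with one event per line, "<ISO-8601 timestamp> <user> <op> <path>",
where op is CREATE, MODIFY, RENAME or DELETE and, for RENAME, path is the
new name. Window, threshold and the expected-extension list are assumed
starting points to be tuned per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window per user (assumed)
THRESHOLD = 25                   # write events per user per window (assumed)
# Extensions business users normally write to; a rename onto anything else
# is flagged. Assumed list, extend for your environment.
EXPECTED_EXT = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png"}


def parse_events(text):
    """Parse the audit log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, op, path = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "op": op.upper(), "path": path})
    return events


def extension(path):
    """Return the lower-cased final extension of a UNC or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (kind, user, timestamp, detail) tuples.

    MASS_CHANGE fires once per user when their MODIFY/RENAME/DELETE count
    within the window reaches the threshold; UNEXPECTED_EXTENSION fires for
    every rename onto an extension outside EXPECTED_EXT.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent write events
    reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in ("MODIFY", "RENAME", "DELETE"):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in reported:
            reported.add(ev["user"])
            alerts.append(("MASS_CHANGE", ev["user"], ev["ts"], len(q)))
        if ev["op"] == "RENAME" and extension(ev["path"]) not in EXPECTED_EXT:
            alerts.append(("UNEXPECTED_EXTENSION", ev["user"], ev["ts"], ev["path"]))
    return alerts


def build_sample_log():
    """Constructed sample log: alice edits a few files over the morning,
    while a process running as bob rewrites 30 HR files in 30 seconds and
    renames each one onto a .locked extension."""
    lines = [
        "2017-03-01T09:00:05 alice MODIFY \\\\fs01\\finance\\q1_budget.xlsx",
        "2017-03-01T09:02:10 alice CREATE \\\\fs01\\finance\\notes.txt",
        "2017-03-01T09:30:00 alice MODIFY \\\\fs01\\finance\\notes.txt",
    ]
    start = datetime(2017, 3, 1, 10, 15, 0)
    for i in range(30):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} bob MODIFY \\\\fs01\\hr\\contract_{i}.docx")
        lines.append(f"{ts} bob RENAME \\\\fs01\\hr\\contract_{i}.docx.locked")
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, user, ts, detail in detect(parse_events(build_sample_log())):
        print(f"{ts.isoformat()} {kind:22} {user} {detail}")
```

Run as a script it prints one MASS_CHANGE alert for bob (raised at the 25th write within the window, before the burst has finished) plus one UNEXPECTED_EXTENSION alert per rename, and nothing for alice. In practice the event source would be Windows file-system auditing or the file server's own audit log, and the alert handler would page an administrator or disable the offending account's share access rather than print; the rate-based rule is what lets you react while the encryption is still in progress, which is the window step 3 is asking about.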

Many businesses today don't have the budget for the Next Generation AV solutions being touted as the solution to Ransomware. If you do get infected and you don't have the budget for the high-end Next Generation AV solutions, the following high-level steps should be observed:

  • Contain – isolate the machine.
  • Incident – make sure you have fully identified the scope of the incident: is it on one machine? How was it infected? Are there other systems at risk?
  • Infected machines – ideally, replace or completely rebuild any affected machine, but make sure you have identified the source of the infection to prevent it happening again: was it an email? An infected web page?
  • Restore – restore from a clean backup.
  • Call an expert – ensure you know the infection method and the vulnerability, and what the active next steps should be.

Summary

Ransomware is just beginning to shift from individuals to businesses. In 2016 the focus seemed to be on the Health Sector, and it is only a matter of time before targeted attacks hit businesses and organisations. It is moving from quick cash wins (extremely profitable in their own right) to focussing on businesses with more resources available to them.

If you are seeking budget approval for a next generation service, the justification can be simple: estimate the cost to the business of services being offline during the recovery period, and balance that against the cost of the NextGen vendor service.


Just makes you realise that we need to systemise best practices to the whole business to ensure its smooth running. Do you recommend backups daily, hourly or live?
