“You’re still largely on your own when it comes to fighting ransomware attacks, which hackers use to encrypt your computer or critical files until you pay a ransom to unlock them.
Ransomware is a multi-million-dollar crime operation that strikes everyone from hospitals to police departments to online casinos.
It’s such a profitable scheme that experts say traditional cyberthieves are abandoning their old ways of making money—stealing credit card numbers and bank account credentials—in favor of ransomware.
You could choose to cave and pay, as many victims do. Last year, for example, the FBI says victims who reported attacks to the Bureau enriched cyber extortionists’ coffers by $24 million. But even if you’ve backed up your data in a safe place and choose not to pay the ransom, this doesn’t mean an attack won’t cost you. Victims of the CryptoWall ransomware, for example, have suffered an estimated $325 million in damages since that strain of ransomware was discovered in January 2015, according to the Cyber Threat Alliance (.pdf). The damages include the cost of disinfecting machines and restoring backup data—which can take days or weeks depending on the organization.
But don’t fear—you aren’t totally at the mercy of hackers. If you’re at risk for a ransomware attack, there are simple steps you can take to protect yourself and your business. Here’s what you should do.
First of All, Who Are Ransomware’s Prime Targets?
Any company or organization that depends on daily access to critical data—and can’t afford to lose access to it during the time it would take to respond to an attack—should be most worried about ransomware. That means banks, hospitals, Congress, police departments, and airlines and airports should all be on guard. But any large corporation or government agency is also at risk, including critical infrastructure, to a degree. Ransomware, for example, could affect the Windows systems that power and water plants use to monitor and configure operations, says Robert M. Lee, CEO at critical infrastructure security firm Dragos Security. The slightly relieving news is that ransomware, or at least the variants we know about to date, wouldn’t be able to infect the industrial control systems that actually run critical operations.
“Just because the Windows systems are gone, doesn’t mean the power just goes down,” he told WIRED. “[But] it could lock out operators from viewing or controlling the process.” In some industries that are heavily regulated, such as the nuclear power industry, this is enough to send a plant into automated shutdown, as regulations require when workers lose sight of operations.
Individual users are also at risk of ransomware attacks against home computers, and some of the suggestions below will apply to you as well, if you’re in that category.
1. Back Up, as Big Sean Says
The best defense against ransomware is to outwit attackers by not being vulnerable to their threats in the first place. This means backing up important data daily, so that even if your computers and servers get locked, you won’t be forced to pay to see your data again.
“More than 5,000 customers have called us for help with ransomware attacks in the last 12 months,” says Chris Doggett, senior vice president at Carbonite, which provides cloud backup services for individuals and small businesses. One health care customer lost access to 14 years of files, he says, and a community organization lost access to 170,000 files in an attack, but both had backed up their data to the cloud so they didn’t have to pay a ransom.
Some ransomware attackers search out backup systems to encrypt and lock, too, by first gaining entry to desktop systems and then manually working their way through a network to get to servers. So if you don’t back up to the cloud and instead backup to a local storage device or server, these should be offline and not directly connected to desktop systems where the ransomware or attacker can reach them.
“A lot of people store their documents in network shares,” says Anup Ghosh, CEO of security firm Invincea. “But network shares are as at risk as your desktop system in a ransomware infection. If the backups are done offline, and the backup is not reachable from the machine that is infected, then you’re fine.”
The same is true if you do your own machine backups with an external hard drive. Those drives should only be connected to a machine when doing backups, then disconnected. “If your backup drive is connected to the device at the time the ransomware runs, then it would also get encrypted,” he notes.
Backups won’t necessarily make a ransomware attack painless, however, since it can take a week or more to restore data, during which business operations may be impaired or halted.
“We’ve seen hospitals elect to pay the ransom because lives are on the line and presumably the downtime that was associated, even if they had the ability to recover, was not considered acceptable,” says Doggett.
2. Just Say No—To Suspicious Emails and Links
The primary method of infecting victims with ransomware involves every hacker’s favorite bait—the “spray-‘n’-pray” phishing attack, which involves spamming you with emails that carry a malicious attachment or instruct you to click on a URL where malware surreptitiously crawls into your machine. The recent ransomware attacks targeting Congressional members prompted the House IT staff to temporarily block access to Yahoo email accounts, which apparently were the accounts the attackers were phishing.
But ransomware hackers have also adopted another highly successful method—malvertising—which involves compromising an advertiser’s network by embedding malware in ads that get delivered through web sites you know and trust, such as the malvertising attacks that recently struck the New York Times and BBC. Ad blockers are one way to block malicious ads, patching known browser security holes will also thwart some malvertising.
When it comes to phishing attacks, experts are divided about the effectiveness of user training to educate workers on how to spot such attacks and right-click on email attachments to scan them for malware before opening. But with good training, “you can actually truly get a dramatic decrease in click-happy employees,” says Stu Sjouwerman, CEO of KnowBe4, which does security awareness training for companies. “You send them frequent simulated phishing attacks, and it starts to become a game. You make it part of your culture and if you, once a month, send a simulated attack, that will get people on their toes.” He says with awareness training he’s seen the number of workers clicking on phishing attacks drop from 15.9 percent to just 1.2 percent in some companies.
Doggett agrees that user training has a role to play in stopping ransomware.
“I see far too many people who don’t know the security 101 basics or simply don’t choose to follow them,” says Doggett. “So the IT department or security folks have a very significant role to play [to educate users].”
3. Patch and Block
But users should never be considered the stop-gap for infections, Ghosh says. “Users will open attachments, they will visit sites that are infected, and when that happens, you just need to make sure that your security technology protects you,” he says.
His stance isn’t surprising, since his company sells an end-point security product designed to protect desktop systems from infection. The product, called X, uses deep learning to detect ransomware and other malware, and Ghosh says a recent test of his product blocked 100 percent of attacks from 64 malicious web sites.
But no security product is infallible—otherwise individuals and businesses wouldn’t be getting hit with so much ransomware and other malware these days. That’s why companies should take other standard security measures to protect themselves, such as patching software security holes to prevent malicious software from exploiting them to infect systems.
“In web attacks, they’re exploiting vulnerabilities in your third-party plug-ins—Java and Flash—so obviously keeping those up to date is helpful,” Ghosh says.
Whitelisting software applications running on machines is another way Sjouwerman says you can resist attacks, since the lists won’t let your computer install anything that’s not already approved. Administrators first scan a machine to note the legitimate applications running on it, then configure it to prevent any other executable files from running or installing.
Other methods network administrators can use include limiting systems’ permissions to prevent malware from installing on systems without an administrator’s password. Administrators can also segment access to critical data using redundant servers. Rather than letting thousands of employees access files on a single server, they can break employees into smaller groups, so that if one server gets locked by ransomware, it won’t affect everyone. This tactic also forces attackers to locate and lock down more servers to make their assault effective.
4. Got an Infection? Disconnect
When MedStar Health got hit with ransomware earlier this year, administrators immediately shut down most of the organization’s network operations to prevent the infection from spreading. Sjouwerman, whose firm distributes a 20-page “hostage manual” (.pdf) on how to prevent and respond to ransomware, says that not only should administrators disconnect infected systems from the corporate network, they should also disable Wi-Fi and Bluetooth on machines to prevent the malware from spreading to other machines via those methods.
After that, victims should determine what strain of ransomware infected them. If it’s a known variant, anti-virus companies like Kaspersky Lab may have decryptors/a> to help unlock files or bypass the lock without paying a ransom, depending on the quality of encryption method the attackers used.
But if you haven’t backed up your data and can’t find a method to get around the encryption, your only option to get access to your data is to pay the ransom. Although the FBI recommends not paying, Ghosh says he understands the impulse.
“In traditional hacks, there is no pain for the user, and people move on,” he says. But ransomware can immediately bring business operations to a halt. And in the case of individual victims who can’t access family photos and other personal files when home systems get hit, “the pain involved with that is so off the charts…. As security people, it’s easy to say no [to paying]. Why would you feed the engine that’s going to drive more ransomware attacks? But … it’s kind of hard to tell someone don’t pay the money, because you’re not in their shoes.”