WannaCrypt ransomware attack: what is it, and how do you protect yourself?
Published on May 16, 2017
We have just witnessed one of the largest ransomware attacks in history. Known as “WannaCrypt,” this ransomware targets Windows XP systems and has impacted organizations across the globe. This post gives an overview of what ransomware is and explains the steps organizations can take to protect themselves against WannaCrypt and other forms of malware going forward.
The WannaCrypt variant of ransomware is more advanced than previous versions, enabling the rapid spread of the ransomware globally. It combines the capabilities of ransomware with behavior we typically see in a network worm. When it infects a system, WannaCrypt starts encrypting local files and searches the network for other vulnerable systems it can spread to.
How does ransomware work?
A ransomware attack typically begins when a user clicks on a link or attachment in an email. The user is then directed to a malicious website that makes them download software or a file pretending to be a legitimate document which, when opened, installs the ransomware on the user’s computer.
Once ransomware encrypts the user’s files it demands a payment of money—a ransom—in exchange for restoring the encrypted files. Bitcoin and other crypto-currencies are often used because they give the attackers anonymity and are difficult to trace.
How do you protect yourself from threats like ransomware?
It’s important to take a holistic view when thinking about security. Developing a defense-in-depth approach to protecting users against malware in general will go a long way towards eliminating the threat of ransomware. Strong endpoint protection, network isolation, and building an ability to quarantine outbreaks will allow you to react and contain any ransomware outbreak. Taking a data-centric (rather than device-centric) approach is the best way to get your business data back online and your employees productive again.
Focus on the fundamentals
The basics of data security have not changed over the years. Your focus should start with the fundamentals: patching vulnerable systems, upgrading end-of-life systems, and investing in IT modernization are all critical for building a defensible infrastructure.
This goes hand in hand with employee education on how to avoid clicking on malware in emails. Ransomware is only effective if it can get into your systems and, unfortunately, user actions are still the most likely way that ransomware will get downloaded into your network.
Prevent initial infection
Ransomware announces itself to users and leaves a very obvious signature of activity on an infected system, and anti-virus solutions quickly adapt to detect and eliminate it. The first priority is therefore to apply strong endpoint anti-virus protection on your systems. While not foolproof, anti-virus software will keep the majority of malware from infecting them. An aggressive email filtering system is particularly useful for preventing obvious phishing emails from reaching users in the first place.
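The email filtering mentioned above is where the typical infection chain (a disguised attachment, see the "How does ransomware work?" section) can be cut before a user ever sees it. The screening logic below is an added example and not code from the original post or from any particular mail gateway; the policy lists, the `screen_message` and `classify_filename` names, and the sample message are all assumptions constructed for the demo. It parses a raw message with Python's standard `email` package and quarantines anything carrying an executable attachment or a "document" extension hiding a second executable one.

```python
"""Inbound attachment screening, as an added example (not the post's code).

Assumptions (not from the original post): the extension lists are a
hypothetical policy and the sample message below is constructed for the demo.
"""
import email
from email import policy
from email.message import EmailMessage

# File types that are programs, not documents, and have no business arriving by mail.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "jar", "hta", "com", "pif"}
# File types a user reasonably expects to open; a second, executable extension
# tucked behind one of these ("invoice.pdf.exe") is the classic disguise.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_filename(name):
    """Return the list of reasons a file name is suspicious (empty means clean)."""
    reasons = []
    parts = [p.strip() for p in name.lower().split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all; leave that to content scanning
    ext = parts[-1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append(f"document extension .{parts[-2]} hiding .{ext}")
    # Runs of spaces push the real extension out of view in many mail clients.
    if "   " in name:
        reasons.append("padded filename")
    return reasons


def screen_message(raw):
    """Parse a raw RFC 5322 message; return ("quarantine" | "deliver", findings)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for reason in classify_filename(name):
            findings.append((name, reason))
    return ("quarantine" if findings else "deliver"), findings


def _constructed_message():
    """Build a sample phishing-style message (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached invoice today.")
    msg.add_attachment(b"MZ\x90\x00 stand-in for a program", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 stand-in for a document", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_string()


SAMPLE_MESSAGE = _constructed_message()

if __name__ == "__main__":
    verdict, findings = screen_message(SAMPLE_MESSAGE)
    print(verdict)
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

Name-based screening is deliberately cheap and runs before any anti-virus engine sees the file; it catches the disguise itself rather than a specific malware sample, which is why it keeps working when the payload changes.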
Limit lateral movement on your network
Companies are often structured in ‘flat’ networks that allow any system to connect to any other system. That means that ransomware can spread easily because every system is able to reach every other system. It’s critical for those companies to have network anti-virus scanning capabilities that can detect ransomware as it traverses the network so they can prevent it from spreading broadly. Network isolation or compartmentalization gives companies time to isolate the ransomware and eradicate it from systems without suffering massive data losses.
IT departments, especially those that have a flat network, should also think about appropriate quarantine abilities. Taking affected systems offline quickly can prevent the ransomware from scanning and infecting more systems on the network.
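A worm-style ransomware sweeping a flat network leaves exactly the footprint the two paragraphs above describe: one host reaching many neighbours on the same port in a short time. The detector below is an added example, not code from the original post or from any network product; the log format, the hosts, the port in the sample, the 60-second window and the threshold of ten hosts are all constructed assumptions. It keeps a sliding window per source and port, raises an alert when the number of distinct destinations crosses the threshold, and turns each alert into a host-isolation rule for the quarantine step.

```python
"""Fan-out (lateral movement) detection over connection logs, as an added
example (not the post's code).

Assumptions (not from the original post): log layout, addresses, port and
thresholds below are constructed for the demo; real logs vary by vendor.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Build a small connection log. 10.1.1.20 sweeps twelve neighbours on one
    port in about 20 seconds, the way a worm would; 10.1.1.30 talks repeatedly
    to a single file server and a single web server, which is normal traffic."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(12):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.1.1.20 10.1.1.{100 + i} 445 allow")
    for i in range(6):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} 10.1.1.30 10.1.1.100 445 allow")
        lines.append(f"{ts.isoformat()} 10.1.1.30 10.1.1.200 80 allow")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()  # "timestamp src dst dport action" per line


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_fanout(log_text, window_seconds=60, threshold=10):
    """Return {src: (dport, peak_distinct_destinations)} for every source that
    reached at least `threshold` distinct hosts on one port inside the window.
    A sliding window per (src, port) keeps memory bounded on a long log."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dport) -> [(ts, dst)]
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        events[(e["src"], e["dport"])].append((e["ts"], e["dst"]))

    alerts = {}
    for (src, dport), evs in events.items():
        evs.sort()
        in_window = Counter()  # destination -> connections still inside the window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[left][0] > window:  # expire events that fell out of the window
                old = evs[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            peak = len(in_window)
            if peak >= threshold and peak > alerts.get(src, (None, 0))[1]:
                alerts[src] = (dport, peak)
    return alerts


def quarantine_rules(alerts):
    """Turn alerts into host-isolation rules (hypothetical rule syntax)."""
    return [f"deny from {src} to any  # {n} hosts swept on port {port}"
            for src, (port, n) in sorted(alerts.items())]


if __name__ == "__main__":
    for rule in quarantine_rules(detect_fanout(SAMPLE_LOG)):
        print(rule)
```

The threshold is the tuning knob: set it from a baseline of how many distinct peers a workstation normally contacts per minute, since servers that legitimately fan out (monitoring, backup) need their own allow-list rather than a global exception.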
Take a data-centric view
Ransomware is unique among malware in that it targets user data. Frequently backing up your systems limits your exposure in an attack. Ransomware loses its effectiveness if infected files can be rapidly recovered, undoing any potential damage.
Look to cloud services that provide constant and transparent synchronization of your business files while your employees are using them. Dropbox, for example, offers file-version history for all files stored in any Dropbox account. This feature can be used to easily roll back any files that are encrypted by ransomware to their previous state.
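The data-centric approach in the two paragraphs above rests on one property: every overwrite is kept as a new version, so an encrypted file can be rolled back to the last good copy. The code below is an added example, not Dropbox's code or the post's own; `VersionedStore`, its methods and the edit history are constructed stand-ins for a real sync service's version history. It also shows the one decision a rollback needs that the text does not spell out, namely where the incident starts: the first burst in which many files are rewritten within seconds.

```python
"""Version-history rollback after a ransomware incident, as an added example
(not the post's or Dropbox's code).

Assumptions (not from the original post): VersionedStore is a hypothetical
stand-in for a sync service's version history; the edit history is constructed.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta


class VersionedStore:
    """Keeps every version of every file, so an overwrite never destroys data."""

    def __init__(self):
        self.history = defaultdict(list)  # path -> [(timestamp, content)], oldest first

    def write(self, path, content, ts):
        self.history[path].append((ts, content))

    def read(self, path):
        return self.history[path][-1][1]

    def find_mass_rewrite(self, window_seconds=60, threshold=3):
        """Return the timestamp of the first write in a burst that touched at
        least `threshold` distinct files within `window_seconds`, else None.
        Many files rewritten almost at once is the footprint ransomware leaves."""
        writes = sorted((ts, path) for path, versions in self.history.items()
                        for ts, _ in versions)
        window = timedelta(seconds=window_seconds)
        for i, (start, _) in enumerate(writes):
            touched = {p for ts, p in writes[i:] if ts - start <= window}
            if len(touched) >= threshold:
                return start
        return None

    def rollback_before(self, cutoff, restored_at):
        """Restore every file changed at or after `cutoff` to its last version
        written before it. The restore is recorded as a new version, so the
        damaged versions stay available for investigation."""
        restored = 0
        for path, versions in self.history.items():
            good = [content for ts, content in versions if ts < cutoff]
            if good and versions[-1][0] >= cutoff:
                self.write(path, good[-1], restored_at)
                restored += 1
        return restored


def build_incident():
    """Constructed history: a normal morning of edits, then every file
    overwritten within ten seconds in the afternoon."""
    store = VersionedStore()
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    originals = {
        "finance/q1.xlsx": b"Q1 revenue figures",
        "hr/handbook.docx": b"Employee handbook v3",
        "eng/design.md": b"Architecture notes",
    }
    for i, (path, content) in enumerate(originals.items()):
        store.write(path, content, t0 + timedelta(minutes=30 * i))
    # A legitimate edit later in the morning; it must survive the rollback.
    store.write("eng/design.md", b"Architecture notes, revised", t0 + timedelta(hours=2))
    incident = datetime(2017, 5, 12, 14, 0, 0)
    for i, path in enumerate(originals):
        # Random bytes stand in for unreadable ciphertext left by the ransomware.
        store.write(path, os.urandom(24), incident + timedelta(seconds=5 * i))
    return store


def recover(store, now):
    """Locate the incident and roll back; return the number of files restored."""
    start = store.find_mass_rewrite()
    return 0 if start is None else store.rollback_before(start, now)


if __name__ == "__main__":
    s = build_incident()
    print("incident started at", s.find_mass_rewrite())
    print("files restored:", recover(s, datetime(2017, 5, 12, 15, 0, 0)))
    print(s.read("eng/design.md"))
```

Note that the restore itself writes many files at once, so a production system tags restore writes (or excludes them from the burst heuristic) to avoid flagging its own recovery as a second incident.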
WannaCrypt represents a significant evolution in ransomware. Like many other criminal activities, these efforts are continuing to become more sophisticated and harder to recover from. Organizations need to take the right steps now to protect themselves from this evolving threat.