When many people think of cybersecurity attacks, they imagine viruses or trojans designed to cripple information systems or steal the sensitive information they contain. These attacks still happen, but another approach that is rapidly gaining popularity is to infect a company, an organization, or even an individual computer with a ransomware trojan. Numerous ransomware families have appeared in the news, such as CryptoLocker, CryptoWall, WannaCry, and others. Regardless of the family, the objective of the ransomware is the same: encrypt or otherwise disable access to critical files on a computer system or network, then demand payment from the affected party. In most cases, if the affected party does not pay by the set deadline, all data will be permanently deleted.
One recent, notable incident is the May 8, 2019 shutdown of all Baltimore City servers except those supporting EMS, police, fire, and 311. The outage was caused by ransomware known as RobinHood, and the attackers are demanding a $75,000 ransom to release the affected files. As of this writing, the attack is still ongoing; the city has not found a suitable way to resolve the issue and refuses to pay the ransom.
This type of attack can bring an entire city government to a halt, and it can be extremely disruptive to any organization regardless of size. Clearview’s Technology and Cybersecurity team has been monitoring an uptick in the number of ransomware events and is prepared to offer a comprehensive package of services and support to assist companies with preparing for or defending against an ongoing ransomware threat. Below are five Clearview-recommended strategies that your organization can use to help prevent a ransomware event:
1) Patch Management
Effective patch management is one of the most important mitigations for the risk of ransomware within your organization. For instance, the WannaCry ransomware that affected numerous Windows systems in May 2017 spread like wildfire because it took advantage of a vulnerability in the Windows SMB protocol. This vulnerability had already been addressed in a critical security update released by Microsoft two months prior. Most personal computers are configured for automatic patching, but corporate IT environments typically rely on testing patches in an isolated environment before pushing them to users. This delay in patching can be decisive when the next wave of ransomware takes corporate IT by storm, and effective patch management will remain vital in preventing these attacks.
2) Anti-Virus and Firewalls
Confirm that anti-virus and firewall software is properly installed, and ensure that it is routinely patched and updated with the latest virus definitions. While not entirely foolproof, doing so removes an attack vector used by criminals and can assist in preventing infection and removing preexisting malware.
3) Inbound Email Content Screening
Inbound screening is crucial in preventing two common methods that attackers use to impersonate members of your organization: Email Address Spoofing, the act of forging the way your email address and display name appear, and Display Name Spoofing, the act of forging someone’s display name but not their email address. These attacks can be prevented with methods such as adding SPF, DKIM, or DMARC DNS records to your domain name, which assist in filtering spoofed emails, and by following industry best practices for information system security awareness training.
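As an added illustration (not Clearview’s code), the following Python check parses the SPF and DMARC TXT records a domain publishes and reports the settings that would still let spoofed mail through; the two domains and their records are constructed samples, and DKIM is left out because checking it requires knowing the sending selector.

```python
import re

# Constructed sample TXT records for two hypothetical domains (no real DNS lookups are made).
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ?all"],
    # weak.example publishes no _dmarc record at all
    "hardened.example": ["v=spf1 include:_spf.mailhost.example -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s"
    ],
}

def parse_tags(record):
    """Split a DMARC-style 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def spf_all_qualifier(spf):
    """Return the qualifier on SPF's 'all' mechanism ('-', '~', '?', '+'), or None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    return (m.group(1) or "+") if m else None

def assess_domain(domain, txt=SAMPLE_TXT):
    """Return findings that explain why spoofed mail from 'domain' might still be accepted."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record published")
    else:
        q = spf_all_qualifier(spf[0])
        if q in (None, "+", "?"):
            findings.append(f"SPF 'all' qualifier is {q!r}: unlisted senders are not failed")
        elif q == "~":
            findings.append("SPF softfail (~all): receivers may tag rather than reject")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: receivers get no policy for failed SPF/DKIM")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none: monitor only, spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports are not collected")
    return findings
```

Running `assess_domain("weak.example")` lists the permissive `?all` qualifier and the missing DMARC policy, while `hardened.example` returns no findings.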
4) Security Awareness Training
One of the most common threats to organizations comes from within, in the form of non-malicious yet uninformed employees. Employees who have not received information security awareness training are more susceptible to common social engineering techniques and to accidentally opening email attachments infected with ransomware. It is therefore crucial to provide security awareness training that covers multiple attack vectors, including extortion of data, phishing for sensitive information, and being directly targeted with malware.
5) Active Network Monitoring Solutions
This approach deploys a software suite that monitors your computer systems and networks and generates alerts when suspicious activity is detected. For example, the RYUK ransomware encrypts files and renames them with a .RYK extension (for example, “YourFile.txt.RYK”), which an active monitoring solution configured to alert on a large number of renames to that extension would detect. In that case, the attack could be caught as soon as encryption began, preventing a total loss of data.
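The rename-burst detection described above, as an added example rather than any monitoring product’s logic: a sliding window counts renames per host to a watched extension (here .RYK, but the set can hold any extension) and raises one alert per host once a threshold is crossed. The event lines are constructed samples in a made-up format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-activity events: "<ISO timestamp> <host> RENAME <old> -> <new>".
# These are made-up sample lines, not the output of any particular monitoring product.
SAMPLE_EVENTS = """\
2019-05-20T09:00:01 fs01 RENAME Q2_budget.xlsx -> Q2_budget.xlsx.RYK
2019-05-20T09:00:01 fs01 RENAME notes.txt -> notes.txt.RYK
2019-05-20T09:00:02 fs01 RENAME contract.docx -> contract.docx.RYK
2019-05-20T09:00:02 fs01 RENAME photo.jpg -> photo.jpg.RYK
2019-05-20T09:00:03 fs01 RENAME report.pdf -> report.pdf.RYK
2019-05-20T09:00:03 fs01 RENAME invoice.pdf -> invoice.pdf.RYK
2019-05-20T09:05:00 ws07 RENAME draft_v1.docx -> draft_v2.docx
2019-05-20T09:06:00 ws07 RENAME old.txt -> old.txt.RYK
"""

# Extensions that indicate encryption by a known ransomware family (lower-case).
RANSOM_EXTENSIONS = {".ryk"}

def parse_event(line):
    """Split one event line into (timestamp, host, action, old_name, new_name)."""
    ts, host, action, rest = line.split(" ", 3)
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, action, old, new

def detect_mass_rename(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when one host renames >= threshold files to a watched extension
    within the sliding time window. Returns a list of (host, timestamp, count)."""
    recent = defaultdict(deque)   # host -> timestamps of recent suspicious renames
    alerts, alerted = [], set()
    for line in events.strip().splitlines():
        ts, host, action, old, new = parse_event(line)
        if action != "RENAME":
            continue
        ext = ("." + new.rsplit(".", 1)[-1].lower()) if "." in new else ""
        if ext not in RANSOM_EXTENSIONS:
            continue                      # ordinary rename (e.g. draft_v1 -> draft_v2)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerts.append((host, ts, len(q)))
            alerted.add(host)             # one alert per host, not one per file
    return alerts
```

On the sample data only fs01 trips the threshold; ws07's single .RYK rename and its ordinary version bump stay below it.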
If your company or organization is unsure of its posture toward defending against ransomware attacks, or needs assistance improving it, engage Clearview Group to perform a Cyber Security Risk Assessment. Contact Albie Swartz at firstname.lastname@example.org for more information about ransomware, cyber security, and how your organization can best protect itself.