If you are like most people and are not immersed in cybersecurity issues on a daily basis, there is a good chance that you have only recently been introduced to ransomware through news reports and associated cyber alerts. That is probably the best way to be introduced to ransomware, which has been an emerging threat for several years now. The alternative is to have your or your company’s data encrypted and rendered inaccessible unless you pay a ransom. The number of ransomware incidents reported to the Department of Justice quadrupled from 2015 to 2016 and by all accounts this trend continues. It has only recently captured the public’s attention with some high-profile attacks on hospitals and the WannaCry “ransomworm” that reportedly affected more than 200,000 organizations.
A “worm” is a type of self-propagating software that can replicate itself from computer to computer without user intervention. Ransomware is software designed to render valuable data inaccessible unless and until the victim pays a ransom. It typically appears after a user has taken an action that unwittingly installs it on their system. A ransomworm, like WannaCry, combines these two concepts, removing the need for a user to interact with the ransomware before it infects their system. This greatly increases the threat to all organizations by allowing widespread and rapid dissemination.
To understand why the advent of a ransomworm is so disturbing, it is worth a bit of background on ransomware, which is troublesome enough. With ransomware, the data is typically rendered inaccessible through encryption. The ransomware is designed so that if the ransom is paid, the victim receives a decryption key that can be entered into the program to decrypt the data and make it available again. The target systems can be individuals’ computers or network servers. The data being encrypted might be valuable in and of itself to the victim or—as is increasingly the case—it is data the organization needs in order to provide services and do business.
Being informed about ransomware is the first step in building defenses against it. Ransomware often infects systems because a victim clicks on a link that runs an executable file or script. When these links come embedded in communications such as email, they are referred to as “phishing” attacks. Other avenues are links on untrustworthy websites or scripts embedded in certain kinds of documents. In each of these cases, an action from the victim initiates the process. It can be a seemingly innocuous act like opening a document or one errant click, but either way that action launches the ransomware. To date, this has been the most common path, or “attack vector,” for ransomware to make its way into an organization’s systems. There are several technical and administrative safeguards that can help reduce the risk and damage of ransomware of this type:
- Regular updates: Ransomware often relies on exploiting known vulnerabilities in operating systems or commonly used programs. Applying patches regularly reduces exposure considerably.
- Regular backups: A robust backup system that is regularly tested can almost eliminate the detrimental effect of ransomware. If an infected computer or server can be isolated and the data restored quickly, business operations can resume normally.
- Incident response planning: Ransomware forces an individual or organization into a high-pressure situation where time is of the essence. A well thought out response plan that has considered and planned for ransomware is essential.
- Training: As noted above, ransomware typically requires users to click a link or open a file from an untrustworthy source. Users must be educated to understand the potential consequences and incentivized to be vigilant.
These measures are not insurmountable, and yet many organizations still are not taking this threat seriously. If run-of-the-mill ransomware has not gotten your attention, the ransomworm WannaCry should. This program was similar to the ransomware described above, except that it propagated without requiring user involvement by exploiting recently disclosed bugs in operating system software. This ransomworm affected some 200,000 systems and, although it did relatively little damage, consider that it may have been a first test run and merely a bellwether of things to come. The ransomworm should be a very big concern. It could be used not just for extortion but also for cyber terrorism. Preparing for a ransomworm is no different from preparing for ordinary ransomware, except that it places a higher premium on updates, backups and incident response. Training remains important, but the emphasis shifts to detecting abnormal events and isolating affected systems.
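As an added illustration (not part of the original article) of what detecting abnormal events can mean in practice, the script below scans constructed file-server audit lines and flags any host that renames many files to one new extension within a short window, the footprint left behind when data is being encrypted in bulk. The log format, host names, extension and thresholds are assumptions made for the example.

```python
"""Flag hosts whose rename pattern looks like bulk encryption (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample file-server audit lines, one rename per line:
#   <ISO timestamp> <host> RENAME <old_path> <new_path>
# ws-07 renames many files to a single new extension within seconds (the
# footprint ransomware leaves); ws-12 performs ordinary, isolated renames.
SAMPLE_LOG = """\
2017-05-12T10:00:01 ws-07 RENAME /share/fin/q1.xlsx /share/fin/q1.xlsx.locked
2017-05-12T10:00:01 ws-07 RENAME /share/fin/q2.xlsx /share/fin/q2.xlsx.locked
2017-05-12T10:00:02 ws-07 RENAME /share/fin/budget.docx /share/fin/budget.docx.locked
2017-05-12T10:00:02 ws-07 RENAME /share/hr/roster.csv /share/hr/roster.csv.locked
2017-05-12T10:00:03 ws-07 RENAME /share/hr/policy.pdf /share/hr/policy.pdf.locked
2017-05-12T10:00:05 ws-12 RENAME /share/eng/draft.txt /share/eng/draft_v2.txt
2017-05-12T10:03:00 ws-12 RENAME /share/eng/notes.md /share/eng/notes.txt
"""

WINDOW = timedelta(seconds=60)  # sliding window per (host, new extension)
THRESHOLD = 5                   # renames to one new extension that trigger an alert


def parse_line(line):
    ts, host, _action, old, new = line.split()
    return datetime.fromisoformat(ts), host, old, new


def find_suspect_hosts(log, window=WINDOW, threshold=THRESHOLD):
    """Return {host: new_extension} for every host that renamed at least
    `threshold` files to the same new extension inside `window`."""
    recent = defaultdict(deque)  # (host, new_ext) -> timestamps still in window
    flagged = {}
    for line in log.strip().splitlines():
        ts, host, old, new = parse_line(line)
        new_ext = os.path.splitext(new)[1]
        if not new_ext or new_ext == os.path.splitext(old)[1]:
            continue  # extension unchanged: a normal edit, not an encryption artifact
        timestamps = recent[(host, new_ext)]
        timestamps.append(ts)
        while ts - timestamps[0] > window:
            timestamps.popleft()  # drop events that fell out of the window
        if len(timestamps) >= threshold:
            flagged[host] = new_ext  # candidate for network isolation and restore
    return flagged


if __name__ == "__main__":
    print(find_suspect_hosts(SAMPLE_LOG))  # {'ws-07': '.locked'}
```

A flagged host is the one to isolate from the network while its data is restored from the tested backups the list above calls for.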
As with all cyber concerns, vigilance and planning are imperative in preparing for ransomware events, whether unique to your organization or on a massive scale. In each case those that take the threat seriously and prepare will come out ahead. If you have made it this far, the next step is to ask your organization what they are doing to prepare.