Ransomware or other malicious software that destroys or prevents access to files is wreaking havoc on small business, local governments, education, and even larger enterprises. The estimated damages from ransomware attacks are expected to exceed $11.5 billion this year!
According to Osterman Research, on average, small companies lost over $100,000 per ransomware incident due to downtime. For one in six organizations, these attacks caused 25 hours or more of downtime. The City of Atlanta was a widely published case with remediation dragging on a full year later, and estimated damages close to $10M. Recently information services firm Wolters Kluwet was hit, and was still offline with many of its hosted applications a full week after the attack.
We had a client ask us to confirm how they are they protecting themselves from ransomware. This breaks down into the following questions:
- How do I keep from getting ransomware?
- What is at risk if I do get ransomware?
- How do I detect I have ransomware?
- Can I recover from ransomware?
Question 1 “How do I keep from getting ransomware”?
How do networks get infected? Open ports to the internet, vulnerable web services, email and drive by attacks, mostly. Do you run external vulnerability scans? That will help you to know what you are exposing, ports, services, vulnerable web apps. Are you enforcing MFA for all remote access (including vendors)? As for browser and email, are you confident in your endpoint protection, is it nextgen? Will it alert at the signs of an encryption process being initiated?
Question 2 “What is at risk if I get ransomware?”
What if you have done all the right things but some really ingenious bad actor has written in machine learning and unhooked the process and hidden it from the nextgen endpoint protection. Now what? Are your user’s local administrators? Do your developers and sysadmins use privileged accounts to do daily tasks? Are privileged accounts left logged on? Have you implemented LAPS (local administrator password system)? Have you done assessments to know that each user has access to the minimum they need to do their jobs? Do you have a matrix of what roles have access to what data and verify that is all they have access to? Have you protected your admin and service accounts using windows protected groups? Simpler are all your servers and workstations patched? Are you running smbv1 anywhere? Of lesser importance (but still important) are your users regularly given security training?
Question 3 “How do I detect if I have ransomware”?
Detection amounts to endpoint protection as first defense, followed by network and host based detection systems. Are you being monitored 24 x 7 x 365? Let’s take the nightmare scenario, its Friday at 7 pm, your network admin is getting on a plane for a vacation, is he the only one that gets an alert? In a spreading ransomware infection time is of the essence.What is the longest amount of time you can go without any intervention?
Question 4 “Can I recover from ransomware?”
So some advanced ransomware like SamSam, seeks to use machine learning to find the backups and encrypt them. Are your backups onsite? Are they in the cloud? Is there a persistent connection to them or are there air-gapped archives? Have you ever done a full restore? Can you run in an emergency mode? Have you tested it? Do you have management involvement in your incident response? Have you talked about the scenarios we might think about paying the ransom or decided you never would? Time is of the essence in these situations.
We were able to answer these specific questions for a recent client because we as a security and IT team had discussed them and put in place what would be needed to try to survive the attack. Oh by the way if you read this and thought “this looks like a full security management approach for many types of risks, not just ransomware”, please pat yourself on the back.
Have you asked or been asked these questions? Can you answer them? Don’t get caught between a rock and a ransom.