We’re seeing a rash of ransomware sweeping across IT systems, ranging from large enterprises to microbusinesses with only a few PCs. As I am writing this, we are in the middle of responding to an incident where a business has been entirely shut down after being infected with the Locky ransomware. The entire business has been shut down for 10 days now because a single employee’s PC contracted the malware, which then reached out to every network share that PC could write to, encrypting every Microsoft Word, Excel, and Access file, along with every picture, PDF, video, and audio file it could grab – which was all of them. We received a panicked call from the client on Monday morning, expecting that we would be able to wave our magic wand and get their data back. Sadly, this was not the case, as the client was lacking all of the critical controls we will outline in this and subsequent articles.
Invariably, when we deal with these issues, we’re asked the same questions:
- How/why did this happen?
- How can we make sure this never happens again?
How and why did this happen? Usually it’s because of a combination of risks that, when pooled together, form a formidable threat to any IT system. In most cases today, we see ransomware getting into systems via email attachments (typically an Office document that asks the reader to “enable content” so its macros can run, or a script hidden inside a zip file) or via seemingly innocent websites which have been hijacked – often by serving up malicious ads – to push malware through the visitor’s browser and its plugins.
Unfortunately there is no way to make sure anything “never happens again,” and anyone who tells you otherwise is just plain delusional. Promising complete protection is like guaranteeing you’ll never have a car accident – it can’t be done unless you never get into a car again.
However, just as there are things you can do to protect yourself when you choose to drive in your car, there are many steps that can be taken – right now – to dramatically lower the likelihood that your business will be the next victim of ransomware. Here are the top 10 steps you can take right now to dramatically improve the chances your business will survive a ransomware attack.
- Drop Administrator Rights
To be clear, this step alone does not protect you from ransomware, which can affect admin and non-admin users alike: the malware runs with whatever rights the logged-in user has, and a standard user can still write to (and therefore encrypt) their own documents and any share they can reach. However, it can help to contain an outbreak and confine it, resulting in a relatively smaller incident. With administrator rights the same malware can also disable your antivirus, delete the local shadow copies Windows keeps for recovery, and tamper with every other user’s files on the machine. I’ve lost count of the number of times I’ve written about how running with full administrative rights over your own PC is a bad idea. The more power you have, the more power you have to do damage. There’s no need to perform everyday tasks – like reading email or surfing the web – as an administrator. Give every user a standard account for daily work and keep a separate administrator account for installing software; you or your IT staff can set this up on most desktop systems with very little effort, and reap a very big reward as a result.
- Patch, Patch, Patch
Make sure you have a regular, diligent schedule for applying patches, so that both your operating system (Windows, Mac, Linux, iOS, Chrome, or Android) and your third-party applications and add-ons (from Microsoft, Adobe, Oracle, Google, Mozilla, Apple, etc.) have the latest security updates. The exploit kits behind drive-by downloads on hijacked websites work by exploiting security flaws in browsers and their plugins (Flash, Java, PDF readers), and these flaws are “patched” in software updates from the publisher. Make sure these are applied promptly: an unpatched plugin is the difference between a malicious ad doing nothing and a malicious ad installing ransomware.
- Use a Web Content Filter to Limit Internet Access
If you and your staff don’t need it to do your job, don’t allow it. Period. Most of your employees do not need access to Facebook, Amazon, CNN, YouTube, and a majority of the websites they’re accessing every day. Every time you go online and access a website – any website – you are increasing your exposure to bad things, even if you think the site you’re visiting is perfectly innocent. We’ve seen numerous examples in the last few weeks alone of popular websites that were compromised and used as malware attack platforms.
If you read this and said “Oh, but we do use YouTube!” Fine! Allow YouTube, but block everything else that isn’t needed (like Facebook, Amazon, CNN, etc.)
- Configure Your Firewall to Filter OUTbound Traffic
Along with the web content filter (#3), work with your IT staff to ensure that your firewall allows only legitimate traffic both in AND out. Most firewalls are set up to block inbound connections and let everything out, so a compromised system inside your network can freely contact the bad guys. A lot of the problems stem from exactly this: the small downloader in a phishing attachment has to fetch the actual ransomware, and some families then have to contact their server to obtain an encryption key before they can start. If this communication is blocked, you have a better chance of recovering your system before it’s too late. Be aware that this is containment, not prevention: a number of variants carry everything they need and will encrypt with no network access at all, so treat outbound filtering as one layer, one that also gives you logs showing which machine tried to call out. You have to work with a competent firewall technician to make sure this is done properly.
- Restrict Attachments
First off, if you did not request it, don’t open it, even if the attachment seems to be from someone you know; the sender address on an email is trivial to forge. Consider having your IT staff filter out email attachments; if a job doesn’t require receipt of email attachments, don’t allow them! At a minimum, block the attachment types that have no business reason to arrive by mail (executables, scripts, and zip files containing them). If you are required to receive attachments to do your job, such as the case for HR professionals, make sure that your default application for handling them is a lesser-functioning viewer, such as the Microsoft Word Viewer. This is a greatly stripped-down program that lacks the features that viruses use to take over your system, above all the ability to run macros. If you must open documents in full Office, keep Protected View on and do not click “Enable Content” on a document you did not ask for; that button is exactly what the attacker is counting on.
- Restrict Access to File Shares (aka “Silo Your Data”)
Most small firms we work with have a single file repository on their network, and every staff member has full access to it, and all of its contents. This means that anyone, from the CEO all the way down to an intern, has the ability to inadvertently encrypt every document on the server. Compartmentalizing data into silos where people have the least privileges required to do their job is the key to keeping a virus outbreak from running rampant through the entire organization.
Note: this expands upon step 1 (dropping administrator rights) by further restricting your own ability to accidentally cause damage to other systems you have access to. Permissions on the share and its folders are what count, not which drive letters are mapped on the desktop: some ransomware enumerates every share the account can write to, mapped or not. Where a group only needs to read a folder, grant read only; a read-only share cannot be encrypted from an infected PC.
- Have Rock Solid Backups
Get a solid, robust backup solution that backs up everything on your system – not just a few files and folders – several times per day (not just overnight), and keeps multiple versions that go back several months, allowing you to go back to prior to the infection. Ransomware goes after backups too: it will encrypt a backup drive that is mapped or plugged in, and most families delete the local Volume Shadow Copies before they start, so keep at least one copy offline or on storage that the workstation accounts cannot write to. Key step that is too often overlooked: test your backups. Do NOT assume that everything is working fine – test your backups, or have your IT staff test them for you, and give a full report on the restore process. Do a full restore to make sure you could get everything back if the server literally blew up in a ball of flames, and time it: the restore time is how long the business will be down.
- Train Your Users
By this, I don’t mean “last year we went through a checklist to make sure our users knew what not to do if they get a phishing email.” Seriously – when was the last time you did something only one time, a year ago, and you remember what it was and how to do it? It just doesn’t work like that! You and your staff need constant education, reminders, and updated information. For starters, make sure your staff know that there are numerous other businesses that are falling victim to ransomware which are delivered as email attachments and through infected websites. Then, work with a competent security professional to educate yourself and your staff in the latest threats so you know what to be on the lookout for.
- Allow Only Whitelisted Applications
This one takes some effort, but the idea is simple: configure your computers to only run authorized applications. That means if you only need to run Word, Excel, and Outlook to do your job, your computer will only run Word, Excel, and Outlook, and the ransomware executable dropped into your Downloads or temporary folder is simply refused. Windows includes this capability (AppLocker on editions that support it, Software Restriction Policies on Professional), so it need not cost anything beyond the time to set it up. Start in audit mode, so the policy only logs what it would have blocked, and switch to enforcement once the log is quiet. This does take some work and fine-tuning to get it right, and you need to work closely with your IT provider to make sure that nothing is overlooked, but once you’ve taken these steps, your computer is dramatically more secure because its exposure to harmful programs is significantly reduced.
- Prepare for the Worst
Should all of the above steps fail, which can happen, be prepared to shut down for a while. Speak with an insurance agent who specializes in cyber liability insurance and make sure you are covered against outages and extortion; a general business policy will most likely pay you nothing in such an event. Also, be prepared for the possibility of paying a ransom, in Bitcoin – an online currency that is pseudonymous and hard to tie to a person (which is why criminals favor it over things like credit cards, gift cards, etc.). Every Bitcoin transaction is recorded in a public ledger, so it is not untraceable, but attributing a wallet to an identity is difficult. Set up an account with a reputable Bitcoin exchange today so that your entire business won’t be stuck for a week twiddling its collective thumbs while you set up accounts that enable payment. Treat payment as the last resort: it does not guarantee that you will receive a working decryptor.
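The outbound filtering in step 4 (Configure Your Firewall to Filter OUTbound Traffic) can also be done on each workstation with the firewall built into Windows, not only at the perimeter. The script below is an added example written for this article, not code from the original post: it switches every profile to default-deny outbound and then allows only DNS to the company resolvers, the local subnet, web traffic from approved browsers, and Windows Update. The resolver addresses, browser paths and rule names are assumptions for illustration.

```powershell
# Added example (not from the original article): default-deny outbound
# filtering with the built-in Windows Firewall. Resolver addresses, browser
# paths and rule names are placeholders. Run as Administrator, from the
# console of a test machine first, because everything not listed stops at once.

function Set-EgressAllowlist {
    param(
        [string[]]$InternalResolvers = @('10.0.0.10', '10.0.0.11'),          # assumed
        [string[]]$ApprovedBrowsers  = @(
            "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",        # assumed
            "$env:ProgramFiles\Mozilla Firefox\firefox.exe"                  # assumed
        ),
        [string]$RulePrefix = 'Egress'
    )

    # 1. Anything not explicitly allowed below is dropped, on every profile,
    #    and the drops are logged so you can see which machine tried to call out.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultOutboundAction Block -LogBlocked True `
        -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

    # 2. Name resolution only to the company resolvers; malware that brings its
    #    own DNS server gets nothing.
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "$RulePrefix DNS ($proto, internal only)" `
            -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 `
            -RemoteAddress $InternalResolvers | Out-Null
    }

    # 3. File server, printers and domain controllers on the local subnet.
    #    Servers on other subnets need their own, equally specific, rules.
    New-NetFirewallRule -DisplayName "$RulePrefix local subnet" `
        -Direction Outbound -Action Allow -RemoteAddress LocalSubnet | Out-Null

    # 4. Web access only for the approved browsers, and only on 80/443.
    foreach ($exe in $ApprovedBrowsers) {
        if (Test-Path -LiteralPath $exe) {
            New-NetFirewallRule -DisplayName "$RulePrefix web: $(Split-Path $exe -Leaf)" `
                -Direction Outbound -Action Allow -Program $exe `
                -Protocol TCP -RemotePort 80,443 | Out-Null
        }
    }

    # 5. Windows Update runs inside svchost.exe; scope the rule to the service
    #    so other svchost-hosted components do not inherit it.
    New-NetFirewallRule -DisplayName "$RulePrefix Windows Update" `
        -Direction Outbound -Action Allow `
        -Program "$env:SystemRoot\System32\svchost.exe" -Service wuauserv `
        -Protocol TCP -RemotePort 80,443 | Out-Null
}

function Get-EgressAllowlist {
    # Review what is permitted out; every line here is a path a compromised
    # process could use to reach its operator.
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Program = $app.Program
                Ports   = ($port.RemotePort -join ',')
            }
        }
}

Set-EgressAllowlist
Get-EgressAllowlist | Format-Table -AutoSize

# Verification: from an unapproved process (PowerShell itself) this now returns
# False, while the same site still loads in an approved browser.
Test-NetConnection -ComputerName example.com -Port 443 -InformationLevel Quiet
```

The built-in Core Networking rules (DHCP, ICMPv6 and so on) stay in effect, and replies to inbound sessions such as RDP are still allowed by the stateful firewall. Update tooling other than Windows Update (antivirus signature downloads, a patch-management agent) needs its own rule, scoped to the program path just as the browsers are.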
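Steps 1 and 6 come down to what a standard user account is allowed to write to. The PowerShell below is an added example, not from the original article, for the file-server side of step 6: it lists every share that grants Change or Full access to a broad group such as Everyone or Domain Users (the single-repository setup described above), and builds a per-team share whose NTFS and share permissions let only that team modify it. The share name, path and group names are placeholders.

```powershell
# Added example, not from the original article. Run on the file server as an
# administrator. Share names, paths and group names are placeholders.

function Find-OverexposedShares {
    # Broad principals that should never hold Change or Full on a data share:
    # with either right, any single infected workstation can encrypt the lot.
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
               "$env:USERDOMAIN\Domain Users")
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            $_.AccountName -in $broad
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight
            }
        }
    }
}

function New-TeamShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$WriteGroup,   # e.g. CORP\HR-Staff (placeholder)
        [string[]]$ReadGroups = @()                  # e.g. CORP\Managers (placeholder)
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # NTFS: cut inheritance so the folder does not silently pick up a broad
    # "Users: Modify" from its parent, then grant only what the team needs.
    # (OI)(CI) = applies to files and subfolders; F = Full, M = Modify, RX = read.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" `
                          "${WriteGroup}:(OI)(CI)M" | Out-Null
    foreach ($g in $ReadGroups) {
        icacls $Path /grant:r "${g}:(OI)(CI)RX" | Out-Null
    }

    # Share permissions: never broader than NTFS, and nothing at all for Everyone.
    $params = @{ Name = $Name; Path = $Path
                 FullAccess = 'BUILTIN\Administrators'; ChangeAccess = $WriteGroup }
    if ($ReadGroups.Count -gt 0) { $params.ReadAccess = $ReadGroups }
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare @params | Out-Null
    }
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force `
        -ErrorAction SilentlyContinue | Out-Null
    Get-SmbShareAccess -Name $Name
}

# 1. What could one infected PC encrypt today?
Find-OverexposedShares | Format-Table -AutoSize

# 2. Carve out one silo per team; repeat for Finance, Sales, and so on.
New-TeamShare -Name 'HR' -Path 'D:\Shares\HR' -WriteGroup 'CORP\HR-Staff' -ReadGroups 'CORP\Managers'
```

With the shares siloed this way, an infected HR workstation can still damage the HR share, but Finance, Sales and the rest are untouched, and the restore from step 7 is one team’s data rather than the whole company’s.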
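Step 7 asks you to test the restore, not the backup job. The following is an added example, not from the original article, of verification wrapped around whatever backup product you use: a SHA-256 manifest of the live data is written before each backup run and stored with the backup, a restore into scratch space is checked file by file against that manifest, two manifests can be compared to find the run at which files started changing en masse (the point to roll back to), and the manifest directory is checked for the retention depth the step calls for. Paths are placeholders.

```powershell
# Added example, not from the original article. Paths are placeholders; the
# backup product itself is not shown, only the checks around it. Store the
# manifests with the backup, off any share the workstations can write to, or
# ransomware will encrypt them along with everything else.

function New-BackupManifest {
    param([Parameter(Mandatory)][string]$Root,
          [Parameter(Mandatory)][string]$ManifestPath)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-RestoredData {
    # Compare a restore (into scratch space, never over the live data) against
    # the manifest taken when that backup ran. "Job completed" is not a test.
    param([Parameter(Mandatory)][string]$RestoreRoot,
          [Parameter(Mandatory)][string]$ManifestPath)
    $restoreFull = (Resolve-Path -LiteralPath $RestoreRoot).Path.TrimEnd('\')
    $ok = 0; $missing = 0; $mismatched = 0
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $p = Join-Path $restoreFull $entry.RelativePath
        if (-not (Test-Path -LiteralPath $p)) {
            $missing++; Write-Warning "missing after restore: $($entry.RelativePath)"; continue
        }
        if ((Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash -ne $entry.Sha256) {
            $mismatched++; Write-Warning "content differs: $($entry.RelativePath)"
        } else { $ok++ }
    }
    [pscustomobject]@{ Verified = $ok; Missing = $missing; Mismatched = $mismatched
                       Passed = ($missing -eq 0 -and $mismatched -eq 0) }
}

function Compare-BackupManifests {
    # A normal working day changes a few dozen files. The run after an infection
    # shows nearly every file changed, or replaced by a new file with an odd
    # extension; the last run before that is the clean one to restore.
    param([Parameter(Mandatory)][string]$Older, [Parameter(Mandatory)][string]$Newer)
    $old = @{}
    Import-Csv -LiteralPath $Older | ForEach-Object { $old[$_.RelativePath] = $_.Sha256 }
    $new     = Import-Csv -LiteralPath $Newer
    $changed = @($new | Where-Object { $old.ContainsKey($_.RelativePath) -and $old[$_.RelativePath] -ne $_.Sha256 })
    $added   = @($new | Where-Object { -not $old.ContainsKey($_.RelativePath) })
    $removed = $old.Count - ($new.Count - $added.Count)
    [pscustomobject]@{
        Changed = $changed.Count; Added = $added.Count; Removed = $removed
        NewExtensions = (($added | ForEach-Object { [IO.Path]::GetExtension($_.RelativePath) } |
                          Sort-Object -Unique) -join ' ')
    }
}

function Test-RetentionDepth {
    # The step asks for versions going back several months; check it, do not assume it.
    param([Parameter(Mandatory)][string]$ManifestDir, [int]$MinDays = 90)
    $oldest = Get-ChildItem -LiteralPath $ManifestDir -Filter *.csv |
              Sort-Object LastWriteTime | Select-Object -First 1
    [pscustomobject]@{ Oldest = $oldest.LastWriteTime
                       Passed = ($null -ne $oldest -and $oldest.LastWriteTime -lt (Get-Date).AddDays(-$MinDays)) }
}

# Before each backup run (one manifest per run, named by timestamp):
New-BackupManifest -Root 'D:\Shares' -ManifestPath "E:\Backups\manifests\shares-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# After restoring that run into scratch space on a separate volume:
Test-RestoredData -RestoreRoot 'F:\RestoreTest\Shares' -ManifestPath 'E:\Backups\manifests\shares-20160314-0600.csv'

# When you suspect an infection, find the last clean run, and confirm the
# history actually reaches back far enough:
Compare-BackupManifests -Older 'E:\Backups\manifests\shares-20160313-1800.csv' -Newer 'E:\Backups\manifests\shares-20160314-0600.csv'
Test-RetentionDepth -ManifestDir 'E:\Backups\manifests'
```

Hashing every file on every run costs time on a large share; if that is too slow, manifest a fixed random sample plus every file under a certain age, which still catches the wholesale replacement that ransomware produces.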
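For step 9 (Allow Only Whitelisted Applications), here is an added example, not from the original article, of an AppLocker policy that lets standard users run executables and scripts only from Program Files and Windows, starts in audit mode, dry-runs the rules against a copy of a known binary dropped where a phishing payload would land, and reads back what the policy would have blocked. The two SIDs are the well-known Everyone (S-1-1-0) and local Administrators (S-1-5-32-544); the policy file path and the probe file name are placeholders, and the machine must run an edition that enforces AppLocker.

```powershell
# Added example, not from the original article. The policy path and the probe
# file name are placeholders. Run as Administrator on a test machine.

function New-AuditWhitelistPolicy {
    param([string]$Path = "$env:ProgramData\AppLocker\baseline.xml")
    $id = { [guid]::NewGuid().ToString() }   # every rule needs a unique Id

    # Allow rules use AppLocker's own path variables (%PROGRAMFILES% covers
    # both Program Files folders). Droppers land in Downloads, %TEMP% or
    # %APPDATA%, none of which has an allow rule, so once EnforcementMode is
    # changed from AuditOnly to Enabled they are denied by default. The two
    # Deny rules close user-writable folders under %WINDIR% that the broad
    # Windows allow would otherwise open (not an exhaustive list); a Deny
    # always wins over an Allow. No Dll collection is included, so DLLs are
    # not evaluated.
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(& $id)" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Deny Windows\Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Deny Windows\Tasks" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Tasks\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Administrators: anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(& $id)" Name="Scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $id)" Name="Administrators: any script" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
    Set-Content -LiteralPath $Path -Value $xml -Encoding UTF8
    return $Path
}

function Enable-AppLockerAudit {
    param([Parameter(Mandatory)][string]$PolicyPath)
    # Rules are only evaluated while the Application Identity service runs; it
    # is a protected service on Windows 10, so sc.exe is used rather than Set-Service.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyPath      # replaces the local policy
}

function Test-DropperHandling {
    # Dry-run: the same binary from an allowed location and from %TEMP%, where a
    # phishing payload lands. Expected: notepad.exe Allowed, the copy DeniedByDefault.
    param([Parameter(Mandatory)][string]$PolicyPath)
    $probe = Join-Path $env:TEMP 'invoice_scan.exe'   # constructed sample, placeholder name
    Copy-Item -LiteralPath "$env:SystemRoot\System32\notepad.exe" -Destination $probe -Force
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone `
        -Path "$env:SystemRoot\System32\notepad.exe", $probe |
        Select-Object FilePath, PolicyDecision
}

function Get-WouldHaveBeenBlocked {
    # Event 8003 = ran only because the policy is in audit mode. Review these for
    # a few weeks, add rules for anything legitimate, then set EnforcementMode="Enabled".
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

$policy = New-AuditWhitelistPolicy
Test-DropperHandling -PolicyPath $policy
Enable-AppLockerAudit -PolicyPath $policy
Get-WouldHaveBeenBlocked | Format-Table -AutoSize -Wrap
```

Path rules are the quickest start but the weakest kind: any folder under Program Files that users can write to becomes a hole, which is why the audit period matters and why publisher rules for the applications you actually run (Office, the browser, the line-of-business tools) are the better long-term shape. The Script collection is what stops the zipped .js and .vbs droppers common in ransomware mailings, since they run through wscript.exe from the user’s temp folder.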
While this list is by no means exhaustive, taking these proactive measures will dramatically improve the likelihood of your business surviving – perhaps even shrugging off – a ransomware attack. We will be following up with subsequent posts with more details on each of the above points.
Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.