Ransomware: User Education is First Line of Defence
Date: Apr 26, 2016
Guest post: Mike Gillespie, director of cyber research and security at The Security Institute
What is the best strategy for business to protect against ransomware?
Ransomware has yet again reared its ugly head and despite various security websites issuing warning notices, people are still falling foul of it.
Ransomware is, in essence, a method of extorting money from an unsuspecting individual or organisation, most frequently by denying them access to their files through encryption of their data or hard drive.
One ransomware attack vector is phishing or spam email: the unsuspecting individual may inadvertently open an attachment or follow what they perceive to be a bona fide web link. Clicking on the suspicious attachment or web link initiates a malware download, which then encrypts the user’s files or hard drive. Once the encryption is complete, the user is required to pay.
Payment is often demanded in Bitcoin to unlock an organisation’s files or hard drive. It has been widely reported by victims that despite paying this “ransom”, they have still been unable to access the encrypted files or hard drive. So it is clear that prevention is better than cure when dealing with ransomware.
Depending on the type and version of ransomware that has been installed, there is a possibility that the user’s files or hard drive have not actually been encrypted, but a small piece of software has been installed that gives the impression that encryption has taken place.
This relies heavily on the emotional response of the victim and the fear that they could be compromised; such a fear is enough to prompt a response and, potentially, payment.
It is impossible to tell from the ‘splash screen’ that appears whether or not it is a genuine ransomware payload; only an attempt to use or recover the user’s files will clarify this.
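As an added illustration (not part of the original article), a responder can make a first-pass check on copies of a few affected files by comparing each file's leading bytes with the signature expected for its type and measuring byte entropy, since encrypted data looks close to random. The function names, the small signature table and the 7.5 bits-per-byte threshold are assumptions chosen for this sketch, and an intact header does not prove the rest of the file is intact.

```python
import math
import os
from collections import Counter

# Leading "magic" bytes for a few common file types (illustrative subset).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",  # Office Open XML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """Triage one file from its name and leading bytes (e.g. the first 4 KiB)."""
    ext = os.path.splitext(name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return "unknown-type"          # no signature to compare against
    if data.startswith(magic):
        return "header-intact"         # consistent with a bluff, not proof
    if shannon_entropy(data) >= threshold:
        return "likely-encrypted"      # wrong header and near-random content
    return "damaged-or-renamed"        # wrong header but not random-looking

def triage(samples: dict) -> dict:
    """Count verdicts across a sample of files given as {name: leading bytes}."""
    return dict(Counter(classify(n, d) for n, d in samples.items()))

if __name__ == "__main__":
    # Constructed samples, not real victim data.
    samples = {
        "invoice.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 100,
        "report.docx": os.urandom(4096),  # stands in for an encrypted file
        "notes.txt": b"plain text",
    }
    print(triage(samples))
```

Run it against copies taken from the affected machine rather than the originals, and treat the result as a hint to be confirmed by actually opening or restoring the files.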
There are numerous strategies for safeguarding against ransomware. The first, and by far the most effective, is user awareness and education, because ransomware does not install itself. For the malware to be downloaded successfully, it needs some form of user interaction, whether via phishing emails or by fraudulent websites that serve up ‘drive-by’ malware.
Ensure that all your staff, including management, recognise phishing and spam and so do not open suspicious emails or follow links to other websites unless they can be sure they are bona fide links. All users should also be cautious or even suspicious of attachments, pictures or graphics received unexpectedly from known persons, because the sender’s email account may have been compromised.
If in doubt, do not open any email without first confirming its origin by contacting the sender. It is also recommended to switch off any email preview window within a mail program because this may trigger the ransomware download.
Also, spear phishing might be used for a targeted ransomware attack on a specific user. This might make the malicious email hard to spot.
Scan all attachments
Secondly, ensure that any antivirus email program or software is up to date and scheduled to scan all email traffic to identify spam emails or emails that may contain known threats. This software should also be configured to scan all attachments or pictures embedded within emails or instant messaging attachments.
Thirdly, all hardware and software should be correctly patched and updated to the latest version to ensure that all known weaknesses or vulnerabilities have been addressed by the relevant supplier.
Finally, a good back-up regime is essential in this ever-changing virtual and internet-based environment. Remember, it is not sufficient just to make backups because they need to be tested to ensure they actually work.
In the event of your system being infected with ransomware, don’t give up hope or pay any ransom. There are various products available that can help to recover your files.
It is imperative that organisations take the threat of ransomware seriously. Once infected, the inability to access files or systems may affect other services offered by the organisation. An organisation’s ability to recover quickly from any ransomware infection will be greatly enhanced by having effective business continuity mechanisms available and free from infection.
This article was first published in Computerweekly.com in February 2016