Every computer installation is vulnerable to attack by malware. It used to be simply e-mail borne viruses, but over time malware has acquired a degree of sophistication matched only by the antivirus and malware protection systems developed to thwart it. We now see rootkits, spambots, and latterly ransomware. An entire sub-industry has grown up around cybersecurity.
It is not just malware: cybersecurity now also needs to address external threats such as cyber-attacks designed to keep an organisation offline, and theft of information, including theft of intellectual property and theft of information for identity theft, blackmail or defamation.
Ransomware is the latest development in malware. At best it costs money, time, effort and lost reputation before it is fixed.
What is ransomware?
The ransomware concept is very simple. Criminals deliver you a piece of malware, usually via an infected e-mail. When activated, the malware encrypts your systems and data, denying you access. You must pay a ransom within a specified period to receive a decryption key to recover your systems and data. If you don’t pay, or pay too late, you cannot recover your information.
If your business is entirely dependent on your online systems being available 24/7/365, this could be a show-stopper. Ransomware attacks have been recorded on Mac and Linux systems.
How can a business protect against ransomware?
Defensive tactics are at least two-pronged – prevention and recovery. Simply put, a business must include cybersecurity in its business continuity programme, preferably as a key consideration.
In terms of prevention, an organisation must have comprehensive cybersecurity and anti-malware software and appliances in place. Malware has to enter the system somewhere, usually through infected e-mails, through software and data downloaded from the Internet, or on portable devices brought in by users. That is where prevention starts: locking the gates to stop it getting in.
- Both corporate and personal e-mail need to be intercepted and analysed using antivirus and malware protection software before they reach the desktop. Infected e-mail can either be discarded or quarantined. Some organisations refuse certain types of attachment, and some go as far as only allowing receipt of e-mail from known senders. Some organisations also prohibit users from connecting to their private e-mail accounts, both downloaded e-mail and Internet-based mail like Hotmail or Gmail.
- Implement adware detection and removal software if it is not included in the antivirus and malware protection software you use. Adware in itself is not usually malware, but it has the potential to carry malware with it. It is also very irritating and intrusive.
- Allowing users unrestricted access to the Internet is not wise for security or productivity. Some websites carry malware that is automatically downloaded to the user PC when the web page is opened. Browsers like Internet Explorer, Edge, Firefox and Chrome have introduced security features to prevent users inadvertently going to these sites. Secure mode should be switched on, and users not able to alter browser security settings. They must not be allowed to download any material onto their hard drives. They must not be allowed to install any software applications.
- Users must be prohibited from using their cellular phones or dongles to access the Internet independently of the corporate connection. Disabling USB ports usually prevents this.
- A vital task is to keep adware, antivirus and malware protection software up to date, at least daily. Antivirus and malware protection software consists of two parts: a software application (the analysis engine) that checks computer files, including e-mail and e-mail attachments, for malware before they are processed by your system, and signature files that identify malware to the analysis engine. Both the signature files and the engine itself need to be updated regularly. Most if not all commercial antivirus and malware protection software has an option to carry this out automatically at a time and interval you choose.
- Malware is often imported via personal devices like flash drives, CD/DVDs and portable hard drives attached to a user’s computer USB port. Open USB ports and the ability to read and write CD/DVDs on a user PC should be disabled. Use of personal data carriers should be prohibited.
- Updates and patching. It is important to keep your systems up to date. Patches are released to defend your systems from the latest threats; therefore, it is highly recommended to install them promptly to protect your software and hardware.
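As an added illustration of the e-mail gateway rules described above (attachment-type refusal and known-sender-only receipt), the following Python is example code written for this page, not part of the original article or any product. The blocked extension list, the trusted sender domains and the sample messages are constructed assumptions; it uses only the standard library.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed gateway policy (constructed for this example, not an organisation's real list).
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".hta", ".ps1", ".jar"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
KNOWN_SENDERS = {"supplier.example", "partner.example"}   # assumed trusted domains


def classify(raw_bytes, known_senders_only=False):
    """Decide 'deliver' or 'quarantine' for one raw RFC 5322 message, with the reason."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if known_senders_only and domain not in KNOWN_SENDERS:
        return "quarantine", f"sender domain not on the allow list: {domain or '<none>'}"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Look at every extension, so a double extension like 'invoice.pdf.exe' is caught.
        exts = ["." + piece for piece in name.lower().split(".")[1:]]
        if any(ext in BLOCKED_EXTENSIONS for ext in exts):
            return "quarantine", f"blocked attachment type: {name}"
        if exts and exts[-1] in MACRO_EXTENSIONS:
            return "quarantine", f"macro-enabled document: {name}"
    return "deliver", "no policy violation"


def build_sample(from_addr, filename):
    """Construct a small test message with one binary attachment (sample data only)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"\x00\x01\x02", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for sender, fname in [("Alice <alice@supplier.example>", "invoice.pdf"),
                          ("Mallory <m@unknown.example>", "invoice.pdf.exe"),
                          ("Mallory <m@unknown.example>", "report.docm")]:
        print(fname, "->", classify(build_sample(sender, fname)))
```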
However, having said all that, even the strictest prevention regime will fail at some time or other. A determined user or piece of malware will find its way into your environment.
It is possible, given skilled staff and enough computing power, to decrypt systems encrypted by ransomware, but that is by no means a given, and it is unlikely to happen before your business fails. Payment of the ransom is no guarantee either.
Your best friend in the recovery environment is a comprehensive set of complete, up-to-date backups of systems and data. In the case of ransomware, a complete reinstallation of your systems and data from the ground up might be the quickest, surest and cheapest way to recover.
However, many businesses do not have this degree of comprehensive cover. Audits often find that some backups are missing because of failed and unmonitored backup runs, that some are already infected, and that some do not include vital systems. A regular test of backups is essential. It would not be the first time that a “good” backup turned out not to be.
A business needs a comprehensive and closely monitored backup regime to ensure that if they do need to carry out a full reinstallation, they have the information to allow them to do so.
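As an added example of the monitored backup regime the last two paragraphs call for (not code from the original article), the Python below audits a backup manifest against what is actually in storage and reports exactly the three failure classes the audit paragraph names: runs that never happened, runs that failed unnoticed, and archives whose current checksum no longer matches what was recorded. The manifest format, system names and archive contents are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

REQUIRED_SYSTEMS = {"fileserver", "erp"}   # assumed: systems the continuity plan says must be backed up nightly


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_backup(manifest, archives, day, system, data=None):
    """Append one nightly run to the manifest; a run that produced no data is recorded as FAILED."""
    if data is None:
        manifest.append({"day": day, "system": system, "status": "FAILED", "sha256": None, "file": None})
        return
    name = f"{system}-{day.isoformat()}.tar"
    archives[name] = data                                   # stands in for the backup store
    manifest.append({"day": day, "system": system, "status": "OK", "sha256": sha256(data), "file": name})


def audit(manifest, archives, start, end):
    """Return missing runs, failed runs and archives that no longer hash to their manifest entry."""
    findings = {"missing": [], "failed": [], "corrupted": []}
    seen = {(run["day"], run["system"]): run for run in manifest}
    day = start
    while day <= end:
        for system in sorted(REQUIRED_SYSTEMS):
            run = seen.get((day, system))
            if run is None:
                findings["missing"].append((day.isoformat(), system))
            elif run["status"] != "OK":
                findings["failed"].append((day.isoformat(), system))
            elif sha256(archives.get(run["file"], b"")) != run["sha256"]:
                # covers both an altered archive and one that has vanished from storage
                findings["corrupted"].append((day.isoformat(), system))
        day += timedelta(days=1)
    return findings


def build_sample():
    """Constructed three-night history containing one failure of each kind."""
    manifest, archives = [], {}
    d1, d2, d3 = date(2024, 3, 1), date(2024, 3, 2), date(2024, 3, 3)
    record_backup(manifest, archives, d1, "fileserver", b"fileserver data night 1")
    record_backup(manifest, archives, d1, "erp", b"erp data night 1")
    record_backup(manifest, archives, d2, "fileserver", b"fileserver data night 2")
    record_backup(manifest, archives, d2, "erp")            # job died and nobody noticed
    record_backup(manifest, archives, d3, "fileserver", b"fileserver data night 3")
    # erp was never scheduled on night 3, so no manifest entry exists at all
    archives["fileserver-2024-03-02.tar"] = b"fileserver data night 2 ALTERED"   # silent corruption
    return manifest, archives, d1, d3
```

Run `audit(*build_sample())` to see the three findings; in a real regime the same check would run after every backup window and page someone on any non-empty list.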