If you don’t yet know about ransomware, you soon will. It’s been called the most profitable type of malware ever released. Bad guys deploy it on a computer or network and hold the data hostage until a fee is paid to get it back. Just last week the WannaCry ransomware strain went global, impacting computers in more than 150 countries and wreaking havoc on Britain’s National Health Service, Spain’s Telefonica and France’s Renault automobile factory.
Ransomware usually gets into a company when a user clicks on a bad link or opens a malicious attachment in an email, and the malware is downloaded onto their computer or network without their knowledge. It happens fast, and sometimes you can’t tell it is there. Most antivirus programs do not detect it, because new variants appear every day and signatures lag behind. Being successfully hit by a ransomware attack can set a business back 50 years into “pen and paper” management, and the ransom can get very high. WannaCry demanded about £240 per machine, which adds up very quickly, particularly for small and mid-sized businesses (SMBs).
It’s time to face facts: Ransomware has become a “when not if” scenario for businesses of all sizes. To pay or not to pay is ultimately a business decision and one which most organisations do not make lightly.
How did these ransomware victims get in such a dire situation?
In most cases, an employee opened up an attachment to an email that looked legitimate, but the attachment was malicious and infected the network.
If a business has up-to-date backups that the attacker could not reach, ransomware is a recoverable incident rather than a disaster. But a company’s backup / restore strategy can fail in several ways. Perhaps it was thought that backups were being made regularly, but in reality the process was broken and no backups were being created at all. That amounts to a high-wire act without a safety net, because hard disks sooner or later always fail. Or backups were created, but the restore process failed and the business could not get its files back. This happens more often than you might think. A related trap is backups written to a network share or mapped drive that the infected workstation could also write to: those get encrypted along with everything else. Victims like this find themselves in an extremely uncomfortable position: pay an organised cybercrime network thousands of pounds and hope to get the files back, or accept lost days, weeks, or months of work.
Understandably, you could take the perspective that it’s a matter of principle and that you should never pay ransom to criminals. That is easier said than done when you look at the potential damage a ransomware attack can do to your organisation.
Nowadays there are different types of ransomware infections. The low-grade spray-and-pray phishing attacks that only infect one workstation are relatively easy for IT to fix. Wiping the workstation and rebuilding it from a standard image takes about 20 minutes.
It gets worse when that infected workstation had a connection to a file server, and all the files on that server were encrypted during the infection. Now a whole group of employees are left to sit on their hands without access to their files.
Worst case is that the ‘bad guys’ were on the network for quite some time, were able to infect all of the organisation’s machines and locked them all at the same time. This type of network compromise sets an organisation back 50 years into “pen and paper” management, and the ransom usually soars to anything from £30,000 up to £75,000. Healthcare organisations in particular, with x-ray machines, MRI equipment and other medical devices that run Windows, are vulnerable to attacks like this, with literally life-or-death in the balance. However, any organisation, large or small, is in the firing line for this new type of internet extortion.
What to do about this?
It is crucial to start with a so-called defence-in-depth strategy to protect your network:
- Weapons-grade backups: kept offline or otherwise out of reach of an infected workstation, and tested regularly by actually restoring files and checking them, to see if the file-restore function works properly.
- Ensure all software is up-to-date. That means the Windows operating system itself, and also every third-party application running in the organisation. WannaCry spread between machines through a Windows SMB vulnerability for which Microsoft had issued a patch (MS17-010) two months earlier.
- Run updated antivirus software but don’t rely on it. Today’s antivirus often does not catch ransomware.
- Identify users that handle sensitive information and enforce 2-factor authentication for them (ideally for everyone).
- Check your firewall configuration and make sure outbound traffic is restricted to what has a business purpose, so malware that needs to call home to its command-and-control servers cannot do so.
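The first item above is the one most organisations get wrong, so here is a scripted restore test as an added example. This is not the article’s or KnowBe4’s code; every path is a scratch location chosen for the demonstration, the sample files are constructed, and in production you would point SOURCE_DIR at the real share and BACKUP_FILE / MANIFEST at the backup target. The point it shows is that “the backup job exited 0” proves nothing: you have to restore into a scratch directory and compare every file against checksums recorded at backup time, and the script deliberately reproduces the “backup was created but the restore failed” case from above with a truncated archive.

```shell
#!/bin/sh
# Added example (not from the original article): a scripted restore test
# for file-share backups. All paths are scratch locations for this demo.
set -eu

WORKDIR=$(mktemp -d)
SOURCE_DIR="$WORKDIR/share"          # stand-in for the file server
BACKUP_FILE="$WORKDIR/share.tar.gz"  # the archive the backup job writes
MANIFEST="$WORKDIR/share.sha256"     # checksums recorded at backup time
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample data: a few files standing in for a department share.
make_sample_data() {
    rm -rf "$SOURCE_DIR"
    mkdir -p "$SOURCE_DIR/finance" "$SOURCE_DIR/hr"
    printf 'Q1 invoices\n' > "$SOURCE_DIR/finance/invoices.txt"
    printf 'payroll,2017\n' > "$SOURCE_DIR/hr/payroll.csv"
    head -c 4096 /dev/urandom > "$SOURCE_DIR/finance/ledger.bin"
}

# Backup job: record a checksum for every file, then archive the share.
# The manifest is what makes the later restore verifiable.
take_backup() {
    (cd "$SOURCE_DIR" && find . -type f -exec sha256sum {} + | LC_ALL=C sort) > "$MANIFEST"
    tar -czf "$BACKUP_FILE" -C "$SOURCE_DIR" .
}

# Restore test: extract into a scratch directory (never over the live
# share) and verify every file against the manifest. Returns 0 when every
# file came back intact, 1 when this backup would not have saved you.
restore_test() {
    restore_dir=$(mktemp -d "$WORKDIR/restore.XXXXXX")
    if [ ! -s "$BACKUP_FILE" ]; then
        echo "RESTORE FAILED: no backup file at $BACKUP_FILE" >&2
        return 1
    fi
    if ! tar -xzf "$BACKUP_FILE" -C "$restore_dir" 2>/dev/null; then
        echo "RESTORE FAILED: archive unreadable" >&2
        return 1
    fi
    if (cd "$restore_dir" && sha256sum -c --quiet "$MANIFEST" >/dev/null 2>&1); then
        echo "RESTORE OK: $(wc -l < "$MANIFEST") files verified"
        return 0
    fi
    echo "RESTORE FAILED: checksum mismatch or missing files" >&2
    return 1
}

# Simulate the "backups were created but the restore failed" case:
# a backup job that wrote a truncated archive and still reported success.
corrupt_backup() {
    head -c 100 "$BACKUP_FILE" > "$BACKUP_FILE.tmp"
    mv "$BACKUP_FILE.tmp" "$BACKUP_FILE"
}

make_sample_data
take_backup
restore_test                      # healthy backup: RESTORE OK
corrupt_backup
restore_test || echo "(this is exactly what a scheduled restore test exists to catch)"
```

Run it on a schedule from a host that has read-only access to the backup target, and alert on a non-zero exit status; the restore never touches the live share, so it is safe to run every day.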
Ultimately, your employees are the weak link in your IT Security.
The standard defence in depth strategy above is a good start, but it’s missing a critical step: educate your users so they can thwart ransomware before it can infect your workstations or your network. A good security awareness training program will help educate users on what types of red flags to look for so they don’t make a mistake that puts your business at risk. Taking the time to question an email and call the person who supposedly sent it could save time, money and frustration for the entire company.
Let’s stay safe out there.
Stu Sjouwerman is the founder and CEO of KnowBe4, Inc. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
Twitter alias (company) @KnowBe4