Ransomware is one of the biggest threats facing IT. What exactly is ransomware? Ransomware is a program that, once installed in a system, encrypts an organization’s data. The only way to get the data unencrypted is to pay a fee to the person who wrote the program in exchange for the encryption key.
The bad actors who develop these programs are smart. They set the ransom fee at a price that will hurt, but not so high that you’d consider yourself crazy to pay it. As a result, it has become a big business. Some studies report total payments to ransomware developers in 2017 will exceed $1 billion. With that kind of money at stake, ransomware creators are making huge investments in their programs to make sure they can infect an organization’s data more quickly, more thoroughly and without detection.
How Does Ransomware Work?
The first step for a successful ransomware attack is for the ransomware creator to install the program on a system within an organization’s network. Unfortunately, that is pretty easy. Ransomware creators use email and websites to spread the program, using enticing offers that require nothing more than a user in your network clicking a link. Those emails are no longer grammatically incorrect messages from a Nigerian prince either. They are well-designed emails or websites that look like they come from reputable companies.
Once the program is inside the organization, how it spreads varies. Generally, the program quickly crawls through the network, encrypting every file that it can access. Some programs now have the intelligence to also attack or encrypt known backup targets and snapshot copies.
What To Do About Ransomware?
The way to beat ransomware is to dry up its funding source, the ransoms. The problem is, for the most part, organizations are on their own when it comes to ransomware. Once a file is encrypted it is almost impossible to decrypt without the key. Organizations have to do what they can to prevent getting infected and then be able to recover from an infection easily. Paying the ransom has to become the absolute method of last resort.
How to Stop Ransomware
While ransomware is difficult to stop, there are some functional steps that IT can take to keep a ransomware attack from ever occurring. The most obvious is to train users to never click on a link in email and to only click on links from trusted websites. While user training and constant reminders do help, eventually someone will make a mistake and the attack will occur.
The next step is to limit the damage. Segment the network and file shares so that not all data is accessible by all users. Limiting exposure to ransomware is a new reason to use groups. IT should also make sure that they have an accurate inventory of servers, desktops and laptops. Make sure inactive devices are powered off.
Finally, have a method to detect that an attack is occurring. There are several products on the market that will alert you to a sudden increase in the rate of change of certain files and to the source of the change.
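A minimal sketch of the rate-of-change detection described above, added here as an illustration and not taken from the original article or any product: it counts distinct files changed per source in a sliding window and reports the source when the count spikes. The event format, host names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def build_sample_events():
    """Constructed file-change events: (timestamp in ms, source, path)."""
    events = []
    # Normal activity: one user saving a file once a minute.
    for i in range(10):
        events.append((i * 60_000, "alice@ws-014", f"/share/finance/report_{i}.xlsx"))
    # Suspicious burst: one source rewriting 200 files, one every 100 ms.
    for i in range(200):
        events.append((300_000 + i * 100, "bob@ws-027", f"/share/projects/doc_{i}.docx"))
    return sorted(events)

def detect_change_bursts(events, window_ms=30_000, threshold=50):
    """Alert once per source when the number of distinct files it changed
    within the last window_ms milliseconds reaches threshold."""
    recent = defaultdict(deque)   # source -> (timestamp, path) inside the window
    alerts = {}
    for ts, source, path in events:
        window = recent[source]
        window.append((ts, path))
        # Drop events that have aged out of the sliding window.
        while window[0][0] <= ts - window_ms:
            window.popleft()
        distinct = len({p for _, p in window})
        if distinct >= threshold and source not in alerts:
            alerts[source] = {
                "source": source,            # who is making the changes
                "first_seen": ts,            # when the threshold was crossed
                "files_in_window": distinct,
                "sample_paths": [p for _, p in list(window)[:3]],
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_change_bursts(build_sample_events()):
        print(alert)
```

The threshold has to be tuned per share, since legitimate bulk operations such as migrations or batch jobs also change many files in a short time.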
Despite all these measures, the likelihood that your organization will be attacked by a ransomware virus is increasingly high. Once you detect an attack, you will have to recover some portion of data or pay the ransom. The problem is that the way ransomware attacks, and when the attacks occur, often render traditional backup technology useless. In fact, there are now known cases of a ransomware attack infecting the backup storage device itself. In our next entry, we will explore why backups and snapshots fall short.
Sponsored by Nexsan