Ransomware survival guide; the facts.
Protect your business from an expensive ransomware attack.
Unfortunately ransomware attacks have become a plague on businesses, as it is very easy for hackers to extort large sums of money.
The average ransomware demand is now nearly $1M. Most businesses are not prepared for a ransomware attack and the hackers exploit the lack of preparedness.
Ransomware attacks are growing exponentially and so it is not a question of ‘if’ but ‘when’ a business will be attacked with ransomware and a large sum of money extorted.
There are three steps to protecting a business from a ransomware attack. The first step is adding security protection to the computer network,
which makes it a lot harder for the hacker to access the data stored in the network. The second step is continuously training employees about cybersecurity
protection and attack avoidance procedures. The third step is to have a recovery plan that can be implemented quickly, without paying the ransom, in the
case that a hacker is able to plant ransomware.
By following the points described in this document many businesses will avoid a ransomware attack. The businesses that do get attacked should be
able to recover in a few hours without paying the ransom. Let's get started by understanding what ransomware is all about.
What is ransomware?
Ransomware is the name of a technique that cyber criminals use to extort money from businesses. Ransomware requires the following steps.
- The cyber criminal gains access to the business server or cloud where the business application data is stored.
- The cyber criminal encrypts the business data so that the business no longer has access to the data.
- The cyber criminal sends a demand via email requesting the payment of a large number of Bitcoin to provide the key to release the data. Bitcoin payments cannot be traced or recovered.
- The business then pays the extortion money and the cyber criminal sends the key to release the data (sometimes).
There are a few fun facts about ransomware.
- The average ransomware demand is about $1M.
- In 30% of cases where the business pays the extortion, the hacker does not release the data.
- Once a business has been hacked the hacker will share the vulnerability that was used to hack
the network and so more hacker attacks will follow.
- The preferred ransomware targets include education, healthcare and smaller businesses, as they
pay quickly. Large business and bank IT departments invest in cybersecurity as a priority and so are much harder to hack; however, hackers
will still try, so all large businesses and banks have a 24/7/365 security team monitoring attempts to hack the network and blocking the hacker attacks where necessary.
- Ransomware theft is increasing exponentially as it is easy for the hacker to exploit, many
tools are available, and the businesses pay quickly.
- Most of the ransomware hackers are located in nations that are not friendly to the USA and so
the hacker has no risk of getting caught; much less than 1% of hackers face prosecution.
- Hackers do not need programming knowledge: there are already several ransomware-as-a-service
(RaaS) businesses in foreign countries that the hacker can pay to provide the hacking service, and all the hacker has to do is extort
the payment. This opens up ransomware to mafia-type organizations, which is the reason for the exponential growth in ransomware.
- It used to be that a business manager thought that a ransomware attack could never happen.
Now every business manager who has not been hacked with ransomware knows of a business that was hacked.
- It is inevitable that a hacker will try to attack a business; the hacker’s success will
depend on the precautions that the business takes now to block the hacker.
All businesses must invest in cybersecurity urgently before they become the next victim.
Business Segments that are primary targets for ransomware
Some businesses are high priority targets for hackers due to the ease of entry to databases and the fast response to pay the ransom.
Market research entities such as Statista have prepared statistics regarding the business segments that are the targets for ransomware.
It is important to note that many ransomware attacks are not reported because the businesses want to avoid the negative publicity regarding
the exposure of customer data to hackers. The two top segments for attacks are education and healthcare.
- Education: The education segment, especially government-funded education, lacks
cybersecurity protection and so is an easy target for hackers. Cybersecurity investment depends on government policy, and
politicians give priority to other areas that benefit their voters. The result is that education entities, such as school boards,
periodically have to make ransom payments to have student information unlocked. The cost of the ransoms paid exceeds the cost
of the cybersecurity investment that should have been made. Education entities are easy money for the ransomware hackers.
- Healthcare: Hackers prefer medium to small healthcare targets for two reasons:
they are easy to hack and they pay the ransom quickly. Larger healthcare entities have IT departments and budgets to implement
the HIPAA (Health Insurance Portability and Accountability Act) security rule, which specifies strict access control to patient
data. The investment priorities of small and medium healthcare businesses do not include IT, and in fact there is resistance to installing
greater data security because the healthcare professionals claim to need fast access to patient data and do not want to be
hindered by login procedures. This is surprising because all healthcare entities have a legal obligation to comply with the
HIPAA security rule, which offers a high degree of cybersecurity protection. This means that many small and medium healthcare
entities are not in compliance with the HIPAA security rule. After a ransomware breach, healthcare entities have a legal obligation
to report the data breach to HHS (U.S. Department of Health & Human Services) and then have to pay a fine corresponding to the number
of patient records that were breached. HHS publishes data breaches on its website. Until small and medium healthcare entities
increase cybersecurity investments they will remain the hackers' favorite money-maker.
The two segments that are least attacked by ransomware are finance and retail.
- Finance: Financial firms such as banks have always been targets for hackers who try to
get access to customer accounts. Banks especially dedicate a bigger proportion of their IT budgets to cybersecurity than other segments,
and this is reflected in the lowest incidence of ransomware attacks. If a financial firm gets hacked it is usually to steal information,
and the attack makes the news.
- Retail: Retail comes just behind finance, with few attacks. Many retail firms have on-line
e-commerce, which attracts hackers. Retail firms, like banks, dedicate a bigger proportion of their IT budgets to cybersecurity than the industry average.
What are the methods of ransomware attack?
The hacker will try several methods to access the business servers in order to plant the ransomware encryption. Hackers refer to the methods as attack vectors.
The most obvious method is to attack the business from the Internet. If the business has no firewall installed then the hacker can exploit vulnerabilities
of the router to gain access to the network. Most businesses do not upgrade the router firmware frequently if at all and so the router vulnerabilities do not
get patched. If the network has a firewall that is not properly configured then it is possible for the hacker to bypass the firewall. For this reason a firewall
must be installed and configured by a cybersecurity expert; simply connecting a firewall without the correct programming is not a solution that will protect the network.
If the hacker cannot access the network from the Internet the next step is to access the network end points. These are the points where users connect to the
network such as the WiFi, or the point where remote users connect to the network.
When remote users connect to a network this is done through ports that are left open and so the hacker can exploit the open ports to gain access to the network.
Methods of remote access must be protected. There are methods of social engineering that a hacker can use to obtain a password to gain remote access.
End-point users are the easiest method of attack, and most hackers will start at this point so they don't have to make a lot of effort. The purpose of the end-point
attack is to install software on the user's computer that gives the attacker access to the network. Once the software, called a Trojan virus, is installed, it
will call the hacker and give the hacker access to that computer. The hacker then uses that computer, unknown to the user, to access the business data server.
There are many methods that hackers use to plant the Trojan virus software onto a staff computer. A few methods are listed below.
- Identify the employee emails (usually provided on the business website) and send a fake email that
appears to be from a bank or service such as Amazon, with a message that requires urgent attention “your account has just been charged” etc.
with a link to click to investigate the problem. When the link is clicked the virus is installed.
- Send an email message with an attachment that appears to be from another employee with a business
document. When an attempt is made to open the attachment the virus is installed on the computer.
- Provide a website address that is very similar to that of a supplier or customer in an email and when
opened installs a virus onto the computer.
- Send an employee a flash thumb-drive through the post without explanation. The employee may insert
the thumb-drive in the computer to see what is on it, which immediately installs the virus (this works about 40% of the time).
Once the virus is installed on the employee computer it calls the hacker to advise that the attack can start. As this call is outbound it is not blocked by the firewall;
firewalls are usually configured to block only inbound data traffic.
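Because the perimeter firewall typically lets the implant's outbound call through, the place to catch it is the egress log. The following is an added example, not part of the original guide, of the kind of check a defender can run over firewall egress records: it looks for a workstation that contacts the same external address at near-constant intervals. The log format, the host addresses (documentation ranges only) and the thresholds are all constructed assumptions for the example.

```python
"""Flag periodic outbound "call home" traffic in constructed firewall egress logs.

Added example (not from the original guide). A perimeter firewall usually only
filters inbound connections, so a freshly installed implant's outbound beacon
is visible only in egress logs. Connections from one internal host to one
external address at a near-constant interval are worth a look.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines. 10.0.5.x, 203.0.113.x and 198.51.100.x are
# documentation address ranges; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:00 src=10.0.5.23 dst=203.0.113.9 dport=443 action=allow
2024-05-01T09:00:14 src=10.0.5.23 dst=198.51.100.7 dport=443 action=allow
2024-05-01T09:05:00 src=10.0.5.23 dst=203.0.113.9 dport=443 action=allow
2024-05-01T09:07:31 src=10.0.5.40 dst=198.51.100.7 dport=443 action=allow
2024-05-01T09:10:01 src=10.0.5.23 dst=203.0.113.9 dport=443 action=allow
2024-05-01T09:15:00 src=10.0.5.23 dst=203.0.113.9 dport=443 action=allow
2024-05-01T09:19:48 src=10.0.5.40 dst=198.51.100.7 dport=443 action=allow
2024-05-01T09:20:00 src=10.0.5.23 dst=203.0.113.9 dport=443 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_beacons(log_text, min_events=4, max_cv=0.1):
    """Return (src, dst, mean_interval_seconds, event_count) for every allowed
    outbound flow that recurs with a coefficient of variation <= max_cv."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "allow":
            flows[(rec["src"], rec["dst"])].append(rec["ts"])

    hits = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean interval means a regular schedule.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg), len(stamps)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, count in find_beacons(SAMPLE_LOG):
        print(f"review: {src} -> {dst} every ~{interval}s ({count} connections)")
```

In the sample, 10.0.5.23 reaches 203.0.113.9 every five minutes and is flagged; the other flows have too few events. Real beacons often add random jitter and legitimate software (update checks, mail clients) also polls on a schedule, so the thresholds need tuning per network and a hit is a prompt for review, not proof of compromise.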
The methods employed to plant a virus on a staff computer are only limited by the creativity of the hacker. For this reason many banks and large businesses filter
business emails to remove links and attachments, and provide employees with a secure method of exchanging documents. Businesses also put locks on computer USB ports
to prevent a thumb-drive being inserted. It is also necessary to block access to personal email accounts on a business computer, as hackers will also use personal
emails to send links. Personal emails of business staff can be obtained from web sites such as LinkedIn.
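One form the link-and-attachment filtering described above can take, as an added example that is not part of the original guide: a mail-gateway step that keeps the headers and plain-text body of an inbound message, replaces every URL with a placeholder, drops all attachments and appends a note saying what was removed. The sample message, the addresses (example.com / example.net) and the placeholder wording are constructed assumptions; only the plain-text body is handled here.

```python
"""Strip links and attachments from an inbound email before delivery.

Added example (not from the original guide). Uses only the Python standard
library "email" package. Sample message and addresses are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Matches http(s) URLs up to the next whitespace or angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
KEEP_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def build_sample() -> str:
    """Constructed phishing-style message: urgent text with a link plus a
    macro-enabled document attached. Not a real message."""
    m = EmailMessage()
    m["From"] = "accounts@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "Your account has just been charged"
    m.set_content("Please review the charge at https://example.net/login now.")
    m.add_attachment(b"not really a document", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="invoice.docm")
    return m.as_string()


def sanitize_message(raw: str) -> EmailMessage:
    """Return a new single-part text message: selected headers kept, URLs
    replaced by a placeholder, attachments removed and listed in a footer."""
    msg = message_from_string(raw, policy=policy.default)
    clean = EmailMessage()
    for name in KEEP_HEADERS:
        if msg[name]:
            clean[name] = msg[name]

    # Only the plain-text body is forwarded; HTML bodies are dropped here.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else "[mail filter] no plain-text body\n"
    text = URL_RE.sub("[link removed]", text)

    removed = [part.get_filename() or part.get_content_type()
               for part in msg.iter_attachments()]
    if removed:
        text += "\n[mail filter] removed attachments: " + ", ".join(removed) + "\n"

    clean.set_content(text)
    return clean


if __name__ == "__main__":
    print(sanitize_message(build_sample()))
```

The filtered copy reaches the employee with the link text replaced and the attachment gone, so a careless click cannot execute anything; the footer tells the recipient that something was removed so they can request the file through the approved document-exchange channel instead.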
Improve the security protection of the business network
It is not possible to protect a business network 100% against ransomware hackers. Hackers constantly discover some new vulnerability in operating systems like
Windows, or in application software that the businesses use. The vulnerability will allow the hacker to get access to the server or cloud and encrypt the business
data then attempt to extort a payment.
Software manufacturers race to patch newly discovered vulnerabilities to block hackers, but there is always a window for the hacker to attack between discovering
and patching the vulnerability. This also means that all businesses need an ongoing maintenance contract with an IT firm to apply software patches as they are released;
otherwise the window of vulnerability becomes larger, which increases the risk of attack.
The hacker’s objective is to get access to the business network and then access the server database and encrypt the files. If the business uses cloud applications
then the hacker needs access to the business network first. The task of getting cloud access is much harder than with network servers but can be done if the cloud
service has been misconfigured. The next figure illustrates the points where it is important that the business data processing system cybersecurity should be upgraded,
if it does not have these security features already installed.
The features highlighted in the diagram are described in the following paragraphs.
- A firewall between the Internet and the business network is essential. Ensure that the firewall is
properly configured. A firewall without proper configuration will not block a hacker. Call an expert to have the firewall reviewed, the configuration
checked, and possibly upgraded to a firewall that has more features.
- If possible move the business applications and data to a cloud hosting service. Cloud hosting is more
secure than a server located in the business network as the cloud companies invest heavily in cybersecurity. This might mean switching sales management
software running on the business servers to the Salesforce.com cloud. Software that is installed on business servers and has no cloud equivalent
can be moved to a cloud service such as AWS or Azure, however this must be done by experts as it is possible to leave an entry for hackers if the
cloud account is not secured correctly. Installing application software in the cloud will also benefit remote and hybrid workers.
- Offsite backup data storage should not be on-line; files should be backed up through a VPN tunnel using
an encrypted protocol. Both the network server and cloud server files should be backed up. Hackers will look to delete or encrypt backup server files
before encrypting the principal data files. The backup process should not delete the previous backup files. Previous backups should remain in storage.
The reason for this is that the hacker may have damaged the data file before encrypting it and so one or more of the backups may be damaged.
- The next item is very important but overlooked by businesses. End-point security must be installed to
ensure that only authorized staff have access to the network, using devices that have been approved. The network end-points are the weakest link in
the network security. The end-point security product is called a network access controller (NAC) and can be configured with many parameters. All
user access has to pass through the end-point security. It is highly recommended to configure 2-factor authentication (2FA) to ensure the identity
of the staff member. 2FA sends a code to the staff member's mobile phone after the password is entered; the code is then typed in to complete the
authentication process. Most high-risk businesses like banks and e-commerce sites use 2FA to protect customer information. 75% of hacker attacks
are made through the network end points using a Trojan virus installed in a staff computer.
- All user devices that connect to the network must have anti-virus software that is constantly updated with
the latest patches. Some end-point security systems have active agents installed on the staff computers that permit the computer software to be checked
before it is permitted to have access to the network.
- Remote user access is a point of entry for a hacker. Remote users should connect using virtual private
network (VPN) software. The firewall is configured to allow entry of the VPN connection. The VPN connection is directed to the VPN server, which then
connects to the end-point security. Remote staff who connect to the network have the same authentication process as staff on-site; a 2FA code is
entered after the password.
- Experts must review the network frequently, weekly or monthly. Upgrade patches must be applied to software
on all devices in the network. This includes ensuring that user computer operating system patches are applied. A known entry point that is not patched
will give a hacker access to the network and lead to data theft or ransomware.
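The second-factor check in the list above is described as a code sent to the staff member's phone. The block below is an added example, not code from the original guide, of the verifier side of the same pattern using a time-based one-time code (TOTP, RFC 6238, the scheme authenticator apps implement) instead of SMS delivery: the server derives the expected six-digit code from a shared secret and the current 30-second step, compares it in constant time, tolerates one step of clock drift, and refuses a code that has already been consumed. The enrolment helper, the drift window and the replay rule are design assumptions for the example; the test vector comes from RFC 4226/6238.

```python
"""Time-based one-time code (TOTP, RFC 6238) verification for a second factor.

Added example (not from the original guide). Standard library only.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step."""
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, submitted: str, now: float, last_used=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter the submitted code matched, or None.

    Accepts the current step plus `window` steps either side for clock drift.
    `last_used` is the counter of the last accepted code for this user; any
    candidate at or before it is rejected so a captured code cannot be replayed.
    """
    counter = int(now // step)
    for offset in range(-window, window + 1):
        candidate = counter + offset
        if last_used is not None and candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def new_secret() -> str:
    """Enrolment helper (assumption for this example): a fresh 160-bit secret
    in the base32 form authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def decode_secret(b32: str) -> bytes:
    """Turn the stored base32 secret back into key bytes."""
    return base64.b32decode(b32)


if __name__ == "__main__":
    import time
    key = decode_secret(new_secret())
    print("current code:", totp(key, time.time()))
```

The caller persists the returned counter as the user's `last_used` value; accepting the same code twice within its validity window is the mistake this guards against. Rate-limit attempts as well, since a six-digit code has only a million possibilities.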
Any business that has not implemented the list of points described above is at risk of a ransomware attack. Furthermore, each business has specific weaknesses that are
determined by the business model, and that might not be listed above. It is very important that a cybersecurity consultant who understands both technology and business
processes is called in to evaluate all possible weaknesses.
Staff training for cybersecurity awareness
On-going staff training is necessary to ensure that all staff are aware of security procedures and the risks of a hacker attack. A business might allocate one hour
each month for ‘cybersecurity awareness’ training. Many cybersecurity consultants provide this service and businesses can arrange a monthly program with the consultant.
The consultant must change the format of the training each month to avoid staff boredom, which may result in them skipping the training. Businesses must make training
compulsory and allocate the time in staff schedules for this. It may be necessary to schedule several training sessions each month for different groups of staff.
It is very important that the cybersecurity expert understands the way that the business operates so that the potential attack vectors can be identified. A good
cybersecurity expert will understand both cyber technologies and business process weaknesses.
The cybersecurity awareness staff training should include the following points.
- Explain what a hacker attack is.
- Explain what ransomware is.
- Explain what damage that ransomware can do to the business.
- Explain the additional security procedures that require extra effort on the part of the staff but will
protect the business; for example the use of 2-factor authentication.
- List the different methods that hackers will use to attack the business.
- List the precautions that staff must follow when using business computers.
- Provide a cybersecurity awareness document describing the procedures that staff should follow (keep it
short, bullet points).
- Provide a reporting method when a staff member identifies a possible attack.
- Have a cybersecurity expert on call to answer questions and ensure that all staff meet the expert
(ideally the expert should be the trainer).
- Provide a reward plan for staff members that identify a potential attack.
- Provide a reward plan for staff members that identify improvements for the cybersecurity awareness procedures.
- Use different case studies at each training session to vary the presentation.
It is important to have staff buy-in for participation with the cybersecurity awareness training and avoid staff thinking that this is wasting their time.
Ransomware attack recovery plan
It is possible that the hacker was able to find a method to break through the security ring and lock the business software with encryption. It is necessary
to have a plan in place to recover the data processing systems without paying the ransom. The plan will require the cooperation of an IT services company and
cybersecurity experts to implement. The recovery plan is implemented as follows.
- Have the IT and cybersecurity consultants on standby for the event that a hacker attack is discovered
and the business data cannot be accessed. This will require keeping the IT and cybersecurity consultants on retainer to provide 24/7 support.
- Preparation step 1: Contract with a cybersecurity expert to write an attack recovery procedure and
plan a budget to have it implemented immediately.
- Preparation step 2: back up business data daily or hourly to offsite data storage using an encrypted
transfer protocol. The backup storage must be offline and only connected, over the VPN, during the backup process. The backup storage should retain multiple
historic copies of the data. Do not use online data backup; the hacker will delete or lock this before locking the primary database.
- Preparation step 3: have multiple hard drives prepared ready to install on the servers. These should
be an exact copy of the drives installed in the servers and kept up to date. Multiple copies are required because when the backup drive is installed
in the server the data may get corrupted again from a source that was not identified during the security assessment.
- The procedure that is followed after an attack is to remove the infected server hard drives and replace
with the backup drives, then restore the data from the offsite backup. After the data processing system has been recovered the hacker will try to
attack again using the same method of access. It will be necessary to disconnect the business network from the Internet before recovery until the
cybersecurity experts have found the point of entry and blocked it. This also means that users are not permitted to access the network during this
time as a user computer virus might write to the server.
- It is necessary to test the recovery procedure at least once, and testing the procedure every quarter
is preferred. If the data processing system is not used at the weekend then the IT and security team can be called in to replace the drives,
recover the data and check the server logs for access reports. Problems with the recovery procedure will be found and corrected and the recovery
plan updated. With practice the business recovery will be quicker and benefit the business when a real attack occurs. If the data processing
system is used 24/7 then take it offline during a public holiday “for maintenance purposes”.
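Two points above recur: the backup process must never delete previous copies, and a copy may already be damaged by the time it is needed, so recovery has to pick the newest copy that is actually intact. The block below is an added example, not the guide's own procedure, of a snapshot-style backup that writes each run to a new directory, records a SHA-256 manifest, refuses to overwrite an existing snapshot, and selects the most recent snapshot whose files still match the manifest. The directory layout, manifest name and the constructed sample data are assumptions; the demo runs entirely in a temporary directory.

```python
"""Append-only backup snapshots with integrity manifests.

Added example (not from the original guide). Each run copies the source tree
into a new snapshot directory and writes MANIFEST.json with a SHA-256 per
file; restore logic picks the newest snapshot that still verifies.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_snapshot(source, backup_root, label=None) -> Path:
    """Copy `source` into backup_root/<label>/data and write the manifest.
    Never overwrites: an existing label is an error, not a replacement."""
    source, backup_root = Path(source), Path(backup_root)
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = backup_root / label
    if snap.exists():
        raise FileExistsError(f"snapshot {label} already exists; refusing to overwrite")
    data = snap / "data"
    shutil.copytree(source, data)
    manifest = {str(p.relative_to(data)): sha256_file(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snap / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return snap


def verify_snapshot(snap):
    """Return (ok, list_of_bad_relative_paths) for one snapshot."""
    snap = Path(snap)
    manifest = json.loads((snap / MANIFEST).read_text())
    bad = []
    for rel, digest in manifest.items():
        p = snap / "data" / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return (not bad, bad)


def latest_good_snapshot(backup_root):
    """Newest snapshot (by label) whose contents still match its manifest."""
    for snap in sorted(Path(backup_root).iterdir(), reverse=True):
        if (snap / MANIFEST).is_file() and verify_snapshot(snap)[0]:
            return snap
    return None


def demo():
    """Constructed run: two snapshots, the newer one damaged after backup.
    Returns (first_ok, second_ok, second_bad_files, chosen_label)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        (live / "customers.csv").write_text("id,name\n1,Example Co\n")
        root = Path(tmp) / "backups"
        root.mkdir()
        first = create_snapshot(live, root, "20240501T0100Z")
        second = create_snapshot(live, root, "20240502T0100Z")
        # Simulate corruption or tampering of the newest copy.
        (second / "data" / "customers.csv").write_text("id,name\n1,XXXX\n")
        ok_first = verify_snapshot(first)[0]
        ok_second, bad = verify_snapshot(second)
        chosen = latest_good_snapshot(root)
        return ok_first, ok_second, bad, chosen.name


if __name__ == "__main__":
    print(demo())
```

The manifest only proves that a snapshot is unchanged since it was written, so the damage the guide warns about (a file corrupted before it was backed up) still has to be caught by restoring and checking the data, which is what the quarterly recovery rehearsal above is for. On the storage side, the same never-overwrite rule should be enforced by the backup target itself (write-once media or object storage with retention locks), not only by the script.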
In the case where the data storage is on a cloud server it will be harder for the hacker to lock the database, but not impossible. Weaknesses occur when cloud
accounts are misconfigured. The cloud storage should be backed up hourly or daily to a cloud service or to offline storage at the IT service
provider's installation. The business has recovery options with cloud-based applications.
- When an attack occurs create a new cloud service, reinstall the application software from a backup
then repopulate the data.
- Keep a second cloud service configured ready to be used. When the first account is hacked swap to the
second account and populate using the backup data storage. As cloud services charge for use the backup service should not have a high cost until it is used.
- As with the in-house server system, the source of the data breach must be investigated immediately
and plugged quickly as the hacker will attack again using the same method.
The recovery plan is an essential part of the business IT budget. The cost of not implementing it is partial or permanent damage to the business.
By implementing the steps described in this document a business will reduce the probability of getting attacked with ransomware. The probability is not zero
however as hackers are very creative and will discover new exploits that were not included in the plan. All businesses should have a cybersecurity expert make
frequent security reviews, if not possible monthly then at least quarterly. Cybersecurity is an ongoing expense for a business and requires an annual budget
that can be increased in the case where a new exploit is discovered and requires immediate attention. Cybersecurity is the cost of doing business in the Internet
age where business administration uses computers and businesses are permanently connected to the Internet. However much a business spends on cybersecurity it
will always be much less than the cost of paying a ransom. If the cybersecurity protection works really well then the business will never find out how much was
saved by not getting hacked and extorted with ransomware.
Readers are invited to share this information with others. If any reader has a question regarding this information please contact us via our contact page.