Ransomware has cost US businesses over $75 billion. According to the FBI, there are over 4,000 attacks every single day. If your organization hasn’t experienced an attack, it will. In a recent webinar sponsored by Veriato RansomSafe, Nick Cavalancia, founder of Techvangelism, laid out a five-step plan that businesses can put into effect to thwart ransomware attacks.
Big business
“In 2016 ransomware was considered to be a $1 billion business. I chose the word business on purpose,” says Cavalancia.
In some states there are companies building the Trojans, the ransomware itself, the delivery mechanisms and the mechanisms for collecting the money: everything. Any XaaS (anything-as-a-service) you can find on the web you can find on the dark web, and ransomware is sold the same way.
Layered defenses are key
Cavalancia recommends a five-step approach. It begins with preparation, which happens before an attack. Step two is detection and step three is containment. Next comes eradication and finally recovery, whether it is a workstation or a server that gets encrypted, or both. These steps fall into three stages, he said: “The things you should do before the ransomware ever hits, the things you do during when it does actually hit, and then what you’re going to do after the fact.”
Be proactive; an ounce of prevention is worth a pound of cure. Make sure your endpoints are protected. If you don’t already have one, install a good all-round anti-virus solution that detects malware, Trojans and ransomware, whether signature-based, heuristics-based or behavior-based, and that examines email and messaging, scans and validates URLs and provides URL protection.
For IT staff, think about implementing a least-privilege protocol. “Login with a low-level user account for your emails, Word, Excel, and whatever else, and then log on to a privileged account with a different set of credentials from another workstation,” Cavalancia suggested. He also recommended a separate, hardened machine with no internet access for actual IT management. Be religious about regular, if not daily, backups, and keep at least one copy somewhere the everyday user accounts cannot write to, because ransomware encrypts any backup volume it can reach. Consider writing down a response protocol with concrete actions and rehearsing it like a fire drill, so that when an attack actually happens staff act swiftly.
During the attack your goals are twofold: identify and isolate. Identify which machines are being impacted and what data is being impacted. Isolate them by quarantining both the machine and the process. Cavalancia said, “There are some great tools that exist. VMware’s NSX is fantastic software to find networking anomalies. It’s a virtualization layer, and provides a lot of APIs to allow third-party vendors to hook into it. It will isolate the machine from the network so your antivirus can go in and clean it up.”
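The identify-and-isolate step above, as an added example in Python that is not code from the webinar or from Veriato: a small detector that reads a file-activity log and decides which hosts to quarantine. The log format, host names, share paths, the extension list, the ransom-note name pattern, the canary file and the burst threshold are all constructed assumptions; in practice the events would come from an EDR, Sysmon or file-server audit log, and the isolation itself would be an EDR containment action or the NSX hook the speaker mentions.

```python
"""Identify and isolate: flag hosts showing ransomware-like file activity.

Added example, not code from the webinar or any vendor. Log format, hosts,
paths, indicator lists and thresholds are constructed assumptions.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ts> host=<h> user=<u> op=<op> path=<p> [new=<p2>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Indicators (assumed values; tune them to your environment).
SUSPICIOUS_EXT = {".locked", ".encrypted", ".crypt"}        # extensions appended to victims
NOTE_NAME_RE = re.compile(r"decrypt|ransom|recover", re.I)  # ransom-note-like file names
CANARY_PATHS = {"//fs01/finance/~canary_do_not_open.docx"}  # bait file nobody should touch
WINDOW = timedelta(seconds=60)
BURST = 20   # distinct files modified by one host+user inside WINDOW
MODIFYING_OPS = {"write", "rename", "delete", "create"}


def parse(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect(lines):
    """Return {host: {"reasons": set, "files": set}} for every host with an indicator."""
    findings = {}
    recent = defaultdict(list)   # (host, user) -> [(ts, path)] seen inside WINDOW

    def flag(host, reason, paths):
        f = findings.setdefault(host, {"reasons": set(), "files": set()})
        f["reasons"].add(reason)
        f["files"].update(paths)

    for ev in filter(None, map(parse, lines)):
        if ev["op"] not in MODIFYING_OPS:
            continue
        host, ts, path = ev["host"], ev["ts"], ev["path"]
        target = ev["new"] or path           # where the file ends up after the op

        # 1. File written or renamed to a known ransomware extension.
        if os.path.splitext(target)[1].lower() in SUSPICIOUS_EXT:
            flag(host, "suspicious extension", [path])
        # 2. A ransom-note-looking file was created.
        if ev["op"] == "create" and NOTE_NAME_RE.search(os.path.basename(target)):
            flag(host, "ransom note dropped", [target])
        # 3. A canary file was touched (high fidelity: no legitimate user opens it).
        if path in CANARY_PATHS or target in CANARY_PATHS:
            flag(host, "canary touched", [path])
        # 4. Mass modification: many distinct files by one host+user inside WINDOW.
        key = (host, ev["user"])
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= WINDOW]
        recent[key].append((ts, path))
        distinct = {p for _, p in recent[key]}
        if len(distinct) >= BURST:
            flag(host, "mass modification burst", distinct)
    return findings


def hosts_to_isolate(findings):
    """Quarantine on two independent indicators, or on a canary hit alone."""
    return sorted(h for h, f in findings.items()
                  if len(f["reasons"]) >= 2 or "canary touched" in f["reasons"])


def _sample_log():
    """Constructed log: benign activity, one weak single indicator, one real burst."""
    base = datetime(2017, 3, 14, 9, 12, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [f"{at(i * 7)} host=WS-007 user=amy op=write path=//fs01/sales/q1_{i}.xlsx"
             for i in range(5)]
    lines.append(f"{at(40)} host=WS-019 user=raj op=create path=//fs01/ops/recovery_plan.docx")
    for i in range(25):   # 25 renames in 25 seconds, then the note
        lines.append(f"{at(i)} host=WS-042 user=jsmith op=rename "
                     f"path=//fs01/finance/doc{i:02d}.xlsx new=//fs01/finance/doc{i:02d}.xlsx.locked")
    lines.append(f"{at(26)} host=WS-042 user=jsmith op=create path=//fs01/finance/HOW_TO_DECRYPT.txt")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for host, f in sorted(found.items()):
        print(host, sorted(f["reasons"]), f"{len(f['files'])} files")
    print("isolate:", hosts_to_isolate(found))
```

On the constructed log, WS-042 trips three independent indicators and is isolated, WS-019 shows up only because a file called `recovery_plan.docx` matches the note pattern and is left for review, and WS-007 is not flagged at all. The `files` set for each flagged host is the answer to "what data is being impacted"; the host list is what you hand to the quarantine mechanism. Note that a single weak indicator is deliberately not enough to isolate a machine, while the canary is, because nobody has a legitimate reason to modify it.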
After the attack itself, Cavalancia says, the strategy is to get back to being as operational as you were before it. Get rid of the ransomware. According to Cavalancia, on average six machines and two servers get hit. “It’s a question of whether you’re going to pay or not. The answer used to be don’t pay. The reason for that was there was no guarantee that they actually had the decryption key. But as the business of ransomware has evolved, it may be in a company’s best interest to pay the ransom. It’s $200. The decisive question is can you easily recover faster and more cost effectively than paying the ransom itself?”
Post-attack it is a matter of recovery. If you have backed up religiously, use image-based machines or run VDI, you simply roll back to an earlier snapshot and don’t have to pay: wipe the machines and start over. Check that the snapshot predates the infection, otherwise you restore the ransomware along with the data.
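The backup and fire-drill advice in the preparation step and the snapshot rollback described here share one check: after a restore, how do you know the data is complete and predates the encryption? As an added example in Python that is not the webinar's or Veriato's code, the script below records a SHA-256 manifest of a data set before backing it up, simulates an attack (one file encrypted in place, one renamed, a ransom note dropped) and then wipes and restores from the backup, verifying the tree against the manifest both times. The share layout, file names and contents are constructed, and the "snapshot" is a plain directory copy standing in for whatever image or VDI snapshot you actually use.

```python
"""Backup manifest and restore drill.

Added example, not code from the webinar or any vendor. Assumes file-based
data that can be hashed with SHA-256; the share layout and contents are
constructed. Preparation: write a manifest of the data you back up and keep
it with the offline copy. Recovery, or a drill: after restoring a snapshot,
compare the restored tree against that manifest.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest):
    """Compare a tree against a manifest; three empty lists mean a clean, complete restore."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),      # deleted or renamed away
        "altered": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),   # .locked copies, ransom notes
    }


def restore_drill():
    """Prepare -> simulated attack -> wipe and restore; return both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        data, backup, manifest_file = work / "share", work / "backup", work / "manifest.json"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "budget.xlsx").write_bytes(b"q1 numbers")   # constructed content
        (data / "notes.txt").write_text("meeting notes")

        # Preparation: take the backup and record the manifest beside it, not on the share.
        shutil.copytree(data, backup)
        manifest_file.write_text(json.dumps(build_manifest(data), indent=1))

        # Simulated attack: one file encrypted in place, one renamed, a note dropped.
        (data / "notes.txt").write_bytes(os.urandom(32))
        victim = data / "finance" / "budget.xlsx"
        victim.write_bytes(os.urandom(32))
        victim.rename(victim.parent / (victim.name + ".locked"))
        (data / "HOW_TO_DECRYPT.txt").write_text("pay up")

        manifest = json.loads(manifest_file.read_text())
        after_attack = verify_restore(data, manifest)

        # Recovery: wipe the data and restore the snapshot, then verify again.
        shutil.rmtree(data)
        shutil.copytree(backup, data)
        after_restore = verify_restore(data, manifest)
        return after_attack, after_restore


if __name__ == "__main__":
    attacked, restored = restore_drill()
    print("after attack :", attacked)
    print("after restore:", restored)
```

After the simulated attack the report lists `notes.txt` as altered, `finance/budget.xlsx` as missing and the `.locked` copy plus the note as unexpected; after the restore all three lists are empty, which is the condition to check before declaring a machine back in service. Two caveats a practitioner should keep in mind: the manifest has to live with the offline backup, because a manifest stored on the share gets encrypted or rewritten along with everything else, and a non-empty `unexpected` list after a restore is the sign that the snapshot you rolled back to was taken after the infection began.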
To listen to the webinar in its entirety go here.