Ransomware 2017

Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems. Ransomware is frequently delivered through spear phishing e-mails to end users. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom, at which time the actor will purportedly provide an avenue to the victim to regain access to their data. Recent iterations target enterprise end users, making awareness and training a critical preventative measure.

Key areas to focus on with ransomware are prevention, business continuity, and remediation. As ransomware techniques continue to evolve and become more sophisticated, even with the most robust prevention controls in place, there is no guarantee against exploitation. This makes contingency and remediation planning crucial to business recovery and continuity.

Prevention Considerations

• Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
• Patch operating systems, software, and firmware on devices; a centralized patch management system makes this easier.
• Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
• Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed, and those with a need for administrator accounts should only use them when necessary.
• Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
• Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Office files transmitted via e-mail instead of full Office suite applications.
• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as the temporary folders used by popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folders.
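The macro and execution-location items above, carried out on a single Windows machine. This is an added example and not part of the FBI trifold; it uses AppLocker, the successor to SRP on supported Windows editions, in place of SRP itself. Assumed: Office 2016/2019/365 (registry version key 16.0), an elevated PowerShell session, Windows Enterprise/Education with the Application Identity service available, and the policy file name and test paths chosen here for illustration.

```powershell
# Added example (not from the FBI trifold): disable e-mail/Internet macros and
# block EXE execution from user-writable folders, then dry-run the rules.
# Assumptions: Office 16.0 registry key, elevated session, AppLocker-capable
# Windows edition. Deploy via GPO/Intune in production; this is per machine.

# --- 1. Office macro policy (user hive) ---
# blockcontentexecutionfrominternet=1 blocks macros in files carrying the
# Mark-of-the-Web (downloaded or saved from e-mail). VBAWarnings=4 disables all
# macros without notification for files that do not carry the mark.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

# --- 2. AppLocker EXE rules: deny the folders the trifold names, allow the rest ---
# AppLocker applies an explicit Deny before any Allow, so the deny on
# %OSDRIVE%\Users\*\AppData\* (LocalAppData, Temp, browser caches) wins even for
# administrators and even though %WINDIR%\* is allowed below. Start in AuditOnly.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE under any user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE under Windows Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators elsewhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:ProgramData 'AppLocker-exe-policy.xml'   # assumed location
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# --- 3. Dry-run against real files BEFORE applying ---
# notepad.exe in System32 should be Allowed; the same binary copied into the
# user's Temp folder (what a phishing payload does) should be Denied.
$dropped = Join-Path $env:TEMP 'dropped-notepad.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $dropped -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\notepad.exe", $dropped -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $dropped -Force

# --- 4. Apply locally, then review audit events (ID 8003 = "would have been
#        blocked") before changing EnforcementMode to Enabled ---
Set-AppLockerPolicy -XmlPolicy $policyPath
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Run step 3 on a representative workstation image before step 4: line-of-business installers and updaters that unpack into AppData will show up as Denied there, and those are the exceptions you add (preferably as publisher rules, not broader path rules) before enforcing. Set-AppLockerPolicy without -Merge replaces the local Exe collection; add -Merge to keep rules that already exist.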

Business Continuity Considerations

  • Back up data regularly, and regularly verify the integrity of those backups (confirm that files actually restore, not just that the backup job reported success).
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up, for example by keeping them in the cloud or physically storing them offline. Some ransomware can reach cloud-based backups when systems continuously back up in real time (persistent synchronization): the encrypted files are synced and overwrite the good copies. Backups are critical in a ransomware event; if you are infected, they may be the best way to recover your critical data.
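One way to carry out the "regularly verify the integrity of those backups" item, added here as an example that is not part of the FBI trifold: write a SHA-256 manifest of a backup set when it is known good, then re-verify it on a schedule so that backup files overwritten, encrypted in place, renamed or dropped by ransomware are noticed before the day you need them. The function names, the demo folder under $env:TEMP and the sample files are all constructed for illustration.

```powershell
# Added example (not from the FBI trifold): SHA-256 manifest for a backup set,
# plus a verifier that reports Missing, Modified and Unexpected files.
# Assumption: the manifest is stored where neither the backup job nor the
# backed-up hosts can write, otherwise the same malware can rewrite it too.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | Sort-Object FullName | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $BackupRoot,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    $expected = @{}
    foreach ($e in Import-Csv -LiteralPath $ManifestPath) { $expected[$e.RelativePath] = $e.Sha256 }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($rel in $expected.Keys) {
        $full = Join-Path $root $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $findings.Add([pscustomobject]@{ Path = $rel; Status = 'Missing' })      # deleted or renamed
        }
        elseif ((Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash -ne $expected[$rel]) {
            $findings.Add([pscustomobject]@{ Path = $rel; Status = 'Modified' })     # encrypted/overwritten in place
        }
    }
    # Files not in the manifest are suspicious too: ransom notes, *.locked copies.
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if (-not $expected.ContainsKey($rel)) {
            $findings.Add([pscustomobject]@{ Path = $rel; Status = 'Unexpected' })
        }
    }
    return $findings
}

# --- Demo on a constructed backup set (sample data, not a real backup) ---
$demo = Join-Path $env:TEMP ("backup-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$demo\data\finance" -Force | Out-Null
Set-Content -LiteralPath "$demo\data\finance\ledger.csv" -Value 'id,amount'
Set-Content -LiteralPath "$demo\data\readme.txt" -Value 'quarterly export'
$manifest = Join-Path $demo 'manifest.csv'   # demo only; keep the real one off the backup volume
New-BackupManifest -BackupRoot "$demo\data" -ManifestPath $manifest

# Simulate ransomware reaching the backup: one file overwritten in place,
# one renamed, and a ransom note dropped.
Set-Content -LiteralPath "$demo\data\finance\ledger.csv" -Value 'not the ledger any more'
Rename-Item -LiteralPath "$demo\data\readme.txt" -NewName 'readme.txt.locked'
Set-Content -LiteralPath "$demo\data\README_DECRYPT.txt" -Value 'pay up'

Test-BackupManifest -BackupRoot "$demo\data" -ManifestPath $manifest | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

The verifier flags the overwritten ledger as Modified, the renamed readme as Missing, and both the ransom note and the .locked copy as Unexpected. A clean run that also restores a few sampled files to a scratch location is the check that matters; a manifest kept on the same share as the backup, or on a volume the backup job can write to, proves nothing once that share is reachable from an infected host.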

Other Considerations

  • Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized environment.
  • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.

The Ransom

The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides a lucrative environment for other criminals to become involved. While the FBI does not support paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.

In all cases the FBI encourages organizations to contact a local FBI field office immediately to report a ransomware event and request assistance. Victims are also encouraged to report cyber incidents to the FBI's Internet Crime Complaint Center (www.ic3.gov).

Ransomware_Trifold_e-version

3 Comments

  1. Good Stuff.

  2. #uscomputek

  3. #BestITServicesInLosAngeles
