Ransomware is a form of malware that targets both human and technical weaknesses in organizations and individual networks in an effort to deny the availability of critical data and systems. Ransomware is frequently delivered through spear phishing e-mails to end users. When the victim organization determines they are no longer able to access their data, the cyber actor demands the payment of a ransom, at which time the actor will purportedly provide an avenue to the victim to regain access to their data. Recent iterations target enterprise end users, making awareness and training a critical preventative measure.
Key areas to focus on with ransomware are prevention, business continuity, and remediation. As ransomware techniques continue to evolve and become more sophisticated, even with the most robust prevention controls in place, there is no guarantee against exploitation. This makes contingency and remediation planning crucial to business recovery and continuity.
• Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
• Patch operating systems, software, and firmware on devices, which may be made easier through a centralized patch
• Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
• Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary.
• Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
• Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite
• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or including the AppData/LocalAppData folder.
Business Continuity Considerations
- Back up data regularly, and regularly verify the integrity of those backups.
- Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing them offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, this may be the best way to recover your critical data.
- Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.
- Execute operating system environments or specific programs in a virtualized
- Categorize data based on organizational value, and implement physical/logical separation of networks and data for different
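The first item above asks for regular verification of backup integrity. The following is an added example (not part of the FBI brochure) of one way to do that: take a SHA-256 manifest of the backup set at backup time, store it away from the backup host, and later re-hash the set against it. The sample files and the damage simulated in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files need not fit in memory

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_root: Path) -> dict:
    """Record the relative path, size and SHA-256 of every file in the backup set."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest

def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Re-hash the backup set and report files that vanished, changed or appeared
    since the manifest was taken. Any non-empty list means the copy is not trustworthy."""
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(r for r in set(manifest) & set(current)
                      if current[r]["sha256"] != manifest[r]["sha256"])
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified or unexpected)}

def demo() -> dict:
    """Constructed sample: a tiny backup set and its manifest, then the kind of damage
    an encryptor leaves behind (one file overwritten, one renamed) caught on re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("Q3 figures\n")
        (root / "db").mkdir()
        (root / "db" / "backup.sql").write_text("CREATE TABLE t(x INT);\n")
        manifest = build_manifest(root)  # keep this copy off the backup host
        assert verify_backup(root, manifest)["ok"]  # fresh backup verifies clean
        (root / "docs" / "report.txt").write_bytes(os.urandom(64))  # content replaced
        (root / "db" / "backup.sql").rename(root / "db" / "backup.sql.locked")  # renamed
        return verify_backup(root, manifest)
```

Run verify_backup() against each backup copy on a schedule, and treat any non-empty list as a reason to fall back to an older, offline copy rather than restoring from the suspect one.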
The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved. While the FBI does not support paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.
In all cases the FBI encourages organizations to contact a local FBI field office immediately to report a ransomware event and request assistance. Victims are also encouraged to report cyber incidents to the FBI’s Internet Crime Complaint Center (www.ic3.gov).