Palmetto Banker Summer 2016


Feature

Ransomware: An Epidemic Your Institution Can Avoid
Heather Wyson-Constantine, American Bankers Association

By now, you've most likely heard the news: ransomware is here and it's a problem. Businesses of all types and sizes are targeted by criminals in this extortion scam, which exploits vulnerabilities in an organization's staff and technical processes to deliver malicious software. Once installed on a computer or mobile device, the malware encrypts documents or entire operating systems, rendering them inaccessible or inoperable until the victim pays a ransom. The impact can be devastating. Imagine not being able to access your company's email, customer information or vital records for days or even weeks. Such was the case when Hollywood Presbyterian Medical Center fell victim to a ransomware attack in February 2016, which left it offline for over a week until the hospital agreed to pay the criminals approximately $17,000 in Bitcoin.

Victims not only face the monetary loss of the ransom and of business lost during the downtime, but also the additional cost of a forensic review of their systems to ensure that the ransomware has in fact been removed and that no other malware was installed. There is also the loss of employee productivity and, most importantly, customer trust. The Federal Bureau of Investigation reports that more than 1,800 ransomware complaints were filed in 2014, with losses of more than $23 million. In 2015 that number increased by more than 30 percent, to more than 2,400 complaints with reported losses of more than $24 million.

Infection Vectors

Ransomware is typically delivered through emails targeted at a specific individual within a business. While the email and its contents appear legitimate, they often contain malicious attachments or links to websites that host an exploit kit. The good news is that ransomware can be prevented by implementing and following basic cyber hygiene practices. The bad news is that the best technical defenses can be undone by employees, who are often the weak link in these social engineering scams; educating staff about these scams is therefore essential. Employees should be taught to be cautious when opening emails, links or attachments they don't expect or recognize, even if the message appears to come from someone on their "safe" contact list. When in doubt, employees should contact the sender to confirm legitimacy, using a channel other than the suspicious email itself (a known phone number, for example), since a reply to a spoofed or hijacked mailbox confirms nothing. Since ransomware is also present in downloadable games and file-sharing applications, employees should be taught to download software only from company-approved sites, if at all.

Technical Protections

The FBI recommends that businesses take the following steps to protect themselves against infection:
• Patch operating systems, software and firmware on digital devices (for example, using a centralized patch management system).
• Ensure antivirus and anti-malware solutions are set to update automatically and conduct regular scans.
• Manage the use of privileged accounts. No user should be assigned administrative access unless absolutely needed, and administrator accounts should be used only when necessary.
• Configure access controls, including file, directory and network share permissions, appropriately. Ransomware encrypts everything the infected user's account can write to, so every unnecessary write permission on a share widens the damage.
• Disable macro scripts in Office files transmitted over email. Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations, such as temporary folders and the user's application-data directories.
• Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy. Use virtualized environments to execute operating system environments or specific programs.
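The macro and attachment controls in the list above are usually enforced at the mail gateway rather than on each desktop. The following is an added example, not code from the article, the ABA or the FBI: a small Python check that parses an inbound message with the standard library and holds attachments that are executable or script types, or Office documents that carry a VBA project, whatever extension they were given. The message, file names, attachment contents and the blocked-extension list are constructed for this example; a real gateway would tune the list to its own environment.

```python
"""Flag e-mail attachments that commonly carry ransomware droppers.

Added example, not from the article: a check a mail gateway or triage
script could run on an inbound RFC 5322 message. It flags attachments that
are (a) executable or script types, or (b) OOXML Office documents that
contain a VBA project ('vbaProject.bin'), regardless of file extension.
All sample data below is constructed for the example.
"""
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions that should not arrive as attachments in most organizations
# (illustrative list, an assumption of this example).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
    ".bat", ".cmd", ".ps1", ".jar", ".lnk",
}

# OOXML part that holds VBA macros, whatever the document is named.
VBA_PART_SUFFIX = "vbaProject.bin"


def office_has_macros(data: bytes) -> bool:
    """Return True if data is an OOXML (zip) container holding a VBA part."""
    if not data.startswith(b"PK"):
        return False  # not a zip container; legacy binary .doc is out of scope
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def flag_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment that should be held."""
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # container or body part, not an attachment
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(filename)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, "blocked executable/script type"))
        elif office_has_macros(payload):
            findings.append((filename, "Office document contains VBA macros"))
    return findings


def build_macro_doc() -> bytes:
    """Construct a minimal OOXML-shaped zip that carries a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed inbound message: a benign PDF, a macro document named
    .docx (not .docm), and a JavaScript file."""
    msg = EmailMessage()
    msg["From"] = "vendor@example.com"
    msg["To"] = "payables@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="octet-stream", filename="invoice.js")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_attachments(build_sample_message()):
        print(f"HOLD {name}: {reason}")
```

The point of inspecting the zip contents rather than trusting the extension is that a macro-bearing document renamed to `.docx` still opens in Word with its VBA project intact; an extension-only filter would pass it through.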

Best Defense is a Good Offense

While training staff and implementing appropriate technical measures to keep ransomware off your systems is your first line of defense, these scams will evolve and become more difficult to detect. Businesses must proactively prepare to protect and recover their data and systems in the event they are infected. The FBI recommends having a robust data backup and recovery plan for resuming and continuing operations, including:
• Systematically backing up data and verifying the integrity of those backups, including by periodically restoring from them; a backup that has never been restored is an assumption, not a plan.
• Securing backups and ensuring that they are not connected to the computers and networks they are backing up. Ransomware encrypts mapped drives and reachable shares along with local disks, so an always-mounted backup volume is just another target.
• Maintaining copies of files, particularly sensitive or proprietary data, in a separate secure location.
• Categorizing data based on organizational value, and implementing physical/logical separation of networks and data for different organizational units.

The FBI does not advocate paying the ransom, as payment does not guarantee receipt of a working decryption key from the criminals; however, the FBI acknowledges that executives must evaluate all options to protect their customers, employees and shareholders. Contact your local FBI Cyber Task Force for assistance, and report all instances of ransomware and other criminal cyber activity to the FBI's Internet Crime Complaint Center (IC3).

(Heather Wyson-Constantine is vice president of Payments and Cybersecurity for the American Bankers Association.)
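The first item in the backup list above, verifying the integrity of backups, is easy to state and easy to skip. What follows is an added example, not code from the article, the ABA or the FBI, of one way to do it: record a SHA-256 manifest when the backup is taken, store the manifest separately from the data, and before relying on the backup recompute and compare, reporting files that are missing, changed or unexpected. The directory layout, file contents and simulated tampering are constructed for the example in a temporary directory.

```python
"""Verify that a backup set still matches the manifest taken when it was made.

Added example, not from the article: at backup time, record a SHA-256 for
every file; before a restore, recompute and report files that are missing,
changed, or new. A backup that was silently encrypted or altered after it
was taken shows up as 'changed' before anyone depends on it. All paths and
contents below are constructed sample data in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the files now under root against a previously saved manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest
                          if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, tamper with the copy, verify."""
    with tempfile.TemporaryDirectory() as backup_root:
        docs = os.path.join(backup_root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "ledger.csv"), "w") as f:
            f.write("acct,balance\n1001,250.00\n")
        with open(os.path.join(docs, "policy.txt"), "w") as f:
            f.write("Retention: 7 years\n")

        manifest = build_manifest(backup_root)
        # The manifest must live apart from the data it describes; here it is
        # serialized to a string standing in for an offline or write-once copy.
        saved = json.dumps(manifest, sort_keys=True)

        # Simulate what ransomware does to a backup it can reach: overwrite one
        # file with ciphertext-looking bytes, delete another, drop a note.
        with open(os.path.join(docs, "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))
        os.remove(os.path.join(docs, "policy.txt"))
        with open(os.path.join(docs, "README_DECRYPT.txt"), "w") as f:
            f.write("constructed sample ransom note\n")

        return verify_backup(backup_root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only proves anything if it is kept where the malware cannot rewrite it alongside the files; keeping it on the same always-mounted share defeats the check, which is the same reason the second bullet above asks that backups be disconnected from the systems they protect.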
