Hollywood Hospital Pays Ransom to Unlock Data
9 Steps to Take to Avoid Being the Next Extortion Victim
To defend against ransomware attacks, it’s important to take a multi-pronged approach, says Mark Dill, principal consultant of consulting firm tw-Security and former long-time CISO at the Cleveland Clinic. “You can only attack this problem in a layered way – no one single fix will both reduce the likelihood and lower the harm.”
Dill says he recommends a combination of the following steps:
- Back up data: “For workstations, the My Documents folders should be redirected to a network drive and backed up regularly – so that an org has data to restore,” he says. For mobile workers with a laptop, “I recommend a well-vetted cloud service that has reasonable controls…that will sign a [HIPAA] business associate agreement.” It’s also important to change the retention period for data backups to one month, he says.
- Improve workforce awareness: Consider tools that send simulated phishing emails to users; when a user opens the email or clicks on the attachment, the tool explains the cues that should have revealed it as a phishing attack.
- Consider using AppLocker to create a blacklist/whitelist: you especially want to disallow Cryptolocker variants from launching on Windows devices. Also, consider stripping away all email attachments. However, “while it works… it doesn’t seem practical in many settings. Also, be aware that many email filters will just quarantine the files – if a user requests a copy and then clicks, this control is defeated,” he says.
- Review the rights on shared drives: “If the infected user only needed to read files but was given ‘write’ access – trim back rights where possible; this malware needs to write in order to encrypt,” Dill says.
- Ban all personal web-mail and surfing on corporate devices: However, “depending upon an organization’s culture, be prepared for worker backlash,” he notes. Also, require employees to use their personally-owned mobile device through a “guest” wireless network for accessing their personal webmail accounts.
- Consider next generation anti-malware tools that use advanced math to predict malware: “Traditional antivirus suites are having difficulties blocking ransomware variants, especially the zero-day versions,” Dill notes.
- Evaluate advanced persistent threat tools: “Some variants of Crypto provide an initial/silent infection first; then the infected device reaches out to command and control servers to get the encryption key. FireEye and tools like this can block or alert on the activity,” he says. “An organization will still have an infected device, but the malware can’t achieve its objective/payload.”
- Implement intrusion prevention systems: “They block some of the command and control traffic – check with your provider to confirm if this is an additional feature that you are not yet licensed for,” Dill says.
- Refine web filtering to block bad traffic: This includes blocking traffic to and from foreign countries that your organization is not actively doing business with; and quarantining or blocking inbound email traffic that comes from a newly created domain.
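One way to carry out the shared-drive rights review above (step "Review the rights on shared drives"), as an added example that is not the article's or Dill's own code: a PowerShell script that lists every non-administrative principal holding write, modify or full-control rights on the top-level folders of a share, so the "read only" cases can be trimmed back. The share paths and the trusted-principal list are assumptions to adapt to your own environment.

```powershell
# Added example: report principals with write-capable rights on shared folders.
# Assumes the share roots below exist and that ordinary staff should mostly only read them.
# $ShareRoots are placeholder paths; $TrustedPrincipals lists accounts expected to have full rights.
$ShareRoots        = @('\\fileserver\Departments', '\\fileserver\Projects')
$TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Rights that allow creating or overwriting file contents; ransomware needs at least one of them.
$WriteFlags = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Modify -bor
              [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WriteCapableAces {
    param([string[]]$Roots, [string[]]$Trusted, [System.Security.AccessControl.FileSystemRights]$Flags)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) {
            Write-Warning "Share root not reachable, skipping: $root"
            continue
        }
        # Share root plus its top-level folders; descend further once the obvious over-grants are fixed.
        $folders = @(Get-Item -Path $root) +
                   @(Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue)

        foreach ($folder in $folders) {
            $acl = Get-Acl -Path $folder.FullName
            foreach ($ace in $acl.Access) {
                # Only explicit Allow entries for non-trusted identities that include a write-type right.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Trusted -contains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $Flags) -eq 0) { continue }

                [PSCustomObject]@{
                    Folder    = $folder.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited entries must be fixed at the parent
                }
            }
        }
    }
}

$findings = Get-WriteCapableAces -Roots $ShareRoots -Trusted $TrustedPrincipals -Flags $WriteFlags
$findings | Sort-Object Folder, Principal | Format-Table -AutoSize
```

Run it from an account that can read the ACLs of the share; each row is a candidate for downgrading to read-only after confirming with the folder owner that the group does not actually need to write there.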
… If an organization does become the victim of a ransomware attack, restoring data is the top priority, especially if a shared department folder has also been encrypted, Dill says, adding that using a combination of the above security controls “creates a defense-in-depth strategy that works and avoids [a negative] outcome.”