There have been several ransomware attacks on Australian businesses lately. Awareness of this threat is increasing, but a number of small businesses, in particular, are still in the dark around what this is and how to protect themselves against it. 

BUT FIRST, WHAT IS RANSOMWARE?

Ransomware comprises a class of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator of the malware, in order for the restriction to be removed. The most common form of ransomware seen now encrypts files on the system's hard drive and sends some or all of the files to the attacker, while some variants simply lock the system and display messages intended to coax the user into paying.

Ransomware typically propagates like a conventional computer worm, entering a system through, for example, a downloaded file (usually sent via a link in an email) or a vulnerability in a network or operating system service.

Ransomware has become a major concern with a series of well-publicised attacks crippling small businesses both here and overseas recently.  

TWO STYLES OF 'RANSOMWARE ATTACKS' HAVE EMERGED

The first version simply locks the victim's screen. Criminals have, to date, used an official-looking logo (such as that of a local law enforcement agency or a government department) to intimidate the victim, and prevent access to the computer by locking it until payment has been made. It is a broad-brush approach, distributed en masse in the hope that a percentage of victims will choose to pay the 'fine' or ransom demand presented on the locked screen. This scenario does not typically encrypt any files on the victim's computer (although early examples may have) and is now more often just a form of malware for which most security vendors have removal tools.

The second type of ransomware is a more targeted and more challenging concern. It actually encrypts files on the target computer and sends a copy of the files to the attacker for later extortion. Under this scenario, cybercriminals specifically target a particular victim, typically a small business. The targeted computers are hacked, and the files on them are encrypted and stolen. Without payment, the files remain inaccessible, and the attacker will try to extort money (usually cryptocurrency) both to unlock the files and to stop the stolen files from being made public. This type of attack is more difficult for small businesses to remediate.

The best solution, once you've been targeted, may be to simply cut your losses and restore your systems from a regularly updated backup. This highlights the importance of ensuring you have good backup processes in place.
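As an added example that is not part of the original article, the following Python script shows one way to make "good backup processes" concrete: it records a SHA-256 manifest of a backup set when the backup is taken, so that a copy of the manifest kept offsite (or read-only) can later confirm that the online copy is still intact before you rely on it for a restore. The backup directory, file names and contents are constructed for the demonstration.

```python
"""Verify a backup set against a stored SHA-256 manifest.

Added example, not from the original article. The backup directory, file
names and contents below are constructed for the demonstration. The idea is
that the manifest is generated when the backup is taken and a copy is kept
offsite (or read-only), so that a backup that has since been encrypted,
deleted or tampered with is noticed before you depend on it for a restore.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current contents of root with a manifest taken earlier.

    Reports files whose content changed (e.g. overwritten with ciphertext),
    files that disappeared, and files that were not in the original set.
    """
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    added = sorted(f for f in current if f not in manifest)
    return {
        "ok": not (modified or missing or added),
        "modified": modified,
        "missing": missing,
        "added": added,
    }


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed backup set, take a manifest, then damage it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "accounts").mkdir(parents=True)
        (backup / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (backup / "contracts.txt").write_text("constructed sample contract text\n")
        (backup / "readme.txt").write_text("constructed sample readme\n")

        # Taken at backup time; in practice this file is stored offsite with the backup.
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)
        clean = verify_backup(backup, load_manifest(manifest_path))

        # Simulate damage to an online backup copy: one file overwritten with random
        # bytes (as an encrypted file looks), one deleted, one unexpected file added.
        (backup / "accounts" / "ledger.csv").write_bytes(os.urandom(64))
        (backup / "readme.txt").unlink()
        (backup / "UNEXPECTED.txt").write_text("constructed unexpected file\n")
        tampered = verify_backup(backup, load_manifest(manifest_path))

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean check ok:", result["clean"]["ok"])
    print("tampered check:", json.dumps(result["tampered"], indent=2))
```

Run the script as-is to see the clean check pass and the tampered check list the overwritten, deleted and added files. The manifest is only useful if an intruder who reaches the backup cannot also rewrite it, which is why it belongs with the offsite copy rather than next to the live backup.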


WHAT CAN YOU DO TO PREVENT A RANSOMWARE ATTACK?

So having discussed what ransomware is, let’s look at some simple ways of trying to prevent this type of attack.

  • Make regular backups of all your important files and, importantly, store copies of your backups offsite. Attackers are known to also encrypt or delete backups that are connected to the computer or network.

  • Document an Incident Response Plan so you know what to do if an attack occurs, which will allow you to recover in a timely manner.

  • Ensure all your systems and applications are fully updated.

  • Ensure your systems are not directly accessible from the Internet, but protected by a firewall, an Intrusion Prevention System (IPS) and, for web-enabled applications, a Web Application Firewall (WAF).

  • Ensure your critical systems are segmented from other systems, particularly user endpoints. An effective strategy here for small businesses could be to host their core systems in the cloud, but care must be taken to ensure they are secured there.

  • Carefully manage privileged (administrative) accounts. These accounts have full access to the IT environment and, once compromised, give the intruder complete access.

  • Limit remote access to your systems directly from the Internet.

  • Enforce strong passphrase/password policies on your IT systems to reduce the risk from brute-force attempts at cracking passwords.

  • Implement account lockout policies (the account locks after too many failed attempts) on your IT systems to reduce the risk from brute-force attempts.

  • Where remote access is necessary, use secure methods such as a Virtual Private Network (VPN), require two-factor authentication (two methods, not just a password), and restrict access to only those individuals, systems and services that really require it.

  • Use up-to-date anti-malware software, and consider using different vendors for the gateway and for desktops/servers.

  • If feasible, implement host intrusion prevention systems (HIPS) and enable personal firewalls on all desktops/servers.

  • Limit the amount of personal information placed on the Internet.

  • Do not provide financial or other personal information to people that you do not know or trust.

  • Never click on links contained within spam or unexpected emails.

  • Implement mail and web content filtering to try to prevent malicious content from entering your network via email and the Internet.

  • Develop basic guidelines on IT, email and web security and distribute them to staff.

  • And above all, ensure that all your staff members are aware of the threat, the policies mentioned above, and these basic steps to help prevent infections.
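As an added example that is not part of the original article, the following Python script shows the sliding-window counting behind the lockout and brute-force points above, run over a handful of constructed log lines written in the style of an SSH daemon's authentication log (the addresses come from documentation ranges and every line is invented). It reports the account/source pair that should be locked out and, because a lockout that was not enforced in time leaves a success behind it, raises a higher-severity alert when a locked-out pair then logs in successfully.

```python
"""Sliding-window failed-login counter: lockout decisions from auth log lines.

Added example, not from the original article. SAMPLE_LOG is constructed in the
style of an SSH daemon's log and is not taken from any real system; the
addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7 port 51022
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7 port 51023
2024-03-01T09:00:04 sshd: Failed password for admin from 203.0.113.7 port 51024
2024-03-01T09:00:06 sshd: Failed password for admin from 203.0.113.7 port 51025
2024-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.7 port 51026
2024-03-01T09:00:09 sshd: Accepted password for admin from 203.0.113.7 port 51027
2024-03-01T09:15:00 sshd: Failed password for alice from 198.51.100.20 port 40001
2024-03-01T09:40:00 sshd: Failed password for alice from 198.51.100.20 port 40002
2024-03-01T09:41:00 sshd: Accepted password for alice from 198.51.100.20 port 40003
"""

# Matches the constructed line format above; unrelated lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line: str):
    """Return a dict with ts/result/user/src, or None if the line is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def analyse(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Apply a lockout policy to a log: `threshold` failures for the same
    (user, source) pair inside `window` triggers a lockout. A later success from
    a locked-out pair is reported as a critical alert, since the lockout evidently
    did not stop the attempt."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of failures still inside the window
    locked = {}                  # (user, src) -> time the lockout was triggered
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append(ev["ts"])
            # Drop failures that have aged out of the window before counting.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in locked:
                locked[key] = ev["ts"]
                alerts.append(f"lockout: {ev['user']} from {ev['src']} after {len(q)} failures")
        elif key in locked:
            alerts.append(f"CRITICAL: successful login for {ev['user']} from {ev['src']} after lockout")
    return {"locked": sorted(f"{u}@{s}" for u, s in locked), "alerts": alerts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("locked out:", report["locked"])
    for alert in report["alerts"]:
        print(alert)
```

Running it against the sample shows the admin account locked out on its fifth failure in a few seconds, followed by a critical alert for the success that came after it, while alice's two failures are 25 minutes apart and fall outside the ten-minute window, so she is left alone. The threshold and window are the two knobs a lockout policy exposes; the same counting applied to a live log is what a monitoring alert for brute forcing looks like.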

Ransomware attacks are unfortunately likely to keep increasing. However, the steps above can go a long way towards preventing infection of an unsuspecting victim’s IT systems.


NEED MORE INFORMATION? 

Visit our website for more information about our Cyber Security and Resilience Services.