Ransomware is the most profitable type of malware attack in history–and attacks will only get worse in the future, according to Cisco Systems’ midyear report on the state of cyber security, released Tuesday. It’s now important for employees to understand the different phases of an attack and best practices to prevent them.
Ransomware is “weaponized encryption,” said James Scott, senior fellow and co-founder of the Institute for Critical Infrastructure Technology, and co-author of the 2016 Institute for Critical Infrastructure Technology Ransomware Report. Attacks involve malware delivered through spear phishing emails that lock up valuable data assets and demand a ransom to release them.
Hackers who previously used ransomware only to secure money from individual users are now looking to steal data from larger hospitals and corporations and sell it on the Dark Web, Scott said.
“Ransomware is the new DDoS,” Scott said. “You have experienced, sophisticated hackers using ransomware as the upfront distraction that sets the organization into chaos and occupies the time of their IT people. It allows for the mercenary to go in, map the network, find vulnerable devices and set up beachheads for future attack.”
SEE: How to avoid ransomware attacks: 10 tips
Preventing an attack
Companies should hire an information security team to train employees and find and patch weaknesses in the system, Scott said.
“The weakest element is the human element,” Scott said. Training can help employees avoid common user mistakes, such as clicking on a malicious link, checking social media on a work computer and company email on a home computer, and sharing flash drives between work and non-work machines.
Scott also recommended performing ongoing penetration testing, and using behavioral analytics to detect usage abnormalities, as some attacks may come from inside the company.
“It comes down to cyber hygiene and a layered defense,” Scott said. “There is no silver bullet solution.”
SEE: End user data backup policy (Download) (Tech Pro Research)
Steps of defense
Ryan Sommers, manager of threat intelligence and incident response at LogRhythm Labs, recommended the following five steps of defense against ransomware:
1. Preparation: Patch aggressively so vulnerabilities are eliminated and access routes are contained. Protect endpoints with tools that can automatically detect and respond to infections.
2. Detection: Use threat intelligence sources to block or at least alert you to the presence of anomalies in your network traffic. Screen emails for malicious links.
3. Containment: If infected, ensure you have an endpoint protection system that can detect the execution and kill the process. Block and isolate the local host from the network to prevent additional files from being encrypted.
4. Eradication: Replace machines affected by ransomware. You can also clean network locations such as mailboxes or file shares, removing the malicious message. If you chose to clean rather than replace, continue to monitor to prevent the same attack from reemerging.
5. Recovery: Restore from a backup if you have one. Investigate what specific infection vector was used against the system, and how to protect it next time.