There were seven people seated around the table in the aftermath of this ransomware infection: the CEO, the VP, the CFO, the Special Agent from the FBI, the business owner, the forensics technician, and the company’s CISO (Chief Information Security Officer).
“Don’t pay” was the CEO’s vote. The VP agreed with him.
“Pay it” was the owner’s response. The CFO nodded in agreement.
“Paying could be a violation of Federal law” stated the FBI representative.
The CISO had a hard time getting words out, as this was the largest ransom that he had dealt with at the time. $1,200,000 was a tremendous amount of money.
“I don’t see another option given the status of our backups. Either we pay the ransom or we begin liquidating the assets of the company. Which is the lesser of two evils?”
The CISO negotiated the ransom demand from the malicious actors down to $410,000. The Bitcoin took several hours to amass, but this data breach required payment. His mind was focused on how he could have prevented the ransomware attack, but it was too late.
The cyber criminals hacked the network via a phishing email, which is a common type of malicious email. The email tries to trick the victim into installing some type of malware, or giving up personal information or other important data. In hindsight, it was obviously a suspicious email, but the victim’s company didn’t have adequate cyber hygiene to protect against ransomware.
The malware wormed its way into the operating system of most of the computers in the network, encrypting files as it went. The cyber criminals delivered a decryption key, but 30% of the victim’s data was gone forever. Some of their hard drives filled up during the ransomware encryption process, and the ransomware software kept running after the drives were full.
Every file encrypted after that point was not retrievable. The total recovery took three months, and the lawsuit to get their insurance company to cover the incident lasted almost two years.
Ransomware prevention includes three key areas: Cyber security hygiene of your employees, proper security software practices by your IT department, and your data backup strategy. Here are 8 ways to prevent a ransomware attack, and 8 ways to recover from an attack if you fall victim to one:
Ransomware Prevention Defenses to Help Prevent Attacks:
Add Multi-Factor Authentication (MFA) on all of your email accounts and on all external access to your network (VPN, TeamViewer, WebEx, etc.). MFA will help prevent a cyber criminal from taking over an email account using a compromised username/password. This is the single most important thing you can do for ransomware prevention.
If your company uses Windows Active Directory, do NOT log in to computers with Domain Admin accounts. An attack technique called “Pass the Hash” steals the hashed credentials that get left behind on a computer after a login and reuses them to authenticate as that account. If you must log in with a Domain Admin account, change the password immediately afterward.
Patch all of your computers. Ransomware cyber criminals love unpatched computers, because they carry known vulnerabilities that can be exploited. You need to patch every computer in your environment: workstations and servers, PCs and Macs, iPhones and Androids, every month without exception.
Patch your networking hardware as well: firewalls, switches, UPSs, phone systems, etc. Patching firewalls is an extremely important part of ransomware prevention.
Install good antivirus protection software everywhere. All PCs, all Macs, all servers, everywhere.
Geofilter your Internet traffic and emails – if you don’t do business with a foreign country, block traffic and emails to/from it. It keeps out lazy cyber criminals.
If you have many workstations, use the Microsoft Local Administrator Password Solution (LAPS) to randomize local administrator passwords. If you have the same initial local admin username/password for every workstation, then if one machine gets compromised, they could all get compromised.
If your users have local admin credentials, you may want to rethink that. If a cyber criminal compromises a computer, whatever permissions the user for that computer has are what the cyber criminal has. If that user is a local administrator, the cyber criminal is going to use that access to do more damage.
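The following read-only audit script is an added example, not part of the original article and not a tool from TCE Strategy. It checks a single workstation against four of the controls above: domain users who are local administrators, whether LAPS manages the local administrator password, how recently the machine was patched, and the state of the built-in antivirus. It assumes a domain-joined Windows 10/11 host with the ActiveDirectory RSAT module and Microsoft Defender; the 35-day patch window and 3-day signature age are assumed thresholds, and the two LAPS attribute names (ms-Mcs-AdmPwdExpirationTime for legacy LAPS, msLAPS-PasswordExpirationTime for Windows LAPS) are the ones those products write to the computer object.

```powershell
# Added example: workstation audit for local admins, LAPS, patching and antivirus.
# Run as an ordinary account with local admin rights on the audited machine,
# not as a Domain Admin (see the Pass the Hash advice above).

$computer = $env:COMPUTERNAME
$findings = @()

# 1. Local Administrators group: any domain user listed here holds local admin
#    rights, and ransomware running as that user inherits them.
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
        $findings += "Domain user $($m.Name) is a local administrator on $computer"
    }
}

# 2. LAPS: both the legacy and the Windows LAPS clients stamp an expiration
#    time on the computer object. If neither attribute is set, the local
#    administrator password is not being randomized.
$lapsAttrs  = 'ms-Mcs-AdmPwdExpirationTime', 'msLAPS-PasswordExpirationTime'
$adComputer = Get-ADComputer -Identity $computer -Properties $lapsAttrs
$lapsManaged = $false
foreach ($attr in $lapsAttrs) {
    if ($adComputer.$attr) { $lapsManaged = $true }
}
if (-not $lapsManaged) {
    $findings += "LAPS does not manage the local administrator password on $computer"
}

# 3. Patching: flag a host whose most recent hotfix is older than 35 days
#    (assumed threshold, i.e. roughly one missed monthly patch cycle).
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-35)) {
    $findings += "No Windows update installed on $computer in the last 35 days"
}

# 4. Antivirus: real-time protection must be on and signatures recent.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += "Defender real-time protection is disabled on $computer"
}
if ($mp.AntivirusSignatureAge -gt 3) {
    $findings += "Defender signatures on $computer are $($mp.AntivirusSignatureAge) days old"
}

if ($findings.Count -eq 0) { "No findings for $computer" } else { $findings }
```

Run it from a scheduled task or a management tool that collects the output centrally, so that a machine with a domain user in its Administrators group or with an unmanaged local admin password shows up before an attacker finds it. The MFA and geofiltering items cannot be checked from the endpoint and belong in the identity provider and firewall reviews instead.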
In case you fall victim to ransomware, you need the following. Please note that most of these need to be done before the attack takes place:
OFFLINE backups. These are backups that are kept off your network. Cyber criminals will try to delete your backups before encrypting your data. If your backups are not on your network, the bad guys can’t destroy them.
Tested restore procedures. If you try to restore your backups only when you need them, you are rolling the dice every time you are in a real bind.
Offline restore methodology. Don’t begin a restore with your network still attached to the Internet. Ransomware cyber criminals often leave themselves backdoors into a network, and they destroy offline backups as soon as they are brought online.
Workstation reimages and server rebuilds. You need a clean workstation image and server image to restore computers quickly if you suspect they have been compromised.
Involve law enforcement. Reporting ransomware to law enforcement is a great way to make cyber criminals work harder. For ransomware victims in the USA, the website ic3.gov is a great resource for this.
Pre-negotiated incident response team contract. Find a cyber incident response company and get a contract in place. That way you will know how to “call in the cavalry” very quickly as opposed to going through contract negotiations in the middle of a crisis.
Ensure that you have 35% free drive space on all network drives. Ransomware often bloats the data on the drives it encrypts. Once a drive fills up, the ransomware process keeps going anyway. Every file it encrypts after the drive is full will be unrecoverable, even if the victim pays the ransom.
If you have cyber security liability insurance, call your insurance company ASAP! Some insurance policies have a clause stating that the customer must inform their insurance company within 24 hours of a suspected incident. If you take a few days to confirm that an incident is real, it can be an expensive mistake.
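The two checks below are an added example that is not part of the original article: the first implements the 35% free-space rule from the list above, the second implements a “tested restore” by pulling a random sample of files from the offline backup and comparing their SHA-256 hashes to a manifest recorded when the backup was taken. The backup path, manifest format (one line per file: hash, whitespace, relative path), scratch folder and sample size are all assumptions; the backup volume is assumed to be attached only for the duration of the test and detached afterward, in keeping with the offline-backup advice.

```powershell
# Added example: free-space monitor and restore spot-check, run on a schedule
# before any incident happens.

# Check 1: free space on every fixed drive, flagged when below the 35% the
# article recommends so a ransomware run that bloats files cannot fill a disk.
function Test-FreeSpace {
    param([int]$MinimumPercent = 35)
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        $pct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
        [pscustomobject]@{
            Drive       = $_.DeviceID
            FreePercent = $pct
            Status      = if ($pct -lt $MinimumPercent) { 'LOW' } else { 'OK' }
        }
    }
}

# Check 2: restore a random sample from the backup set into a scratch folder
# and verify each file against the manifest hash. A mismatch or a missing
# file means the backup would not have saved you.
function Test-RestoreSample {
    param(
        [string]$BackupRoot = 'E:\offline-backup\latest',                  # assumed path
        [string]$Manifest   = 'E:\offline-backup\latest\manifest.sha256',  # assumed path
        [string]$ScratchDir = 'C:\RestoreTest',                            # assumed path
        [int]$SampleSize    = 25
    )
    # Parse "<sha256>  <relative path>" lines; the path may contain spaces.
    $entries = Get-Content $Manifest | Where-Object { $_.Trim() } | ForEach-Object {
        $hash, $rel = $_ -split '\s+', 2
        [pscustomobject]@{ Hash = $hash.ToLower(); Path = $rel }
    }
    $count  = [math]::Min($SampleSize, $entries.Count)
    $sample = $entries | Get-Random -Count $count
    New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null

    foreach ($e in $sample) {
        $src = Join-Path $BackupRoot $e.Path
        $dst = Join-Path $ScratchDir $e.Path
        if (-not (Test-Path $src)) {
            [pscustomobject]@{ Path = $e.Path; Result = 'MISSING' }
            continue
        }
        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
        Copy-Item -Path $src -Destination $dst -Force
        $actual = (Get-FileHash -Path $dst -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path   = $e.Path
            Result = if ($actual -eq $e.Hash) { 'OK' } else { 'MISMATCH' }
        }
    }
}

Test-FreeSpace | Format-Table -AutoSize
Test-RestoreSample | Where-Object Result -ne 'OK'
```

Anything other than an empty second table (no MISSING or MISMATCH rows) is a restore failure to chase down now, while there is no ransom clock running. The hash manifest also gives you a quick way to tell restored files from ones the ransomware touched, since an encrypted file will never match its recorded hash.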
If everyone followed the recommendations above, ransomware prevention would be so strong that most ransomware cyber criminals would become a thing of the past. With proactive action and a good cyber security awareness training program for your employees, cybercrime is a solvable problem!
BRYCE AUSTIN, CEO, TCE Strategy
Bryce Austin started his technology career on a Commodore 64 computer and a cassette tape drive. Today he is a leading voice on technology and cybersecurity. Bryce holds a CISM certification, advises the boards of companies in a diverse array of industries, and has over 20 years of cybersecurity leadership experience. He is the named CISO (Chief Information Security Officer) for many companies, including one listed on the S&P 500.
Bryce speaks to audiences worldwide on how to stay safe from cybercriminals. The #1 goal of his presentation is for you to learn how to bring your cybersecurity risk to a level that is Secure Enough for you. His best-selling book is titled Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.
In his free time, Bryce is a high-speed track driver and coach. He has driven cars from a 65 horsepower Mini Cooper to a 650 horsepower Porsche 911 Turbo. He has had over 100 students, none of whom have died while under his instruction.