From WannaCry to NotPetya to Bad Rabbit to LeakerLocker, it can seem like new ransomware attacks make the news weekly. In fact, those four represent just a sliver of the widespread ransomware attacks that happened last year.
What is ransomware, you may ask? It is malware that typically locks up sensitive data and systems via encryption, and then demands money—ransom—for users to get it back.
The FBI estimates that more than 4,000 ransomware attacks have occurred daily since the beginning of 2016, a 300% increase over the previous year. Part of the growth comes from the thriving "ransomware-as-a-service" market: affiliates need little technical skill, because malware developers advertise their ransomware on the dark web for less sophisticated attackers to distribute, and then take a cut of whatever ransom is paid.
The cyber criminals behind these attacks aren't necessarily picky; they target big companies, small businesses, government entities and individuals. But the damage they cause to small and medium-size businesses (SMBs) is particularly alarming. One security-firm report last year found that 22% of SMBs hit by ransomware had to cease operations immediately, and that one-third of SMBs surveyed had suffered a ransomware attack in the previous year.
“If you haven’t been a victim of ransomware or any other type of computer attack, you have to operate as if it’s just a matter of time before you are—and take the steps to protect yourself and mitigate the resulting damage or loss,” says Sheraun Howard, supervisory special agent with the FBI’s Cyber Division in Washington, D.C.
The FBI notes that ransomware is the fastest growing malware threat. While the names, details, and entry points of each attack vary, the concept remains the same. First, the bad actors deliver the ransomware. This is often done by spearphishing emails: targeted phishing emails aimed at specific employees and padded with personal details to make the lure convincing. The email or its attachment often carries an exploit for a vulnerability in a particular software application, which gives the attacker a foothold on the recipient's computer. From that foothold, the attacker typically uses additional malware to propagate through the network and drop ransomware across the environment, as happened in the WannaCry and Petya/NotPetya attacks last year. That malware spread from machine to machine by exploiting a vulnerability in Microsoft's operating system for which, Howard notes, Microsoft had already released a patch before the attacks.
In other cases, criminals gain access by brute-forcing credentials on remote desktop protocol (RDP) ports exposed to the internet. Once the ransomware has been delivered by one route or another, it prevents the targeted user from accessing their data or systems by encrypting their files. The targets then receive an email, text file, or on-screen message demanding that they pay a ransom in order to regain access.
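The RDP brute-force route described above leaves a recognizable trail in the Windows Security log: a burst of failed logons (event 4625) from one source address, sometimes followed by a successful logon (event 4624) from that same address. The following detector is an added example, not code from the original article or from the FBI; it runs over a small constructed export in a CSV layout that is an assumption for this example (the event IDs and logon type 10, RemoteInteractive, are the real Windows values).

```python
"""Flag RDP brute-force bursts, and any success that follows one, in Windows logon events."""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export, not a real log. Columns are an assumption for
# this example; 4625 = failed logon, 4624 = successful logon, logon type 10 =
# RemoteInteractive (RDP). The 203.0.113.45 rows model a spray against three
# accounts that ends in a successful logon; the others are benign noise.
SAMPLE_EVENTS = """timestamp,event_id,logon_type,target_user,source_ip
2018-03-05T02:14:01,4625,10,administrator,203.0.113.45
2018-03-05T02:14:03,4625,10,administrator,203.0.113.45
2018-03-05T02:14:05,4625,3,svc_backup,203.0.113.45
2018-03-05T02:14:06,4625,10,administrator,203.0.113.45
2018-03-05T02:14:09,4625,10,administrator,203.0.113.45
2018-03-05T02:14:12,4625,10,admin,203.0.113.45
2018-03-05T02:14:15,4625,10,admin,203.0.113.45
2018-03-05T02:14:18,4625,10,admin,203.0.113.45
2018-03-05T02:14:22,4625,10,jsmith,203.0.113.45
2018-03-05T02:14:25,4625,10,jsmith,203.0.113.45
2018-03-05T02:14:29,4625,10,jsmith,203.0.113.45
2018-03-05T02:14:33,4625,10,jsmith,203.0.113.45
2018-03-05T02:14:36,4625,10,jsmith,203.0.113.45
2018-03-05T02:15:02,4624,10,jsmith,203.0.113.45
2018-03-05T09:02:11,4625,10,mlee,192.0.2.20
2018-03-05T09:05:30,4624,10,mlee,192.0.2.20
2018-03-05T11:00:00,4625,10,kjones,198.51.100.7
2018-03-05T12:10:00,4625,10,kjones,198.51.100.7
2018-03-05T13:30:00,4625,10,kjones,198.51.100.7
"""


def parse_events(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: r["timestamp"])
    return rows


def detect_rdp_bruteforce(text, threshold=10, window=timedelta(minutes=5),
                          follow_window=timedelta(minutes=30), logon_types=("10",)):
    """Return findings: one 'brute_force' per burst of >= threshold failures
    from a source IP inside `window`, plus a 'success_after_burst' for any
    4624 from that IP within `follow_window` of the burst."""
    failures = defaultdict(deque)   # source_ip -> (timestamp, account) of recent 4625s
    in_burst = defaultdict(bool)    # source_ip -> currently above threshold?
    last_burst = {}                 # source_ip -> time the threshold was crossed
    findings = []
    for ev in parse_events(text):
        if ev["logon_type"] not in logon_types:
            continue                # ignore non-RDP logons for this detector
        ip, ts = ev["source_ip"], ev["timestamp"]
        if ev["event_id"] == "4625":
            q = failures[ip]
            q.append((ts, ev["target_user"]))
            while q and ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            over = len(q) >= threshold
            if over and not in_burst[ip]:        # alert once per burst
                last_burst[ip] = ts
                findings.append({"type": "brute_force", "source_ip": ip,
                                 "first": q[0][0], "last": ts, "failures": len(q),
                                 "accounts": sorted({u for _, u in q})})
            in_burst[ip] = over
        elif ev["event_id"] == "4624":
            burst = last_burst.get(ip)
            if burst is not None and timedelta(0) <= ts - burst <= follow_window:
                findings.append({"type": "success_after_burst", "source_ip": ip,
                                 "account": ev["target_user"], "at": ts})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f)
```

Two caveats when running this against real exports: with Network Level Authentication enabled, RDP failures are often recorded with logon type 3 rather than 10, so pass `logon_types=("10", "3")` and expect more noise; and the success-after-burst finding is the one worth paging someone for, since a burst that never succeeds is evidence the RDP port is exposed, while a burst that does succeed is an intrusion in progress.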
While blanket attacks across many organizations are common, ransomware incidents can also be very targeted to specific companies, Howard says. Cyber criminals sometimes gain access to a business' network days or months earlier to gather financial information, then use that insight to tailor the ransom demand to the company. The ransomware itself, though, is not stealthy, and you'll know immediately when you're in trouble. "It's very in your face," Howard says. "The purpose is to alert the victim that you've been compromised and by then it's too late."
Given the prevalence of ransomware threats and attacks, Howard and the FBI advise that SMBs take preventative measures to reduce their risk of becoming a victim. Here’s how:
Educate your employees.
Ensure that your employees are aware of the risks of ransomware and how it infects small businesses. Encourage them never to click links in unsolicited emails or enter their credentials on the pages those links lead to, and never to open unexpected attachments. The FBI notes that you can also test your employees' knowledge with simulated emails that look like phishing scams. Only download software from sites you know and trust.
Keep your systems patched and updated.
Because criminals often exploit known vulnerabilities in software that is already installed, develop a regular plan for updating and patching the software and firmware on company devices, and for encrypting the data they hold. The FBI recommends that companies consider using a centralized patch management system to streamline this process.
Create a security incident response plan.
These plans include steps for how your organization will respond to a ransom demand and ensure the continuity of your business. Such a plan may include isolating an infected computer from the network, contacting law enforcement, preserving whatever copies of important files still exist, securing backup systems and changing account passwords.
Manage privileged accounts.
SMBs need to be aware of who has access to what when it comes to their software applications and operating systems, Howard says. No users should be granted administrative access unless they really need it. He also recommends changing the default passwords on all administrative accounts, which tend to be weak and easily brute forced. Be aware of the external applications your employees are connecting to with their computers by implementing a Cloud Access Security Broker (CASB).
Audit user access.
"One of the most common things we see is companies not auditing themselves properly," Howard says. For instance, be sure to remove old user accounts for software and other systems created for employees who no longer work at your company. Keeping your list of user accounts up to date is good practice for preventing data breaches and malware infections in general.
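The two recommendations above, limiting and reviewing administrative access and removing accounts of departed employees, reduce to a periodic comparison of the account directory against the staff roster and a list of approved administrators. The script below is an added example, not code from the article or from the FBI; the CSV export layout, the group names, the constructed roster and the 90-day dormancy cutoff are all assumptions for this example.

```python
"""Audit an exported account list for departed, dormant and over-privileged accounts."""
import csv
from datetime import date
from io import StringIO

# Constructed account export, not real data. Column layout is an assumption
# for this example; "never" in last_logon means the account has never logged on.
ACCOUNTS_CSV = """username,type,enabled,groups,created,pwd_last_set,last_logon
jsmith,user,True,Domain Users,2016-02-01,2018-02-20,2018-03-04
tbrown,user,True,Domain Users;Domain Admins,2015-06-10,2015-06-10,2018-03-01
kjones,user,True,Domain Users,2016-09-12,2017-01-15,2017-11-02
rpatel,user,False,Domain Users,2014-03-03,2016-05-05,2016-08-01
svc_backup,service,True,Domain Users;Domain Admins,2017-04-20,2017-04-20,2018-03-05
administrator,builtin,True,Administrators;Domain Admins,2014-01-01,2014-01-01,2018-02-28
dlee,user,True,Domain Users,2017-07-01,2017-12-01,never
"""

# Constructed HR roster of current staff and the approved administrator list
# (both assumptions for this example). tbrown has left; only the built-in
# administrator account is meant to hold admin rights.
ACTIVE_STAFF = {"jsmith", "kjones", "dlee", "amartin"}
APPROVED_ADMINS = {"administrator"}
ADMIN_GROUPS = {"Domain Admins", "Administrators"}


def _date(s):
    """Parse an ISO date, treating 'never' or blank as None."""
    return None if s in ("", "never") else date.fromisoformat(s)


def audit_accounts(accounts_csv, active_staff, approved_admins, as_of, dormant_days=90):
    """Return (username, issue) pairs for enabled accounts, in export order.

    Issues: 'departed' (user account with no matching current employee),
    'dormant' (no logon within dormant_days), 'unapproved_admin' (member of an
    admin group without approval), 'initial_password' (admin account whose
    password was never changed since the account was created)."""
    as_of = date.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(StringIO(accounts_csv)):
        if row["enabled"] != "True":
            continue                       # disabled accounts are out of scope
        name = row["username"]
        groups = set(row["groups"].split(";"))
        created, pwd_set, last_logon = (_date(row[k]) for k in
                                        ("created", "pwd_last_set", "last_logon"))
        # Service and built-in accounts have no owner on the HR roster.
        if row["type"] == "user" and name not in active_staff:
            findings.append((name, "departed"))
        if last_logon is None or (as_of - last_logon).days > dormant_days:
            findings.append((name, "dormant"))
        if groups & ADMIN_GROUPS:
            if name not in approved_admins:
                findings.append((name, "unapproved_admin"))
            if pwd_set == created:         # still on its initial/default password
                findings.append((name, "initial_password"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_accounts(ACCOUNTS_CSV, ACTIVE_STAFF, APPROVED_ADMINS, "2018-03-05"):
        print(f"{name:15s} {issue}")
```

In practice the export comes from the directory itself (for Active Directory, `Get-ADUser` with the `LastLogonDate`, `PasswordLastSet` and `MemberOf` properties) and the roster from HR, and the point of the comparison is the cases a manual glance misses: the departed employee who still sits in Domain Admins, and the service account that was given admin rights with a password nobody has rotated since it was created.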
Employ firewalls, spam filters and anti-virus programs.
All of these tools are aimed at identifying potentially malicious emails and attacks and then keeping them away from your organization. Setting up firewalls and filters, for instance, is an easy way to reduce the risk from less sophisticated ransomware.
If you’ve been a victim of a ransomware attack, contact the FBI to report the incident. Law enforcement may be able to use legal authorities and tools that are not available to most organizations. This can increase the odds of apprehending the criminal, thereby preventing future losses. Cyber attacker communities are growing and reporting an incident helps law enforcement fight ongoing threats and protect other businesses. Pay it forward.
If your business does fall victim to a ransomware attack, Howard says the FBI does not support victims paying the ransom. There is no guarantee the decryption keys will be provided after the ransom is paid and there have been cases where businesses were extorted for additional money after payment. While the FBI does not support paying the ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
If you're prepared, ideally you'll have backups of your systems and data, kept somewhere the attacker could not reach. Howard says that after contacting law enforcement, the next step is to wipe your system and rebuild it. Take the time to learn as much as you can about how your system was compromised and how you can protect your SMB going forward.
Ransomware attacks are a disruptive, malicious reality of running an SMB in the modern era. But take the right steps to prevent attacks, and you’ll reduce risk and suffer less damage if you do face a security breach.