The number of ransomware attacks has exploded in 2021 — and so, too, has the size of the ransoms. Here are eight actions that companies can take so they do not have to pay a big ransom to get their data back.
The number of ransomware attacks has exploded in 2021. The month of July started out with a big bang when cybercriminals encrypted the data of as many as 1,500 small businesses in one fell swoop. The hackers infiltrated the companies’ IT systems by exploiting a vulnerability in a Kaseya software tool. The cybercriminals are demanding $70 million to restore the data in all of the affected businesses.
It is unknown at this time whether Kaseya will pay the ransom to get the decryption key. Chances are it might, based on recent ransomware attacks. For example, JBS USA paid $11 million in June 2021 to get its data back. And in May 2021, both Brenntag and Colonial Pipeline Company paid a $4.4 million ransom.
The situation is getting so dire that four states — New York, North Carolina, Pennsylvania, and Texas — are considering passing legislation that would limit or ban ransom payments. Their hope is that the number of attacks will significantly decrease once companies stop paying the ransom.
In the meantime, it is up to businesses to protect their data. Here are eight actions that companies can take so they do not have to pay a big ransom to get their data back:
- Use But Don’t Rely Solely on Security Solutions
Security solutions detect and block ransomware as well as other types of malware. Thus, it is important to use security solutions to protect your company’s computing devices, including smartphones and tablets.
However, using a security solution does not necessarily mean that your company will be protected from every ransomware attack. An infection might still occur for a number of reasons. For starters, some security solutions provide more capabilities than others. For example, some offer behavior-based malware detection in addition to signature-based malware detection. Plus, security solution providers set their own schedule for releasing updates. Software that is frequently updated will offer better protection than one that is not.
Even the best security solutions cannot protect against ransomware attacks that have not been seen before. Cybercriminals know this, so they continually devise new attacks as well as overhaul existing ones. Therefore, you need to take additional measures to protect your business against ransomware.
- Make Sure Software and Firmware Are Being Updated
To carry out ransomware attacks, hackers often exploit security vulnerabilities to gain access to programs and devices. Updates are typically used to patch known vulnerabilities. For this reason, you need to make sure that the software and firmware are being regularly updated on your company’s devices, including servers, desktop computers, smartphones, tablets, printers, and routers.
Updates are often installed automatically for operating system software and mainstream apps. However, it is a good idea to periodically make sure this is actually occurring. If updates are not installed automatically, they will need to be installed manually.
- Require Two-Step Verification
In some ransomware attacks, cybercriminals use compromised credentials for an Internet-facing app or system to initially access a company’s network. Or they might use credentials they have stolen from the compromised device to access and install the ransomware on other computers (especially hosts and servers) in the network.
Requiring two-step verification (aka two-factor authentication) when logging into business accounts can thwart hackers’ attempts to initially access a network and propagate ransomware in it. Even if an account’s password is compromised, it cannot be used to gain access to the account since an additional form of verification is needed.
It is best to use two-step verification for all types of accounts, including app, service, and administrative accounts. If using two-step verification is not possible, your company should require the use of strong account passwords and implement an account lockout policy to defend against brute-force password-cracking attacks.
- Change the Default Macro Setting
Some Microsoft Office apps (e.g., Word, Excel, PowerPoint) give users the ability to create macros when they want to automate tasks that they perform repeatedly. Once created, users can run the macros anytime they need to perform those tasks, saving time and effort.
Unfortunately, cybercriminals like to create Word and Excel macros that initiate ransomware attacks. Sometimes they attach the macro-laden files to phishing emails and text messages. Other times, they include links to the files in the email and text messages. In the phishing or text message, the hackers try to trick the recipients into opening the files.
By default, the Office apps that support macros are configured to automatically disable any macros in files. However, users are given the option to enable them. If they do so, the macros run and the ransomware is unleashed.
Thus, it is a good idea for your company to change the default macro setting from “Disable all macros with notification” to “Disable all macros without notification” in the Office apps that support macros. That way, employees will not be given the option to enable a macro if a file includes one. Unless macros are routinely used in work files, receiving a legitimate file that contains a macro is rare. If your employees regularly send and receive files containing macros, your company can take advantage of digitally signed macros. In this case, you would change the default macro setting to “Disable all macros except digitally signed macros”.
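One way to enforce the macro setting described above, as an added example that is not part of the original article: a PowerShell script that writes the Office policy value for Word, Excel and PowerPoint and then reports what is in effect. It assumes Office 2016/2019/Microsoft 365 (version key 16.0) and that the user-level policy hive is acceptable for your deployment.

```powershell
# Added example (not from the article): set the Office macro policy the text recommends.
# VBAWarnings values: 1 = enable all (unsafe), 2 = disable with notification (default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
param(
    [ValidateSet('DisableAll', 'SignedOnly')]
    [string]$Mode = 'DisableAll'
)

$value = if ($Mode -eq 'SignedOnly') { 3 } else { 4 }
$apps  = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Values under the Policies hive override the user's own Trust Center choice,
    # so an employee cannot simply switch macros back on from the Office UI.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $value -Type DWord
}

# Verify: show the effective setting for each app
foreach ($app in $apps) {
    $key     = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $current = (Get-ItemProperty -Path $key -Name 'VBAWarnings').VBAWarnings
    $label   = switch ($current) {
        1 { 'Enable all macros (unsafe)' }
        2 { 'Disable all macros with notification' }
        3 { 'Disable all macros except digitally signed macros' }
        4 { 'Disable all macros without notification' }
        default { "Unknown ($current)" }
    }
    "{0,-10} VBAWarnings={1}  {2}" -f $app, $current, $label
}
```

For a whole domain, push the same values through Group Policy rather than per machine; with the SignedOnly mode, only macros signed by a certificate in each user's Trusted Publishers store will run.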
- Apply the Principle of Least Privilege
To reduce the risk of a ransomware infection starting and spreading in your company’s network, it is a good idea to apply the principle of least privilege whenever possible. In other words, you should limit employees’ permissions and access to company resources to the minimal level that will allow them to perform their job duties. In addition, the access should be in effect for the shortest duration necessary.
The ways in which you can apply the principle of least privilege will depend on your IT environment and employees’ job duties. For example, if the operating system software being used on your company’s desktop computers lets employees connect to and control their machines from a remote device using the Remote Desktop Protocol (RDP), you should limit the ability to create RDP sessions to only those employees who must use them as well as take measures to secure those sessions (e.g., deploy an RDP gateway). If no one needs to access their desktop computers from remote devices, the ability to create RDP sessions should be disabled.
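The RDP example above, as an added PowerShell script that is not from the article: it either disables RDP outright when nobody needs it, or allows it only for a named list of accounts and requires Network Level Authentication. It assumes a standalone (non-domain) Windows desktop and an elevated session; the account names passed in are whatever your environment uses.

```powershell
# Added example (not from the article): apply least privilege to RDP on one desktop.
# -AllowedUsers lists the only accounts that may open RDP sessions;
# an empty list disables RDP entirely, as the text recommends when nobody needs it.
param(
    [string[]]$AllowedUsers = @()
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$group  = 'Remote Desktop Users'

if ($AllowedUsers.Count -eq 0) {
    # Nobody needs RDP: turn the listener off and close the firewall rules.
    Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Output 'RDP disabled and Remote Desktop firewall rules turned off.'
    return
}

# Someone needs RDP: allow it, but require Network Level Authentication so the
# client must authenticate before a desktop session is created at all.
Set-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections' -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication'  -Value 1 -Type DWord
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Keep the group to exactly the allow list: remove strangers, add the missing.
$members = Get-LocalGroupMember -Group $group | ForEach-Object { $_.Name }
$short   = $members | ForEach-Object { $_.Split('\')[-1] }   # drop COMPUTER\ prefix
foreach ($m in $members) {
    if ($AllowedUsers -notcontains $m.Split('\')[-1]) {
        Write-Output "Removing $m from '$group'"
        Remove-LocalGroupMember -Group $group -Member $m
    }
}
foreach ($u in $AllowedUsers) {
    if ($short -notcontains $u) {
        Write-Output "Adding $u to '$group'"
        Add-LocalGroupMember -Group $group -Member $u
    }
}

# Report the final state of the group
Get-LocalGroupMember -Group $group | Select-Object Name, ObjectClass
```

Members of the local Administrators group can still connect over RDP regardless of this group, which is one more reason to keep that group small.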
Similarly, you might want to restrict employees’ ability to install and run apps on their desktop computers and any company-provided mobile devices. This will reduce the risk that employees will inadvertently download and install ransomware-infested apps on company devices. Hackers often hide ransomware in pirated versions of popular commercial apps, which they offer for little or no cost to entice people to download them.
- Teach Employees to Be Cautious
Teaching employees to be cautious can go a long way in helping your company avoid becoming a ransomware victim. For starters, you should let employees know about the dangers associated with:
- Clicking links in email and text messages from unknown senders. These links could lead to malicious websites designed to install malware on visitors’ devices or steal the visitors’ personal data.
- Clicking links in strange email and text messages supposedly from people they know. Hackers sometimes hijack a person’s email or text account so they can use it to send phishing messages to the masses. Hackers also use hijacked accounts to send personalized messages to a victim’s contacts. They masquerade as the victim to make the email seem legitimate, thereby increasing the likelihood that the recipient will click the link.
- Checking out clickbait. Clickbait refers to text links (“You won’t believe …”) and thumbnail image links designed to entice people to view content on another web page. While clickbait is typically used to increase page views and generate ad revenue, cybercriminals sometimes use it to send people to malicious websites.
- Scanning quick response (QR) codes in online message boards, forums, and other public sites. Typically, anyone can post messages with QR codes — including cybercriminals — in these venues. The QR code might lead to a malicious website.
- Opening files attached to email or text messages. If the attachments are not expected, they might contain malicious code (e.g., a macro or script) that leads to a ransomware infection or another type of cyberattack.
- Opening a password-protected file (especially if it is a compressed archive file) sent via email or text message if that message includes the password needed to unlock the file. When this occurs, there is a good chance that the file contains malicious code.
- Stress the Importance of Heeding Warnings
Software programs often include features that help protect their users from security threats like ransomware. For instance, most web browsers flag web content that is a potential security threat. Browsers also block pop-up ads by default since these ads often contain malicious code or links to malevolent sites.
Some employees, though, ignore the warnings. A few even disable the security features. For example, they might disable the pop-up blocking functionality in their web browsers or jailbreak their smartphones. Therefore, you need to stress the importance of letting the security features do their job and taking their warnings seriously. Otherwise, the employees might find one day that their files are being held hostage.
- Perform Backups
Cybercriminals are constantly devising new ransomware variants and new ways to spread them. As a result, an infection might occur despite your best efforts to avoid one. Thus, you need to regularly back up the files and systems on your company’s computing devices, including mobile devices. You also need to test those backups to make sure the files and systems can be restored.
Although having restorable backups will not prevent a ransomware attack, you won’t have to pay the ransom if the attack is successful.
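The restore test the section calls for, as an added PowerShell example that is not from the article: it restores a backup set into scratch space (never over live data) and compares the SHA-256 of every file against the source tree, so a backup that cannot actually be recovered is caught before it is needed. The three paths are assumptions.

```powershell
# Added example (not from the article): prove a backup set is restorable.
# Paths are placeholders; point them at a real source tree and its backup copy.
param(
    [string]$Source  = 'C:\Data\Finance',
    [string]$Backup  = 'D:\Backups\Finance\latest',
    [string]$Scratch = "$env:TEMP\restore-test"
)

# 1. "Restore" into scratch space, never over the live data.
if (Test-Path $Scratch) { Remove-Item $Scratch -Recurse -Force }
Copy-Item -Path $Backup -Destination $Scratch -Recurse

# 2. Hash every file on both sides, keyed by path relative to its root.
function Get-TreeHashes([string]$Root) {
    $map  = @{}
    $base = $Root.TrimEnd('\')
    Get-ChildItem -Path $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}
$live     = Get-TreeHashes $Source
$restored = Get-TreeHashes $Scratch

# 3. Report anything missing, altered or extra; only a clean run passes.
$problems = @()
foreach ($rel in $live.Keys) {
    if (-not $restored.ContainsKey($rel))    { $problems += "MISSING  $rel" }
    elseif ($restored[$rel] -ne $live[$rel]) { $problems += "MISMATCH $rel" }
}
foreach ($rel in $restored.Keys) {
    if (-not $live.ContainsKey($rel))        { $problems += "EXTRA    $rel" }
}

if ($problems.Count -eq 0) {
    Write-Output "PASS: $($live.Count) files restored and verified from $Backup"
} else {
    $problems | ForEach-Object { Write-Output $_ }
    Write-Output "FAIL: $($problems.Count) problem(s); do not rely on this backup set"
    exit 1
}
```

Files edited since the backup ran will show as MISMATCH, so either run the test right after the backup or compare against a hash manifest recorded at backup time rather than the live tree.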
Other Actions
There are other actions that companies can take to defend against ransomware attacks. We can make sure that your business has covered all the bases so that it will be protected from ransomware and other types of cyberattacks.
Ransomware statistics flickr photo by Infosec Images shared under a Creative Commons (BY) license