Ransomware Protection & Removal: How Businesses Can Best Defend Against Ransomware Attacks



What steps should businesses take for ransomware protection? 44 security experts weigh in.

Ransomware is on the rise as cybercriminals turn to increasingly savvy and tougher-to-prevent means of monetizing cyber attacks. For businesses who become victim to ransomware attacks, the consequences can be devastating -- ransomware that lands in some shared locations within networks can literally paralyze an organization's operations. Thus, becoming savvier about preventing and defending against such attacks is vital for every business -- and not just major enterprises, but businesses of all sizes.

But ransomware is notoriously challenging to prevent altogether, leaving many companies to believe that a reactive approach is the only way to go. While knowing how to fight back if your company is attacked by ransomware is critical, taking proactive steps to minimize the odds that your organization falls victim to ransomware is equally necessary. Preventing ransomware attacks in the first place can save your business tens of thousands of dollars -- or perhaps millions -- in losses due to interrupted operations, data loss, and other consequences. To gain some insight into how today's companies are protecting themselves from and defending against ransomware attacks, we reached out to a panel of 44 security pros and business leaders and asked them to answer this question:

"How can businesses best defend against ransomware attacks?"

So how can modern organizations fend off ransomware attacks, and if your business becomes a victim to ransomware, what actions should you take to defend your company? Read on to find out what our experts reveal about what businesses should do to best defend against ransomware attacks.

Meet Our Panel of Security Experts:


Tim BandosTim Bandos

@midnit3sec

Tim Bandos is the Director of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim recently joined Digital Guardian to help build our Managed Security Program (MSP) to deliver advanced threat protection to our global customer base. He brings a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.

"Not a week goes by now where we don’t see a barrage of ransomware related headlines..."

Where an organization, hospital, or business had to cough up a fairly large sum of money to decrypt files that became a victim of the incessant malware. Readers of these headlines will scratch their head in puzzlement as to why anyone would even pay, until of course they're faced with this scenario themselves. The first question that always comes to mind is, "How could we have prevented this?" There are multiple steps that can be taken to defend the enterprise against this species of malware and like anything in cybersecurity, a layered approach is always best.

1. Ensure antivirus is installed and up to date across all endpoints within the business. Keep in mind, AV is based on signatures so new variants may and will slip through the cracks, but this could easily be a first line of defense. Additionally, it’s best to have a multi-faceted security solution that employs additional protective technologies such as heuristics, firewalls, behavioral-based threat prevention, etc. Digital Guardian offers an ‘Advanced Threat Prevention’ module that contains a suite of protection rules against ransomware based on how it behaviorally interacts on the operating system.

2. Establish security awareness campaigns that stress the avoidance of clicking on links and attachments in email. I literally ask myself these questions when receiving an email message with a link or an attached file: 1) Do I know the sender? 2) Do I really need to open that file or go to that link? 3) Did I really order something from FedEx?? Phishing is a common entrance vector for ransomware and because most end users never think twice, it’s extremely successful.

3. Backup the data. There are a ton of options here, from backing up to cloud providers to local storage devices or even network attached drives, but each comes with a certain level of risk. It’s imperative to remove the external storage device once a backup has been taken so that if ransomware does infect the computer, it won’t be able to touch the backup.

4. GPO restrictions are an easy and affordable method for restricting not only ransomware, but malware in general from installing. GPO has the ability to provide granular control over the execution of files on an endpoint, so adding rules that block activity such as files executing from the ‘Appdata’ directory or even disabling the ability for executables to run from attachments.

5. Patching commonly exploited third party software such as Java, Flash, and Adobe will undoubtedly prevent many of these types of attacks from even being successful in the first place.

6. Restrict administrative rights on endpoints. I know this is of course a highly political and even cultural request to make, however reducing privileges will reduce the attack surface significantly. End users shouldn’t be downloading and installing games anyway, right?

Ransomware has significantly evolved over the years since it was first introduced back in 1989 as the ‘PC Cyborg’ Trojan and the user had to pay around $189 dollars to repair their computer. Fast forward 20+ years and we’ve seen a myriad of different types of specimens leveraging varying techniques in an effort for the authors or distributors to get paid. With no clear end in sight, we will continue to see these types of attacks, so tightening up the security belt and locking down our PCs is the wisest thing we could do in order to protect what matters most on these devices: the DATA!


Lee MunsonLee Munson

@Security_FAQs

Lee Munson is Comparitech's Security Researcher. Lee is a regular contributor to the Sophos' Naked Security blog and Social Media Manager for Brian Honan's BH Consulting. He is also the proud winner of the Best UK Security Blog and Best European Security Blog at the 2015 European Security Blogger Awards.

"If a business wishes to protect itself against ransomware, it needs to focus on..."

Both technological solutions and, more importantly, its people. One of the most important defenses against ransomware is to have a robust backup strategy in place that includes off-site storage and regular testing of images and other saved data to ensure their integrity.

Other technical solutions such as always showing hidden extensions (ransomware.jpg may actually be ransomware.jpg.exe), filtering out executable files from email servers, and disabling remote desktop connections are all effective in preventing this type of blackmailing code from ever gaining a foothold on a device or network.

But your people are where your main focus should reside. Staff are far from stupid, yet they remain the weakest link in any security system due to a lack of training and awareness.

By educating them about what ransomware is, how it can infect their machines, and what they can do to stop that from happening (by not opening email attachments, being extremely wary of links in emails, etc.) you will drastically improve the most important level of defense within your organization.


Steven J.J. Weisman, Esq. Steven J.J. Weisman, Esq.

@Scamicide

Steven Weisman, Esq. is a lawyer, college professor at Bentley University where he teaches White Collar Crime, author, and one of the country's leading experts in scams, identity theft and cybersecurity. He also writes the blog www.scamicide.com where he provides daily updated information about the latest scams, identity theft schemes, and developments in cybersecurity.

"There are several things companies should be doing to combat ransomware..."

1. The best defense against ransomware is to backup all of your data each day. In fact, my rule is to have three backup copies using two different formats with one off site.

2. While everyone has heard of blacklisting, a good defense against ransomware is the use of whitelisting software that only allows specified programs to be run on the company's computers and therefore blocks malware.

3. Install security software and maintain it with the latest security updates. While this will not protect against zero day exploits, many ransomware attacks use older versions for which there are security software defenses.

4. Limit the ability of employees who do not need the authority to install software and limit the access of employees to data to only that data to which they need access.

5. Most ransomware is delivered by spear phishing. Often the spear phishing is facilitated by information gathered through social media. Have a social media policy in place that limits work-related information, such as job titles from being posted on social media. In addition, have an ongoing education program for all employees about how to recognize and avoid spear phishing.


Paul KublerPaul Kubler, CISSP, EnCE, SEC+, CCNA, ACE

@LIFARSLLC

Paul Kubler is a Cyber Security and Digital Forensics Examiner at LIFARS LLC, an international cybersecurity and digital forensics firm. He's a former employee at Boeing, in the Global Network Architecture division, the nation's largest private cyberattack target. He previously worked at the Flushing Bank, in Network and Systems Infrastructure, protecting valuable financial data at various levels within the network and system. Paul has also performed forensic investigations into mobile devices aiding in the prosecution of criminals.

"In the recent years, we've seen a dramatic increase in the use of ransomware being delivered alongside..."

Phishing emails. They usually send an attachment such as URGENT ACCOUNT INFO with a file extension of .PDF.zip or .PDF.rar, which slips by the unsuspecting victim and delivers the payload. This attack often encrypts the entire hard disk (some of the less damaging forms simply block your access to the computer, but do not encrypt - such as this example), or the documents and requires a bitcoin payment to unlock. Luckily, these groups actually do unlock the data, this way future victims are more likely to pay.

What can you do to minimize the chances of yourself as an individual of falling a victim to these dirty schemes? Here are a few steps you can take:

  • DO NOT open emails in the spam folder or emails whose recipients you do not know.
  • DO NOT open attachments in emails of unknown origin.
  • Use a reputable antivirus software - we recommend Kaspersky, which ranked the highest in our tests.
  • Perform a regular backup to an external medium (external hard drive or the cloud).
  • After backing up, disconnect your drive. Current ransomware is known to encrypt your back up drive as well.
  • DO NOT pay the ransom. The reason why the criminals keep utilizing this form of blackmailing attacks is that people keep paying. To try to get your data back, consult a professional in your area.

What can your company do to prevent being victimized by these types of attacks?

  • Humans need to be trained -- they are the weakest link. Companies should employ at minimum a bi-annual training geared towards each user group (end-users, IT staff, managers, etc.) so that everyone is aware of the latest attacks.
  • Employees should be tested by having an outside party conduct a social engineering test, like something from Rapid7 or LIFARS. These kinds of tests help keep the employee on their toes and more likely to avoid the attacks.
  • Since these attacks are on the rise, a number of new defenses have been developed. AppRiver is a great Spam and Virus email filter that can block a large number of phishing exploits before they even reach the internal servers.

As a last line of defense, Cyphort has a good IDS/IPS solution that can help detect known attacks and how far they managed to get into the network by signature, behavior, and by community knowledge.


Eyal BenishtiEyal Benishti

@IronScales

Eyal Benishti is founder & CEO of IronScales, which provides phishing mitigation and training solutions for organizations of all sizes to protect against traditional phishing, spear phishing, and whale phishing. IronScales focuses on ensuring that people can protect the organization in situations where traditional technology isn’t enough.

"Ransomware has been through several evolutions so far and, as such, requires..."

Careful attention. While the first ransomwares were simply encrypting the local hard drive and asking for money, its latest evolutions are now encrypting network drives. They’re even leaking out the data to make the extortion case even stronger for those using simple restore solutions to overcome the encryption hurdle, by threatening to publish the company data publicly. Since email attachments are the most common way to deliver a ransomware attack inside an organization, you need to take the following important steps:

1. Filter both executable and password-protected files. Make sure your gateway mail scanner does not allow these files to go through without your inspection.

2. Filter macro-enabled files like .docm. Since macros are yet another way to execute code on the victim machine, block them!

3. Apply a patch management system, making sure that all desktop clients are fully patched. Cyber criminals are quick to exploit zero days, so stay ahead.

4. Don’t give employees admin privileges on their machines if they don’t need them.

5. Perform Data Leakage Prevention (DLP) and anomaly detection. Make sure no one is trying to leak data out of the company network. Pay close attention to suspicious outbound connections.

6. Backup. Always keep an up-to-date backup. If you got hit, make sure you don’t restore the Malware together with the data!

7. Train employees to spot phishing emails. This is the main attack vehicle, so make sure your staff is well-trained.

8. Encourage and incentivize people to report back to you when they see suspicious emails. Act immediately. Automate the process. Some people will never learn, and those new to the company may not know the process. Make sure you leverage those who do know and can spot phishing to make up for those who don’t.


Jeffrey LauriaJeffery Lauria

@iCorps_Tech

As Vice President of Technology for iCorps Technologies, Jeffery Lauria is responsible for managing iCorps' client accounts (small and mid-sized businesses) and helping them practice security best practices. Jeffery is an accomplished Information Security Executive whose experience spans over 20 years in all facets of IT. His certifications include CISSP, CGEIT, CISA, CRISC, CCISO, CCSK and MCSE.

"To defend against ransomware..."

There are some relatively straightforward and cost effective steps that all businesses can take. In addition, there are products and services that can provide additional mitigation.

As with all security issues, there is rarely a “silver bullet” or singular step that will fully mitigate the problem. Multiple steps are needed to be able to reasonably defend again ransomware. Some steps are designed to prevent ransomware to begin with, some steps will reduce the impact and ransomware, and some steps will allow recovery from ransomware. Below are quick-hit check-lists for each category outlining appropriate steps.

  • Practice ‘Least Privilege.’ The Least Privilege concept says that any given account should have the least amount of privilege required to perform appropriate tasks. Common places where this concept can be applied, but often is not, include user permissions on endpoints and user permissions on network shares. All users, including IT admin personnel, should log in using a non-privileged account, and escalate privilege as needed using a secondary account. Most of the common tasks any user performs, such as browsing the internet, checking e-mail in Outlook, or editing a document do not require the ability to stop and start services or to edit registry keys – so remove those excess privileges. The key to this concept is that malicious software most often runs using the privilege level of the currently logged in user. If that user is an admin, so is the malicious software.
  • Configure white listing for plugins and add-ins for your browser. Instead of allowing Flash on every site, block it on every site and whitelist only the sites you trust. In addition, install ad-blocking software. Ransomware has been spread in the past using pop-ups and ads that could have been easily blocked. In a famous case in early 2015, CryptoLocker spread using infected ads for a well-known international brand. However, keep in mind that this step will fundamentally alter your web experience.
  • Ensure your antivirus is installed on endpoints, that all options are enabled, that antivirus is up to date, and that tamper protection is enabled. Tamper protection will prevent malicious software from turning off the antivirus application. Antivirus will help catch malicious software before it installs, or can help prevent its spread in the event it successfully installs.
  • User awareness training. Ensure all users are aware of threats and how to avoid them. For example, teaching end users how to identify phishy e-mail and not to click on links in e-mail without knowing they are from a trusted source is a critical step in preventing exposure to malicious software.
  • Enable Unified Threat Management on edge devices such as a firewall. This can offer intrusion detection and prevention, web-site filtering where you block access to known or suspected malicious content, and another layer of antivirus.

Recovering: Here, we review steps to recover from ransomware that do not involve finding a BitCoin ATM and funding the development of more ransomware.

  • Least Privilege is here, again. This time, it is more to point out that nearly all recovery options rely on the least privilege concept in one way or another. If you were logged in as an admin, it may not be relevant that you created backups – the malicious software can likely alter your backups, as well.
  • Ensure that any OS options for automatically keeping previous versions of documents, such as Windows Shadow Copy is enabled. This step will allow you to quickly restore the previous version of any impacted file. Note that most well written ransomware applications will attempt to disable Shadow Copy, but that only admins can actually disable it. If you are logged in as an admin, ransomware will successfully disable this and alter any previous versions you may have had.
  • Daily backup data to an external device using a dedicated backup account. Regardless of which type of backup you use, backing up to an external device or offsite will help protect backups from being altered.
  • In a worst case scenario, file recovery tools may be able to assist in recovering from ransomware provided they are used immediately. Ransomware often functions by encrypting your files. In the process, they typically create a new file and delete the old file. The way hard drives allocate new files and delete old files is primarily using a File Allocation Table, which can be thought of as similar to a table of contents. Deleting a file is similar to erasing the listing out of the table of contents, and creating a new file is similar to adding a new listing to the table of contents. This is obviously a vast oversimplification, but the point is the some of the unaltered data may still exist on the hard drive. Time, however, is of the essence, and this possibility will likely go away as ransomware becomes more sophisticated and begins encrypting slack space on the drive.

Robert SicilianoRobert Siciliano

@RobertSiciliano

#1 Best Selling Author Robert Siciliano, CSP, CEO of IDTheftSecurity.com is fun and funny, but serious about teaching you and your audience fraud prevention and personal security. Robert is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). His programs are cutting edge, easily digestible, and provide best practices to keep you, your clients, and employees safe and secure. Your audience will walk away as experts in identity theft prevention, online reputation management, online privacy, and data security.

"Cyber criminals have been attempting to extort money from individuals and companies for many years, and the latest attempt to take advantage of others is by using Ransomware as a Service, or RaaS. A ransomware virus..."

Infects a computer when a user clicks a link and unknowingly downloads a malicious file. The ransomware virus then encrypts the computer’s files and promises to render them useless unless the victim pays a ransom. The cost varies greatly, and groups sending these out can bring in hundreds of millions of dollars in profits. RaaS makes it even easier for criminals to deploy ransomware viruses. All they have to do is choose a ransomware virus, set a ransom amount and deadline, and then trick their victims into downloading it onto their computers.

What to do if systems become infected with ransomware

If you have been attacked with ransomware, consider the following:

  • Tell the hacker you will pay, but that you need time to get the cash.
  • Gather all correspondence from the hacker.
  • Tell the webhosting provider and maybe call the cops, but expect little. If there is a major loss, reach out to the FBI; just know they might not see it as serious.
  • Delete all infected files and download clean versions from your backup system. Remember: If you have a quality backup system in place, you won’t need to pay the ransom.

Handling computer viruses

Ransomware isn’t the only type of virus to be on the lookout for. Symptoms of other types of virus infections include programs opening up on their own and a slow computer. Some viruses may send messages from your email account without you knowing about it. Here are some more ways to protect yourself from ransomware and other computer viruses:

  • Use both firewall and anti-virus software.
  • Do not open attachments, links, or programs from an email, including those from people you know, until you check for viruses.
  • Do not use public Wi-Fi connections unless on a virtual private network or using encryption software.
  • Keep security software current, use administrative rights, and use a firewall.
  • Use the most recent version of your operating system and browser.
  • Back up all data.
  • Train employees on security measures for all devices.

Stu SjouwermanStu Sjouwerman

@StuAllard

Stu Sjouwerman is the founder and CEO of KnowBe4, which hosts the world's most popular integrated Security Awareness Training and Simulated Phishing platform. Realizing that the human element of security was neglected, Sjouwerman teamed with Kevin Mitnick to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training.

"Regardless of whether you've been hit with ransomware or not, protecting your network from these types of attacks is now..."

An integral part of any network security framework for both individuals and companies.

Defense In Depth

Protecting yourself from intrusions and attacks requires securing your main layers of defense by utilizing Security Awareness Training and antivirus/anti-phishing software. If you consider a computer network (even a simple one, like your home computer) to consist of a series of layers that any malware or virus needs to penetrate, the outermost layer would consist of your users themselves. After all, it takes a user's interaction in order to initiate or allow a network intrusion. Only AFTER a user has clicked or visited a malicious link/site will your secondary and tertiary layers (firewalls and antivirus) come into play. Thus, the very first layer you will need to harden is that of the human operator. It is only in recent years that the importance of this layer of security has come to be recognized. In the past, software has been relied upon as a catch-all for these types of situations. Software just by itself is not enough anymore, users must be trained to prevent such attacks from happening in the first place.

Security Awareness Training

You need to implement effective Security Awareness Training. Despite evidence to the contrary, users do not come to work with the intention of clicking on phishing emails and infecting their computers! As many IT professionals can attest, a simple knowledge of what red flags to be aware of can make a huge difference in the ability of a user to discern malicious links/software from legitimate traffic. As the methods hackers and malware creators use to trick users are constantly changing, it is important to keep users up-to-date on not only the basics of IT and email security, but also the ever changing attack types and threat vectors. After all, everyone knows that there is no Nigerian prince out there and it's just a scammer right? But what if Becky from the accounting firm accidentally sends you a payroll spreadsheet? Not everyone is going to question the ambiguous origin of a well-crafted phishing email, especially with a juicy attachment like Q4 Payroll.zip. HR may receive 20 resumes a day, but only one of those needs to be malicious to cause an incident. Increasingly, hackers and attacks utilize social engineering to entice or trick a user into installing or opening a security hole. Good Security Awareness Training covers not only software based threat vectors and red-flags, but physical security training as well. User security training is a vital piece of securing your network.

If you are a victim, you can download this free ransomware hostage rescue manual.


Dotan Bar NoyDotan Bar Noy

@ReSecTech

Dotan Bar Noy is the Co-Founder & CEO of ReSec Technologies and has more than 10 years of management experience in technology and software companies. Dotan holds a BA in Economics & Management from the Israel Institute of Technology (Technion) and an MA in Law from Bar-­Ilan University.

"Ransomware is mentioned frequently in the news and it’s not surprising that ransomware attacks are the number one form of malware..."

According to Verizon’s 2016 Data Breach Investigations Report (DBIR), ransomware attacks increased by over 16 percent since 2015. Defending an enterprise against such a threat will require all departments of an enterprise to work together.

Employees should have a basic understanding of what ransomware threats look like so they know when to report something and when not to click on a link or open a file. Some leading companies are offering such measurable employee training that might assist in their education.

High level executives need to fully understand the risk and the potential damages of ransomware attacks. They will then be able to allocate sufficient resources for training the employees and for implementing a solution that can counter such threats.

Cyber criminals are more organized than ever before and new individualized strains of malware are being manufactured constantly to evade the signature and behavior detection solutions that so many enterprises rely on. It is up to the CISO and the enterprise professional to move quickly, assess and deploy adequate solutions to prevent ransomware from entering the network perimeter—all in accordance to the enterprise architecture and risk analysis.

Verizon's 2016 report does offer one very solid recommendation for organizations: It calls to filter your incoming emails and flag suspicious content. All other recommendations (awareness training, etc.) are secondary.

By taking a top-down and bottom-up approach to the human side of security, enterprises will be better prepared for ransomware attacks even as they upgrade their security stack.


Tony AnscombeTony Anscombe

@TonyAtAVG

Tony Anscombe is the Senior Security Evangelist for AVG Technologies. Tony's role at AVG is to bring our growing free user population products and solutions that allow them to enjoy their online experiences while trusting AVG to provide them protection from malware and data loss.

"Ransomware is like digital kidnapping..."

An attacker encrypts the victim's computer, or even individual files, and charges a ransom for their safe return. If the ransom isn't paid the files are destroyed and seemingly lost forever. Individuals, businesses, colleges and government agencies have all been among targets of ransomware. Any institutions or individuals that have critical files or systems are potential targets for ransomware attackers. With smaller companies becoming attractive targets to cybercriminals due to their perceived lower levels of protection, no one is immune to the danger of ransomware. This also means that your end customers will require an increased level of service and expect your immediate response to their security needs. Here in the United States, both the FBI and the White Collar Crime Center advise you to report ransomware threats or events to the agency at www.ic3.gov, and importantly, they advise against paying the ransom! Here are also some basic tips for ransomware protection:

  • Educate yourself and employees about ransomware.
  • Regularly back up your data - and make sure a copy is stored offline.
  • Install and enable antivirus protection.
  • Make sure you keep all your systems and programs up to date.
  • Beware of links, and attachments. If in doubt, do not open it!

As with disease in the real world, prevention is sometimes the best cure in the digital world. It may seem like a bother, but having a preventative strategy could save you pain in the long run.


Eyal GrunerEyal Gruner

Eyal Gruner, or boy security wonder, as Gartner VP Distinguished Analyst Avivah Litan referred to him in her blog, is the co-founder and CEO of cyber security company Cynet. He is also co-founder and former CEO of BugSec, a leading cyber consultancy, and Versafe, acquired by F5 Networks in 2013.

"To defend against ransomware attacks..."

First, businesses should operate under the assumption that they have already been hacked, and unknown threats lie within their systems, waiting to attack. Today's existing protection solutions, many of which operate on a single front - be it networks, files, users or endpoints, frequently miss new and previously unknown threats.

Second, in addition to covering their bases by implementing protection on all fronts, they should implement a detection solution. This is in line with technology research company Gartner's recent recommendations that enterprises move from a security budget spend of a 90-percent protection / 10-percent detection split, to a split of 60-percent protection / 40-percent detection. We recommend that organizations look for a solution that knows how to:

A: Detect ransomware before the payload is dropped, instantaneously killing the process before it can begin encryption.

B: Detect ransomware that has already started to encrypt, eliminating the threat of it spreading further, to minimize the damage.

C: Do nothing and pay the ransom.

Third, within the bigger picture, in order to find and rapidly eliminate ransomware and other malware which have bypassed existing preventions, we recommend an organization follow these best practices:

  • Collect threat indicators from across the organization.
  • Correlate indicators to determine risk ranking, and minimize false positives.
  • Invoke advanced security threat intelligence.
  • Remediate within all potential threat vectors.

Greg EdwardsGreg Edwards

@WatchPointData

Greg Edwards is CEO of Watch Point Data, driven to build a superior, global cybersecurity firm to defend small and medium businesses from the cybercriminals lurking in the shadows of the Internet.

"The best way to defend against ransomware is to..."

Use multiple layers of defense.

1) While AV is minimally effective, at least it will stop the known variants of ransomware.

2) Patch management; patching Windows and all ancillary applications at the desktop level will prevent most ransomware from running.

3) Create Group Policy restrictions to restrict ransomware's ability to run locally.

4) Use ad blocking software within browsers.

4) Use a system to monitor network shares and block actively running ransomware.

5) Verify data backup and business continuity plans. Having a good backup is the last line of defense, if you are hit with ransomware, you can recover and not pay the cyber criminals.


GorelikMichael Gorelik

@Morphisec

Morphisec's VP R&D, Michael Gorelik, has more than seven years of experience leading diverse cybersecurity software development projects. Previously, Michael was the VP R&D at MotionLogic GmbH and also served in senior leadership positions at Deutsche Telekom Labs. Michael holds Bsc and Msc degrees from Ben-Gurion University and jointly holds two patents in the IT space.

"The best defense against ransomware attacks is to..."

Not focus on ransomware. Ransomware is the last part in an attack kill chain (the payload, as it's called). The right way to prevent ransomware is by thwarting the attackers' efforts to deliver the ransomware to a user's machine. How? Through a moving target defense (MTD) strategy. Ransomware and other malware are delivered through exploit kits, the hacking tools that search for known vulnerabilities in applications such as unpatched browsers or outdated plugins. MTD uses counter-deception techniques to constantly change the target surface, so that attackers can't get a foothold - forcing the attacker to search for the target over and over again, increasing the likelihood of their discovery and making attacks costly and unfeasible.


Oscar MarquezOscar Marquez

@iSheriffInc

Oscar Marquez is Chief Technology Officer and a founding member of iSheriff, with overall responsibility for world-wide support and the development and delivery of the company's world-class cloud security products.

"The first and foremost step towards protection against ransomware..."

Is awareness. Do not open any email from any unrecognized, sketchy email address. Downloading attachments from such emails may prove costly. And never enable Macros in your Word. If you remain vigilant enough, then you can reduce the chances of such attacks succeeding significantly.

The second, and very crucial step towards protection from ransomware, is keeping your antivirus updated all the time. A patch in such antivirus may prove instrumental in warding off malware, such as Locky. This is one of the basic security measures that a user must always keep in mind. Yes, antivirus software may clog up your memory or make the operation of your system jittery, but it also is the best precautionary step towards malware protection.

Finally, you should always browse carefully. While browsing the internet, carefully check the sites you're accessing. Completely avoid any website which looks sketchy and untrustworthy. You may be lured into clicking on a link on your social media page and unknowingly installing unscrupulous elements. Avoid providing personal information to any website you do not trust.


Steve ManzuikSteve Manzuik

@duo_labs

Steve is the Director of Security Research at Duo Security's Duo Labs where he is responsible for our team of crazy researchers. Steve brings over 20 years of Information Security experience including roles at various product companies, consultancies and research teams.

"Some basic security hygiene tips can help best against ransomware attacks..."

Here are a few expert tips:

  • Make sure the devices on your networks are up to date. With employees bringing their personal devices into the workplace, IT admins have to make sure that those devices are just as secure as their managed devices - they need to see if devices are out of date, rooted/jailbroken, or otherwise posing security risks. Otherwise, they're leaving known vulnerabilities open to hackers.
  • Passwords aren't enough. The most popular password in the world remains 123456, proving the point that passwords are easily guessed and easily bypassed. Instead, use a password manager like Lastpass that automates the generation of complex passwords and stores them so memorization is no longer an issue.
  • Use two-factor authentication. A hacker may steal your passwords, but it's nearly impossible to steal those and your smartphone or token at the same time.
  • Use common sense with your email and train your employees to do the same. Never open email attachments or click on links from a sender you don't know and trust. Phishing and social engineering are ongoing problems that are often the main open door leading to a data breach.

Joseph CarsonJoseph Carson

@Thycotic

Joseph Carson is a cyber security professional with 20+ years' experience in enterprise security & infrastructure. Joseph is a Certified Information Systems Security Professional (CISSP). An active member of the cyber security community, Joe is a Director at Thycotic.

"The best thing businesses can do to defend against ransomware attacks is..."

Educate employees. Recent statistics indicate that one in five employees will open and click on emails containing malware. Security awareness programs can be a very cost effective solution; they not only protect the employees on corporate systems, but also allow the employees to use that same knowledge to protect their own personal systems, information and families from the same threats.

Understanding how hackers operate will give you a cyber advantage. In advanced threats, the attacker will spend a large amount of time researching a list of potential targets, gathering information about the organization's structure, clients, etc. Social media activity of the people in the target company will be monitored to extract information about the systems and forums favored by the user and any technology vulnerabilities assessed. Once a weakness is found the next step the attacker will take is to breach the cyber security perimeter or send emails containing malicious software like ransomware and gain access, which, for most attackers, is easily done. Organizations should use similar analysis techniques to identify potential targets for ransomware and use that knowledge to deploy security controls to mitigate the risks.

Password and privileged account management should be a major concern for every organization. Implementing effective security controls can be the difference between a properly defending yourself against a simple perimeter breach or experiencing a cyber catastrophe.

Most ransomware incidents have used known vulnerabilities and exploits to expose weaknesses in systems in order to infect the system with malicious software. By keeping systems' security updates current you will significantly reduce the risks of malicious software exploiting those vulnerabilities.


Anand AdyaAnand Adya

@greenlight_corp

Anand Adya founded Greenlight Technologies in 2004, leading the company from its inception into the market leading provider of cyber governance, regulatory management, and compliance solutions. As an industry thought leader, he is a frequent speaker on the topic of governance, risk and compliance management at major conferences.

"Ransomware is quickly becoming a growing threat to companies and no one is immune..."

Even healthcare facilities such as the Hollywood Presbyterian Medical Center have been hit with ransomware and had to pay to unlock their systems. One of the keys to preventing this type of attack is to educate your employees about the cyber threats that are lurking out there. They need to understand the ramifications if they click on a questionable link (or attachment) in an email and mistakenly download ransomware. From an IT perspective, it's critical to frequently back up data and manage mapped drives. In addition, you must ensure that your software, email filters, perimeter defenses and anti-virus solutions are all up to date. Keep your critical data in segregated or air-gapped networks that utilize additional firewall protection and controlled access from authorized devices / users. Also, content security tools can be put in place to alert you to any file extension discrepancies. For example, an email may contain a file with the .pdf extension but it could actually be .exe ransomware. There are numerous security controls and processes in place and there will always be exceptions, alerts and failures for these controls and it is critical to understand the business impact from each one.


Raymond SuarezRaymond Suarez

@CoreSecurity

As Director of Product Management, Raymond Suarez manages the strategic planning and market development of Core Security's penetration testing and vulnerability management solutions. During his career, Raymond has been involved with delivering security products for networks, databases, server and desktop technologies vital to protecting critical systems and IT services.

"We saw the first major instance of ransomware with the breach of Sony Pictures in late 2014..."

The hackers held information and released it slowly while asking Sony for a ransom in order to stop the leak. Since then, we've seen several more major ransomware attacks which show the power of hackers to not only steal our information but to use it against us. The larger the company, the larger their attack surface. As a result, creating a traditional layered defense for the full attack surface is challenging. Just protecting the perimeter without protecting the inside won't work, and inconsistent patching and outdated software leave organizations exposed. So, what can companies do to protect themselves?

  • Scan to find exploitable vulnerabilities which can open paths to your organization's mission-critical systems and data.
  • Create processes to patch operating systems, with a patching focus on risk to critical assets.
  • Use penetration testing to validate vulnerability and patch management activity.
  • Align information security goals with desired business outcomes and adopt processes that span information security and IT operations.

Ron Schlecht, Jr. Ron Schlecht, Jr.

@btb_schlecht

Ron Schlecht, Jr. is co-founder and managing partner of BTB Security, a provider of cyber security, breach response, and digital forensics services. Schlecht is a Certified Information Systems Security Professional (CISSP) and Certified Computer Examiner (CCE) with 16 years of experience in security risk management and digital forensics. He has an extensively varied background performing jobs in law enforcement and information security/forensics.

"To defend against ransomware attacks, organizations should rely on..."

Commodity protections, like content filtering, spam filtering, anti-virus and awareness training. If they aren't doing holistic monitoring, this may be the issue to drive that necessity. Additionally, they should ensure they have appropriate backups so field machines or even servers can be wiped and re-deployed if and when ransomware hits. Finally, organizations need to write an incident response plan to specifically address ransomware including what steps they need to take when it's detected.


Dylan SachsDylan Sachs

@BrandProtect

Dylan Sachs directs Identity Theft and Anti-Phishing efforts at BrandProtect. He works directly with leading financial institutions, health care providers and Fortune 500 enterprises to help CISOs and security teams deploy better defenses against modern email and identity theft attacks, including socially engineered exploits.

"To better protect against ransomware attacks, and other malware or BEC attacks carried by socially-engineered emails, businesses need to..."

Begin proactively monitoring for threats that exist beyond their traditional firewalls. Take these socially engineered attacks, for example. The most effective attacks originate from a domain that is a close variant of a company's actual email domain. Instead of XYZ.com, they'll register XYZ.biz, or XYZ-finance.net. The criminals are banking on the fact that the targeted individual will skim past the similar domain and not notice that it is illegitimate. It surprisingly easy for the criminals. To turn a cybersquatting domain into a potential spear phishing platform, a potential phisher only has to activate the domain's MX record.

An MX record is a type of resource record in the Domain Name System that specifies a mail server responsible for sending and accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available. An active MX record allows a domain to communicate with other emails domains to send and receive messages. Simply put, there is only one reason for a criminal to activate the MX record of a copycat domain, or to acquire a similar domain with an active MX record - to attack.

But CISOs can take advantage of this technical requirement to get ahead of cyberattacks and proactively block them. By proactively monitoring beyond their perimeter for similar domains with active MX records, CISOs can gain a crucial advantage. When an MX record goes active on a similar-looking domain, CISOs can immediately block inbound emails and prevent potential attacks.


Scott Brown Scott Brown

@ryancreektech

Scott Brown is the President of Ryan Creek Technology Associates and Author of "Essential IT Concepts for Small Business" and "Swiss Cheese and Cyber Security."

"Ransomware, or any malicious software, needs to be addressed with..."

Multiple layered security. Think of it like an onion. The essential layers of that onion are identified below in order of precedence.

First and foremost is end user education. End-users without the proper education can defeat the best of technical controls on accident.

Secondly, a good backup system should be in place to enable recovery in case of an infection, because no computer connected to the internet is perfectly safe, regardless of the security in place.

Next, have a business class firewall and/or unified threat management appliance with a virus scanning engine, intrusion prevention, and web content filtering. Restrict user activity to only what is necessary to accomplish the organization's goals.

Run both business class anti-virus and anti-malware applications on the end-user machines and servers. The use of multiple applications will allow a second opinion regarding threats. No anti-virus program is perfect.


Aqib NazirAqib Nazir

@NazirAqib

Aqib Nazir is a father to a beautiful son, husband to an amazing wife, and son to a great mom with a passion for IT. He is an IT consultant, a web developer, and blogger. You can follow his blog to learn more about starting a blog and monetizing it.

"The best way to defend against ransomware attacks is..."

There is this famous saying, "Prevention is better than cure," that absolutely applies in the field of Information Technology. Even major companies like Sony and eBay have suffered serious cyber attacks in the past years. The best way businesses can tackle ransomware attacks is to keep their data backed up regularly. When there is a ransomware attack, you have only two options: You either pay ransom and get the control back, or you don't pay ransom and lose the data. You better understand how much worse it could get when you lose control of your data. Therefore, the best way to defend ransomware attacks is to have regular data backups. You can either set up an automated backup system on the Cloud or just create manual backups on a physical storage device.


Dr. Eli DavidDr. Eli David

@DeepInstinctSec

Dr. Eli David, CTO of Deep Instinct, has published more than 20 papers in leading AI journals and conferences, focusing on applications of genetic algorithms and neural networks (especially deep learning) in various real-world domains.

"Ransomware is growing exponentially, mainly because it is now easier to find this type of malware as-a-service on the Darkweb, so it is no longer confined to..."

Sophisticated hackers. Furthermore, the fact that, many times, victims are willing to pay makes it lucrative. Despite being a threat that is expected to grow according to many projections for 2016, you can protect yourself against it: Apply cybersecurity solutions that can identify and block malware attacks in real-time; keep your systems and applications up-to-date; be wary of unsolicited emails; and back-up your files and keep copies offline to be able to retrieve the files without having to succumb to the ransom. One such solution gaining ground as a method to stop ransomware attacks is using deep learning technology. Using the brain’s ability to learn to identify an object and turn its identification into second nature, deep learning technology can innately learn to detect any cyberthreats and instinctively prevent and block zero-day, APT, and ransomware attacks in real-time.


Lyle LibermanLyle Liberman

@JANUSAssociates

Lyle Liberman is the COO of JANUS Associates, the nation's oldest independent IT security consultancy. Headquartered in Stamford, CT, JANUS provides a full range of information security and business transformation solutions including Information Security Risk Analysis, Penetration Testing, Security Awareness Training, Regulatory and PCI Compliance Assessment, Current/Future State Assessments, Disaster Recovery and Business Continuity Planning, and Data Forensics.

"Ransomware attacks and cyberattacks in general require sound preventative actions including..."

Educating employees, and this starts with offering security awareness training on a regular basis. Security awareness training will help employees spot a poisoned email that may contain a link to a site serving up ransomware. Employees should also be taught never to click on an ad banner anywhere on a web page as hijacked banner ads are another favorite method of delivering all types of malware payloads, including ransomware. A sound security awareness program should include regularly scheduled training once every 90 days. Most organizations only offer training when they on-board a new employee, or once yearly at the most. Studies have shown that the effectiveness of training is long forgotten after 90 days, so it is important to keep reminding your team in short 15-minute sessions of the do's and don'ts of good cyber hygiene. Finally, if a ransomware screen appears on a workstation, the machine should not be shut down as all data may be lost. Instead, the employee should unplug the network cable from the back of the machine or shut down the Wi-Fi connection immediately. This may help prevent the spread of the attack throughout the network.


John PirontiJohn Pironti

@ISACANews

John P. Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is a risk and security advisor with ISACA and president of IP Architects. He has designed and implemented enterprise-wide electronic business solutions, information security programs, and threat and vulnerability management solutions for global clients in a range of industries, including financial services, government, hospitality, media and entertainment, aerospace, and information technology (IT).

"Ransomware payouts are on the rise as cybercriminals have little trouble finding enterprises unprepared to defend themselves against the attacks..."

This threat commonly uses malware to encrypt data files and propagate itself throughout networks to maximize its impact. Attackers then harvest encryption keys to decrypt data and hold it for ransom. Victims receive the encryption keys -- and access to their data -- only after sending payment to the attackers.

Ransomware is among the major cyber threats identified in ISACA's CSX Threats & Controls tool. To limit the impact of attacks and respond effectively, organizations should consider these 5 questions:

1. Pay or No? - When faced with ransomware demands the first question, of course, is whether to pay. Sometimes it makes sense economically or efficiency-wise to pay rather than unilaterally restore data and systems. Enterprises should be cautious, however, because if the payment is publicized, it could set the organization up for future attacks. That is why these decisions should be made before an attack ever occurs. Organizations should determine their ransomware risk appetite, considering factors such as recovery cost, data availability, productivity loss and reputational impact. It should establish thresholds to decide if it is worthwhile to pay the ransom.

2. Negotiate or Not? - If the decision is made to pay, should an organization negotiate with the attacker? Cybercriminals prefer to get some money rather than no money. The enterprise may save money if it negotiates. Organizations should consider the projected cost of remediation, and if the ransom is less, the decision to pay may be an easy one.

3. Simple Ransomware or Something More? - Sometimes a ransomware attack is simply a ransomware attack. Other times, it can be part of a multifaceted attack strategy designed to distract the organization as the attacker tries to escape with data assets or implant malware tools for future use. After a ransomware attack the remediation should include a thorough investigation to determine if the attacker executed other malicious actions or left behind capabilities for future attacks.

4. Are Backups Enough? - When organizations choose not to pay they can recover from a ransomware attack by restoring data from backups, which must be comprehensive, have integrity and be recent enough to be useful to the organization. A key consideration is whether the backups are infected by the original attack. Sophisticated attackers can implant attack capabilities in systems and have them lay dormant for a long period of time to later propagate the ransomware throughout the enterprise's backups. To limit the possibility of re-infection, back up only data files and not system files. The attack code may be in the data files, but an action would have to occur for it to install and operate again. Ideally, the method of exploitation and attack should be identified prior to recovering the backups.

5. Segment or Disable Networks/Systems? - Ransomware malware/attack code often attempts to quickly replicate itself across systems and networks to increase its effectiveness. Organizations often use resources, such as shared storage and network file shares, that are easily leveraged by modern ransomware tools like Cryptowall. It is critical to identify when to segment and/or disable networks and systems to contain an attacker. The conditions and scenarios for doing this should be discussed and agreed upon in advance by business process owners and leaders.


Aviv RaffAviv Raff

@avivra

Aviv is the Co-Founder and CTO of Seculert, an attack detection and analytics platform. He has over 10 years of experience in leading software development and security research teams. Aviv has published several pioneering security research articles and is a frequent participant and requested speaker at information security conferences worldwide.

"Unfortunately, there is no way to 100% prevent ransomware attacks. Therefore, the best way to defend against ransomware is to..."

Backup the data before the attack occurs. However, this is true only if you’ve configured the backup in a way that ransomware can’t access the files. Also, the backup files might become completely encrypted if you are backing up everything all at once and replace the previous backup. With this in mind, you should do incremental backups (or keep previous versions), and keep the backup in locations with no immediate access (e.g., the cloud).


Justin LavelleJustin Lavelle

@BeenVerified

Justin Lavelle is a Scams Prevention Expert and the Communications Director of BeenVerified.com. BeenVerified is a leading source of online background checks and contact information. It helps people discover, understand, and use public data in their everyday lives and can provide peace of mind by offering a fast, easy, and affordable way to do background checks on potential dates. BeenVerified allows individuals to find more information about people, phone numbers, email addresses, and property records.

"The most effective way to defend against ransomware attacks is..."

Being taken hostage is a terrifying experience, but what if the hostage is your personal or work computer? The latest online threat does just that. Ransomware is used by criminal hackers to take over your computer, rendering it unusable until you pay a ransom for your computer to be “released” back to you.

Ransomware attacks don’t discriminate between PCs or Macs, and unfortunately, there don't seem to be many protections out there, let alone quick fixes, if your computer is taken hostage. In fact, the FBI has suggested that users who have been infected by ransomware “just pay the ransom.”

With that being the case, the best option you have is to avoid ransomware in the first place. The most effective way to do that is to be aware of the classic online malware pitfalls.

Ransomware and other malware that can infect your computer typically come from three main areas:

Infected web sites: Obscure web sites can be set up with the sole purpose of infecting your computer and even mainstream sites can be unwittingly affected. Before you download anything from a web site, be sure the site isn’t known for uploading malware. You can do search uncertain URLs through a search on Sucuri.

Email spam: Ransomware can also be sent to you. Everyone is aware of classic Nigerian prince email scams, but incoming spam emails are getting more sophisticated. As a practice, delete any email from a seemingly suspicious sender before you open it.

P2P downloads: Third party download sites, many of which are illegal or live on the dark web, can also have various strains of malware. That new video game you think you are downloading could actually be a nasty virus. Avoid downloading anything from unknown or anonymous users.

It’s important to keep your antivirus software up to date and not to get complacent as ransomware is constantly mutating into new forms. As mentioned, even Mac computers are susceptible to ransomware attacks. Sophos is a good antivirus option for both Mac and PC computers.


Adrienne JohnsonAdrienne Johnson

@CorpInfo

Adrienne Johnson has worked in the Information Technology field for nearly 25 years. She specializes in closing the gap between engineers and business managers. Adrienne helps business managers understand the business implications of technology and provides insight to help them better select the solutions that are best for their organizations. Adrienne is currently the Communications Manager for CorpInfo.

"The best way to mitigate ransomware is..."

A regular and validated data and systems backup. It is very difficult to control every user and every attack method. While there are excellent suggestions on protecting against malware, including ransomware, the threats are constantly evolving. Criminals are consistently identifying new vulnerabilities and manipulation techniques. The surest protection is to plan an effective response.

While most business think they are backing up data, many may not be aware how ineffective their backup programs are. To protect against ransomware, it is vital to regularly backup data and systems. Eliminating ransomware will require wiping the system, so a system-state backup or snapshot is essential to rapidly recover.

Since ransomware encrypts data on all attached and mapped drives, including mapped cloud storage and USB flash drives, these must be backed up as well.

The more frequent the backup, the less data is lost. So, backup frequency should be determined based on the strategic importance of the data and how much data the organization can afford to lose.

Since any attached device will be encrypted, the storage must be external and not mapped or connected to the device after the backup is completed.

Often the weak link in backup programs is data validation and recovery testing. Files may be corrupted, and tapes and USB connections can and do fail. It is important to validate the backup integrity and to test the recovery process on a frequent and regular basis to confirm integrity.

Business should use caution when using only tape backups. Tapes utilize magnetic media which makes them sensitive to corruption and damage. Even if the backup is properly executed all the segments on the tape are valid, corruption or damage can happen in handling. While the actual percentage is disputed, it is widely accepted that tape backups have a significant failure rate.


Mike BakerMike Baker

@Mosaic451

Mike Baker is Founder and Principal at Mosaic451, a bespoke cyber security service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.

"The best way businesses can defend against ransomware attacks is..."

Business is coming under siege by cybercriminals who aren’t necessarily after data -- they never even access it. Instead, they are infecting computers with ransomware in order to lock down a system and prevent the owner from accessing data until a ransom is paid, usually in Bitcoin.

Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” -- the owner of the data, who is not in a position to negotiate on price.

Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.

Most ransomware does not make its way onto computers through brute-force hacking but via social engineering techniques such as enticing employees to click on phishing emails or insert malware-infected thumb drives into their computers.

Businesses do not get cybersecurity right because they look in the wrong place. If you examine the largest data breaches, phishing scams, and companies held hostage by ransomware of 2015, technology did not protect the vast majority of these companies. In each case, data was breached due to hackers/phishers successfully exploiting humans (i.e., employees). The proliferation of mobile devices in healthcare like smartphones and tablets have also made the human element even more vulnerable because this area of security is often overlooked and is in fact the weakest link. Prime target for ransomware.

Employees must be thoroughly trained on information security practices and security awareness -- and this training must be an ongoing process.

Information security threats are continually evolving. It’s difficult for any organization to keep up with the latest cybersecurity threats and devote sufficient human and technological resources to combating ransomware and other cyberattacks. For these reasons, it’s a good idea for businesses to enlist the services of a professional managed security services provider (MSSP). An MSSP can deploy expert on-site security personnel to work in tandem with in-house IT staff and advise on information security policy, employee training, and proactive security measures, and also monitor the organization’s network and immediately respond to breaches if they do occur.

The good news is that most ransomware attacks can be prevented through proactive measures. If an attack does occur, systems monitoring can intercept the malware before it spreads, and secure backups of both patient data and the system will help an organization get back up and running quickly and without having to cave to hackers’ ransom demands.


J. Colin PetersenJ. Colin Petersen

@JITOutsource

J. Colin Petersen is President & CEO of J - I.T. Outsource, fully managed I.T. support service for small to medium businesses.

"There are only two things you need to do to defend against ransomware..."

1) Control what's coming into your network from the outside.

2) Have a comprehensive backup and disaster recovery plan.

Each of these means of defense include multiple layers. Keep your network safe by getting into place your Unified Threat Management, content filtering, email protection, intrusion detection, and employee phishing training. Don't just back up your data; have it tested so you KNOW that it can be fully restored in the case of ransomware or other disasters.


Greg LaBrieGreg LaBrie

@WEI_com

Greg LaBrie, the Director of Technology Solutions at WEI, drives go-to-market strategy for pre- and post-sales excellence. Partnering with WEI Sales Executives, Solution Architects and Network Engineers, Greg leads the development of practices focused on Data Center Infrastructure, Storage, Backup & DR, Networking & Security, and Cloud & Virtualization .

"Since hacking, malware, and ransomware are rapidly evolving, here are seven commonly overlooked tactics to help mitigate these risks..."

1. Update end-user operating systems and applications.

2. Develop a formal security strategy.

3. Review your service provider’s security policy.

4. Allow users to request new cloud services and applications to avoid shadow IT.

5. Step up monitoring, especially for machine-to-machine communication.

6. Review cloud insurance coverage.

7. Use network segmentation to avoid “putting all your eggs in one basket.”


Strive Technology ConsultingTim Singleton

@striveit

Tim Singleton is the President of Strive Technology Consulting.

"There are two approaches to handle ransomware, both are equally as necessary..."

The first is to prevent computers from being infected. All computers need a full antivirus program and a separate malware scanning program. We recommend Kaspersky antivirus and Malwarebytes to our clients. Viruses and malware are different enough that their respective security programs don't catch the same things, so you need them both. A good content filter protecting the network is also a good idea. OpenDNS and firewall-based content filtering systems work well here.

The second thing you need is to assume your data will be caught and encrypted by ransomware. Don't pay the ransom; you can't trust the criminals here. They may give you the decryption code; they may not. The best thing to do is to delete the data, clean your systems, and restore from backup. If your company generates a lot of data throughout the day, take backups more often.


Areyo DadarAreyo Dadar

Areyo Dadar is the community manager for noidentitytheft.com. As a victim of identity theft, he wants to help others avoid what he went through. Areyo received his BA in Economics from San Diego State University and spent 5 years managing US Bank in La Jolla, CA.

"The best thing for businesses to do to defend against ransomware is..."

Ransomware is software that criminals use to lock you out of your computer. Bad guys encrypt your computer's files and hold them hostage until a ransom is paid.

The best way to protect your business from ransomware is by installing File Level Encryption. This is a form of encryption where individual files or directories are encrypted by the file system itself.

As a business owner, you've likely taken measures to secure and backup sensitive company information. But when a ransomware attack occurs, hackers can gain access to your secure information and expose your company and customers to a massive data breach.

Recovering from a ransomware attack can cost $1,000s (direct cost to fix, fines, or contract violations), but that will be nothing compared to the indirect costs. This will be the most expensive blow to your business. Since customers will have lost faith in your business, you'll begin to lose them, which in turn causes you to generate less revenue moving forward.

The National Cyber Security Alliance has estimated that 60% of small businesses hit by cyber attacks end up going out of business. File Level Encryption is an investment every business owner cannot forgo.

This secure technology turns the tables on would-be cyber crooks. If ransomware does make its way to your private network, your encrypted files will look like gibberish and the thief won't be able to read any of the information they just hijacked.

The hacker will have wasted their time and effort and you can go back to running your business.


Kevin ParkerKevin Parker

@Tympaniinc

Kevin Parker is a senior level solution architect/sales engineer at one of the fastest growing IT Consulting firms in the Chicagoland area, Tympani, Inc. With over 15 years of experience in the technology sector, he has a proven track record of exceeding expectations and growing revenues at Value Added Resellers (VARs)/integrators and enterprise consulting firms.

"In cyber security, there are no quick fixes or silver bullets. Protecting your environment is a process, not a product. However, ransomware attacks often..."

Begin through email and network breaches. Any proper security strategy must begin with a next-generation firewall and intrusion prevention system.

Most firewalls act as a barrier and gatekeeper for your network. Some files they let in, while others are denied entry, but this only protects against one phase in the attack continuum.

Once ransomware or malware breaches the firewall, your strategy must also include an intrusion prevention and advanced malware detection system, which will identify, isolate, and remediate the malicious files before they ever reach the end user. Even after the attack is complete, the work is not yet done. You must integrate a solution that will analyze the threat, understand the spread of the breach within your architecture via file trajectory/fuzzy finger printing, and ensure the same attack can never breach the firewall again. The most important aspect of this security strategy is your system’s ability to learn from its mistakes. The hacking industry is in a perpetual arms race with security professionals. Therefore, our security systems must be able to grow and leverage internal and external sources of threat intelligence to keep pace.


Dave DavenportDave Davenport

@motherGuardians

Dave founded MotherG in 2006 with the belief that no business should accept inferior technology when it is so critical to effective business operations. This is even more true today. Under Dave’s leadership, MotherG has perfected its Light-Switch Technology model which delivers the highest value in managed services in Chicagoland. MotherG has been recognized as an Inc. 5000 Fastest Growing Business for several consecutive years; Chicago'’s Best and Brightest Companies to Work For ® by the National Association for Business Resources (NABR) and one of 25 winners of the 2016 Channel Partners 360° Business Value Awards for the past two years.

"While these attacks are most prevalent on employee laptops, ransomware is now targeting departmental file servers and other critical infrastructure. But, there are steps you can take to better protect your company and reduce the risk of ransomware infections..."

Let'’s start with what to do you when are attacked. You have two options. First, you can pay the ransom to get your files unlocked. While not ideal, this will work because if it didn'’t, the ransomware organizations would be out of business.

Two, if you have a good backup system in place -- one that backs up frequently -- you will be able to recover your files. You will lose productivity due to the down time to recover the files, and the work that was done after the most recent back-up, but this is a viable option.

To prevent being a victim in the first place, make sure you have good, solid, security systems in place. Run security sweeps and have strong spam filters, firewalls, and malware protection.

Firewalls and antivirus solutions can stop attacks, but they can'’t detect and prevent all threats against your network. In reality, no single solution can stop 100% of security threats. Hackers are always working to defeat the latest defense. A multi-layered approach is recommended for optimal security.

Use tools such as DNS Open File to do the filtering. Keep patches current on your operating systems and software. Doing so will make it extremely difficult for even the most sophisticated ransomware to access your operating systems and software.

On top of using all these technologies, the best way to minimize your risk is employee awareness and training. For example, have a policy in place to limit what you users have access. This will mean fewer areas ransomware can attack.

Also, make sure you train users to know what an attack looks like and how to act if they receive a suspicious email. These often lure people in by reading something like “there are irregularities” on your computer, click here for a free analysis.” Don'’t!

Note that it makes no difference if your information is stored on-site or in the Cloud. Today'’s ransomware is very sophisticated and can now not only access computers but also laptops, notebooks, cell phones -- any device your users use to store and access data. But if you have the right security systems in place, ransomware cannot be installed automatically without users having to click or do anything. So a combination of the right security and user training is the best way to avoid becoming a victim. Just as a castle is fortified with a moat, walls, and guards for security, businesses must also implement a layered approach to security.


Greg KelleyGreg Kelley

Greg Kelley is CTO for Vestige, Ltd., a company the performs computer forensic services and data breach response for organizations.

"Defense against ransomware attacks is a multi-layered approach..."

The first step is to verify that you have good backups of your data. Verify means that you have restored data from your backups. If you are just relying on your backup program to tell you it worked properly, you are setting yourself up for a big disappointment. The only way to know that you have good backups is to restore some of the data. Good backups also mean that you are backing up all of your critical data and backing it up in a time frame that fits your business needs. If you back up critical data once a month and you get hit by ransomware, any changes to that critical data since the last backup will be lost. Therefore, a company must consider what is an acceptable period of time to lose critical data and configure their backups accordingly.

The next step in defending against ransomware is employee education. Employees should be educated to understand that opening up every attachment sent to them is not a good thing. If the attachment is coming from an email address or name that is not recognizable, it should be discarded or provided to IT for review prior to opening. Of course, the final layer is practicing proper patch management and anti-virus scanning (including over email) but quite often ransomware gets past these safe guards hence the reason for proper backups and employee education.


Daniel RozzenDaniel Rozzen

@HelloTech

Daniel Rozzen is a Senior Technician at HelloTech.

"Protecting ransomware attacks on businesses starts with..."

Increasing network security. Network security consists of hardware and software protection including antivirus software on all computers and devices in addition to hardware firewall protection. There are many types of antivirus and malware protection software, but we recommend ESET, VIPRE or Kaspersky. Other hardware components can include business class routers, wireless access points with firewall features for protection. Migrating business email accounts to a cloud platform, such as Microsoft Office 365 or Google Apps, will help minimize vulnerabilities to the local network and increase network security. Protecting internet traffic can reduce malware penetrations into the network. Using a third party DNS provider can protect your internal network increasingly.

Here are some ways you can decrease the possibility of being infected with ransomware:

  • Have an Antivirus that is up to date on all computers that have connections to the business.
  • Never open up any unknown email, ransomware is mostly past through emails so keep an eye out.
  • Make sure all your data is backed up. A ransomware attacker will encrypt your files and/or disable your permissions to open these files and request a fee to unlock those files. If you have all this data backed up, you won't need to worry since those files will be saved elsewhere.
  • Using decryption programs might make the situation worse by damaging your files, so be sure to back up everything important.
  • Also, if you ever do get infected with ransomware, do not comply with any of their requests -- usually money.
  • If infected with ransomware, you will need to reformat your computer to ensure complete removal of infection.This means everything in your computer will be wiped out.

Benjamin CaudillBenjamin Caudill

@RhinoSecurity

Benjamin Caudill is the Founder and Principle Consultant at Rhino Security Labs. An expert in cybersecurity and hacking, Benjamin has worked as a penetration testing (ethical hacker) and digital forensic examiner, with clients ranging from defense contractors and governments to financial institutions and more. He has presented research at conferences such as Defcon and has been featured on CNN, Wired, Washington Post, CNET, and others.

"Every security model revolves around prevention, detection, and response – and handling ransomware is no exception..."

Traditional security implementations, such as anti-virus and firewalls, are common basics but are easily circumvented when social engineering and technical expertise are used to target an unexpected user. When malware is embedded in macros, uses PowerShell to hide its malicious commands, or is just encrypted to evade antivirus, additional protections must be used.

Effective ransomware prevention includes anti-virus, but doesn’t end there. Host-based intrusion detection/prevention (HIDS/IPS), and file integrity monitoring (FIM) are also critical components. While effective when configured correctly, these tools can develop a strong tie between prevention, detection, and response methods. Utilizing an intrusion detection system (IDS/IPS) creates another layer of defense, identifying malicious behaviors antivirus may overlook. File integrity monitoring helps in a similar way, identifying when data is changed or manipulated. ​Simply by preventing changes to these critical files, some ransomware infections can be stopped before they begin.

Traditional protections, such as antivirus and firewalls, are not enough to protect your systems and users from ransomware and similar malware. However, with a depth-in-defense strategy on your network and endpoints, you can keep from being the next victim.

While defense-in-depth acts as a successful overall strategy to mitigating ransomware attacks, a managed security provider is the means behind such an intuitive and interconnected strategy. A managed security provider can help monitor and ensure your active defense strategy meets compliance needs as well as protects assets on your network so no one is surprised by ransomware or scareware attacks.


Carl MazzantiCarl Mazzanti

@emazzanti

Carl Mazzanti is the founder and CEO of eMazzanti Technologies, a premier IT security consulting firm throughout the NYC Metro area and internationally. A frequent business conference speaker and technology talk show guest, Carl has often contributed at Microsoft-focused events, including the Microsoft Worldwide Partner Conference (WPC).

"The best defense against ransomware is to..."

Use a cloud-delivered network security service that observes Internet infrastructure before attacks are launched to prevent malicious Internet connections. Organizations stop up to 98 percent more attacks than firewalls and antivirus alone by pointing DNS traffic to such a service. It continuously observes new relationships forming between domain names, IP addresses, and autonomous system numbers (ASNs). This visibility enables it to discover, and often predict, where attacks will emerge before they launch.


John PenlandJohn Penland

John Penland is the owner of InfoTech and has first hand experience dealing with the ransomware virus. When one of his customers was affected by this virus, InfoTech was able to recover the data and remove the virus with only one hour of downtime to the client and no data loss.

"Businesses today are threatened by not just their competitors, but a far worse threat that can literally bring a business to its knees in five minutes called ransomware, and if you don’t think your business is a target due to its small size..."

You’re wrong…dead wrong. Ransomware does not care about the size or status of your business, it cares about one thing: How much money are you willing to pay to get your data back?

Being prepared for ransomware goes far beyond buying the most expensive firewall and antivirus. In order to be prepared for a ransomware attack, you have to be prepared to restore your data, because the virus will always find a way in. It’s the IT Admins' jobs to get the virus out and minimize its destruction. Being prepared means having compartmentalized data access (no one user should have full control of your data) across your domain and having backups not be synced with your domain. This prevents the virus from corrupting all your data and including your backups. Most companies under 200 employees have or still use an external hard drive connected to their servers as a backup solution. Ransomware will encrypt these companies and their backup data, rendering them helpless until a fee is paid to get their data back.

To be prepared, companies need to have the following items in place: Firewall with strict web filtering and block foreign ip addresses outside the US if possible, on site and cloud based backup solutions not synchronized with their current domain (i.e., their backups need to keep separate copies of the data and not linked copies), domain admins never need to access the internet while logged in to their accounts, email filtering and scanning and end users need to be educated on the threat and not to open attachments from unknown senders.

Having all these factors covered will help ensure that when (not if) you are attacked you can quickly and effectively contain the outbreak and recover your data with out paying a ransomware fee to these cyber terrorists.


Cosette JarrettCosette Jarrett

@teamHSI

Cosette is an ISP and cyber security expert at HighSpeedInternet.com. She is also a regular contributor to several tech publications where she provides advice and insights on broadband, IoT, consumer tech, and online security.

"There are a few key ways companies can defend against ransomware attacks..."

1. Keep company-owned devices off of public Wi-Fi. Six million internet users were attacked by malware in 2015. Public Wi-Fi has consistently been a key contributor to these attacks over the years. If your employees take company laptops, tablets, etc. out of the office, be sure to warn them to either avoid or at least use caution on public Wi-Fi networks. More specifically, be sure that your employees avoid unencyrpted Wi-Fi connections and ask them to stick to HTTPS sites as they browse.

2. Ensure that security software is up-to-date. According to our recent survey, 82.5% of respondents ignored prompts to update their software. The longer you run company devices without updating their security software, the more vulnerable your company information becomes to potential attacks.

3. Require strong passwords for company databases. Keeping track of a variety of strong passwords can be a bit difficult, but it's definitely worth while when you consider the cost of potential attacks. One of the best ways to keep sensitive information safe is to require strong and varied passwords for employee access all company databases. PC World offers up an excellent guide to help employees securely store passwords.


Ray WalshRay Walsh

@BestVPN_com

Ray is a freelance journalist and blogger from England who writes for BestVPN.com. He's highly interested in politics, in particular the subject of International Relations, and an advocate for freedom of speech, equality and personal privacy.

"To defend against ransomware, businesses should..."

Businesses should engage in a minimal privileges approach, where staff are given the least authority in company systems as is possible. A method for banning staff from going on unnecessary web pages is also advisable. Backups should be done regularly, either with an online option or on an offline unconnected system. Restore options should also be staggered and go back in time, so that there is always a back up available from before the infection.

Next, businesses should ensure that security software, the operating system, and any other software used is completely up to date. An old version of an antivirus is as bad as having none at all when you understand how quickly new versions of malicious software surface. A layered approach with email scanning will detect malicious files before they get onto your system. Intrusion prevention software can also stop unwanted executables from launching and should be strongly considered.


Andy FeitAndy Feit

@checkpointsw

Andy Feit is Head of the Threat Prevention Product Line for Check Point with overall responsibility for strategy, positioning and go-to-market activities. Before joining Check Point, he was a co-founder and CEO of Enlocked, an email security company focused on small- to mid-size businesses. He has also held several executive positions at information management software companies including MarkLogic, Verity, Quiver, Inktomi and Infoseek, as well as serving as director and principal analyst for market research firm Gartner.

"There are 2 significant factors that are making ransomware much tougher to stop today..."

1. Aggressive use of social engineering. The hackers are conducting more and more research into their targets, and they are specifically targeting enterprise customers, not just random consumers or end-users. The phishing emails with ransomware in attached documents that we are seeing today are incredibly sophisticated. They are spoofed to appear to come from a legitimate service provider or supplier to the target company, they reference recent activity the company has likely had with the 3rd party, and the attachment appears to be quite relevant. These are a far cry from the poorly-written blanket SPAM of past year's campaigns.

2. Leveraging exploit kits and other tools to avoid detection. The recent Verizon Data Breach Investigations Report found that most malware was only seen once, and the life span of 99% of malware was only 58 seconds, and then it was never seen again. This means that the majority of attacks will not match signatures used by simple anti-virus solutions.

To fight these unknown variants of ransomware, organizations need to block malware the first time it is seen. One of the most powerful prevention techniques is sandboxing, but it must be deployed in full blocking mode. Sandboxing opens files (email attachments, or web downloads that were linked in the email or hosted on a watering hole site) and then runs them in a virtual environment watching for malicious behavior. If the file is deemed safe it can then be released to the user.

The challenge for organizations with this technology is that it can take several minutes to get a verdict on a file from sandboxing, so how do you allow users to work without introducing a delay? One solution for this is threat extraction technology that can create clean, reconstructed versions of documents that remove macros and scripts, allowing the user to immediately view the document, and then get access to the original once it has been fully evaluated.

Nate Lord

WHITEPAPERS

Stopping Cyber Threats: Your Field Guide to Threat Hunting

Nate Lord

Nate Lord is editor of Data Insider.

Free Trial 2017 Gartner DLP MQ Contact Us