In October 2019, the FBI issued a ‘high impact’ cyber attack warning after several state and local governments in the US were attacked by ransomware. Schools and healthcare facilities were also warned as they are considered soft targets for criminal enterprises. Ransomware attacks are not as frequent as they used to be, but they are becoming more sophisticated, so the impact and losses are greater.
There are three major attack techniques: email phishing schemes, remote desktop protocol vulnerabilities and software vulnerabilities. Phishing is the most common vector of a successful attack, especially for small businesses and personal systems, because ransomware is essentially malware that can arrive as an attachment or be downloaded from a clicked link. As phishing schemes have become more sophisticated, attackers have an easier time fooling people, which is why phishing plays a huge role in the spread and propagation of all malware, including ransomware.
Ransomware is a serious threat. Preventing it follows the same rules as preventing malware, which essentially means that your systems must have regular offsite and gapped backups. You must ensure that your backups cannot be reached by your primary system when backups aren’t actively occurring. If that precaution is taken, then ransomware can be mitigated by simply reformatting the drives or removing them and refreshing the data with backups.
Containing ransomware depends on how it is structured. Most people have the instinct to shut the system down and cut it off from everything else, but that is a mistake. Shutting down the system takes away any chance of recovery, which requires access to volatile memory to try to locate the encryption keys. A better approach is to remove the system from the network, unmount any affected drives if possible, and, if you are able to start monitoring or recording what is in RAM, do so immediately.
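The containment sequence above as an added example (not from the original article): a small POSIX shell helper for a Linux host that isolates the network, captures RAM while the keys may still be resident, and only then detaches the data volumes, never powering off. Tool names (avml, LiME's lime.ko), the evidence mount point and the interface and mount-point names are assumptions; DRY_RUN defaults to 1 so the script only prints what it would do.

```shell
#!/bin/sh
# Added example: ransomware containment helper for a suspected Linux host.
# Order matters: isolate first, capture memory second, unmount last; do NOT power off.
# DRY_RUN=1 (the default) prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
# External, write-once evidence media mounted beforehand (assumed path).
EVIDENCE="${EVIDENCE:-/mnt/evidence}"

run() {                       # execute, or print when DRY_RUN=1
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: pull the host off the network without shutting it down.
# Interfaces are passed explicitly so nothing depends on parsing `ip` output.
isolate_network() {
    for ifc in "$@"; do
        run ip link set dev "$ifc" down
    done
}

# Step 2: snapshot volatile memory while encryption keys may still be in RAM.
# Prefers avml (Microsoft's Linux acquisition tool) when installed; otherwise
# assumes a prebuilt LiME module is staged on the evidence media.
capture_memory() {
    ts=$(date -u +%Y%m%dT%H%M%SZ)
    if command -v avml >/dev/null 2>&1; then
        run avml "$EVIDENCE/mem-$ts.lime"
    else
        run insmod "$EVIDENCE/lime.ko" "path=$EVIDENCE/mem-$ts.lime format=lime"
    fi
}

# Step 3: lazily unmount the data volumes the encryptor is writing to.
# -l detaches even if a file is still open, so an in-progress write cannot block it.
unmount_data() {
    for mp in "$@"; do
        run umount -l "$mp"
    done
}

# usage: contain "eth0 wlan0" "/srv/share /mnt/data"   (space-separated lists)
contain() {
    isolate_network $1
    capture_memory
    unmount_data $2
}
```

Run it as root with DRY_RUN=0 only after reviewing the printed plan; the memory image and the isolated host are what forensics and law enforcement will want to see.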
If you find yourself or your business under attack, there is always risk mitigation to consider. The FBI will always recommend NOT paying the ransom, because it empowers criminal entities to continue what they are doing. However, if the damage would be millions of dollars, the ransom is $500, and attempting to recover the data would cost thousands of dollars, it is worth trying to pay the ransom. In that event, the incident should still be reported. Make sure forensics and law enforcement are aware. Inform your insurance company, as ransom is tax deductible. Inform the security community so that security practitioners and law enforcement can try to prevent future attacks.
The biggest keys here are to ensure you have regular gapped backups of your data in a location not connected to your primary systems, and to NOT power down during an attack. Regular gapped backups will save your business from being crippled by an attack, and may in fact prevent you from having to spend any money on recovery. Plus, simply separating the exposed machine from the network and taking the affected drives offline, rather than powering it off, gives you a chance to find the culprit responsible for the attack and prevent further attacks on other businesses.