Ransomware attack: what can you do?
Ransomware encrypts files on computers, rendering them inaccessible and completely unusable. The ‘WannaCry’ virus, for example, exploits a vulnerability in the Windows operating system, which makes infection and fast distribution of the virus relatively easy. How do you ensure that you and/or your organization are protected in the event of a subsequent cyberattack?
The damage is huge
The impact of the recent “WannaCry” cyber-attack has proven to be enormous: in a very short period more than 270,000 computers in 99 countries have been infected. Hospitals, factories and other organizations have seen interruption to regular operations due to infection with this computer virus.
Distributors of this computer virus are demanding a ransom from their victims to remove the encryption. Paying this ransom after an infection is highly ill-advised, as the cybercriminals responsible for this attack do not cancel the encryption after the ransom has been paid. Furthermore, Europol and the National Cyber Security Center (NCSC) also do not recommend paying the ransom if your systems are infected.
Remarkably enough, Microsoft had just released an update in March to patch the vulnerability in their Windows operating system. To keep security incidents and calamities like last week’s ransomware outbreak in check, organizations can take a number of measures. Here we can distinguish between ‘Quick Wins’ and more structural solutions.
Quick wins are:
- Ensure that security updates and patches are installed in a timely manner. This prevents cybercriminals from taking advantage of known vulnerabilities in your corporate network and operating system.
- Build strong security awareness within your organization. Train your employees to recognize suspicious emails and, above all, teach them why they should not open those emails. In many cases, human beings are still the weakest link in the information security domain.
- At all times, ensure a proper external backup. The most commonly used measure to recover from a ransomware infection is to restore from a backup. Of course, it is important that this backup itself is not infected. By keeping or saving the backup outside the business network, it is less vulnerable to infection if you are affected by ransomware.
Structural measures are:
- Ensure you have a thorough information security policy and plan. Such policies identify threats and measures to counter security incidents, calamities and data leaks. By addressing information security in your policy and planning, you reduce the chance of calamities and are better prepared if an unforeseen security incident does occur.
- Regularly carry out a scan of your corporate network and web applications. Such a ‘vulnerability assessment’ consists of a semi-automated scan by specialized software that identifies possible vulnerabilities and leaks. On the basis of such a scan, appropriate measures can be taken to close those vulnerabilities and prevent incidents.
- Segment your network and manage authorizations. By dividing your network into different compartments, also called segmentation, ransomware distribution can be delayed. The compartments form an additional barrier within the network in case of a virus outbreak. In this context, it is also important to restrict the rights of users. The more users have access to data on your network, the more files can be infected and the faster this happens. Ransomware exploits user accounts with many write privileges, such as accounts with ‘administrator’ permissions.
- Ensure you have a thorough Service Level Agreement (SLA) with your external IT service provider. The management of IT is increasingly being outsourced, often to external parties offering so-called ‘managed services’. The security aspect should also be guaranteed in such an agreement. Tasks and responsibilities of both the service provider and your organization must be formulated clearly and preferably measurably.
- Select external IT service providers that are demonstrably ‘in control’. More and more IT service providers are having audits conducted by an independent third party. This demonstrates that their processes and risk management are in order. Ask your external IT service provider to prepare, for example, an ISAE 3402 report or make sure that such ‘in control reporting’ is part of your selection criteria.
Advice for taking measures
Recent events show how important it is to install security updates in a timely manner to prevent minor and major disasters.
Be sure to protect your organization against cyberattacks. Crowe Peak IT Advisory specializes in information security. Contact us for advice on the measures you can take, or visit our IT Privacy & Security seminars on June 15th in Nijmegen and September 6th in Rotterdam (Dutch spoken).