Ransomware on the rise: What you need to know

Thursday, March 24, 2016

Ransomware was first recognized almost 25 years ago, and it has become more and more sophisticated in its execution and potential impact. But what is it, and how can it be avoided?

Ransomware is a type of malware that restricts access to files on the infected computer system in some way and demands that the user pay a ransom to the malware operator to remove the restriction. Most forms of ransomware encrypt the files on the system’s hard drive, which are then impossible to decrypt without paying the ransom for the encryption key. Other forms may simply lock the system and display messages intended to coerce the user into paying. It’s not cheap to get information back, either: ransoms from hundreds to thousands of dollars are demanded to decrypt the files, usually in an untraceable form of payment such as bitcoin.

Ransomware typically spreads as a Trojan horse, with its payload disguised as a seemingly legitimate file. Computers become infected when users open e-mail attachments that contain the malware. More recently, however, a growing number of incidents involving so-called “drive-by” ransomware infections are being reported. Users, who are often lured to a site by a deceptive e-mail or pop-up window, unintentionally infect their computers simply by visiting a compromised website or clicking a link. And in 2014, a variant of encrypting ransomware called “RansomWeb” surfaced that is able to compromise and encrypt entire websites.

All types and levels of computers are at risk from ransomware, including computers used at home or for business, and in financial institutions, government agencies, universities, schools, and other organizations. It also threatens America’s critical infrastructure, such as the electrical grid and water and sewer systems.

So how do you protect your hospital, clinic or small practice from this growing threat? 

Because ransomware is often discovered as a “zero-day threat,” meaning no patches or anti-virus signatures yet exist to recognize and protect against the infection, such solutions prove ineffective at containing the damage. The recommended approach is therefore to implement mitigating controls that minimize the impact, as part of a multi-layered approach to IT security.

Implement a regular backup program

First and foremost, implement a regular backup program that allows your business to recover entire volumes of data. Ransomware-encrypted files are nearly impossible to decrypt, and paying the ransom does not always result in recovery. Having recovery points at least once a day is recommended to minimize lost productivity. Having those recovery files separated from the infected system is critical as well, as is testing backups to ensure they function properly when needed.

“Only three things will save you if you get hit: backups, backups and backups.” — Dr. Peter Stephenson, SC Magazine

Provide only the minimum required security rights to users

The damage ransomware can inflict is dependent on the rights of the user logged on during the infection. Ransomware will be able to encrypt only the files the user has the rights to modify. Therefore, it’s best to provide only the minimum required security rights to users. A user with administrative rights to an entire network can inadvertently cause serious damage. 
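As an added illustration of the point above (this script is not from the original article), the following Python estimates how many files under a directory tree a given user could modify, which is the set that ransomware running with that user's rights could encrypt. It evaluates plain POSIX mode bits only, builds its own constructed sample tree, and ignores ACLs, root override and Windows permissions; the user ids and file layout are assumptions for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path


def mode_allows_write(st, uid, groups):
    """POSIX permission-bit check for one file: owner, then group, then other.
    ACLs, the immutable flag and root's override are deliberately ignored (demo assumption)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def blast_radius(root, uid, groups):
    """Count regular files under `root` that a user with `uid`/`groups` can modify.
    Returns (writable, total, sample_paths); `writable` is the ransomware exposure
    for an account with those rights."""
    writable, total, sample = 0, 0, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue
            total += 1
            if mode_allows_write(st, uid, groups):
                writable += 1
                if len(sample) < 5:
                    sample.append(path)
    return writable, total, sample


def build_demo_tree():
    """Constructed sample data: a temporary tree with mixed permissions (not real records)."""
    root = tempfile.mkdtemp(prefix="blast_")
    layout = {"records/patient1.txt": 0o644, "records/patient2.txt": 0o664,
              "policy/readonly.pdf": 0o444, "shared/notes.txt": 0o666}
    for rel, mode in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        p.chmod(mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    owner = os.lstat(demo)
    w, t, s = blast_radius(demo, owner.st_uid, {owner.st_gid})
    print(f"{w}/{t} files writable as the owning user; e.g. {s}")
```

Run it against a real file share with the uid and groups of an ordinary account to compare that exposure against an administrative one.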

Consider disabling Adobe Flash content through a web proxy or firewall

Ransomware delivery mechanisms can be disabled, albeit at an operational cost. The most prevalent means of delivering ransomware is Adobe Flash. Disabling Flash content through a web proxy or firewall can prevent that infection mechanism. The downside is that many websites deliver content through Flash, including computer-based training and news media outlets. The good news is that the inherent vulnerabilities of Flash are being recognized by content providers and many are beginning to migrate away from the technology.

Use application whitelisting to monitor how software behaves

The use of application whitelisting technology, which involves installing software on end-user workstations to monitor how software behaves and interacts with the operating system, can be an effective tool for preventing ransomware damage. If an infected file attempts to deploy malicious code, that behavior will be recognized and intercepted before any damage is done. Application whitelisting is not inexpensive, but organizations with vital systems such as an electronic health records (EHR) system or hospital environmental controls may decide it’s worth the investment.

Consider cyber insurance

Due to the increase in ransomware threats, cyber insurance is increasingly becoming an industry standard. Many cyber-insurance policies provide some coverage for cyber extortion; however, you must read the policy carefully and consult with IT professionals and attorneys to ensure you are purchasing the right policy for your needs.

Educate employees about cyber extortion

If they don’t know what it is, they can’t help you prevent a breach. So educate employees and end-users about cyber extortion as it relates to safe email and web-browsing practices. Go further by regularly evaluating their behavior when sent internal test emails tempting them to click.

Ransomware is a new and complex threat that shows no signs of abating. Still, with a coordinated multi-layered security approach and the implementation of mitigating controls to minimize the impact, an organization can become well-positioned to defend against it.

Bibliography

Gresham, Thomas. "Mitigating Ransomware." SC Magazine. Haymarket Media, Inc., 01 Feb. 2016. Web. 14 Mar. 2016.

Stephenson, Peter. "Decoding Ransomware- Part 1." SC Magazine. Haymarket Media, Inc., 09 Mar. 2016. Web. 14 Mar. 2016.

Navera, Tristan. "Cyber Attack Hits Dayton-area Organization Miami Valley Regional Planning Commission - Dayton Business Journal." Bizjournals.com. Bizjournals.com, 6 Aug. 2015. Web. 14 Mar. 2016.

Johnson, Lindsay. "Guest Column: Cyber Extortion and Ransomware Are a Growing Cyber Threat to Businesses - Dayton Business Journal." Dayton Business Journal. Bizjournals.com, 7 Dec. 2015. Web. 14 Mar. 2016.

"Ransomware." Wikipedia. Wikimedia Foundation, 14 Mar. 2016. Web. 14 Mar. 2016.

Staff, FBI. "Ransomware on the Rise." FBI. FBI, 20 Jan. 2015. Web. 14 Mar. 2016.

Writer: Doug Welks, 765-494-0768, dwelks@purdue.edu

Tags: Health IT Security

Purdue University, West Lafayette, IN 47907 (765) 496-1911
