It’s no secret to anyone who’s been paying attention to global business news: over the last few months, ransomware attacks have been plaguing organizations across every vertical and nation. Recent examples include events in the healthcare and legal industries in particular, notably the widely reported attacks on the MedStar Health hospital chain. In the case of Hollywood Presbyterian Medical Center, cybercriminals collected $17,000 in bitcoin from the hospital; staff were left without critical systems for processing patient data until the ransom was delivered, and the attackers left no trace of who they were. Cybercriminals are beginning to target organizations within these industries specifically because of the wealth of sensitive data that they possess, as well as a lack of resources dedicated to protecting those critical assets.
When ransomware attacks first began years ago, malicious parties were targeting ordinary people outside of corporate environments in an effort to make a quick few hundred dollars. Attacks were often structured as generic, mass-delivered e-mails or website pop-ups, and required victims to click a link to download malicious content that would encrypt their machine or sensitive data. Now attackers have seen the weaknesses exhibited by large companies and are taking aim at these “big fish,” in search of a larger reward. Attacks are taking on a human persona, with cybercriminals targeting specific individuals with spear-phishing e-mails that give the appearance of having been sent from a verified person. In some cases, the attacks can also be delivered via drive-by downloads that exploit common vulnerabilities.
Ransomware attackers will often move through various targets within an organization, seeking an open vector for the attack. Rather than taking a scattershot approach, miscreants typically spend some time researching the structure of the organization they are targeting, finding the most vulnerable employees and customizing the attack to be most successful with the target victim. Often, these attacks are untraceable once the ransom has been collected, because payment is typically demanded in bitcoin and the attackers’ payment sites are only accessible via Tor.
As these types of attacks continue to increase in frequency and sophistication, it is important for organizations to keep in mind the following tips for protecting themselves against ransomware:
• Users are the best defense available – Because cybercriminals are targeting individual users within an organization for these attacks, those users have the greatest power to protect the company’s data. By providing them with simple tools, such as password management tips, or a checklist of what to do if they receive a suspicious e-mail, an organization can help prepare its front line of defense for an inevitable attack. In addition, companies should conduct regular cybersecurity training sessions to keep employees up to date on the latest methods of attack and how to recognize them.
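As an added example (not part of the original article), the following Python script turns part of a “suspicious e-mail” checklist into header checks that a help desk or mail gateway could run before a user acts on a message. It looks for the spear-phishing pattern described above: a message that appears to come from a known person while the actual sender address, reply address or domain say otherwise. The organization domain `example.com`, the one-entry staff directory and the sample messages are all constructed placeholders for illustration.

```python
"""Header checks for a suspicious-e-mail checklist (added example, not from the article).

Assumptions: the organization's domain is the placeholder 'example.com', the
DIRECTORY below stands in for a real staff directory, and the sample messages
are constructed for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed placeholder for the organization's own domain
# Constructed directory of people an attacker is likely to impersonate
DIRECTORY = {"jane doe": "jane.doe@example.com"}
# Pressure language that often appears in spear-phishing subjects
URGENCY = ("urgent", "immediately", "wire", "invoice overdue", "account suspended")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw, org_domain=ORG_DOMAIN, directory=DIRECTORY):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Display name matches a known colleague, but the address is not theirs
    expected = directory.get(display.strip().lower())
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"display name '{display}' belongs to {expected}, "
                        f"but the message was sent from {from_addr}")

    # 2. An address written into the display name that disagrees with the real one
    _, embedded = parseaddr(display)
    if "@" in embedded and domain_of(embedded) != from_domain:
        findings.append(f"display name shows {embedded}, real sender domain is {from_domain}")

    # 3. Reply-To steers answers to a different domain than the visible sender
    reply_domain = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 4. Sender domain is a look-alike of the organization's domain
    if from_domain != org_domain and org_domain.split(".")[0] in from_domain:
        findings.append(f"sender domain {from_domain} resembles {org_domain}")

    # 5. Subject line uses pressure language
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY if w in subject]
    if hits:
        findings.append("subject uses pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail)
PHISH_LOOKALIKE = (
    b'From: "jane.doe@example.com" <jane.doe@example-com.net>\r\n'
    b"Reply-To: payments@freemail.invalid\r\n"
    b"Subject: URGENT wire transfer needed today\r\n\r\n"
    b"Please process the attached invoice.\r\n"
)
PHISH_IMPERSONATION = (
    b"From: Jane Doe <jd.personal@mail.invalid>\r\n"
    b"Subject: Quick question\r\n\r\nAre you at your desk?\r\n"
)
LEGIT = (
    b"From: Jane Doe <jane.doe@example.com>\r\n"
    b"Subject: Lunch on Thursday\r\n\r\nSame place as usual?\r\n"
)

if __name__ == "__main__":
    for name, sample in (("lookalike", PHISH_LOOKALIKE),
                         ("impersonation", PHISH_IMPERSONATION),
                         ("legit", LEGIT)):
        print(name, check_headers(sample) or "no findings")
```

None of these checks proves a message is malicious on its own; the point is that each finding maps to a concrete line on the user checklist (“does the address match the name?”, “where do replies go?”), so a reported message can be triaged consistently instead of by gut feeling.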
• Practice smart patch management – To truly secure machines, companies must put a process in place and dictate the appropriate steps to take when patches for well-known vulnerabilities become available. Patch management isn’t easy; it’s a never-ending cycle that requires regular maintenance if it’s going to be successful. Organizations must move beyond simple compliance to proactively working to prevent vulnerabilities from being exploited.
• Back up your data – Always conduct regular backups to save your data off-site in a secure location. If you have to wipe the infected machines you can always restore your data with the latest backups.
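A backup is only useful if it is current and has not itself been encrypted or altered. The following Python example (added here, not from the article) records a SHA-256 manifest for a backup tree and later verifies it, reporting files that are missing, modified or unexpected, and whether the backup is older than an allowed age. The directory layout and file contents are constructed in a temporary directory for illustration; the check is meant to run from a separate machine that holds the manifest read-only.

```python
"""Backup manifest and restore-readiness check (added example, not from the article).

Assumes a backup copy lives in a directory tree. Everything written below is
constructed in a temporary directory for illustration.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, created=None):
    """Record path, size and hash of every file under root."""
    root = Path(root)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"created": time.time() if created is None else created, "files": files}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest, max_age_seconds=86400, now=None):
    """Compare the tree against the manifest and flag staleness."""
    root = Path(root)
    now = time.time() if now is None else now
    expected = manifest["files"]
    report = {"missing": [], "modified": [], "unexpected": [], "stale": False}
    for rel, info in expected.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)          # deleted or renamed (e.g. new extension)
        elif sha256_file(p) != info["sha256"]:
            report["modified"].append(rel)         # contents changed since the manifest
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in expected:
                report["unexpected"].append(rel)   # files the backup job never wrote
    report["stale"] = (now - manifest["created"]) > max_age_seconds
    report["ok"] = not (report["missing"] or report["modified"]
                        or report["unexpected"] or report["stale"])
    return report


def demo():
    """Build a constructed backup, verify it clean, then verify it after damage."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patients.csv").write_bytes(b"id,name\n1,constructed\n")
        (root / "notes").mkdir()
        (root / "notes" / "a.txt").write_bytes(b"constructed sample")
        manifest = build_manifest(root, created=1_000_000)
        save_manifest(manifest, root.parent / "manifest.json")  # normally kept elsewhere, read-only
        clean = verify_backup(root, load_manifest(root.parent / "manifest.json"),
                              now=1_000_000 + 3600)
        # Reproduce the state an encryption event leaves behind: a file overwritten,
        # a file renamed with a new extension, and a note dropped into the tree.
        (root / "patients.csv").write_bytes(b"\x00\x13\x37 constructed garbage")
        (root / "notes" / "a.txt").rename(root / "notes" / "a.txt.locked")
        (root / "README_RESTORE.txt").write_bytes(b"constructed note")
        damaged = verify_backup(root, manifest, now=1_000_000 + 3 * 86400)
        (root.parent / "manifest.json").unlink()
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("damaged backup:", after)
```

Run the verification on a schedule and treat any non-empty `modified` or `unexpected` list, or `stale` being true, as an incident to investigate, not a warning to snooze: a backup that fails this check is exactly the one you will need when the infected machines have to be wiped.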
• Don’t pay the ransom – Suggestions on this point vary, but from my point of view, organizations should never pay the ransom demanded by an attacker, unless the attackers have taken the company’s most critical asset and there is absolutely no way of retrieving it. In most cases, it’s likely that non-critical information can be recovered from backups, or from a file that’s been e-mailed between employees (for example, an Excel spreadsheet). Once an organization has paid a ransom, it is flagged as a “payer,” marking it as an even bigger target because attackers know that it will meet demands. Once the ransom is paid, there’s nothing stopping those same hackers from coming back and attacking time and time again, with larger and larger ransoms.
Organizations responsible for sensitive customer or patient data, particularly those in the healthcare and legal space, need to be extremely careful to ensure that they are prepared when an attack comes knocking. Preparing for ransomware attacks may seem difficult or time-consuming, but preventing your organization from succumbing to an attack is well worth the effort. Focusing on the sensitive data that cybercriminals are after is the first step towards keeping ransomware attacks at bay and the company’s critical assets protected.