Ransomware attacks just went big time. In a period of mere hours late last week, a global ransomware attack infected more than 200,000 computers and affected more than 100,000 organizations in over 150 countries. To put this attack in perspective, researchers estimate that there were about 4,000 ransomware attacks per day in 2016. While the latest worldwide attack has been temporarily halted by a kill switch (a domain name the malware checks before spreading; registering that domain stopped the original variant from propagating), there are reports that new variants of the malware have already been spotted.
This attack has created systemic failures across a number of critical industries in Europe—including health care and telecommunications—triggering the first-ever use of EU-wide cyberattack response mechanisms. Although the United States appears to have fared far better, now is the time for all organizations to ensure that they have taken appropriate steps to prevent and respond to a ransomware attack directed at networked computers.
A little background on the recent WannaCry ransomware attack may help. In general, a ransomware attack involves launching malware onto a computer or mobile device that encrypts files on the device (and possibly on any networked devices) and withholds the decryption key unless and until the victim pays a "ransom." The malware in last week's attack, known as "WannaCrypt," "WannaCry," or "Wana Decrypt0r," was initially reported to have been launched onto individual computers primarily by spear phishing emails. It then exploited a vulnerability in the SMBv1 file-sharing service of the Microsoft Windows operating system, which Microsoft had patched in March 2017 (security bulletin MS17-010), to propagate on its own to any unpatched computer reachable over TCP port 445, whether on the local network or, for machines exposing that port directly, across the internet.
Thus, instead of infecting just one computer, this variant of ransomware spread by itself to every vulnerable computer reachable from an infected one, a worm-style attack that is much more dangerous and increasingly common. This is a vivid illustration of the notion that an organization's cybersecurity is only as good as each individual user and device. It also shows that a large cybersecurity budget does not equate to security if an organization fails to practice basic cyber hygiene, such as quickly patching critical vulnerabilities in operating systems.
Organizations evaluating their level of preparedness to prevent and respond to ransomware attacks should consider the following:
- Train all device users on recognizing and avoiding the most common malware attack vectors. This includes spear phishing emails, other social engineering-based attacks, and drive-by downloads (where a compromised or malicious website exploits the browser or a plug-in to install malware when a user merely visits it). Test users' knowledge of and facility at avoiding such attacks.
- Implement robust anti-malware technical controls, including:
  - Automatically or quickly patching vulnerabilities in operating systems, firmware, software, and browsers;
  - Disabling legacy protocols such as SMBv1 and blocking TCP port 445 at network boundaries, which stops this variant's propagation even on machines that are not yet patched;
  - Disabling Office macros networkwide, or at least allowing only digitally signed macros;
  - Sandboxing email attachments to identify malicious files;
  - Deploying intrusion detection and prevention systems;
  - Keeping anti-virus and anti-malware software and signatures current;
  - Limiting software downloads to trusted sites and providers;
  - Enforcing strong password policies;
  - Using multi-factor authentication for remote access;
  - Protecting domain credentials;
  - Restricting user access based on the principle of least privilege;
  - Maintaining regularly tested backups that are kept offline or otherwise unreachable from the network, so that encrypted data can be restored without paying a ransom; and
  - Encrypting personal data, since a ransomware attack that reaches such data while it is unencrypted may trigger notification obligations.
- Ensure that your incident response plan includes an effective and tested strategy for ransomware attacks. Points to consider include:
  - Training incident responders and users on the immediate steps to take upon detection of a ransomware attack. This should include protocols for isolating affected devices and network segments to avoid propagation (disconnecting a device from the network preserves more evidence than powering it off).
  - Establishing both internal and external response teams that are experienced in responding to ransomware attacks.
  - Defining thresholds for activating a scalable internal and external incident response team appropriate to the needs of the particular incident.
  - Outlining key containment, remediation, and investigative steps based on scenarios built around known attacks and malware. This should include steps to contain, analyze, and eradicate the malware; identify and log ingress and egress traffic between the malware and its command and control servers; remediate the vulnerabilities targeted by the malware; catalog all investigative steps and collect all relevant evidence; and restore data, devices, and systems to return to normal business operations as quickly as possible.
  - Creating escalation thresholds for internal notification of different levels of management, the board of directors, business units, employees, partners, and other impacted parties.
  - Creating escalation thresholds for external notification of business partners and the supply chain, customers, the media, governmental entities (including law enforcement agencies and regulators), and others who may be impacted.
  - Preparing alternate communications, operations, and investigative protocols and infrastructure for use during an attack that compromises or disables devices, data, or systems. This should include a means of obtaining and implementing alternate hardware, software, communications systems, and work sites to maintain or restore business operations and investigative activities.
  - Defining under what, if any, circumstances your organization will negotiate with attackers or pay a ransom. This should include identifying all necessary decision makers, setting amount limits, and establishing a means of obtaining and making payment in virtual currency.
  - Aligning related policies and procedures to account for ransomware-based interruption of operations or services; destruction of data, devices, or other equipment; and preservation of all evidence of the attack.
  - Preparing internal and external communications plans to address foreseeable ransomware incidents.
  - Cataloging all legal obligations and rights under statute, regulation, contract, and common law in the event of a ransomware attack, including notification obligations to regulators and impacted parties.
  - Testing your incident response plan under simulated attack conditions.
- Irrespective of whether your organization is victimized, incorporate lessons learned from malware-based attacks to improve proactive defenses and incident response.