Ransomware is a malicious piece of software that encrypts a user or company’s files. Once encrypted by an attacker it is almost impossible for the victim to regain access to the files without a “decryption” key that is held by the attacker or “file kidnapper”. The “kidnapper” of the file(s) then demands a fee from the company to regain access to its own files. Typically, the attacker, sets a short time span -- usually 72 hours or less -- for the infected user or entity to fork over a ransom. (Attackers do not like to leave digital trails and use temporary servers to accomplish their illicit activity). The ransom is usually payable in Bitcoin – an anonymous currency increasingly popular with criminals. The hackers will display some sort of screen or webpage explaining how to pay to unlock the files.
Attackers use phishing emails, unpatched programs, compromised websites, online advertising and free software downloads to infect a user. However, not only can ransomware encrypt files on a single computer or user, but the software may also be programmed to travel across, say a hospital network, and encrypt any files located on shared network drives. This can lead to a catastrophic situation whereby one infected user can bring an entire company to a halt
Clearly for hospitals and physician practices, losing access to information systems can bring clinical workflows to a crawl and result in significant productivity losses. More dangerously it could lead to serious patient safety concerns e.g. if the attacked system manages a radiological image database critical to the operating room.
So what can be done to prevent such attacks from occurring?
- Perform ongoing user-awareness education: Because most ransomware attacks begin with phishing emails, user awareness is critically important and necessary. For every ten emails sent by attackers, statistics have shown that at least one will be successful. Do not open emails or attachments from unverified or unknown senders.
- Keep system patches up to date: Many vulnerabilities commonly abused by ransomware can be patched. Keep up to date with patches to operating systems, Java, Adobe Reader, Flash, and applications. Have a patching procedure in place and verify that the patches were applied successfully.
- Use great caution when opening attachments: Configure antivirus software to automatically scan all email and instant-message attachments. Make sure email programs do not automatically open attachments or automatically render graphics, and ensure that the preview pane is turned off. .
- Use advanced tools that allow for behavior analysis and immediate sandboxing of threats. Such tools include gateway anti-malware engines with real time threat intelligence capabilities. These tools have improved considerably in the last two years and can make a big difference. If you don’t have an adequate approach to detecting such malware before they enter your network, consider improving your defenses.
- Backup your files regularly – ideally in the cloud. This allows you to simply move to a new computer with all your files intact. This is a critical item in your armory to fight ransomware.
- Make sure that you have an incident response plan that takes into account the specific, crippling nature of Ransomware.
If you have been compromised:
- Immediately quarantine the computer or workstation. This will prevent some malware from “hopping” to another workstation. (Some exploits have the capability to “listen” in on a network and then propagate through the network connection.)
- Disable “System Restore” on Windows.
- Run your anti-malware to scan and remove ransomware-related files. Another way to determine the scope of the infection is to check the operating system registry for any file listings created by the ransomware.
- Immediately limit end user access to mapped drives on an as needed basis.
- Note that some ransomware requires extra removal steps such as deleting ransomware files in Windows Recovery Console.
If you are out of options, you may simply have to pay the ransom. It is an unfortunate predicament but it may be the best practical solution you have. If the ransom demand requires Bitcoin, your first step is to set up an account with what is called a Bitcoin exchange and you will need to purchase some Bitcoin. Time will be of the essence as attackers usually offer short time spans to pay a ransom.
Without both a preventative plan and an adequate pre-defined response capability, one is inviting danger. CIOs and Chief Security Officers should assume that ransomware will eventually infect one or more of their computers. A solid plan to prevent attacks and a detailed play-book on how to combat ransomware if infected must be in place to minimize and contain damage.