By Steven Santamorena
Chief Information Security Officer
The Metropolitan Museum of Art
Has your organization been impacted by ransomware? If not, you likely will be in the near future. Ransomware has been evolving for several years and its proliferation continues to grow. Understanding the nature of this malware will help you keep your organization from suffering a major ransomware event. It can be particularly harmful to the intelligence community, as data is the lifeblood of the industry. If access to that data is jeopardized, the organization could be greatly impacted.
What is Ransomware?
Ransomware is a type of malicious software designed to block access to a computer system or files until a sum of money is paid. Ransomware has been around for a number of years but there has been a definite surge within the last year. The FBI estimates that 90,000 computers are infected with ransomware each day. In addition to impacting individuals, ransomware has recently had a significant impact on organizations as well. For instance, earlier this year, several hospitals in the US were severely impacted by ransomware.
What does Ransomware do?
The most common forms of ransomware use a strong encryption algorithm to encrypt data files. The malware not only encrypts the files on the computer but files that can be accessed on the network as well. Once infected, the victim will be notified by the hackers with a window similar to the one below.
Typically, the victim is given a finite amount of time to pay the ransom, which is usually between $300 and $800, before the files are lost for good. In targeted attacks, the ransom can be more than $10,000. It is recommended that, if infected, no attempt is made to pay the ransom.
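Because the encrypted output of a strong cipher is statistically indistinguishable from random bytes, a practical detection signal for the behaviour described above is the sudden appearance of many high-entropy files where documents used to be. The following is an added example written for this article, not a tool from the author or the museum; the entropy threshold and the sample "files" are assumptions chosen for illustration.

```python
"""Flag files whose contents look encrypted (added example, not from the article).

Ransomware that encrypts documents with a strong cipher leaves behind data
with near-maximum Shannon entropy. Scanning a document share for files that
score close to 8 bits per byte is a cheap early-warning check. The threshold
and the sample data below are assumptions made for this example.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Files at or above this entropy are treated as likely encrypted. Compressed
# archives and images also score high, so a production scanner should exempt
# those by extension or magic bytes rather than alert on them.
ENTROPY_THRESHOLD = 7.5  # assumed value for illustration


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: dict) -> list:
    """Return the names of files whose contents look encrypted."""
    return [name for name, data in files.items() if looks_encrypted(data)]


# Constructed sample "files" (name -> contents). The ciphertext stand-in uses
# every byte value equally often, which yields the maximum entropy of exactly
# 8.0 bits per byte; real ciphertext lands within a few hundredths of that.
SAMPLE_FILES = {
    "budget.xlsx": b"Quarterly budget: revenue 1200, expenses 900, net 300\n" * 20,
    "memo.txt": b"Reminder: the staff meeting moves to Thursday at 10am.\n" * 20,
    "budget.xlsx.locked": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:22s} entropy={shannon_entropy(data):.2f} bits/byte")
    print("suspect:", scan(SAMPLE_FILES))
```

Run against a real share, `scan` would take a mapping built from `pathlib.Path.rglob`; the useful signal is not one high-entropy file but a burst of them within minutes, so pair the check with a count per time window before alerting.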
How does it infect a computer?
There are three primary methods for delivering ransomware to computers: phishing, drive-by downloads, and remote installation.
- Phishing is an email scam by which an email user is duped into clicking on a URL link or downloading an attachment.
- A drive-by download is the unintentional download of malicious software to your computer. This usually occurs on legitimate websites which have been compromised by hackers.
- Ransomware can also be installed remotely by an attacker who has already compromised a system, as part of a targeted attack.
How can I prevent it or lessen the impact of Ransomware?
There are a few things that you can do to prevent a ransomware infection in your organization:
- Update your software. It is important to stay up to date with critical software patches. Be sure to apply patches when they become available, especially patches from Microsoft and Adobe (Flash and Reader).
- Educate your employees. Train your employees to scrutinize and identify fraudulent email messages. If you can't be sure of the authenticity of an email, do not open it. If you do open it, do not click on any links or download any attachments.
- Back up your data. Should you become infected with ransomware, it is unlikely that your files will be recoverable. Instead, you should plan on restoring the data from a recent backup. Organizations should encourage users to store important files on the network (where hopefully they are regularly backed up).
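A backup is only useful after an incident if you can tell which files were altered and which backup copies are still clean. One way to get that answer, shown here as an added example rather than anything from the article or the museum, is a hash manifest written at backup time and stored with the backup (ideally offline, so it cannot be encrypted along with the live data). File names and contents below are constructed for illustration.

```python
"""Hash-manifest backup verification (added example, not from the article).

At backup time, record a SHA-256 digest for every file. After an incident,
compare the live tree and the backup copy against that manifest to learn
which files were modified, which went missing (for example renamed with a new
extension), which are new (a ransom note, an encrypted copy), and which backup
copies can be trusted for restore. All sample data is constructed.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each file name to the SHA-256 of its contents at backup time."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify(manifest: dict, current: dict) -> dict:
    """Compare a live tree (name -> contents) against the manifest."""
    report = {"unchanged": [], "modified": [], "missing": [], "new": []}
    for name, digest in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif sha256_hex(current[name]) == digest:
            report["unchanged"].append(name)
        else:
            report["modified"].append(name)
    report["new"] = sorted(n for n in current if n not in manifest)
    return report


def restore_plan(manifest: dict, current: dict, backup: dict) -> dict:
    """Files to restore: those modified or missing in the live tree whose
    backup copy still matches the manifest (a backup that was itself
    encrypted would fail this check and must not be restored from)."""
    report = verify(manifest, current)
    plan = {}
    for name in report["modified"] + report["missing"]:
        if name in backup and sha256_hex(backup[name]) == manifest[name]:
            plan[name] = backup[name]
    return plan


# Constructed sample: the document tree as captured at backup time ...
BACKUP = {
    "reports/q1.docx": b"Q1 report body",
    "reports/q2.docx": b"Q2 report body",
    "photos/gallery.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
}
MANIFEST = build_manifest(BACKUP)

# ... and the same tree after an encryption event: one file overwritten in
# place, one renamed with a new extension, and a ransom note dropped.
AFTER = {
    "reports/q1.docx": b"ENCRYPTED-STANDIN-0001",
    "reports/q2.docx.locked": b"ENCRYPTED-STANDIN-0002",
    "photos/gallery.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
    "README_FOR_DECRYPT.txt": b"constructed ransom note text",
}

if __name__ == "__main__":
    for key, names in verify(MANIFEST, AFTER).items():
        print(f"{key:9s} {names}")
    print("restore:", sorted(restore_plan(MANIFEST, AFTER, BACKUP)))
```

The manifest check is what makes the "restore from a recent backup" advice actionable: it tells you which backup generation predates the damage, and it refuses to restore a copy that was itself encrypted because the backup media was reachable from the infected host.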
New Threats: The Evolution of Ransomware
There have been new strains of ransomware that have a slightly different modus operandi from the original versions.
- Some take a copy of the files as well as encrypting them. The hacker then threatens to make the data public if the ransom is not paid.
- Some offer to give you your files back without payment if you are willing to help them infect a few of your colleagues.
- "Ransomware as a service" offerings have been made available to non-technical criminals who wish to run their own ransomware campaign.
The threat of Ransomware appears to only be increasing. By taking proper precautions, you should be able to minimize the impact that ransomware can have on your business. Avoiding ransomware-related incidents will help to ensure the availability of business data which could be critical to the success of your organization.
Steven Santamorena is the Chief Information Security Officer for The Metropolitan Museum of Art. He has been a leader in Information Security since 2004 and has managed several departments within IT including messaging, infrastructure, and networking. In Steven's current role, he is focused on developing risk management strategies while delivering appropriate security controls and processes. Steven holds several security certifications including CISSP, CCSP, CISM, and also holds a Master's Degree in Information Assurance from Norwich University.