A critical factor in avoiding ransomware attacks is training employees to be exceedingly cautious about clicking on email links.
Experts warn that phishing attacks, which often serve as ransomware’s gateway into companies’ information technology systems, have become more sophisticated and often originate from apparently legitimate contacts.
“You have to train your staff to be vigilant. It all relates to preparation from the boardroom down,” said Richard J. Bortnick, senior counsel at law firm True Lieberman Strauss & Shrewsbury L.L.P. in Red Bank, New Jersey.
Make sure there is a password management system in place, keep up with system upgrades and maintain updated antivirus programs and high firewalls to eliminate some of the initial phishing, said Matt Chmel, Chicago-based team leader of Aon Risk Solutions’ professional risk solutions team. In addition, introduce segmentation around data and restrict who has access to it, he said.
On key systems, firms should also consider whether it is appropriate “to use some form of whitelisting,” where the computer is given a list of executables, which are files capable of being run as a program in the computer, that employees are authorized to run, said Alan Brill, senior managing director at Kroll Associates Inc. in Secaucus, New Jersey.
Data backups are critical, say experts.
“It’s all about backups,” said Brett Anderson, Atlanta-based breach response services manager with Beazley P.L.C. Backups minimize the damage ransomware can cause “if you can restore your system.” Experts stress that backup systems should be kept offline. If a backup is online, the malware “kills that, too,” said Mr. Brill.
Furthermore, the backup should also be configured so “it doesn’t take a great deal of time” to restore the system, said John Riggi, Washington-based managing director in BDO Consulting’s technology advisory services practice and head of its cyber security and financial crimes unit.
If a company does get hit by malware, one of the first steps that should be taken is to isolate the problem. “You want to make sure that the ransomware is not going to spread through your enterprise,” Mr. Brill said. “It’s bad enough to have a machine hit with ransomware. It’s considerably worse to have 500 machines.”
“You need to find out what the attack vector was, how did this ransomware attack get into your system,” because trying to remediate the situation without finding that out first means “you can be hit again,” said Bret Padres, CEO of the McLean, Virginia-based Crypsis Group, a cyber security services firm.
He said he has seen situations where companies recover with a backup and “then the backups often become corrupted by additional ransomware” because the ransomware attack’s full scope was not initially discovered.
In addition, “You want to find out if the ransomware that has hit you is one that has been previously analyzed,” said Mr. Brill, adding that in some cases cyber security firms have developed programs “that will crack the ransomware.”
Experts advising businesses on ransomware demands say they generally leave it up to the business to decide whether to pay the ransom.
Mr. Riggi, who is a former FBI agent, said at the agency “we would never encourage paying the ransom, because that encourages that type of behavior, and you’re funding the criminal organization,” which could be involved in more serious crimes.
“That being said, the FBI understood it’s a business decision that the company has to make,” Mr. Riggi said.
But there are no guarantees paying the ransom will work.
“Some organizations that pay get a decryption key. Others will pay and not get a decryption key, so it’s a judgment call,” said Mr. Brill.