Hackers who distributed ransomware in 2019 made out pretty big, swindling companies and government agencies for millions of dollars.
According to software security experts at Emsisoft, ransomware affected 103 state and municipal governments and agencies. It also hit a whopping 759 healthcare providers and 86 universities, colleges, and school districts. At least some of those affected ponied up the ransoms, usually in the form of bitcoin, to get their systems back up and running.
You would think by now that agencies and companies would be beefing up security, but unfortunately that’s not always the case. Even companies willing to beef up security find themselves lagging behind the hackers: the influx of cash many ransomware hackers are getting from successful attacks funds the R&D needed to mount increasingly complex attacks on their victims.
Now I’m not going to finish out an article claiming that my little company has the answer – because I don’t. That being said, there are some things companies can do to help protect themselves.
How Are Ransomware Infections Being Spread?
The real crux of the ransomware crisis (and it really is a crisis) comes down to one thing: keep the malicious code from entering your system in the first place. So let’s look at how infections took hold this past year. There are two main vectors of attack.
Attack Method #1: Email Attachments
As the years have gone by and worms, viruses, and malicious code have come and gone, one thing has remained constant: many of them get into a system via an email attachment clicked by an unsuspecting employee. While you can train and train and train, momentary lapses of judgement do happen, and if you have a large organization with lots of employees, it’s only a matter of time before someone makes a mistake – so it’s important that your systems spring into action when it happens.
Keep Systems Updated
Keep your systems up to date with the latest patches and have antivirus software running. As new ransomware attacks are found, vendors regularly update their software with patches to close the security holes exploited. This means running Windows Updates (or whatever your flavor of OS is) and keeping your antivirus not just running, but up to date with the latest definitions.
Limit User Rights
Even more important is to remove excessive permissions from employees – specifically, remove local admin rights. With the options available today for granular permissions using NTFS, there’s almost zero need for an employee to have local admin rights on their workstation. A virus or malicious script opened by a user with admin rights runs with those rights and moves through the system with them. It’s also critical to ensure that employees only have access to the network resources they need. As a result of privilege creep, many employees have rights to shared folders on the network that they don’t need. These should be audited regularly.
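One way to do that audit on a Windows workstation, as an added example that is not code from the article: it lists local Administrators members who are not on an approved list, and non-administrative SMB shares that grant Change or Full to broad groups. The approved admin list, the domain group name, and the host's PowerShell version (5.1 or later, run elevated) are assumptions.

```powershell
# Added example, not from the article: audit a workstation for excessive local admin
# rights and over-broad share access. Run in an elevated PowerShell 5.1+ session.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (assumed disabled or vaulted)
    'CORP\Workstation-Admins'            # assumed domain group used by desktop support
)
# Principals that should never hold write access on a share
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Anyone in the local Administrators group who is not on the approved list
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    if ($ApprovedAdmins -notcontains $member.Name) {
        $findings.Add([pscustomobject]@{
            Check  = 'LocalAdmin'
            Object = $member.Name
            Detail = "$($member.ObjectClass) from $($member.PrincipalSource)"
        })
    }
}

# 2. Non-administrative shares that grant Change or Full to broad groups.
#    Share permissions are only half the picture; the NTFS ACL on the folder still applies.
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Change', 'Full') -and
            $BroadPrincipals -contains $ace.AccountName) {
            $findings.Add([pscustomobject]@{
                Check  = 'ShareAccess'
                Object = "$($share.Name) ($($share.Path))"
                Detail = "$($ace.AccountName): $($ace.AccessRight)"
            })
        }
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | Format-Table -AutoSize }
```

Run it from a scheduled task that writes the findings to a central log so privilege creep is caught on a cadence rather than after an incident.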
I worked at a company in 2016 that was hit by a ransomware attack. It started with an employee opening an email attachment – the Windows User Account Control popped up warning that the attachment was trying to make changes to the computer, and because the employee had local admin rights they were able to just click ‘Ok’ to proceed. If they didn’t have admin rights, the attack could have been stopped right there before it even started. In addition, the employee had access to lots of network drives they didn’t need and all of the files in those shares were encrypted.
I spent 40 hours straight, with no sleep, restoring files from backups to get the company back into operation. We did not pay (or even consider paying) the ransom. The company loses $20,000 per hour of downtime. A single click, by a user who had rights they didn’t need, cost the company $800,000 in lost production & labor.
Attack Method #2: Systems Connected Directly to the Internet
The next most common method for ransomware hackers to do their damage is via systems that are directly connected to the Internet. And it’s not just computers and servers. Controllers for HVAC systems, point-of-sale equipment, and manufacturing equipment are frequently connected directly to the Internet with minimal protection. In most cases, these systems are set up so that support vendors have easy remote access to them – but these setups open the systems to penetration attempts by hackers. While these systems may not spring to mind when it comes to ransomware, they can be effective doorways into your main production network if not configured properly.
Change Vendor Default Passwords
No matter how long I work in this business, it still shocks me how often this step is missed when setting up systems. While new legislation is making it less common, many vendors still ship hardware with a well-known or easily researched username and password. Don’t believe me? Just open Google and type in: Cisco default password. It’s supposed to make getting into a brand new device easy for setup, but many times it never gets changed. As it turns out, this is one of the most common infiltration points for hackers.
Move The Systems to an Internal Connection
The most effective way of protecting systems connected directly to the Internet is simply: don’t connect them directly to the Internet. While this may not be possible for many older systems, many newer systems have better options that take security more seriously.
Create Custom Firewall Rules for Each System
Sure, it’s a little more administrative overhead for your IT department to set up, but systems that must have external connections should be firewalled so that only the ports absolutely necessary are open. Scrutinize every connection on setup and keep everything else blocked.
You can go a step further by enabling whitelists. If your support vendor only accesses the exposed systems from their office, then create a firewall rule that only allows connections from their office IP address and denies everything else.
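The per-system rule plus vendor allowlist described above, as an added example that is not code from the article, applied with the built-in Windows firewall on an Internet-facing support host: it sets default-deny inbound with logging, disables any existing rule that opens the support port to any source, and adds a single allow rule scoped to the vendor's address. The vendor address (a documentation-range placeholder), the port (RDP assumed), and the rule name are assumptions.

```powershell
# Added example, not from the article: restrict an Internet-facing support host running
# Windows to the vendor's office address. Run elevated; replace the placeholder values.

$VendorOfficeIP = '203.0.113.10'   # placeholder (documentation range); use the vendor's static IP
$SupportPort    = 3389             # assumed remote-support port (RDP); use what the vendor actually needs
$RuleName       = 'Vendor support - allowlisted source'

# 1. Default-deny inbound on every profile, and log drops so probes against the host are visible.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Every enabled inbound rule that already opens the support port is a broad "any source"
#    opening the allowlist is meant to replace, so disable it (the allowlist rule itself is skipped).
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq $SupportPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 3. One allow rule scoped to the vendor's address; anything else hits the default block.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $SupportPort -RemoteAddress $VendorOfficeIP -Action Allow -Profile Any | Out-Null
}

# 4. Verify the scope actually took: the address filter must show only the vendor IP.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Test the vendor's connection from their address before closing your own session, and review the firewall log after a day to confirm the dropped-connection volume matches what you expected for an exposed host.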
Education: From Top to Bottom
One major theme that always comes up, especially for high-level IT managers and directors: how do you convince non-technical CEOs, COOs, and CFOs that investing in cyber security is worth the expense? Well, I wish I had the silver-bullet answer to that. In most cases it really comes down to your ability as an IT leader to communicate with non-technical people. And even then, you may simply run into a brick wall. One thing is for certain, though: after an attack does happen and the company incurs a massive recovery expense, you’ll probably get your way (if they don’t scapegoat and fire you first).