1. Is ransomware as big a threat as the media claims it is?Ransomware is a variant of malware that we are seeing as the next wave of quick compromise attacks. What that means is quick entry and quick exit. No longer do the bad guys need to hover around on networked devices and perform complicated breaches only to get sensitive information or data. Then, that sensitive information or data needs to be sold somewhere and a payment needs to be collected. A lot of stuff could go wrong, and it's a lot of work for the hacker. Many attackers would rather just cut out the middle man and go right to instant collections. Ransomware has not even remotely hit its maturity curve on the effectiveness for a hacker to utilize it as a major threat.
2. What types of organizations are the most likely targets?You have to figure that most ransomware campaigns are spray-and-pray. They target massive lists of organizations and their employees hoping for the best. A targeted ransomware attack is going to be the future. Think like a hacker; you need a victim that has money and relies on uptime as one of the most important factors of their business. Critical infrastructure is one of those industries. Hospitals and other time sensitive industries are in line because every second counts. The time wasted to decide over paying a few thousand dollars is not worth the loss of life. This is the hacker’s mindset on choosing victims for more targeted ransomware campaigns. It’s inevitable that we will see more targeted ransomware campaigns.
3. How should an organization begin planning ransomware defense strategy?You cannot learn how to defend against something that you do not know. Therefore, if you don’t have a baseline on your current response to ransomware, you won’t know what you need to do to improve your strategy. The best way is to simulate a mock ransomware attack. You can learn everything about your organization such as response times, reporting techniques, process gaps, and ultimately how your entire organization can come together in a coordinated effort. From there, you can start to build your long-term strategy.
4. What are the key elements in a ransomware defense plan?Training - It starts with security awareness training. Preventing a ransomware attack is more time, cost, and resource effective then recovering from one. A strong security awareness program enforces the critical thinking component of security and doesn’t just pummel your employees with unreliable messaging. Response - How quickly you can respond to a ransomware attack is the difference between success and failure of a ransomware campaign. Your organization holds the keys to protecting itself by being self-aware and prepared for an attack. The faster you can report and get your incident response teams on a situation, the better the chance you have of avoiding a company-wide catastrophe. Backups - It is important to not only have backups but to also learn how to use them! Too many times, people expect their backup process works or that they even have them until it is too late. Run through your backup processes to see where the gaps are. Practice - As mentioned before, practice makes perfect. After you have all these processes and procedures in place, it is time to test them and see what happens. From there, you can always improve on what you find.
5. How can employees be trained to react appropriately to a ransomware attack?Simulated phishing training is a great start. But that is only a test. The real answer comes to the quality of education that is delivered to your employees before and after the tests. Just telling them about ransomware and saying don’t click in an annual email is not going to cut it. Compliance check the box PowerPoint presentations will not cut it. You need to have a continuous, ongoing educational theme supporting security in your organization. Ransomware is a major outcome of a successful social engineering attack. Employees should be well aware of who to report ransomware to, when, and be able to prevent simple social engineering tactics with a successful security awareness program.
6. How can an active ransomware attack be contained?Isolation is a tough part of the incident response plan. Many vendors exist out there that can help with the containment part of the process, but the eradication puzzle is so important to ensure the ransomware is not going to come back when systems are brought back online. If this happens, the efforts that went in to response open up a whole new can of worms.
7. Does it ever make sense to negotiate with a ransomware attacker?The honest answer here is always it depends, but it should never be “yes we always pay the hacker.”
8. How is the ransomware threat likely to evolve over the next few years?As I mentioned before, we only see the ransomware variants progressing in both difficulty and scale. The variants of delivery are going to continue to rise on the social engineering front using every available medium possible. Targeted, sophisticated phishing emails will grow as a delivery method to point your employees to malicious websites and attachments. The best way to prevent ransomware is to be prepared, practice mock incidents, and implement a preventative security awareness training program to build a culture of security within your organization.