How does ransomware infect its targets?

As already explained, ransomware damages or destroys computer files, causing loss of business for organisations whilst compromising their information systems. The following are common methods of infection:
- A malicious link in an email attachment, social media message, or text message;
- A pay-per-install infection, where computers that have already been compromised and form part of a group of infected machines (a botnet) under the control of criminals (the botmasters, or kingpins) are loaded with additional malware. In such cases the botherders, criminals who look for security vulnerabilities within software, are paid to find these opportunities. The model is based on revenue sharing and commission: the botherders use the botmasters' resources to infect further computers and systems;
- Drive-by downloads, where malware is installed through the user visiting a compromised website.
Why are non-profit firms in danger?

Ransomware has become a global cybercrime issue with a high number of targets and victims. No business is exempt from this type of attack. Sector and size are not mitigating factors because attackers are usually motivated purely by money. Organised crime gangs, often with an international reach, lie behind many attacks and have the single aim of making money. If they can gain access to a system, they can exploit it using ransomware with the minimum of effort for financial profit.

Of the 155,000 non-profits registered in the UK, 73% have an annual income of under £100,000. Of these, just under 40% have an annual income of less than £10,000. Faced with this low level of funding, many simply do not have the time or financial resources to keep up to date with the latest cyber-security advice, wipe the hard drives of donated equipment, or in some cases even run background checks on volunteers or temporary staff. The UK Comic Relief non-profit, for example, was a target in October 2016 in an attack that forced the charity to take some of its systems offline for several days while it remedied the situation by restoring backups and installing new security measures. Hospitals and universities have also recently been targeted by ransomware attacks. Out-law.com reported in February this year that 88 out of 260 health trusts in England, Scotland and Wales had experienced a ransomware attack. NHS trusts are a prized target because of the value of their data: hospitals need constant access to their patients' records, so they will need to pay up or risk harming patients' health.
What can be done?

The best defence is prevention. There are many layers of protective measures that will help to make an attack harder and reduce its impact. The second-best defence is to have response plans in place in order to react effectively without delay. In terms of prevention, routine and simple technical controls will make it significantly harder for attackers to succeed. We outline our recommendations for best practice at the end of this article. In terms of response, a workable and regularly tested incident management and response plan is also critical. Taking simple steps such as disconnecting affected devices from the network can often prevent more damage being done. These plans should also include a strategy for managing communications with the media and customers in the event of an attack.

The Charity Commission has in recent years consolidated its role as regulator to ensure non-profits have sufficient policies in place which are effectively communicated to and understood by staff and trustees. Given the constraints of time and money, however, producing, implementing and updating these can place a substantial burden on non-profits, one that may be perceived as less important than the organisation's core work. The ICO also issued guidance in December 2016, noting that in the case of an attack resulting in a data loss, the ICO's investigators would need to decide whether appropriate measures had been in place that could have prevented the attack from succeeding. They also signpost organisations to other resources such as the Government's Cyber Essentials accreditation scheme and guidance from the National Cyber Security Centre. There is no obligation under current Data Protection regulations to notify the ICO of an attack. This situation will, however, change in May 2018 when the new General Data Protection Regulation is introduced. After this, non-profits and other organisations will have 72 hours within which to notify the ICO of breaches.
Failure to do so is likely to result in financial penalties and condemnation. The ICO is widely expected to impose more lenient penalties on organisations that can demonstrate they had plans in place. It is therefore crucial to take steps now to introduce simple cybersecurity measures, put plans in place and test them well ahead of time. For organisations with larger budgets, there are many security products on the market. These solutions are costly, as they provide off-site backups in three different geographical locations. Kaspersky provides reputable anti-virus software that has ranked as one of the best solutions. Staff should be trained, and then tested by a contractor in a social engineering test, using companies such as Rapid7 or LIFARS.
Conclusions and Recommendations

The increasing prevalence of ransomware cyber attacks has heightened awareness and made cyber security a more urgent issue for a wider range of businesses. The impact is particularly severe because of the ability of such attacks to affect multiple devices silently and speedily. Even with backups available, the clean-up operation takes time and has an associated cost. Even where protective measures are in place, the time spent restoring data and devices is a financial loss to the business. In conclusion, we recommend that organisations act in a timely manner to respond effectively to the threat of ransomware and to address the risks to the organisation. We recommend the following minimum technical measures:
- Install up-to-date antivirus software across all endpoints (devices with network or internet access). Use, in addition, a multi-faceted security solution that provides heuristics, firewalls and advanced behaviour-based threat prevention in a set of protection rules, and establish Data Leakage Prevention (DLP) and anomaly detection.
- Apply a comprehensive patch management process so that all desktop clients are fully patched.
- Back up data regularly and keep copies off-site.
- Provide training and awareness programmes for employees and restrict administrative rights. Consider developing an incentive policy to encourage people to report anomalies and behave responsibly.
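A backup only counts as a defence if it can actually be restored and if it has not itself been overwritten or encrypted since it was taken, which is why the response plan above should be tested regularly rather than assumed to work. The script below is an added example, not code from the article or from any vendor it names: it creates a backup with a SHA-256 manifest, verifies the backup against that manifest (flagging missing or modified files and a stale backup), and performs a restore test into a scratch directory. The sample directory, file names and contents in demo() are constructed for illustration; the 24-hour freshness threshold is an assumed policy value.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record a manifest of hashes."""
    manifest = {"created": time.time(), "files": {}}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest["files"][rel] = sha256_file(target)
    (dest / "manifest.json").write_text(json.dumps(manifest))
    return manifest


def verify_backup(dest: Path, max_age_seconds: float) -> dict:
    """Check each backed-up file still matches its recorded hash and the set is fresh.

    A file that no longer hashes to the manifest value is reported as modified;
    this is the signal that the backup itself was overwritten or encrypted after
    it was taken and cannot be trusted for recovery.
    """
    manifest = json.loads((dest / "manifest.json").read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        path = dest / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"modified: {rel}")
    stale = (time.time() - manifest["created"]) > max_age_seconds
    return {"ok": not problems and not stale, "stale": stale, "problems": problems}


def restore_test(dest: Path) -> bool:
    """Restore into a scratch directory and confirm every restored file matches the manifest."""
    manifest = json.loads((dest / "manifest.json").read_text())
    with tempfile.TemporaryDirectory() as scratch:
        for rel, expected in manifest["files"].items():
            out = Path(scratch) / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(dest / rel, out)
            if sha256_file(out) != expected:
                return False
    return True


def demo() -> dict:
    """Constructed scenario: back up a small directory, verify and restore it,
    then simulate a backup file being overwritten after the backup was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        dst = Path(tmp) / "backup"
        src.mkdir()
        dst.mkdir()
        # Constructed sample files standing in for an organisation's records.
        (src / "donors.csv").write_text("name,amount\nA. Donor,10\n")
        (src / "notes").mkdir()
        (src / "notes" / "plan.txt").write_text("incident response plan\n")

        create_backup(src, dst)
        clean = verify_backup(dst, max_age_seconds=86400)  # assumed 24-hour policy
        restored = restore_test(dst)

        # Simulate the backup copy being overwritten with unreadable content.
        (dst / "donors.csv").write_bytes(b"\x00\xffgarbled")
        tampered = verify_backup(dst, max_age_seconds=86400)

        return {
            "clean_ok": clean["ok"],
            "restore_ok": restored,
            "tampered_ok": tampered["ok"],
            "tampered_problems": tampered["problems"],
        }


if __name__ == "__main__":
    print(demo())
```

Run in this form the script exercises itself; in practice the manifest would be written at backup time and verify_backup and restore_test would be scheduled against the off-site copy, with a failing result raised as an incident in its own right rather than discovered during recovery.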