Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. Ransomware can also be used to steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves.
NIST has recently published a Ransomware Profile (NISTIR 8374). This Ransomware Profile identifies the NIST CSF’s security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to manage the risk of ransomware events. Even without undertaking all of the measures described in the Ransomware Profile, there are some basic preventative steps that an organization can take now to protect against and recover from the ransomware threat. In summary, these include:
Educate employees on avoiding ransomware infections:
- Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
- Avoid using personal websites and personal apps – like email, chat, and social media – from work computers.
- Don’t connect personally owned devices to work networks without prior authorization.
Avoid having vulnerabilities in systems that ransomware could exploit:
- Keep relevant systems fully patched.
- Employ zero trust principles in all networked systems.
- Allow installation and execution of authorized apps only.
- Inform your technology vendors of your expectations (in contracts) that they will apply measures to minimize risk of ransomware attacks.
Quickly detect and stop ransomware attacks and infections:
- Always use malware detection software such as antivirus software.
- Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack.
- Block access to untrusted web resources.
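The monitoring step above is easier to picture with concrete detection logic. The following is an added example, not code from NISTIR 8374 or from NIST; it runs over a constructed, simplified log format (timestamp, event id, user, source address) that borrows the Windows Security event ids 4625 (failed logon), 4740 (account locked out) and 4624 (successful logon). The parser is the part you would adapt to your directory service's real log layout; the windowed counting and the "success after a burst of failures" rule are the reusable part.

```python
"""Flag password-guessing and lockout indicators in directory-service
authentication logs (added example; log format is constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. 4625 = failed logon, 4740 = account locked out,
# 4624 = successful logon (Windows Security event ids used as labels only).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z event=4625 user=alice src=10.0.0.5
2024-03-01T09:00:03Z event=4625 user=bob src=10.0.0.5
2024-03-01T09:00:04Z event=4625 user=carol src=10.0.0.5
2024-03-01T09:00:06Z event=4625 user=dave src=10.0.0.5
2024-03-01T09:00:07Z event=4625 user=erin src=10.0.0.5
2024-03-01T09:00:09Z event=4624 user=erin src=10.0.0.5
2024-03-01T09:05:00Z event=4625 user=frank src=10.0.0.9
2024-03-01T09:30:00Z event=4740 user=bob src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAILED_LOGON, LOCKOUT, SUCCESS = "4625", "4740", "4624"


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def find_indicators(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return indicators in the order they are observed.

    spray                   - a source produced >= threshold failed logons
                              inside `window` (users listed so a spray across
                              many accounts is obvious)
    lockout                 - an account was locked out
    success_after_failures  - a successful logon from a source that had
                              already crossed the threshold
    """
    failures = defaultdict(list)   # src -> [(ts, user), ...] within window
    flagged = set()
    indicators = []
    for rec in parse(log_text):
        src, ts, user = rec["src"], rec["ts"], rec["user"]
        if rec["event"] == FAILED_LOGON:
            failures[src].append((ts, user))
            # keep only failures that fall inside the sliding window
            failures[src] = [(t, u) for t, u in failures[src] if ts - t <= window]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                indicators.append({
                    "type": "spray", "src": src, "at": ts,
                    "users": sorted({u for _, u in failures[src]}),
                })
        elif rec["event"] == LOCKOUT:
            indicators.append({"type": "lockout", "user": user, "at": ts})
        elif rec["event"] == SUCCESS and src in flagged:
            indicators.append({"type": "success_after_failures",
                               "src": src, "user": user, "at": ts})
    return indicators


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_LOG):
        print(ind)
```

The threshold and window are deliberately parameters: a lockout policy (see the next section) will usually fire before a single-account brute force crosses them, so the spray rule is tuned per source rather than per account, and a success from an already flagged source is the event worth paging on.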
Make it harder for ransomware to spread:
- Use standard user accounts with multi-factor authentication instead of accounts with admin privileges whenever possible.
- Configure automatic account lockout as a defense against automated attempts to guess passwords.
- Allow external access to internal network resources via secure virtual private network (VPN) connections only.
Make it easier to recover stored information from a future ransomware event:
- Make an incident recovery plan. Develop, implement, and regularly exercise an incident recovery plan through simulations.
- Back up data, secure backups, and test restoration. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data.
- Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement, legal counsel, and incident response resources.
Stay healthy, stay secure!