FBI renews warning on ransomware after 3 hospitals pay ransom to re-open

October 14, 2019 — The FBI is warning all businesses and healthcare providers about the threat of ransomware that has been sweeping the country and disabling or totally closing businesses, healthcare systems, industrial companies, and the transportation sector.  The October 2, 2019 public service announcement is the second in less than a month on the threat.

The official statement suggests that businesses refuse to pay the ransom and report the incidents to the FBI to help track and apprehend the criminals.  It does not address, however, how a business is to survive if its backup system is also compromised and it has essentially lost all company data.

Ransomware typically disables company, government, or transportation computers from a matter of hours to a matter of many weeks unless the ransom is paid.  Three hospitals in the southern US are reported to have paid a ransom demand in order to re-open after ransomware forced them to divert patients to other hospitals for a period of days.

There is no assurance, however, that paying the ransom will actually result in a recovery of all of the data.  Even if the decryption key is provided after the payment of the ransom, many victims report losing some data.  Even if a business pays the ransom, it should coordinate with its cyber insurance company (if insured) and report the incident to the FBI.

Cyber Defense Best Practices

  • Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware recovery; if you are infected, backups may be the best way to recover your critical data.
  • Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on information security principles and techniques.
  • Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
  • Implement least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Configure access controls with least privilege in mind.
  • Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
  • Implement software restriction policies or other controls to prevent the execution of programs from common ransomware locations, such as the temporary folders used by popular internet browsers or by compression/decompression programs, including the AppData/LocalAppData folder.
  • Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
  • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
  • Use virtualized environments to execute operating system environments or specific programs.
  • Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
  • Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.
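The RDP item above asks for an inventory of systems accepting RDP and for RDP login attempts to be logged. The following Python script is an added example (not part of the FBI announcement or this article) showing what a defender does with those logs once they exist: it reads Windows Security log records, keeps only Event ID 4624 (successful logon) and 4625 (failed logon) with Logon Type 10 (RemoteInteractive, i.e. RDP), lists the hosts that received RDP logons, flags sources with a burst of failed attempts, and reports successful logons from outside the organisation's internal ranges. The event records are constructed, the export format (one dict per event) is assumed, and the internal ranges are assumed to be the RFC 1918 networks.

```python
"""RDP logon auditing over Windows Security log records.

Added example, not part of the FBI announcement or this article.  Event ID
4624 (successful logon) and 4625 (failed logon) with Logon Type 10
(RemoteInteractive) identify RDP sessions.  The records in EVENTS are
constructed sample data; the one-dict-per-event export format is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = "10"
SUCCESS, FAILURE = 4624, 4625

# Ranges this organisation treats as internal (assumption: RFC 1918 only).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, not real log data.
EVENTS = [
    {"time": "2019-10-02T03:14:01", "id": 4625, "host": "FS01", "user": "admin", "ip": "203.0.113.7", "logon_type": "10"},
    {"time": "2019-10-02T03:14:09", "id": 4625, "host": "FS01", "user": "admin", "ip": "203.0.113.7", "logon_type": "10"},
    {"time": "2019-10-02T03:14:17", "id": 4625, "host": "FS01", "user": "admin", "ip": "203.0.113.7", "logon_type": "10"},
    {"time": "2019-10-02T03:14:26", "id": 4625, "host": "FS01", "user": "admin", "ip": "203.0.113.7", "logon_type": "10"},
    {"time": "2019-10-02T03:14:34", "id": 4625, "host": "FS01", "user": "admin", "ip": "203.0.113.7", "logon_type": "10"},
    {"time": "2019-10-02T03:14:41", "id": 4624, "host": "FS01", "user": "admin", "ip": "203.0.113.7", "logon_type": "10"},
    {"time": "2019-10-02T08:02:10", "id": 4624, "host": "FS01", "user": "jsmith", "ip": "10.0.0.5", "logon_type": "10"},
    {"time": "2019-10-02T08:05:00", "id": 4625, "host": "HR02", "user": "jsmith", "ip": "10.0.0.5", "logon_type": "10"},
    {"time": "2019-10-02T08:05:30", "id": 4624, "host": "HR02", "user": "jsmith", "ip": "10.0.0.5", "logon_type": "10"},
    {"time": "2019-10-02T09:00:00", "id": 4624, "host": "FS01", "user": "svc_backup", "ip": "10.0.0.20", "logon_type": "3"},
]


def parse_events(records):
    """Parse timestamps and keep only RDP (Logon Type 10) logon events."""
    return [
        {**r, "time": datetime.fromisoformat(r["time"])}
        for r in records
        if r["logon_type"] == RDP_LOGON_TYPE
    ]


def rdp_hosts(events):
    """Inventory of hosts that received RDP logon attempts (the 'audit your network for RDP' step)."""
    return sorted({e["host"] for e in events})


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failed RDP logons inside any sliding `window`."""
    times_by_ip = defaultdict(list)
    for e in events:
        if e["id"] == FAILURE:
            times_by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def _is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_successful_logons(events):
    """Successful RDP logons from outside the internal ranges: RDP exposed beyond the network."""
    return [
        (e["time"].isoformat(), e["host"], e["user"], e["ip"])
        for e in events
        if e["id"] == SUCCESS and not _is_internal(e["ip"])
    ]


def success_after_burst(events, bursts):
    """A successful RDP logon from a source already flagged for a failure burst is a likely compromise."""
    return sorted({(e["user"], e["ip"]) for e in events if e["id"] == SUCCESS and e["ip"] in bursts})


if __name__ == "__main__":
    evts = parse_events(EVENTS)
    print("RDP hosts:", rdp_hosts(evts))
    bursts = failed_logon_bursts(evts)
    print("failure bursts:", bursts)
    print("external successes:", external_successful_logons(evts))
    print("success after burst:", success_after_burst(evts, bursts))
```

On the constructed records the script flags 203.0.113.7 for five failures in under a minute, then reports that the same address logged in successfully as "admin" from outside the internal ranges, which is the pattern the two-factor-authentication and port-closure advice is meant to prevent.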

About Back-ups

While using cloud-based services can provide some security that smaller businesses cannot implement themselves, cloud-based systems can be compromised by improper security configurations and by employee error.  Some ransomware specifically targets cloud back-ups of data, rendering the business inoperable and with no functional back-ups.

While it is “old school”, having multiple back-ups with one copy off-line (air-gapped) where ransomware cannot reach it is a critical security strategy.  Even if the off-line back-up is not as recent as on-line back-ups, it limits the maximum potential loss of data.  The more current the back-up, however, the less data the business can lose.  With a functional, current back-up, a company may lose some compromised systems, but will be able to return to operation more quickly and without paying the criminals.
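Both the first best-practice item ("verify its integrity") and this section depend on knowing whether a backup can still be trusted and how old the offline copy is. As an added example (not part of the FBI announcement or this article), the Python script below records a SHA-256 manifest of a backup set, re-verifies it later to report files that are missing, modified (a file overwritten with ciphertext hashes differently) or unexpected, and checks the age of the newest offline copy against a recovery point objective. The files in demo() are constructed; the manifest is deliberately written to a separate location because a manifest kept beside the backup can be altered together with it.

```python
"""Backup integrity verification and offline-copy age check.

Added example, not part of the FBI announcement or this article.  Builds a
SHA-256 manifest of a backup set, re-verifies the set later, and bounds the
worst-case data loss by the age of the newest offline copy.  The files and
timings used in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, '/' separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    """Write the manifest as JSON.  Keep it on the offline medium or on a system
    the backed-up hosts cannot write to, never beside the backup itself."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup set on disk with the manifest recorded when it was taken."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def offline_copy_status(hours_since_offline_copy: float, rpo_hours: float) -> dict:
    """Everything written after the offline copy is the worst-case loss; report
    whether that bound is inside the recovery point objective the business accepted."""
    return {
        "max_data_loss_hours": hours_since_offline_copy,
        "within_rpo": hours_since_offline_copy <= rpo_hours,
    }


def demo() -> dict:
    """Walk-through on constructed files: record a manifest, then simulate a
    backup that ransomware could reach (one file overwritten with random
    bytes standing in for ciphertext, one deleted, one note added)."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as offline:
        root = Path(backup)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (root / "notes.txt").write_bytes(b"quarterly plan")
        manifest_file = Path(offline) / "manifest.json"  # separate location
        save_manifest(build_manifest(root), manifest_file)

        (root / "finance" / "ledger.csv").write_bytes(os.urandom(32))
        (root / "notes.txt").unlink()
        (root / "HOW_TO_RECOVER.txt").write_bytes(b"constructed ransom note")

        recorded = json.loads(manifest_file.read_text())
        return verify_backup(root, recorded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(offline_copy_status(hours_since_offline_copy=30, rpo_hours=24))
```

A non-empty "missing" or "modified" list means the copy cannot be restored from without further investigation, and a surprise file is worth reporting along with the incident; the offline-copy check makes the trade-off in the paragraph above explicit, since a 30-hour-old air-gapped copy against a 24-hour objective tells the business how much it stands to lose before it has to decide anything.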


For the full FBI announcement, go to https://www.ic3.gov/media/2019/191002.aspx

For the story on the hospitals, go to https://healthitsecurity.com/news/3-alabama-hospitals-pay-hackers-ransom-to-restore-system
