BreachExchange mailing list archives

Security Think Tank: User education is first line of defence against ransomware


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 1 Feb 2016 18:23:03 -0700

http://www.computerweekly.com/opinion/Security-Think-Tank-User-education-is-first-line-of-defence-against-ransomware

Ransomware has yet again reared its ugly head and despite various security
websites issuing warning notices, people are still falling foul of it.

Ransomware is, in essence, a method of extorting money from an unsuspecting
individual or organisation, most frequently by denying them access to their
files through encryption of their data or hard drive.

One ransomware attack vector is via phishing or spam emails, as the
unsuspecting individual may inadvertently open an attachment or follow what
they perceive to be a bona fide web link. The act of clicking on the
suspicious attachment or web link results in the initiating of a malware
download, which then encrypts the user’s files or hard drive. Once
completed, this then requires the user to pay.

Payment is often demanded in Bitcoin to unlock an organisation’s files or
hard drive. It has been widely reported by victims that despite paying this
“ransom”, they have still been unable to access the encrypted files or hard
drive. So it is clear that prevention is better than cure when dealing with
ransomware.

Depending on the type and version of ransomware that has been installed,
there is a possibility that the user’s files or hard drive have not
actually been encrypted, but a small piece of software has been installed
that gives the impression that encryption has taken place.

This relies heavily on the emotional response of the victim and the fear
that they could be compromised; such a fear is enough to prompt a response
and, potentially, payment.

It is impossible to tell from the ‘splash screen’ that appears whether or
not it is a genuine ransomware payload, and only an attempt to use or
recover the user’s files will clarify this.

Numerous strategies

There are numerous strategies for safeguarding against ransomware. The
first, and by far the most effective, is user awareness and education,
because ransomware does not install itself. For the malware to be
downloaded successfully, it needs some form of user interaction, whether
via phishing emails or by fraudulent websites that serve up ‘drive-by’
malware.

Ensure that all your staff, including management, recognise phishing and
spam and so do not open suspicious emails or follow links to other websites
unless they can be sure they are bona fide links. All users should also be
cautious or even suspicious of attachments, pictures or graphics received
unexpectedly from known persons, because the sender’s email account may
have been compromised.

If in doubt, do not open any email without first confirming its origin by
contacting the sender. It is also recommended to switch off any email
preview window within a mail program because this may trigger the
ransomware download.

Also, spear phishing might be used for a targeted ransomware attack on a
specific user. This might make the malicious email hard to spot.

Scan all attachments

Secondly, ensure that any antivirus email program or software is up to date
and scheduled to scan all email traffic to identify spam emails or emails
that may contain known threats. This software should also be configured to
scan all attachments or pictures embedded within emails or instant
messaging attachments.

Thirdly, all hardware and software should be correctly patched and updated
to the latest version to ensure that all known weaknesses or
vulnerabilities have been addressed by the relevant supplier.

Finally, a good back-up regime is essential in this ever-changing virtual
and internet-based environment. Remember, it is not sufficient just to make
backups because they need to be tested to ensure they actually work.

In the event of your system being infected with ransomware, don’t give up
hope or pay any ransom. There are various products available that can help
to recover your files.

It is imperative that organisations take the threat of ransomware
seriously. Once infected, the inability to access files or systems may
affect other services offered by the organisation. An organisation’s
ability to recover quickly from any ransomware infection will be greatly
enhanced by having effective business continuity mechanisms available and
free from infection.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
