Pub. 5 2016 Issue 2

The CommunityBanker
Bank Bytes

Four Actions to Prevent Ransomware
By Daniel Lindley, Network+, CISA

Malware is a constant threat to networks. While it primarily affected Windows systems in the past, newer versions of malware can wreak havoc on Linux and OS X systems as well. The malware variant that is becoming increasingly popular and devastating is ransomware. Ransomware encrypts local and network-mapped files and then presents the user with a ransom request. Ransomware affects home users, police departments, banks, and even hospitals, with no sign of slowing down, due to the level of anonymity associated with bitcoin, the ease of spreading the software, and the likelihood of payout by infected users.

Ransomware can be dealt with in a couple of ways: either through mitigating controls that lower both the risk of infection and the damage caused, or by recovering data from backups after encryption has occurred. The best option, of course, is preventing infection in the first place, and the controls below can help prevent ransomware from threatening files and ruining your day.

1. User training – As users will always be the weakest link, there can never be enough user training. While there have been some instances of legitimate websites delivering ransomware, these are rare; the typical delivery vehicles of ransomware are phishing emails and insecure websites. Technical controls such as Internet content filtering and email sorting can help to an extent, but teaching users to be wary of phishing emails and unknown websites should be standard practice.

2. Antivirus or ransomware prevention tool – Antivirus detection methods are not as effective as they once were, but up-to-date virus definitions can still be beneficial in preventing ransomware from executing. In addition, companies such as Malwarebytes are working on anti-ransomware tools that add an extra layer of security.

3. Least privilege – The idea of least privilege is to prevent access to information a user has no business need to access. In this instance, restricting or removing file access so that users only have access to the information they need could prevent encryption of sensitive data. If the user does not have access, or only has read-only access, then the files in the folder are protected from ransomware as well.

4. Air gapped backups – As mentioned above, network-mapped files are just as susceptible to encryption by ransomware as local files. This includes cloud storage drives such as Dropbox and OneDrive and any internal network drives the user has access to. Although tape backups, by nature, create an air gap for the backup data, the trend of having instant network backups for disaster recovery has led to a decrease in tape usage and an increase in disk drives that can be easily accessed and replicated. As a result, it is extremely important either to keep backup drives from being mapped on the network or to reinstate the tape backup process for secondary backup purposes. If tape backups are too expensive or time consuming, then a dedicated backup through a trusted cloud provider would also be an effective option.

What if we’ve already been infected?

If ransomware infection isn’t prevented, then recovery or restoration of the data after encryption needs to be addressed. Whether or not to pay the ransom may seem like an easy decision; however, depending on the quality of the backups and the user’s situation, it may become more complicated. Before you make a decision, keep these scenarios in mind:
