Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics company in Simi Valley, CA, recommends these steps to prevent ransomware attacks:
- Educate staff. They are the first line of defense. No amount of technology or money thrown at this problem will be a substitute for a properly trained staff. A single unintended click on a link in an email can sink the whole ship.
- Inventory and categorize technology assets. Understand what happens if certain technology assets, such as file servers or financial data, become unavailable or are compromised.
- Understand notification obligations. Do not exacerbate the problem by not complying with laws when a breach occurs.
- Create an incident response plan. Make sure everyone understands their roles so people are not panicking, looking for guidance, or stepping on each other’s toes.
- Back up everything. Often. Make sure you have healthy backups you can test and validate on a weekly basis. It is not enough for the IT guy to receive an email notification once a week saying “backups were successfully completed.” Is the organization backing up the right data? Have the data that need to be backed up changed? Can those data be restored successfully? How long will it take? These are questions any small business should ask and be able to answer before an attack.
- Create multiple, different backups. For small businesses, there are a variety of cloud backup providers to choose from. Do not back up data on the same computer on which data live, or on an external network or USB drive in someone’s office, which is susceptible to the same attack, fire, or theft.
- Use antivirus and anti-malware software. They work.
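The backup advice above turns on one question: can the data actually be restored, as opposed to the backup job merely reporting success? The following script is an added example (not XYPRO's or the article's own code) of a weekly restore test: it records a SHA-256 manifest at backup time, restores into a scratch location, and reports anything missing, corrupt, or unexpected. All paths and file contents are constructed inside a temporary directory so it runs offline; in practice the live and restore paths would point at real shares.

```python
"""Backup restore test: added example, not XYPRO's or the article's own code.

At backup time we record a manifest of SHA-256 hashes; at test time we
restore into a scratch location and compare against that manifest. All
paths below are constructed inside a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(live: Path, backup: Path) -> dict:
    """Copy the tree (standing in for a real backup job) and return the
    manifest recorded at backup time."""
    shutil.copytree(live, backup)
    return manifest(live)


def validate_restore(expected: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns lists of files that are missing, corrupt (hash mismatch) or
    unexpected (present in the restore but absent from the manifest).
    """
    actual = manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(k for k in expected.keys() & actual.keys()
                          if expected[k] != actual[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def run_demo() -> dict:
    """Constructed scenario: back up, silently damage the copy, restore, test."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (live / "readme.txt").write_text("constructed sample data\n")

        backup = Path(tmp) / "backup"
        expected = make_backup(live, backup)

        # Simulate damage to the backup media that a "job succeeded" email
        # would never reveal: one file truncated, one file lost.
        (backup / "finance" / "ledger.csv").write_text("acct,amount\n")
        (backup / "readme.txt").unlink()

        restored = Path(tmp) / "restore-test"
        shutil.copytree(backup, restored)
        return validate_restore(expected, restored)


if __name__ == "__main__":
    print(run_demo())
```

The manifest is taken from the live data at backup time rather than from the backup copy itself, so a copy that was already damaged when written is caught too. Keeping a copy of that manifest somewhere the backup media cannot overwrite is what makes the weekly comparison meaningful.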
How an Attack Happens
Christopher Gates, principal system security architect with Velentium, a cybersecurity company in Katy, TX, describes how a typical cyberattack of the Ryuk variant unfolds:
- A user opens a phishing email with infected files, containing obfuscated VBA code.
- The VBA code is downloaded and executes the Emotet trojan from a hacked WordPress site.
- Emotet “phones home” to its command and control servers.
- Emotet sends massive amounts of spam with a URL that links to the hacked WordPress sites, looking for others to infect.
- After some time (months), Emotet installs the TrickBot trojan from those hacked WordPress sites to collect sensitive data, including passwords, cookies, and SSH keys.
- TrickBot spreads itself across the health system network.
- TrickBot eventually opens a reverse shell for the attackers.
- Using the reverse shell (and probably an exploit toolkit called “Empire”), the attackers install the Ryuk ransomware.
- Ryuk starts encrypting and renaming files across the network with the .ryk filename extension.
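The chain above ends with Ryuk renaming files across the network with the .ryk extension, and a file-server audit log that records renames gives a late but cheap detection point for that stage. The script below is an added example (not Velentium's or the article's code) of a rename-burst detector: it flags a user and host that rename more than a threshold of files to a known ransomware extension inside a sliding window, and ignores single renames and renames away from that extension. The audit events are constructed, and the field layout (ts|user|host|old_path|new_path) is an assumption, not any real product's log format.

```python
"""Ransomware rename-burst detector over constructed audit events.

Added example, not Velentium's or the article's code. The event field
layout is an assumption; map it onto whatever your file server emits.
"""
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PurePosixPath

SUSPICIOUS_EXT = {".ryk"}   # from the article; extend with other known extensions
THRESHOLD = 5               # renames per (user, host) inside WINDOW_SECONDS
WINDOW_SECONDS = 60

SAMPLE_EVENTS = [  # constructed audit log lines: ts|user|host|old_path|new_path
    "2020-11-02T08:00:01|alice|FS01|/shares/finance/q3.xlsx|/shares/finance/q3-final.xlsx",
    "2020-11-02T08:05:10|bob|FS01|/shares/hr/policy.docx|/shares/hr/policy.docx.ryk",
    "2020-11-02T08:05:11|bob|FS01|/shares/hr/handbook.pdf|/shares/hr/handbook.pdf.ryk",
    "2020-11-02T08:05:11|bob|FS01|/shares/hr/roster.xlsx|/shares/hr/roster.xlsx.ryk",
    "2020-11-02T08:05:12|bob|FS01|/shares/hr/benefits.pdf|/shares/hr/benefits.pdf.ryk",
    "2020-11-02T08:05:12|bob|FS01|/shares/hr/offer.docx|/shares/hr/offer.docx.ryk",
    "2020-11-02T08:05:13|bob|FS01|/shares/hr/org.vsdx|/shares/hr/org.vsdx.ryk",
    "2020-11-02T09:30:00|carol|FS01|/shares/it/old.ryk|/shares/it/old.txt",
]


def parse_event(line: str) -> dict:
    ts, user, host, old, new = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "old": old, "new": new}


def is_suspicious_rename(event: dict) -> bool:
    """Rename *to* a known ransomware extension; renaming away from one is not."""
    return PurePosixPath(event["new"]).suffix.lower() in SUSPICIOUS_EXT


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS) -> list:
    """Sliding window per (user, host); one alert when the count reaches threshold."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if not is_suspicious_rename(ev):
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:   # drop events outside window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "host": ev["host"], "count": len(q),
                           "first_seen": q[0].isoformat(), "last_path": ev["new"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}@{a['host']}: {a['count']} renames to a "
              f"ransomware extension since {a['first_seen']} ({a['last_path']})")
```

With the sample data only bob's burst fires; alice's ordinary rename and carol's rename away from .ryk do not. Keying on (user, host) matters because the account doing the renaming is the one whose sessions need isolating, and suppressing repeat alerts per key keeps a full-network encryption run from drowning the on-call queue.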
To prevent this kind of attack, Gates advises regularly training employees to identify phishing emails and phishing attempts on social media, and creating a policy and a mechanism for employees and end-users to report suspicious messages.
- Christopher Gates, Principal System Security Architect, Velentium, Katy, TX.