
Good Practices Against Crypto-Extortion

IT, Security, Technology

Protection against crypto-extortion

If 2021 brought us a new wave, it was not one of a biological virus but of a digital one! This new wave is that of ransomware (cryptolockers).

Not a week goes by without a large corporation or government being affected. For example, in May 2021, the Colonial Pipeline company had to spend around $5M to decrypt its files, but far less is said about the many other attacks, which include, for example, the DC Metropolitan Police Department, the railway operator Merseyrail UK, the Whistler Resort Municipality and even QNAP devices (Qlocker ransomware). In fact, according to the US government (https://www.justice.gov/criminal-ccips/file/872771/download), there are around 4,000 attacks per day.

Basically, ransomware works in a relatively straightforward way: one way or another, malware is launched on a computer. It then encrypts the files on the local disk as well as on the shared network folders it can reach. Note that some ransomware does not encrypt anything at all, but instead displays windows designed to scare you in the hope that you will pay.

To get the software on the computer, several techniques are used: sending phishing emails containing infected attachments, exploiting “zero day” vulnerabilities on a server, or exploiting your web browser by directing you to malicious websites containing exploit code.

Once your files are encrypted, the cybercriminals will only send you a decryption key once they have been paid, normally in a digital currency such as Bitcoin.

Protection

In view of all this, how can you protect yourself adequately? Here are some possible solutions that are part of cybersecurity good practice. Obviously there is no such thing as zero risk, but having these elements in place will allow you to greatly reduce the risk and speed up the restoration of your resources.

1. Educate your staff

Much of your risk will be eliminated if you properly train your staff on ransomware, phishing, and other cybersecurity best practices. Train them to identify the signs of phishing and to contact your IT security department if in doubt.

2. Protect your equipment and your network

Make sure you have adequate security on your network (firewall) and workstations (anti-virus). Choose anti-virus products that identify unusual behaviour (often with artificial intelligence). Also verify that your computers have strong policies to limit user privileges. Remember: only grant the privileges that are required, i.e. each user should have only the minimal rights needed to do their job.

In addition, proper segmentation of your network into virtual networks (VLANs), by assigning them well-defined communication privileges, can reduce the risk of damage propagation.

3. Activate multi-factor authentication (2FA or MFA)

A password, no matter how complex, is of no use if it is known to others. There are obviously good practices to be implemented (such as complexity, length and rotation of passwords), but the implementation of an additional factor (generated by a physical token for example) considerably increases the security of a user account. Consider activating it for all users, especially high-privileged accounts!

4. Keep your software and equipment up to date

Patch your equipment (computers, mobile devices, network equipment, firewalls, etc.) regularly. Do not wait more than 14 days before updating your equipment with the patches provided by the OEMs (waiting a few days after their release can be a good way to avoid installing faulty software patches).

5. Back up your data

Back up your data so that you can either 1) rebuild your environment from scratch or 2) restore only a subset of the data. Make sure that the backups are inaccessible from the network (and an offsite backup is ideal).

Then regularly test your disaster recovery plan to ensure that you will be able to rebuild your data if it is lost. Simulate the loss of a server, a database, or an entire building, and try to restore it. These restoration tests must be performed to ensure the plan will actually work in case of a real disaster.

6. Reduce your reliance on “classic” files

If we can draw any conclusion so far from ransomware, it is that it is quite ineffective at encrypting data held in web applications: it specializes in encrypting “classic” binary files, such as Word, Excel and PDF documents.

This may be a great reason to start your migration to web applications, such as for managing your projects, document management or centralizing your inventory.

Next Steps

And now what should you do?

It starts with an analysis of your infrastructure, your document warehouses, the applications used and the roles and responsibilities of your employees. By having an adequate portrait of your situation, Techso is able to guide you towards best practices in cybersecurity in order to reduce your risk in the face of ransomware.

Photo by Jeremy Bishop on Unsplash