What is Ransomware?
Ransomware is a type of malicious software (malware), which denies access to systems or data and/or exfiltrates data.
How Ransomware Works
Typically, the malware displays an on-screen alert advising the victim that their device is locked, or their files are encrypted. In some cases, after an initial infection, ransomware attempts to spread to connected devices and systems.
Non-encrypting ransomware locks the screen and restricts access to files. Encrypting ransomware restricts access to targeted and valuable files. Leakage or “extortionware” exfiltrates data. Mobile device ransomware infects cellphones through drive-by downloads or fake apps.
How Ransomware is Used:
Cyber actors hold systems or data hostage until a ransom is paid for a decryption key. Cyber actors also threaten to publish exfiltrated data or sell it on the dark web. Increasingly, cyber actors request virtual currency transfers as a ransom payment method.
Incident Response (IR) Planning
The U.S. Secret Service developed a Preparing for a Cyber Incident - Introductory Guide, which describes what actions organizations should take to cultivate an understanding of the technological and regulatory limitations, responsibilities, and resources available to them, and how to apply the acquired knowledge to their operations.
Paying Ransom Demand
Paying the ransom does not guarantee regaining access. In some cases, a decryption key was not provided in return to a paid ransom. In other cases, additional ransom was demanded.
Contacting Law Enforcement
Reach out to law enforcement before contacting the cyber actor. Include law enforcement in your response plan. Contact the local U.S. Secret Service Cyber Fraud Task Force.
Ransomware Prevention Tips
Update operating systems, software, and firmware on devices with the latest patches. Consider using a centralized patch management system.
Restrict user permissions for installing and running software applications. Apply the principle of least privilege to all systems and services.
Scan all incoming and outgoing emails to detect and filter threats, such as phishing and spoofing emails, and executable files (used to perform various functions or operations on devices). This will prevent them from reaching end users.
Configure your firewalls to block access to known malicious IP addresses.
Use application whitelisting to reduce the risk of execution of malware, and unlicensed and unauthorized software. An application whitelist is a list of applications and application components that are authorized to execute on a host.
Implement a training and awareness program for all employees.
Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations (temporary folders supporting popular Internet browsers, compression/ decompression programs).
Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
Virtualization and Separation
Execute operating system environments or specific programs in a virtualized environment (multiple simulated environments). Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
Have cold storage backups and test restoration of backup files regularly. This prevents the ransomware from infecting network-connected backup files.