By Bryce Austin, CISM
Seven people were seated around the table: the owner, the CEO, the vice president, the chief financial officer (CFO), the company’s chief information security officer (CISO), a special agent from the FBI, and a forensics technician.
“Don’t pay!” was the CEO’s vote. Same for the vice president.
“Pay it,” was the owner’s response. The CFO nodded in agreement.
“Paying could be a violation of federal law,” cautioned the FBI representative.
The CISO had a hard time getting words out, as this was the largest ransom he had dealt with at the time: $1.2 million was a lot of money. “I don’t see another option given the status of our backups. Either we pay the ransom, or we begin liquidating the assets of the company as soon as possible. Which is the lesser of two evils?”
The CISO went on to negotiate the ransom down to $410,000 and amass the requested bitcoin. The cybercriminals delivered a decryption key, but 30% of the company’s data was gone forever: some of their hard drives filled up during the ransomware encryption process, and the encryption software kept running after the drives couldn’t hold any more data. Every file encrypted after that point was irretrievable. The total recovery took three months to ensure that no backdoors were left in the company’s systems; the lawsuit to get the insurance company to cover the incident lasted almost two years.
This was certainly a nightmare scenario. Before you find yourself in such an unenviable position, understand that the best way to thwart ransomware attacks is before they happen. Stopping ransomware generally comes down to three key areas: the cybersecurity hygiene of your employees, proper practices by your IT department, and your data backup strategy. Here are eight ways to prevent a ransomware attack, and eight ways to recover from an attack if you fall victim to one.
- Add multifactor authentication (MFA) on all your email accounts and all external access to your network (VPN, TeamViewer, WebEx, etc.). This helps prevent a cybercriminal from taking over an email account via compromised username/password.
- If your company uses Windows Active Directory, do not log in to computers with Domain Admin accounts. There is an attack called “Pass the Hash” that steals the hashed credentials a login leaves behind on that machine. If you must log in with a Domain Admin account, change the password afterward.
- Patch your PCs, workstations, and servers every month. No exceptions. That includes conference room PCs, loaner PCs, HVAC computers, etc.
- Patch your networking gear, including firewalls, switches, phone system, etc.
- Install good antivirus software on all PCs, Macs, and servers. Everywhere.
- Geofilter your internet traffic and emails. If you don’t do business with a foreign country, block traffic and emails to and from those countries. It keeps out lazy cybercriminals. It won’t keep out the cybercriminals that VPN into your country before attacking you, but it is surprising how many cybercriminals don’t take the time to do that.
- If you are part of a company with many workstations, use the Microsoft Local Administrator Password Solution (LAPS) to randomize the local administrator password on all PCs. If you have the same initial local admin username/password for every workstation, then if one machine gets compromised, it’s easier for them to all get compromised.
- If your users have local admin credentials, rethink that. If a cybercriminal compromises a computer, they normally inherit the permissions of the user for that computer. If that user is a local administrator, the bad guys are going to use that access to do much wider damage.
If you should fall victim to ransomware, you will need the following:
(Note that most of these need to be done before an attack takes place.)
- Offline backups. These are backups that are kept off your network. Cybercriminals will try to delete your backups. If your backups are not on your network, the bad guys can’t destroy them.
- Test restore procedures. If you try to restore your backups only when you need them, you are rolling the dice every time you are in a real bind.
- Offline restore methodology. Don’t begin a restore with your network still attached to the internet. Ransomware cases often unfold where the cybercriminals still have hooks into a company’s network, and then they destroy the used-to-be-offline backups as soon as the restore process begins.
- Workstation reimages. You need a clean workstation image to restore workstations quickly if you suspect they have been compromised.
- Server rebuilds. You need a clean server image to recreate your servers quickly.
- Prenegotiated incident response team contract. Find a cyberincident response company and get a contract in place. That way you will know how to “call in the cavalry” quickly rather than going through contract negotiations in the middle of a crisis.
- 35% free drive space on all network drives. Ransomware often bloats the data on the drives it encrypts. As soon as a drive fills up, the encryption process will keep trying to move forward, and every file it encrypts after the drive is full will be unrecoverable.
- If you have cybersecurity liability insurance, call your insurance company ASAP! There are many stories of insurance policies with a clause stating that the customer must inform the insurance company of a suspected incident within 24 hours of the initial discovery. If you take a few days to confirm that the incident was real, it can be an expensive mistake.
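Two items on the list above, the test-restore procedure and the 35% free-space rule, can be turned into routine checks. The script below is an added example, not from the article or the author's company: it takes a SHA-256 manifest of a backup source, compares it with a scratch restore to report missing or corrupted files, and flags volumes below the free-space floor. The directory tree, the drive letters and the (total, used, free) figures are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

FREE_SPACE_FLOOR = 0.35  # the article's 35% free-space guideline

def low_space_volumes(paths, floor=FREE_SPACE_FLOOR, usage=shutil.disk_usage):
    """Return {path: free_fraction} for every volume below the floor.
    `usage` is injectable so the check can run on constructed data."""
    flagged = {}
    for p in paths:
        total, _used, free = usage(p)
        frac = free / total if total else 0.0  # unreadable volume fails
        if frac < floor:
            flagged[p] = round(frac, 3)
    return flagged

def manifest(root):
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {f.relative_to(root).as_posix(): hashlib.sha256(f.read_bytes()).hexdigest()
            for f in sorted(root.rglob("*")) if f.is_file()}

def verify_restore(expected, restored_root):
    """Compare a manifest taken at backup time with a scratch restore.
    Returns (missing, corrupted) paths; both empty means the test passed."""
    actual = manifest(restored_root)
    missing = sorted(p for p in expected if p not in actual)
    corrupted = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return missing, corrupted

def demo():
    """Constructed data: a tiny source tree, a restore with one file truncated
    and one never restored, and a fake volume table of (total, used, free)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src", "finance"), Path(tmp, "restore", "finance")
        src.mkdir(parents=True)
        dst.mkdir(parents=True)
        (src / "ledger.csv").write_text("acct,amount\n1,100\n")
        (src.parent / "notes.txt").write_text("quarter close checklist\n")
        expected = manifest(src.parent)
        (dst / "ledger.csv").write_text("acct,amount\n")  # truncated on restore
        missing, corrupted = verify_restore(expected, dst.parent)  # notes.txt absent
    fake = {"D:": (1000, 900, 100), "E:": (1000, 500, 500)}
    low = low_space_volumes(fake, usage=lambda p: fake[p])
    return missing, corrupted, low
```

In production, take the manifest when the offline backup is written and run `verify_restore` against a restore into an isolated scratch location, so a bad backup is found during a drill rather than during an incident.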
If all companies followed the recommendations above, ransomware cybercriminals would become a thing of the past. With proactive action and a good cybersecurity awareness training program for your employees, cybercrime is a solvable problem.
Bryce Austin, CISM, is CEO of TCE Strategy in Lakeville, Minn., a professional speaker on technology and cybersecurity issues, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. For more information, please visit www.BryceAustin.com.