[BreachExchange] Why All Companies Should Have a Ransomware Recovery Plan
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jan 26 18:41:39 EST 2017
http://wwpi.com/2017/01/26/why-all-companies-should-have-a-ransomware-recovery-plan/
Cyber criminals are not only becoming more and more sophisticated but also
bolder. The most insidious computer crime today doesn’t involve viruses or
stealing credit card numbers. Instead, it comes in the form of ransomware –
rogue programs that hold an entire organization’s data hostage with
unbreakable encryption and demand a ransom for the decryption key.
These attacks are becoming increasingly common. In 2015, there were 2,453
reported ransomware incidents, in which victims paid about $24.1 million,
according to the FBI. Security researchers found that the number of users
who came across crypto ransomware in the last year increased by more than
500 percent from the previous year.
In the past few months alone, new and more powerful ransomware has
appeared, with criminals targeting sensitive entities like healthcare
facilities. For example, MedStar Health, a major healthcare provider in the
Washington, D.C., region, was forced to disable its network for several
days after a ransomware attack early this year, while Hollywood
Presbyterian Medical Center in Los Angeles, California, paid $17,000 in
response to an attack in February.
Ransomware is flourishing for two basic reasons.
First, it’s simple economics. Rather than dealing with the trouble and risk
involved in stealing credit card files and peddling them on the black
market, criminals using ransomware can simply sit back and wait for the
victims to pay. Of course, the criminals don’t always send the decryption
key in return – these are thieves, after all.
The second reason is that a ransomware attack is incredibly difficult to
prevent. It only takes a single click within an email or on a website for
an unsuspecting employee to activate the code that encrypts an entire
system and triggers a ransom demand. Even if an enterprise has the most
updated anti-virus software or access restrictions on sensitive files, it
remains vulnerable to ransomware via just one unsuspecting user.
While it’s difficult for an enterprise to feel completely confident in
preventing a ransomware attack, it can take steps to mitigate the effects
of this new and destructive type of malware – and recover normal operations
in minutes or hours – if the proper precautions and recovery plans are in
place.
The most important recovery element is real-time protection of data, which
means backup copies of all files and data are stored securely in the cloud
rather than on local desktops. To be most effective, this needs to be
accomplished automatically, with a copy being synced up to the cloud every
time a file is edited or saved. These backups let a business “roll back” to
the moments before a ransomware attack and recover all its files – even in
cases where the ransomware has affected large numbers of users within the
organization.
It’s also important that the software or service you use to create these
backups is capable of excluding the kinds of encrypted files known to be
associated with ransomware – so you don’t wind up restoring the very files
that created the problem in the first place.
Finally, businesses must establish a retention policy. Whether you choose
to retain deleted files forever or for a specified time period, a retention
policy will allow your original files to be retrieved after they are
deleted or encrypted by ransomware. This is a critical part of a recovery
plan as it can allow files to be restored quickly and won’t hold you back
with a time-consuming and expensive recovery process.
Cybercriminals are an unfortunate reality in today’s marketplace, and it’s
easy to fall victim if you’re unprepared. By being aware and maintaining
the right backup strategy, however, your company can minimize the damage
from these attacks and turn the tables on this latest generation of
attackers.
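
The rollback, exclusion and retention steps described above can be sketched as a restore planner. This is an added example, not code from the article or from any backup product; the version-history tuple format, the extension list and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed, illustrative extensions; real backup services maintain their own lists.
SUSPECT_EXTENSIONS = (".locky", ".encrypted", ".crypt")

def is_suspect(path):
    return path.lower().endswith(SUSPECT_EXTENSIONS)

def restore_plan(versions, attack_time, now, retention_days=None):
    """Return (plan, lost): plan maps path -> version id to restore.

    versions: (path, saved_at, version_id) tuples from the backup history.
    retention_days=None models "retain forever".
    """
    by_path = {}
    for path, saved_at, vid in versions:
        if not is_suspect(path):          # never restore ransomware artifacts
            by_path.setdefault(path, []).append((saved_at, vid))
    plan, lost = {}, []
    for path, history in by_path.items():
        history.sort()
        clean = [h for h in history if h[0] < attack_time]
        later = [h for h in history if h[0] >= attack_time]
        # A clean copy overwritten during the attack is now a superseded
        # version: it survives only while the retention window is still open.
        expired = bool(retention_days is not None and later
                       and now - later[0][0] > timedelta(days=retention_days))
        if clean and not expired:
            plan[path] = clean[-1][1]     # newest pre-attack version
        else:
            lost.append(path)
    return plan, sorted(lost)

# Constructed sample history; T is the estimated start of the attack.
T = datetime(2017, 1, 20, 9, 0)
SAMPLE = [
    ("docs/budget.xlsx", T - timedelta(days=3), "v1"),
    ("docs/budget.xlsx", T - timedelta(minutes=5), "v2"),
    ("docs/budget.xlsx", T + timedelta(minutes=2), "v3"),        # encrypted in place
    ("docs/budget.xlsx.locky", T + timedelta(minutes=2), "v4"),  # ransomware artifact
    ("hr/policy.doc", T - timedelta(days=90), "v5"),
    ("hr/policy.doc", T + timedelta(minutes=3), "v6"),           # encrypted in place
    ("notes/new.txt", T + timedelta(minutes=1), "v7"),           # no pre-attack copy
]

if __name__ == "__main__":
    print(restore_plan(SAMPLE, T, now=T + timedelta(hours=1), retention_days=30))
    print(restore_plan(SAMPLE, T, now=T + timedelta(days=45), retention_days=30))
```

The second call shows why the retention choice matters: with a 30-day window and a restore attempted 45 days after the attack, the clean versions have already aged out.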