Ransomware is all over the news at the moment following the global WannaCry attack, which affected over 60 NHS organisations. Attacks like this may seem like a rarity – and on this scale, they are – but at Falanx Cyber Defence, we deal with cases of ransomware regularly. It’s something that affects small businesses every day, so make sure you know what it is and how to combat it.

What is ransomware?

Ransomware is a piece of malicious software which is designed to extort money from organisations or individuals. Malicious software in the ransomware category operates by encrypting files on corporate devices and file shares. The information required to decrypt these files is then offered in exchange for a monetary payment, normally via cryptographic currency, such as Bitcoin. It is not possible to recover these files without this decryption information and there is no guarantee that you will receive this information even if a ransom is paid.

How do you get infected?

Infection occurs through a corporate user opening the malicious software on their computer. This software is commonly delivered through targeted emails that either have the malicious file attached, or referenced in a clickable link, but it has been known to be delivered on removable media like USB thumb drives.

How do you prevent or mitigate infection?

The prime delivery method for ransomware is via email, so it is recommended that the following controls are implemented:

  • If you’re using Windows, ensure that the MS17-010 patch is installed on all systems. Microsoft has a helpful guide to the MS17-010 patch (see References).
  • If you’re a Mac user, ensure Apple’s own malware protection feature, XProtect, is enabled and up-to-date.
  • Maintain regular backups that are kept isolated from the network.
  • Turn on email attachment anti-virus scanning and anti-spam filtering.
  • Disable support for Microsoft Office document macros (embedded code) across the estate.
  • Ensure that all operating system and third party security patches are applied.
  • Make sure all users have awareness training against social engineering, which encompasses cyber attacks such as ransomware and phishing.

What do you do if you get infected?

All ransomware infections will prompt the system operator with a demand for payment and will rename files to indicate that they have been encrypted. If this occurs, or you suspect an infection, immediately:

  1. Disconnect the computer from the network, but keep it powered on.
  2. Contact a Cyber Defence incident response team, such as the expert team at Falanx.
  3. Ensure that staff are made aware that an incident has occurred.
  4. Do not make any payments for decryption information.
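The file renaming described above can also be spotted before a user reports a ransom note. The following is an added example, not code from Falanx: it assumes file-rename events are already exported from a file server as `time|host|old path|new path` lines (a hypothetical format), and the sample events, the `.locked` extension and the threshold values are constructed for illustration.

```python
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-rename events (time|host|old path|new path); not real logs.
SAMPLE_EVENTS = """\
2017-05-15T09:00:01|PC-07|/shares/finance/q1.xlsx|/shares/finance/q1.xlsx.locked
2017-05-15T09:00:02|PC-07|/shares/finance/q2.xlsx|/shares/finance/q2.xlsx.locked
2017-05-15T09:00:03|PC-07|/shares/hr/staff.docx|/shares/hr/staff.docx.locked
2017-05-15T09:00:05|PC-07|/shares/hr/rota.pdf|/shares/hr/rota.pdf.locked
2017-05-15T09:00:08|PC-07|/shares/it/hosts.txt|/shares/it/hosts.txt.locked
2017-05-15T09:00:09|PC-07|/shares/it/plan.pptx|/shares/it/plan.pptx.locked
2017-05-15T09:10:00|PC-12|/shares/hr/report.doc|/shares/hr/report.docx
2017-05-15T09:12:00|PC-12|/shares/hr/draft.docx|/shares/hr/final.docx
2017-05-15T10:00:00|PC-03|/shares/it/a.cfg|/shares/it/a.bak
2017-05-15T13:00:00|PC-03|/shares/it/b.cfg|/shares/it/b.bak
"""

def new_extension(old, new):
    """Return the extension a rename introduced, or None if the extension is unchanged."""
    old_ext = posixpath.splitext(old)[1].lower()
    new_ext = posixpath.splitext(new)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None

def find_rename_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (host, extension, count) where one host gave many files the same new extension quickly."""
    by_key = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        stamp, host, old, new = line.strip().split("|")
        ext = new_extension(old, new)
        if ext:
            by_key[(host, ext)].append(datetime.fromisoformat(stamp))
    alerts = []
    for (host, ext), times in by_key.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((host, ext, best))
    return sorted(alerts)

if __name__ == "__main__":
    for host, ext, count in find_rename_bursts(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {host}: {count} files renamed to *{ext} within one minute")
```

A host flagged this way is a candidate for step 1 above: disconnect it from the network, but keep it powered on.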

If you would like more in-depth technical advice about WannaCry, we have prepared a technical summary below.

Read our Technical Summary

Author:

Tim Wright is Head of Penetration Testing at Falanx Cyber Defence, who protect and defend businesses against global security threats.

References:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

http://searchsecurity.techtarget.com/definition/social-engineering