This guest blog was contributed by Mike Loukides, VP of Emerging Tech Content at O’Reilly Media.
Historically, ransomware has been a relatively easy way to make money: set up operations in a country that’s not likely to investigate cybercrime, attack targets that are more likely to pay a ransom, keep the ransom small so it’s easier to pay than to restore from backup, and accept payment via some medium that’s perceived as anonymous. Like most things on the internet, ransomware’s advantage is scale: The WannaCry attack infected around 230,000 systems. If even a small percentage paid the $300 ransom, that’s a lot of money.
Most recently, we’ve seen attacks against large enterprises, hospitals, governments, and critical infrastructure. This move toward bigger targets with more valuable data has been accompanied by larger ransoms. The attack on Colonial Pipeline in June saw a multimillion-dollar payout.
With ransomware becoming more pervasive, more costly, and increasingly more damaging, what can organizations do to safeguard against these attacks? O’Reilly Media recently conducted a survey to answer this very question.
The survey found that only 6% of the respondents worked for organizations that were victims of ransomware attacks. While this is likely because those organizations generally have strong security practices – or they’re too ashamed to admit they have been hacked – the survey also found that there are still many organizations that don’t practice basic security hygiene.
Here are some of the most basic – but most effective – strategies to defend against ransomware.
Require Two-Factor Authentication (2FA): Many organizations have two-factor authentication capabilities, but never require their staff to use it. According to the survey, 76% of the respondents said that their company used 2FA, while 14% said they weren’t sure. Because many people continue to rely on weak and simple passwords that require virtually no time to crack, passwords are simply not enough to keep attackers at bay. With 2FA, biometric authentication or a text message sent to a cell phone are required in addition to a password. This provides an extra layer of security to ensure that the person trying to gain access to an online account is who they say they are. Organizations should not just recommend 2FA; they must require it.
Test Backups: The easiest solution to ransomware is to reformat the disks and restore from backup. However, few companies have good backups or the ability to restore from a backup. While 70% of organizations regularly perform backups, only 48% said they practice restoring operations from backups. In fact, one security expert guesses that it’s as low as 10%. For organizations who follow the FBI’s guidance and refuse to pay a ransom, backups are absolutely essential to recover from an attack.
Expect the Unexpected: While systems are down, organizations must have a solid plan in place that will allow them to continue conducting business while systems are being restored. Chaos engineering, an approach developed at Netflix, is a good way to prepare for this. The idea behind chaos engineering is to experiment on a software system in production in order to build confidence in the system's capability to withstand unexpected conditions. Make a practice of breaking your storage capability, then restoring it from backup. Do this monthly and, if possible, schedule it with the product and project management teams.
Keep Operating Systems Up-to-Date: Unpatched software is as common as weak passwords in the enterprise, and too many organizations have become victims because of a vulnerability that was patched in a software update that they didn’t install. While many organizations seem to be aware of this need, 79% of respondents said that their company had processes for updating critical software, including browsers – it’s a good reminder to apply updates regularly.
Find (and Fix) Vulnerabilities: An alarming fact about ransomware victims is that many face revictimization because they never fully fixed the vulnerability that enabled the attack. Even after paying the ransom, the vulnerability remains, and a few months after the first attack they’re sometimes hit again via the same vulnerability, and often by the same attacker. Regardless of whether an organization pays the ransom, it must find the exploited vulnerability and close it.
Educate Employees: The most common method of introducing ransomware is through a link in an email, text message, or social media post. Ensuring that staff are versed in the most recent security best-practices and training each employee to recognize potential dangers will go a long way in combating ransomware. Additionally, everyone should be aware that the IT department staff will never ask for your password under any condition. This is how phishing commonly works.
Ransomware attacks are on the rise and continue to be a disruptive force to organizations across every industry. Since the start of the pandemic, ransomware attacks have surged 148%. Given the success of ransomware, it’s safe to say that this attack method won’t disappear anytime soon. While many organizations do have good security practices in place, there’s always room for improvement, as the O’Reilly survey shows. If your organization falls victim to a ransomware attack, figure out how the ransomware got in and plug those holes, keep your software updated, use two-factor authentication, practice restoring from backups regularly, and train your team to recognize dangers before they become wide-spread issues.
About Mike Loukides:
Mike Loukides is Vice President of Emerging Tech Content at O'Reilly Media. He's particularly interested in programming languages, Unix and what passes for Unix these days, and system and network administration. Mike is the author of System Performance Tuning and a coauthor of Unix Power Tools. Most recently, he's been writing about data and artificial intelligence, ethics and the future of programming. He's also a pianist, a ham radio operator and a lover of birds.