Fourteen months after WannaCry was unleashed on the world, we continue to hear new stories of companies falling victim to its derivatives, and there seems to be no end to the scourge. One way or another, firms are realizing that installing antivirus software is no longer sufficient. Employees make or break the corporate security chain. The moment one of them is deceived into running arbitrary code without realizing it, all the money spent on security software goes down the drain.
Ransomware development is obviously a for-profit undertaking: exploit the victim, wait until the victim is desperate, and the common recourse is simply to pay the ransom. Rinse and repeat, and malware authors have built themselves a very profitable black-market industry based on digital extortion. Employees need to be retrained so that they are aware of the security implications of every click and keypress they make.
In this article we discuss some tips on how to reduce the chance of becoming the next ransomware victim:
1. Not updating software is unacceptable.
Microsoft patches are regularly scheduled for release on the second Tuesday of every month. Network and system administrators must not defer the burden to the future: install the updates as soon as they become available. Patch Tuesday brings not just bug fixes but actual hotfixes for known vulnerabilities in processor microcode, Windows, Microsoft Office and the Internet Explorer/Edge browsers. Cybercriminals are known to reverse-engineer the patches, diffing the patched binaries against the unpatched ones to find exactly which code was fixed. That reverse-engineering produces new exploits, and the attackers know very well that not everyone applies updates, so on many machines the vulnerability is still wide open for intrusion. WannaCry itself is the textbook case: the SMB flaw it exploited had been patched two months before the outbreak.
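A quick way to find the hosts that are lagging behind Patch Tuesday is to look at the install date of the most recent hotfix on each machine. The script below is an added example and not part of the original article; it assumes Windows PowerShell 5.1 or later and rights to query the target machines with Get-HotFix. The 35-day threshold is an assumption (one monthly cycle plus a short grace period).

```powershell
# Added example (not from the original article): flag Windows hosts whose most
# recent hotfix is older than one Patch Tuesday cycle.
# Assumes Windows PowerShell 5.1+ and permission to run Get-HotFix against each host.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxAgeDays = 35   # assumption: one monthly cycle plus a few days of grace
)

foreach ($computer in $ComputerName) {
    try {
        # Some QFE entries carry no InstalledOn date; ignore those and sort newest first.
        $hotfixes = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object InstalledOn -Descending)
    } catch {
        Write-Warning "$computer : could not query hotfixes ($($_.Exception.Message))"
        continue
    }

    if ($hotfixes.Count -eq 0) {
        Write-Warning "$computer : no hotfix install dates recorded"
        continue
    }

    $latest = $hotfixes[0]
    $age    = (Get-Date) - $latest.InstalledOn
    $status = if ($age.TotalDays -gt $MaxAgeDays) { 'STALE' } else { 'OK' }

    # One row per host; pipe the script into Export-Csv or Where-Object Status -eq 'STALE'
    [pscustomobject]@{
        Computer    = $computer
        LatestKB    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn.ToString('yyyy-MM-dd')
        AgeDays     = [int]$age.TotalDays
        Status      = $status
    }
}
```

Get-HotFix reads the Win32_QuickFixEngineering records, so it sees Windows updates (a cumulative update shows up as a single KB) but not Office, third-party software or firmware-delivered microcode. Treat it as a triage tool for spotting forgotten machines; the authoritative compliance picture should come from WSUS, SCCM/Intune or whatever update service manages the fleet.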
2. End-users should be running non-administrator accounts.
Viruses, trojans, worms and other unwanted software run with the privileges of the user who launched them. Because they inherit the user's rights, an administrator account is not safe for everyday use. Use a system administrator account only to perform system-maintenance tasks and a regular user account for everything else. That way, malware that does get executed remains a non-administrator and the harm it can inflict is limited to what that user can touch.
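The two things worth checking on a workstation are whether the session somebody is reading mail in is elevated, and who is actually in the local Administrators group. The following script is an added example, not code from the original article; it assumes Windows 10 / Server 2016 or later (for the LocalAccounts cmdlets), and the expected-administrator names in it are placeholders for illustration.

```powershell
# Added example (not from the original article): report whether the current
# session is elevated and which accounts sit in the local Administrators group.
# Assumes Windows 10 / Server 2016+ where Get-LocalGroupMember is available.

function Test-IsElevated {
    # True when the current token carries the built-in Administrators role.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminReport {
    param(
        # Accounts that are expected to be local administrators; anything else is flagged.
        # These names are assumptions for illustration; substitute your own break-glass
        # account and admin groups.
        [string[]]$Expected = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
    )
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass      # User or Group
            Source      = $_.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
            Unexpected  = ($Expected -notcontains $_.Name)
        }
    }
}

if (Test-IsElevated) {
    Write-Warning 'This session is elevated. Use it for maintenance only, not for mail or browsing.'
} else {
    Write-Host 'This session runs as a standard user.'
}

# Any row with Unexpected = True is a day-to-day account that should be demoted.
Get-LocalAdminReport | Format-Table -AutoSize
```

Domain groups appear by name only; their membership is not expanded here, so a "Domain Users" entry in that group would show up as one unexpected row rather than as every user in the domain. Running this across all workstations and collecting the Unexpected rows is a cheap way to find the machines where the advice above is being ignored.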
3. Confirm that the backup can be used for restoration.
In the age of cloud backup, ranging from free to cheap, it is not acceptable to have no backup strategy. Backups also need to be verified as restorable, so perform regular restore tests to certify that the backup is usable. A non-restorable backup is equal to no backup. The easiest way to recover from ransomware encrypting vital files is to restore the encrypted files from the latest verified backup.
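A restore test needs something to compare against, otherwise "the files came back" proves very little. One approach is to record a hash manifest of the data when the backup is taken and check a trial restore against it. The script below is an added example, not code from the original article; the paths in it are assumptions for illustration, and it assumes Windows PowerShell 4 or later (for Get-FileHash).

```powershell
# Added example (not from the original article): write a SHA-256 manifest when a
# backup is taken, then verify a trial restore against it. A restore that does not
# match the manifest is treated as "no backup". All paths are assumptions.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string]$SourceRoot,
        [Parameter(Mandatory)] [string]$ManifestPath
    )
    # Normalise the root so relative paths are computed from the real location.
    $root = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            # Relative paths let the manifest apply to any restore location.
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-RestoredBackup {
    param(
        [Parameter(Mandatory)] [string]$RestoreRoot,
        [Parameter(Mandatory)] [string]$ManifestPath
    )
    $failures = @()
    foreach ($entry in Import-Csv -LiteralPath $ManifestPath) {
        $path = Join-Path $RestoreRoot $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $failures += "MISSING  $($entry.RelativePath)"
            continue
        }
        # A file that restored but whose content differs (truncated, or encrypted in
        # place before the backup job ran) fails just like a missing one.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -ne $entry.SHA256) {
            $failures += "MODIFIED $($entry.RelativePath)"
        }
    }
    [pscustomobject]@{
        Verified = ($failures.Count -eq 0)
        Checked  = @(Import-Csv -LiteralPath $ManifestPath).Count
        Failures = $failures
    }
}

# Usage (paths are assumptions):
# New-BackupManifest -SourceRoot 'D:\Finance' -ManifestPath 'E:\Manifests\Finance-2018-08-01.csv'
# ... later, after restoring that backup set to a scratch location ...
# $result = Test-RestoredBackup -RestoreRoot 'T:\RestoreTest\Finance' -ManifestPath 'E:\Manifests\Finance-2018-08-01.csv'
# if (-not $result.Verified) { $result.Failures }
```

Two caveats a practitioner would add. First, keep the manifest somewhere the ransomware cannot reach (not on the share it describes, and not on a drive letter the backup job leaves mapped), or it will be encrypted along with everything else. Second, a matching manifest only proves the restore equals what was backed up; if files were already encrypted when that backup ran, both sides will match and the data is still lost. That is why several generations of backups must be retained, not only the latest.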
4. Don’t cut corners, spend on employee training.
Companies should stop treating "employee retraining" as a cost; it isn't one. A retraining program is an investment that helps employees become more familiar with the tools they use in their day-to-day jobs. Employees are the front line of the company's cybersecurity, and they cannot be treated as replaceable parts. An employee feels empowered when the employer trusts their judgment and gives them room to innovate while maintaining flexibility. The moment a company stops taking care of its employees, they in turn stop caring about how they use their computers, and the risk of malware infection goes up.
In the unfortunate event that malware penetrates the network and infects one or more computers, it is prudent to be informed of what to do next. Here are our tips:
- Pull the power from the machine. During a normal shutdown the virus gets one more chance to write to the hard drive. Never keep using the infected machine; the sooner it is off, the less chance the infection has to spread further through the file system. Be aware of the trade-off: cutting power discards whatever was in memory, so if an investigation will need the running state, capture it first. Data recovery can then be done by booting the computer from a known-clean boot USB or DVD and using the file manager of that live system to inspect the files on the hard drive. This ensures that only user data is copied off, while the malware is not running, since it only becomes active when the infected hard disk is booted.
- If the infected machine is a server rather than a desktop or laptop, do not cut the power, as the risk of data corruption is much bigger. The mitigating action is to disconnect it from the network, so that it stops being an active node that can spread the infection further.
- Re-image the machine and restore the data from the latest backup. A new hard drive can even be installed in place of the original drive of the infected computer. That way the PC is assured to be clean, and the original drive can later be examined with antivirus tools as a portable USB disk.
- In the event that no usable backup exists, the company must audit the data affected by the infection and invest in hiring a professional to recreate the lost data from scratch. The company may then decide to pursue the perpetrator of the infection.
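For the server case above, isolating the machine from the network without powering it off is a few cmdlets, but it is worth capturing what the server was doing first, because that information disappears the moment the adapters go down. The script below is an added example and not code from the original article; it assumes it is run elevated at the server console (any remote session will be cut off by the last step) on Windows Server 2012 R2 or later, and the evidence path is an assumption.

```powershell
# Added example (not from the original article): snapshot volatile state, then
# isolate a suspected infected Windows server from the network without powering
# it off. Run elevated at the console: remote sessions will not survive step 3.
# The evidence path is an assumption; use a local volume that does not hold user data.

param(
    [string]$EvidenceRoot = 'D:\IR'
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir   = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Record what is running and who it is talking to, before cutting the wire.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName |
    Export-Csv (Join-Path $dir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv (Join-Path $dir 'connections.csv') -NoTypeInformation
# SMB sessions matter here: worm-style ransomware spreads over file shares.
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle |
    Export-Csv (Join-Path $dir 'smb-sessions.csv') -NoTypeInformation

# 2. Note which adapters are up, so they can be re-enabled deliberately later.
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$adapters | Select-Object Name, InterfaceDescription, MacAddress, Status |
    Export-Csv (Join-Path $dir 'adapters-before.csv') -NoTypeInformation

# 3. Hash the snapshot so later tampering can be detected.
Get-ChildItem -LiteralPath $dir -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $dir 'hashes.csv') -NoTypeInformation

# 4. Disable every connected adapter. Disabling rather than unplugging keeps the
#    server powered and its disks consistent, which is the point made above.
$adapters | Disable-NetAdapter -Confirm:$false

Write-Host "Host isolated. Evidence written to $dir"
```

Once the server is off the network, the next move is the one the article describes: image or pull the original disk so it can be examined separately, re-image onto clean storage, and restore from the latest verified backup. Re-enabling the adapters (Enable-NetAdapter with the names from adapters-before.csv) should happen only after the rebuilt system has been patched.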