Ransomware has been in the news regularly recently due to the ‘WannaCry’ attacks and, more recently, the Petya attacks that began on 28 June 2017.
The Petya malware was delivered as an infected Microsoft Word file sent as an email attachment, disguised as a job offer, an invoice, or relevant documentation. As per our usual advice, if an email seems suspect or too good to be true, delete it.
Data loss can be embarrassing and expensive due to business interruptions, time spent rectifying the problem and the associated revenue loss.
It can also negatively affect the business's reputation, resulting in a loss of customers. It is important to keep in mind the new Privacy Amendment (Notifiable Data Breaches) Act 2017, which makes it mandatory for organisations to report data breaches.
Patches are the main preventative measure against ransomware attacks, so make sure that all your software is up to date and, if possible, that it is set up to check for and install updates automatically on a regular basis.
Where patches or other controls fail, backups remain the other main protection against ransomware and the main way of ensuring that data is preserved.
To help minimise the risk of ransomware, organisations should have a recent Business Impact Analysis (BIA). A BIA identifies the systems and processes that are critical to the operation of the business and that need to be managed and restored quickly in the event of an outage.
It is important to set the organisation's Recovery Point Objective (RPO). In simple terms, the RPO is how often you choose to back up: for example, every hour, day or week. This will depend on how often and how much the data in the system changes over time, and it directly affects the Work Recovery Time (see below).
Organisations should also determine their Maximum Tolerated Downtime (MTD). The MTD is the sum of the Recovery Time Objective (RTO) and the Work Recovery Time (WRT). The RTO is how quickly the business can restore critical systems, and the WRT is the time spent re-keying the data lost while the system was down.
In summary, to prevent ransomware and avoid data loss, we at Agilient also recommend:
- Having a clearly defined BIA to ensure the business is aware of its critical processes and how long they can be off-line before damage or catastrophic damage to the business is incurred.
- Mitigate known vulnerabilities by installing patches promptly when they are released. In particular, patch operating systems and applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers. In terms of the recent attacks, the Microsoft security update MS17-010 should be installed.
- Disable untrusted Microsoft Office (and other) macros.
- Restrict administrative privileges to operating systems and applications based on users' duties.
- Have a properly configured firewall. Consider application whitelisting or blacklisting: a whitelist only allows selected software applications to run on computers, while a blacklist prevents selected software applications from running. Also, install antivirus software on each PC.
- Educate staff about the social engineering exploits used by hackers and what to do if they encounter suspicious correspondence, whether online or through other means. Agilient have recently seen a lot of social engineering exploits being undertaken by phone, so be aware of suspect callers. Interestingly, social engineering remains one of the biggest weaknesses in an organisation's cyber security system. Agilient provides industry leading training in this area.
- Perform regular backups of data as backups are the main protection against ransomware and other threats such as hardware failure.
- Ensure that backups are kept in more than one location, e.g. onsite, offsite and cloud backups.
- Perform regular testing on backups to ensure all data is restorable and to calculate an expected RTO.
- Keep and store archived backups in case the most recent backup is compromised. Keep in mind that if you backed up yesterday or last week and ransomware was already embedded in the data at that point, that backup will also be compromised.
For further information on IT backups and recovery see: ISO/IEC 27031:2011 – Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.
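The BIA figures described above (RPO, RTO, WRT and MTD = RTO + WRT) and the last point about keeping archived copies older than the infection can be turned into a small planning check. The following is an added example written for this article, not Agilient's own tooling; the system names, hours and backup dates are constructed sample values.

```python
from datetime import datetime
from dataclasses import dataclass

@dataclass
class CriticalSystem:
    """One BIA entry. All figures are constructed sample values."""
    name: str
    tolerated_downtime_h: float  # maximum outage the BIA says the business can absorb
    rpo_h: float                 # backup interval (RPO)
    rto_h: float                 # restore time measured in a backup test (RTO)
    rekey_ratio: float           # hours of re-keying needed per hour of lost data

def work_recovery_time_h(s: CriticalSystem) -> float:
    # Worst case: the outage strikes just before the next backup, so a whole
    # RPO window of data is lost and must be re-keyed (WRT).
    return s.rpo_h * s.rekey_ratio

def expected_mtd_h(s: CriticalSystem) -> float:
    # MTD = RTO + WRT, as defined in the article.
    return s.rto_h + work_recovery_time_h(s)

def meets_bia(s: CriticalSystem) -> bool:
    return expected_mtd_h(s) <= s.tolerated_downtime_h

def required_rpo_h(s: CriticalSystem) -> float:
    # Solve MTD = RTO + RPO * rekey_ratio for RPO: the longest backup interval
    # that still keeps the expected MTD inside the BIA's tolerance.
    return (s.tolerated_downtime_h - s.rto_h) / s.rekey_ratio

def newest_clean_backup(backups, suspected_infection):
    # The newest archived copy taken before the suspected infection is the
    # restore point; later copies may carry the ransomware with them.
    clean = [b for b in backups if b < suspected_infection]
    return max(clean) if clean else None

# Constructed sample BIA: a daily-backed-up order system needing 30 min of
# re-keying per hour of lost trade, and a payroll system backed up hourly.
ORDERS = CriticalSystem("orders", tolerated_downtime_h=8, rpo_h=24, rto_h=2, rekey_ratio=0.5)
PAYROLL = CriticalSystem("payroll", tolerated_downtime_h=24, rpo_h=1, rto_h=4, rekey_ratio=0.25)
# Constructed archive of nightly 02:00 copies (25-29 June) and a suspected infection time.
ARCHIVE = [datetime(2017, 6, 25 + i, 2, 0) for i in range(5)]
INFECTED_AT = datetime(2017, 6, 27, 9, 30)

if __name__ == "__main__":
    for s in (ORDERS, PAYROLL):
        print(f"{s.name}: expected MTD {expected_mtd_h(s):.1f} h, "
              f"BIA allows {s.tolerated_downtime_h} h, ok={meets_bia(s)}, "
              f"required RPO <= {required_rpo_h(s):.1f} h")
    print("restore from:", newest_clean_backup(ARCHIVE, INFECTED_AT))
```

For the constructed order system the daily backup gives an expected MTD of 14 h against a tolerance of 8 h, and the check shows backups would need to run at least every 12 h to meet the BIA.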
If you are infected by this ransomware:
- Immediately turn off the computer. This will prevent the ransomware from attempting to spread across the network.
- Do not attempt to contact the threat actors behind the email, either by replying to the email or by any other means. Do not open any attachments or click on any hyperlink.
For further information on the impact of ransomware and the services we provide to help mitigate all types of malware, do not hesitate to contact Agilient.
The Agilient Team