If you were within an earshot of current events in the last few weeks, you didn’t escape the news coverage of the high stakes ransomware attack known as WannaCry. While it may have felt like a Y2K– “The Sky Is Falling” – sequel for a couple of days, in the U.S., we managed to avoid the brunt of the latest major exploit that affected much of the globe.
The ransomware exploitation, known as WannaCry, started in May and affected hundreds of thousands of users in government agencies and private businesses around the globe.
An unexpected kill switch was found over the first weekend and that limited the U.S. impact on business Monday. The U.S. avoided the wrath that affected the National Health System in the United Kingdom, as well as Germany’s rail system, Renault and Nissan factories, FedEx,Spanish telecom Telefonica.
Ransomware like WannaCry isn’t new. Rooted in a simple hacker tactic, ransomware has morphed into a remarkably effective exploit, motivated by profit potential. In the past, hackers might steal data to sell for pennies on the dollar. With ransomware, cyber criminals can command fees that are hundreds or thousands of dollars per instance, making it a much more appealing and rewarding pursuit.
Plenty has been written about WannaCry and I won’t rehash the many tech centric articles recounting this particular ransomware or its interesting US National Security Agency (NSA) origins in this article. The Atlantic wrote a solid story that does a great job chronicling this exploit.
The more relevant and less sexy story here is the reminder of the ongoing security susceptibilities that persist for organizations of all sizes, but particularly small organizations. Ransomware is a uniquely effective threat to small businesses and nonprofits, mostly because many of these organizations haven’t entirely shielded themselves from the morphing threats. This shortfall isn’t due to lack of desire but usually tied to the realities of economics, adequate knowledge or priority on the TO DO list.
To combat the sense of unease that intensifies during these high-profile security exploits, a non-technical understanding of what ransomware is, why it is a big deal and how to offset exposure to future attacks is most critical for small businesses, nonprofits and smaller organizations.
The creativity with how exploits continue to evolve (think Chipotle’s recent credit card breach) doesn’t mean we should give undue energy to the increased anxiety or fear. Acknowledging the potential for exploitation and taking some prudent steps for predictable recovery will go a long way to reducing elevated concern.
What is WannaCry
WannaCry is in a category of malware known as “ransomware,” a malicious software that generally infects a computer to prevent normal usage while encrypting the documents and files to prevent access to saved data. Ransomware can prevent you from accessing network shares and stop programs from running. Those who were infected with WannaCry found their computers locked, with hackers demanding a $300-$600 ransom – hence the name Ransomware — to unlock a device and its files. WannaCry is the noisiest example of the Ransomware problem to date.
Why does ransomware work so well?
Ransomware is the digital extortion. And like most budding exploits, money is the motive. Unlike hackers who silently steal data, the ransomware class of criminals prey upon basic human emotions. Because emotions can elicit immediate calls to action, this has proven to be very effective. Ransomware motivates a user to complete an action out of fear or embarrassment, which in the case of most ransomware exploits, starts the process of encrypting the data files or files shared on a network. A few examples of some of the easiest routes to exposure:
- A person gets a troubling message that they have somehow violated Internet protocol by visiting inappropriate or illegal sites and must pay a fine by clicking a link or downloading a file.
- An employee receives an email from a trusted friend or work colleague. They are told to download the attached file or click on a link.
- A person receives an email masquerading as a purchase, credit card statement or well-recognized online store invoice with excessive amounts listed as due. Links or attachments files are included that bait the user into trying to learn more.
After following the initial instructions, the user may receive an ominous message that they violated internet protocol by visiting inappropriate or illegal sites and are prompted to act by paying up. If they don’t pay up, they will lose their files due to the encryption step. Sometimes, users are threatened with having the files published on the internet. It sounds real. It looks real. And contacting the IT department before opening an email is unlikely, so employees are often easily tricked into this scenario.
With so many threats, as a small organization, how do I keep up?
Budget and resource limits are ever present for smaller organizations. Those limitations may have you perpetually questioning how you can possibly avoid the exploits and affect your security and technology backbone favorably if those with many more resources and larger budgets – larger organizations – have so much trouble. The clichéd “less is more” favors the small organization. As a smaller organization or business, you have an advantage in nimbleness that larger organizations are challenged to match where security and redundancy are concerned. Where larger companies have a much larger footprint to maintain in equipment, data, software, end users, training etc., smaller organizations are arguably more nimble and easier to manage. Less to manage is a huge advantage.
Having a smaller footprint allows you to have control of your security and technology setups in a way that can be monitored and maintained efficiently – so you can sleep at night knowing you can recover in short order.
Regardless of whether you work with an IT advisor/consultant, or whether you handle in-house, plan around the usual catastrophes (fire, theft, disaster) and give equal weight to suffering an exploit like ransomware. What does that look like at every level for your organization or staff to maintain continuity?
Starting from there, focus on a backstop that includes best practices minimums to protect and recover your business to normal operations. Broadly speaking, these practices include creating and maintaining regular backups, training employees to avoid being baited into infection, patching applications and operating systems, and limiting administrator privileges.
Below is a simplified checklist to protect and remediate after a Ransomware exploit:
- Whatever your level of IT complexity, approach IT as if you will encounter an exploit or hack. Have a clear, tested plan in place to remediate systems, recover data and resume normal business operations in a timeframe commensurate with your particular needs.
- Back up your files and computing environments regularly. The only way to ensure that you can immediately handle a ransomware or other exploit is to mandate a backup process and schedule so your company can get access to the files and data it needs without dealing with the cybercriminals. The Cloud gives increasingly flexibility to automate backups – recovering in short order and should be part of any IT roadmap.
- Test and verify your backups on schedule appropriate for your business (monthly, quarterly). There are times when something can damage your files. Be sure to check regularly that your backups are in good shape by testing recovery timeline and reliability.
- Automate your operating systems and applications patch routine. Cybercriminals tend to exploit vulnerabilities in software to compromise systems.
- Protect against phishing attacks. Cybercriminals often distribute fake email messages that look like an official message from a vendor or bank, luring a user to click on a download or malicious link and download malware. Train staff to avoid attachments from an unknown sender or even suspicious attachments from a friend in case they have been hacked.
- Walk lightly with web links (hyperlinks) by verifying the source. Malicious links can be sent by your friends or your colleagues whose accounts have been hacked. Let employees know that if they receive something out of the ordinary from a friend, they should call that person directly to verify that they sent it and find out if their accounts have been compromised.
- If you still use older — legacy antivirus/anti-malware programs, check with your IT solutions provider and consider a managed security model that includes end-point protection, or newer behavior-based approaches to protect your system from ransomware.
- If ransomware or a suspected exploit hits… Cut off your internet connection immediately. If you discover Ransomware, shut off your internet connection immediately.
- If your files become encrypted, don’t pay the ransom. By paying criminals, you’re giving them an incentive and the means to develop better ransomware. This is where your approach to Best Practices and a solid backup rountine comes into play.
The bottomline: by accepting the potential for exploit, planning, implementing and testing for a predictable recovery, smaller firms can be surprisingly nimble in combatting the possibly of compromise, remaining assured of any recovery if needed.
There is an abundance of tools and services to accomplish these tasks and they aren’t hard or expensive to implement. A simple, high confidence plan is the surest way to remove future anxiety and the perpetual dread associated with the certainty of additional highly visible exploits to come.