
Security Think Tank: User education is first line of defence against ransomware

What is the best strategy for business to protect against ransomware?

Ransomware has yet again reared its ugly head and, despite various security websites issuing warning notices, people are still falling foul of it.

Ransomware is, in essence, a method of extorting money from an unsuspecting individual or organisation, most frequently by denying them access to their files through encryption of their data or hard drive.

One common ransomware attack vector is phishing or spam email: the unsuspecting recipient opens an attachment or follows what they take to be a bona fide web link. Either action starts a malware download, and the malware then encrypts the user's files or hard drive. Once encryption is complete, the user is told to pay to get access back.

Payment is usually demanded in Bitcoin to unlock the organisation's files or hard drive. Victims have widely reported that, despite paying this "ransom", they still could not access their encrypted files or hard drive. So it is clear that prevention is better than cure when dealing with ransomware.

Depending on the type and version of ransomware involved, the user's files or hard drive may not actually have been encrypted at all: a small piece of software has instead been installed that merely gives the impression that encryption has taken place.

This relies heavily on the emotional response of the victim and the fear that they could be compromised; such a fear is enough to prompt a response and, potentially, payment.

It is impossible to tell from the 'splash screen' alone whether the payload is genuine ransomware; only an attempt to open or recover the user's files will clarify this.
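As an added illustration (not part of the original article), the following Python script performs that "attempt to use the files" in bulk rather than by hand: it checks whether each sample file still begins with the header its type requires and measures the entropy of its first few kilobytes. A genuinely encrypted PDF no longer starts with %PDF and its bytes look random; a scareware victim's files pass the header check untouched. The magic-number table, the entropy threshold and the two sample files are this example's own assumptions.

```python
import math
import os
import tempfile
from collections import Counter

# Leading bytes ("magic numbers") that intact files of these types start with.
# A small illustrative table for this example; extend it for your own file mix.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_file(path: str, sample_size: int = 4096) -> dict:
    """Decide whether a file still looks like the type its extension claims.

    The header check is the decider: an intact PDF begins with %PDF whatever
    the ransom screen says.  Entropy is supporting evidence only, because
    compressed formats (docx, zip, png, jpg) are high-entropy even when intact.
    """
    base, ext = os.path.splitext(path.lower())
    if ext not in MAGIC:
        # Assumption: some families append their own extension (x.pdf.locked);
        # look at the extension underneath before giving up on the type.
        ext = os.path.splitext(base)[1]
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    expected = MAGIC.get(ext)
    header_ok = expected is not None and head.startswith(expected)
    entropy = shannon_entropy(head)
    if header_ok:
        verdict = "intact"
    elif expected is None:
        verdict = "unknown type"
    elif entropy > 7.5:
        verdict = "likely encrypted"
    else:
        verdict = "header mismatch"
    return {"header_ok": header_ok, "entropy": round(entropy, 2), "verdict": verdict}


def build_samples(directory: str) -> None:
    """Write two constructed sample files: an intact PDF-like file and one
    whose contents have been overwritten with random bytes, which is what a
    genuinely encrypting payload leaves behind."""
    with open(os.path.join(directory, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100)
    with open(os.path.join(directory, "invoice.pdf"), "wb") as fh:
        fh.write(os.urandom(8192))


def triage_directory(directory: str) -> dict:
    """Triage every file directly under directory; returns name -> result."""
    return {name: triage_file(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def run_demo() -> dict:
    """Build the samples in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result['verdict']} (entropy {result['entropy']} bits/byte)")
```

Run it against a read-only copy of a sample of the user's documents, never by opening them in their native applications on the suspect machine. Intact headers across the board mean the screen is a bluff; mismatched headers with near-8-bit entropy mean the encryption is real, which is the point at which the backup and recovery options below matter, not payment.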

Numerous strategies

There are numerous strategies for safeguarding against ransomware. The first, and by far the most effective, is user awareness and education, because ransomware does not normally install itself. For the malware to be downloaded, it generally needs some form of user interaction: opening a phishing email attachment, or following a link to a fraudulent website that serves up 'drive-by' malware. In the drive-by case, visiting the page is enough, because the download exploits an unpatched browser or plug-in, which is why patching (below) matters as much as awareness.

Ensure that all your staff, including management, can recognise phishing and spam, and so do not open suspicious emails or follow links to other websites unless they can be sure the links are bona fide. All users should also be cautious, even suspicious, of attachments, pictures or graphics received unexpectedly from known persons, because the sender's email account may have been compromised.

If in doubt, do not open an email without first confirming its origin by contacting the sender through a separate channel (a phone call, not a reply to the suspicious message). It is also recommended to switch off the email preview pane in the mail program, because rendering a message in the preview pane can be enough to trigger the malicious download.

Spear phishing may also be used for a targeted ransomware attack on a specific user; a message tailored to its recipient is much harder to spot.

Scan all attachments

Secondly, ensure that email security and antivirus software is up to date and configured to scan all email traffic, so that spam and messages carrying known threats are identified. It should also scan all attachments and embedded pictures, whether they arrive by email or as instant-messaging attachments.
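As an added example, not from the article or its author, here is a small Python mail-filter check that applies the advice of the preceding paragraphs to a message before it reaches a user: it flags attachment names that are executables, scripts, macro-enabled Office documents, archives or double extensions, and a Reply-To or display name that does not match the actual sender. The extension lists, domain names and the sample message are constructed for this example; content scanning of the attachments themselves is left to the antivirus engine.

```python
import email
import email.policy
import os
from email.message import EmailMessage

# Extension policy for this example (an assumption, not a list from the article).
BLOCKED = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf",
           ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".jar"}
MACRO_ENABLED = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
ARCHIVES = {".zip", ".rar", ".7z", ".iso", ".img"}
DOCUMENT_LOOKALIKES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def assess_attachment(filename: str) -> list:
    """Return the reasons, if any, to quarantine an attachment with this name."""
    findings = []
    base, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(base)[1]
    if ext in BLOCKED:
        findings.append(f"{filename}: executable or script attachment ({ext})")
    if ext in MACRO_ENABLED:
        findings.append(f"{filename}: macro-enabled Office document")
    if ext in ARCHIVES:
        findings.append(f"{filename}: archive; scan the contents, not just the wrapper")
    if ext in BLOCKED and inner_ext in DOCUMENT_LOOKALIKES:
        findings.append(f"{filename}: double extension disguising {ext} as {inner_ext}")
    return findings


def first_address(msg, header: str):
    """(display_name, addr_spec) of the first mailbox in header, or ('', '')."""
    value = msg.get(header)
    if value is None or not value.addresses:
        return "", ""
    mailbox = value.addresses[0]
    return mailbox.display_name, mailbox.addr_spec


def assess_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and collect phishing indicators from its
    headers and attachment names."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    from_name, from_addr = first_address(msg, "From")
    _, reply_addr = first_address(msg, "Reply-To")
    from_domain = from_addr.rpartition("@")[2].lower()
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_addr} is not in the From domain {from_domain}")
    if "@" in from_name and from_name.lower() != from_addr.lower():
        findings.append(f"display name {from_name!r} looks like an address but sender is {from_addr}")
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            findings.extend(assess_attachment(name))
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message for the demo, not a real capture."""
    msg = EmailMessage()
    msg["From"] = '"accounts@bank.example" <notify@mailer.example>'
    msg["Reply-To"] = "collect@attacker.example"
    msg["To"] = "finance@company.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoice and remit payment today.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Invoice_2016.pdf.exe")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="terms.docm")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in assess_message(build_sample()):
        print("QUARANTINE:", finding)
```

The sample message produces five findings (the Reply-To mismatch, the address-shaped display name, the executable and its double extension, and the macro-enabled document) while the genuine PDF passes; a filter like this sits in front of, not instead of, signature scanning, and the name-based rules are exactly the ones a mail gateway should apply to archive contents after extraction as well.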

Thirdly, all hardware and software should be correctly patched and kept at the latest supported version, so that known weaknesses and vulnerabilities have been addressed by the relevant supplier.

Finally, a good backup regime is essential in this ever-changing virtual and internet-based environment. Remember, it is not sufficient simply to take backups: they must be tested by restoring them, to confirm they actually work, and at least one copy should be kept offline or otherwise out of reach of an infected machine, because ransomware will encrypt any backup it can write to.
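As an added example, not from the article, the following Python shows what "testing a backup" means in practice: record a SHA-256 manifest of every file at backup time, perform a test restore into a scratch location, and compare every restored file against the manifest, reporting anything missing or corrupt. The directory layout and the sample data are constructed for this example.

```python
import hashlib
import os
import shutil
import tempfile


def file_sha256(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 of every file under root, captured at backup time.
    Store the manifest with the backup, not only on the live system."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest


def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a test restore against the manifest; returns what is missing or corrupt."""
    problems = {"missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.exists(path):
            problems["missing"].append(rel)
        elif file_sha256(path) != expected:
            problems["corrupt"].append(rel)
    return problems


def run_demo() -> dict:
    """Back up a constructed data set, verify a clean restore, then damage the
    restore and verify again so the failure modes are visible."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "finance"))
        # Constructed sample data standing in for real user documents.
        samples = {
            "finance/ledger.csv": b"date,amount\n2016-02-01,100\n",
            "notes.txt": b"minutes of the February meeting\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(live, rel), "wb") as fh:
                fh.write(body)
        manifest = build_manifest(live)

        backup = os.path.join(tmp, "backup")
        shutil.copytree(live, backup)           # the "backup" job
        clean = verify_restore(manifest, backup)

        # Simulate a bad restore: one file truncated, one never written.
        with open(os.path.join(backup, "notes.txt"), "wb") as fh:
            fh.write(b"minutes of")
        os.remove(os.path.join(backup, "finance", "ledger.csv"))
        damaged = verify_restore(manifest, backup)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {len(result['missing'])} missing, {len(result['corrupt'])} corrupt")
```

Because the manifest records content hashes, the same check also tells you whether a backup was taken after the files had already been encrypted: a manifest built from ciphertext will verify perfectly against a restore of ciphertext, so keep versioned copies going back far enough to reach before the infection.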

In the event of your systems being infected with ransomware, do not give up hope or pay the ransom. For a number of ransomware families, free decryption tools have been released (where keys were recovered or the encryption was flawed) that can help to recover your files, so check what is available before doing anything else; a clean restore from tested backups remains the reliable route.

It is imperative that organisations take the threat of ransomware seriously. Once infected, the inability to access files or systems may affect other services offered by the organisation. An organisation’s ability to recover quickly from any ransomware infection will be greatly enhanced by having effective business continuity mechanisms available and free from infection.


Mike Gillespie is director of cyber research and security at The Security Institute

This was last published in February 2016

5 comments

I agree, education and awareness has to be the first line of defense. But it can't stop there, because even intelligent employees can fall for phishing emails. 
Education and training are essential, but they're not a one time thing. The effort to avoid all the constantly changing pitfalls has to be an ongoing thing. A rotten loss of valuable time, but there's not much choice.
@ncberns makes a good point that many organizations overlook - training needs to be a continuous process not only for the reason that he points out (evolving threats), but also because people tend to forget or get lax about their security practices. Good security can be a double-edged sword: if the security team is doing a good job of shielding people from the daily barrage of threats those people can be lulled into a false sense of security, and let their guard down.
Education, training, scanning, patching and updates will help prevent attack, but to put a good backup regime as the final defense is the wrong priority.
Backup is the first and best defense against extortion, but it must be proper backup. Proper backup includes automating, vaulting and versioning your backup storage, as well as verifying that your backups are valid and done. There is just not enough emphasis on proper backup by writers and consultants.
User training and education are also pointless unless you have a method of testing users which in turn keeps them vigilant. search "Infosec Cloud SATT" for details on how you can stop users causing security incidents.
