By now you know the stories about how ransomware works. Someone clicks on an infected link in an email, and that causes malware to invade a computer system, encrypting important data. The cyber criminals who launched the ransomware then demand a payment, usually in Bitcoin, to provide the key to unlock the encrypted data. All you have to do is pay.
In those simpler times of, say, six months ago, the payment demands were fairly low, and the decryption keys were usually reliable. It was a simple business transaction.
Things have changed. In April, the Washington, DC, Metropolitan Police Department had its systems infiltrated by attackers who took a week to exfiltrate over 250 gigabytes of sensitive police files, including personnel records, records of informants, and details of investigations -- including the January 6, 2021 insurrection. Then they began releasing the data publicly. The attackers demanded four million dollars to keep from releasing all of the information.
Meanwhile, the Colonial Pipeline Company was attacked, and the attackers demanded five million dollars to provide a decryption key that would allow the pipeline to resume operations. The company paid, and because they involved law enforcement from the beginning, they got their money back.
While these ransomware attacks made headlines, thousands more don't, because they involve smaller organizations. Many times, a smaller business falls victim to attack and faces a ransom demand. And even when a decryption key is delivered, it doesn't always work. Some estimates rate the chances of losing at least some data after such an attack at over 70 percent.
Fortunately, even small organizations can take steps to lessen the impact of ransomware, and in some cases, prevent data loss. But you have to be ready before you're attacked.
1. Train your staff to follow good cyber hygiene. This means teaching them to never click on links in email messages, no matter how innocent the email appears. In addition, your HR staff needs to make sure employee login information is kept up to date, and that former employees are removed from your systems as soon as they leave. That Colonial Pipeline attack used the credentials of a former employee. You can also get help with simulated ransomware from security training company KnowBe4.
2. Have good, usable backups. Most companies have online backups with data located on another server, but those backups are not likely to be usable in a ransomware attack, because the encryption will scramble them too. While those backups are useful for other purposes, the backups you need to recover from a ransomware attack must be offline (also called 'air-gapped') and inaccessible to the ransomware. In addition, those offline backups need to include several iterations of files, because the most recent backup will likely also be encrypted.
Once you have those offline backups, it's critical that you confirm they are usable. That means performing regular test restores. Note that those offline backups can be in the cloud or on physical media, including hard drives or even tape, as long as they're not available as a network asset. If the malware can see it, the malware can encrypt it.
3. Do your own encryption. Cyber criminals can't threaten to expose your data if they can't read it. Dell offers a variety of endpoint encryption methods. In addition, volume encryption is available in Windows and other operating systems. Some devices, including some phones and tablets, include encryption by default. Encrypting your own data has other benefits beyond preventing some forms of ransomware from exfiltrating data. It also helps prevent unauthorized access to your data. Just remember that encryption isn't a silver bullet, because authorized users can still see your data, and those same users can be a threat in themselves.
[Many Dell devices offer built-in security features, such as a hardware Trusted Platform Module (TPM). This commercial-grade security chip is installed on the motherboard; it creates and stores passwords and encryption keys securely. During the boot sequence, the TPM verifies that the computer has not been tampered with and protects your data against external software attacks. Other Dell security features include SafeID, which secures end-user credentials, and SafeGuard and Response, which enables IT admins to manage threats across endpoints, networks, and the cloud. If all this seems daunting, Dell also offers a Unified Workspace service in which all devices come pre-provisioned.]
4. Keep all of your systems updated and apply patches immediately. Yes, we know all of the reasons why that doesn't happen: it takes time, it ties up the computers, and some applications don't behave well after updates. In a world of rampant malware and dedicated ransomware attacks, though, those excuses no longer hold water. Failing to update is simply irresponsible, and it's an open invitation to ransomware.
5. Start using multi-factor authentication. You can accomplish this through Microsoft 365, through Google Workspace, or through Dell's Remote Access Controller. You can also use physical identity confirmation through smart card readers or fingerprint readers, and USB security keys such as YubiKey provide a hardware-based factor. Any of these would have prevented the Colonial Pipeline attack from succeeding. By now, you're familiar with receiving a six-digit code on your phone when accessing services on the internet; that's one version of multi-factor authentication.
You'll also note that simply paying the ransom isn't listed. That's because a growing trend among attackers is to simply take the money and not provide an unlock code. Worse, once you've paid the money, the criminal will frequently attack again and demand more. Instead, involve law enforcement immediately to go after the criminals and maybe even get your money back.
Note that none of these steps is expensive, and none requires particularly advanced knowledge to implement. However, they do require a commitment to the security of your network, a commitment to learning how to integrate and use these measures, and a commitment to following through.
It's also worth noting that all of these steps, taken together, will still cost your organization less than a single successful ransomware attack.