How 4 key practices can prevent ransomware incidents
You're the CIO of a major healthcare provider. You log in to your computer and see a strange page with a ticking clock and a message that says that your files have been encrypted. You try to open some of your files, but they all appear to be gibberish. And then it hits you: Your hospital has been infected by ransomware.
Ransomware is a form of malware that targets your critical data and systems for extortion. Typically, ransomware encrypts data with a key known only to the attacker until a ransom (usually in a cryptocurrency such as Bitcoin) is paid. After the ransom is paid, the attacker will sometimes provide a decryption key.
Ransomware attacks are increasing in frequency. The FBI reports that approximately 4,000 ransomware attacks occur daily, with a 300 percent increase in ransomware attacks since 2015. In healthcare, in a well-publicized attack in early 2016, Hollywood Presbyterian Medical Center in Los Angeles, Calif. paid $17,000 in Bitcoin to get back patient data and its multimillion-dollar HIT system following a ransomware attack. “IDC FutureScape: Worldwide Healthcare IT 2017 Predictions” predicts that healthcare ransomware will only continue to increase over the next two years, with ransomware attacks against healthcare organizations expected to double by 2018.
The financial impact of ransomware on the healthcare industry is huge. It is estimated that each lost record costs providers $355, which is twice the average cost of other industries.
Given the growing threat of ransomware, what can your organization do to help prevent such an attack?
Back up your data. Backups are critical in ransomware recovery and response. If you are infected, backups are often the best way to recover your critical data. In addition to regularly backing up your organization’s significant data, be sure to verify the integrity of your backups and regularly test your backup restoration process; you don’t want to find out, in the middle of an incident, that your backups aren’t working.
Also, ensure that your backups are secured (for example, physically stored offline) and not permanently connected to the computers and networks they back up. Increasingly, ransomware is designed to infect both computers and attached storage devices plus cloud backup services that are mapped to infected computers.
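One way to put the integrity-verification and restore-testing advice into practice, as an added Python example that is not from the original article: it records a SHA-256 digest for every file in a backup set, checks the set against that manifest, and performs a restore test into scratch space. The file names and contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: Path) -> dict:
    """Digest of every file in the backup set, keyed by path relative to the set root.
    Keep the manifest apart from the backup media: a manifest stored beside the data
    can be rewritten by whatever rewrites the data."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def verify_backup(backup_dir: Path, manifest: dict) -> list:
    """Paths that are missing, altered, or present but unknown to the manifest."""
    current = build_manifest(backup_dir)
    return sorted(rel for rel in set(manifest) | set(current)
                  if manifest.get(rel) != current.get(rel))

def restore_test(backup_dir: Path, manifest: dict) -> bool:
    """Restore into scratch space and confirm the restored copy matches the manifest,
    which exercises the restore path rather than only the media."""
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch) / "restore"
        shutil.copytree(backup_dir, target)
        return verify_backup(target, manifest) == []

def demo() -> tuple:
    """Constructed backup set: verify and restore-test it while clean, then overwrite
    one file the way an encrypting process would and verify again."""
    with tempfile.TemporaryDirectory() as root:
        backup = Path(root) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patients.csv").write_text("id,name\n1,example\n")
        (backup / "notes.txt").write_text("shift handover notes\n")
        manifest = build_manifest(backup)
        clean = (verify_backup(backup, manifest), restore_test(backup, manifest))
        (backup / "notes.txt").write_bytes(b"\x9f\x12\x7a simulated ciphertext")
        return clean, verify_backup(backup, manifest)
```

Scheduling `verify_backup` against a manifest kept offline, and `restore_test` on a regular cadence, gives the "is the backup still good?" answer before an incident rather than during one.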
Use behavior-based anti-malware software. Implement behavior-based anti-malware (for example, CrowdStrike or Cylance) on your organization’s information systems rather than signature-based software. Criminals are continually tweaking their ransomware strains and adding “features” such as encrypted or constantly changing code. Increasingly, signature-based anti-malware software, which just looks for known malicious files, cannot keep up. Behavior-based anti-malware software, which watches for malicious behaviors, is often more likely to detect ransomware.
Whenever possible, configure your anti-malware software to block and alert when it detects ransomware rather than just alert. All alerts regarding ransomware should be rapidly responded to.
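To make the signature-versus-behavior distinction concrete, here is an added Python example that is not part of the original article or of any named product: a blocklist lookup beside a simple behavioral heuristic (a burst of writes by one process that renames files to a new extension and replaces their content with high-entropy data). The process names, paths, digests and event records are all constructed.

```python
from collections import Counter, defaultdict
from math import log2

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted output approaches 8.0."""
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def signature_verdict(file_hash: str, known_bad: set) -> bool:
    """Signature model: flags a binary only if its digest is already on the blocklist."""
    return file_hash in known_bad

def behavior_verdict(events, window_s=30, min_files=15, entropy_floor=7.0) -> dict:
    """Behavior model: per process, look for a burst of writes inside one time window that
    rename files and replace their content with high-entropy data. Returns
    {process: distinct files already touched when the alarm tripped}."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["proc"]].append(ev)
    flagged = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["t"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["t"] - evs[start]["t"] > window_s:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            touched = {e["path"] for e in window}
            renamed = sum(e["new_ext"] is not None for e in window)
            scrambled = sum(shannon_entropy(e["data"]) >= entropy_floor for e in window)
            if len(touched) >= min_files and min(renamed, scrambled) >= min_files // 2:
                flagged[proc] = len(touched)
                break
    return flagged

# Constructed sample activity, not a real capture: a word processor saving three documents
# over two minutes, then an unlisted binary rewriting 20 records with a new extension.
TEXT = b"shift handover notes, nothing unusual\n" * 8
CIPHERTEXT_LIKE = bytes(range(256))              # every byte value once: entropy exactly 8.0
SAMPLE_EVENTS = [
    {"t": t, "proc": "winword", "path": p, "new_ext": None, "data": TEXT}
    for t, p in ((0, "docs/a.docx"), (40, "docs/b.docx"), (95, "docs/c.docx"))
] + [
    {"t": 100 + i, "proc": "unknown.exe", "path": f"share/record{i}.pdf",
     "new_ext": ".locked", "data": CIPHERTEXT_LIKE}
    for i in range(20)
]

def demo() -> tuple:
    # No blocklist entry exists for the unlisted binary, so the signature check passes it;
    # the behavior check trips once 15 distinct files are rewritten inside 30 seconds.
    return (signature_verdict("constructed-unknown-digest", {"constructed-known-bad-digest"}),
            behavior_verdict(SAMPLE_EVENTS))
```

The thresholds are illustrative; in a product they are tuned against the organization's normal file activity, and the "block" action the article recommends would be wired to the point where `flagged` is populated.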
Have a security incident response plan (SIRP). As unpleasant as it is to think about, you should assume that your organization will be infected by ransomware. Now is the time to prepare. A well-documented SIRP that is specific to your organization will make it easier for you to launch a rapid and well-coordinated response. At a high level, your SIRP should include:
- A description of the roles and employees who are on the security incident response team (SIRT).
- Specific guidelines (for example, when law enforcement should be notified and how backups are secured) and procedures that the SIRT will follow.
- Information about external resources (for example, an identified computer forensics firm) available to the SIRT.
Be sure to test your SIRP at least annually. You don’t want to be trying out your SIRP for the first time during an incident.
Provide phishing education to your employees. Properly trained, employees can be an organization’s front line of defense against ransomware. Cybersecurity is not just an IT issue—ransomware is frequently delivered via phishing emails, so regularly train your employees to carefully assess links in emails and to not open unsolicited attachments. To improve employee awareness about phishing, use a tool like Wombat or Phishme to send simulated phishing emails.
Also, encourage employees to rapidly report suspicious activity that may indicate ransomware. Once in an organization, ransomware can spread very quickly via shared or networked drives, so it’s critical that all employees know when and how to report suspicious activity on their information systems.
Ransomware is a serious threat for which all organizations need to be prepared. Make sure your data backup processes are solid. Use behavior-based anti-malware software. Have a well-developed SIRP, and regularly educate your employees about phishing. These key steps will defend your organization against ransomware.