Hands typing on keyboard
Risk & Fraud

Ransomware: How to Prevent or Recover from an Attack

By: Gene Fredriksen, Security Strategy Consultant

It’s Monday morning. You hit the office early, logging in to your computer expecting to get a jump on the day. However, this time something is different. Your computer is slow, error messages are popping up, and, finally, it is all replaced by a red screen reading “All Your Important Files Have Been Encrypted.”

You check with your co-workers and the story is the same. Finally, you call the help desk and find out the grim truth — your financial institution has been infected with ransomware. In this scenario, you would be in good company, as the FBI’s Internet Crime Complaint Center (IC3) received 2,474 ransomware complaints in 2020.

What is Ransomware?
Ransomware is a form of malware that encrypts files on a victim’s computer systems, making them unusable. Cybercriminals demand a ransom in exchange for providing the key to decrypt the victim’s files.

Ransomware attacks are becoming more targeted, sophisticated and costly, even as the overall frequency of attacks continues to decline. Since early 2018, the incidence of broad ransomware campaigns has fallen sharply, but the losses from ransomware attacks have increased significantly, according to complaints received by the IC3 and FBI case information.

How Does Ransomware Infect Its Victims?
Cybercriminals use a variety of techniques to infect victims’ systems with ransomware. Additionally, cybercriminals upgrade and change their strategies to make their attacks more effective and prevent detection.

  • Email phishing campaigns: The cybercriminal sends an email containing a malicious file or link, which deploys malware when a recipient clicks the link.
  • Software vulnerabilities: Cybercriminals can take advantage of security weaknesses in widely used software programs to gain control of victims’ systems and deploy ransomware.

How Can I Protect Myself Against Ransomware?
There are two critical defenses for any organization against ransomware. The first is having a recent backup to restore, which could prevent a ransomware attack from crippling your organization. The second is having a robust, well-rehearsed response plan, which will enable your organization to respond quickly and consistently. As ransomware techniques and malware continue to evolve and become more sophisticated, even the most robust prevention controls are no guarantee against exploitation. Contingency and remediation planning is crucial to business recovery and continuity, and plans should be tested regularly to ensure the integrity of sensitive data in the event of a compromise. Below are several best practices to help protect your financial institution against ransomware attacks:

  • Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up – physically store them offline. Backups are critical in ransomware — if you are infected, backups may be the best way to recover your necessary data.
  • Focus on awareness and training. Since end-users are targeted, employees should be aware of the threat of ransomware and how it is delivered, and trained on information security principles and techniques.
  • Patch the operating system, software and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. Then, make the process more robust through a centralized patch management system.

If My System Is Infected, Should I Pay the Ransom?
If you ask the FBI, they do not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In fact, in some cases, victims who paid a ransom were never provided with decryption keys. However, the FBI understands that executives will evaluate all options to protect their shareholders, employees and customers when businesses are faced with an inability to function.

Your first call should be to your cyber-insurer, who will help drive the decision to pay or not. After that, your legal department should be involved with any calls to law enforcement.

Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law and prevent future attacks.

Ransomware is one of many tools that our cyber-adversaries use to disrupt our businesses and make money for their organizations. This constant battle is a war of attrition. There will be no massive victories or game-changing events to make our jobs less challenging. To provide the best protection for our organizations, we need to do our jobs diligently every day, remaining aware of our adversaries’ new and emerging threats.

As always, we address security issues with “people, processes and technology” – “people” through education and awareness to stop ransomware from entering the organization, “process” through the creation of an incident response plan, and “technology” through the implementation of robust backup and archival systems. Together, we can significantly reduce our vulnerability to malware.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT CUSO. He has previously held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

Fredriksen served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.