First Lines of Defense in Fighting Ransomware
The SANS Institute recently reported the following:
"The past several months have seen a wave of ransomware attacks hit local government organizations in states across the US. Most recently, 22 municipalities in Texas were hit with ransomware in an attack believed to be launched by “a single threat actor,” according to Texas state officials. Lubbock County managed to detect and deal with the infection right away. Other municipalities are working to recover from the attacks. When private companies are hit with ransomware attacks, they are often able to keep the incident quiet. People notice when a municipality’s online presence disappears."
Ransomware remains one of the most destructive and expensive attacks on an organization's infrastructure. Once a system is compromised, its files are encrypted and rendered unusable unless the affected organization pays a ransom of tens of thousands of dollars. Regardless of whether the organization is able to restore its own data or decides to pay the ransom, restoring its systems will often take days to weeks.
Avoiding a ransomware attack requires two important efforts: system/network hardening and user education. While an organization can ensure its systems are up to date and hardened against outside attacks and system compromise, most attacks are directed at users. The reason is that the easiest way into a network is through an individual's PC, and what better way to compromise that PC, and ultimately the entire network, than to entice an employee to willingly launch a malware application?
Having run an IT department for a large corporation, I knew our biggest challenge was not the hordes of attempted attacks on our firewalls and network in general, but our own team members that could invite those attackers in without even realizing it. Carefully crafted emails seemingly coming from our own leadership would request immediate assistance to ensure a vital transaction is completed. Please open this document, click that link, and what person in their right mind would ignore a request from the CEO himself...
One click and that PC is compromised. Hopefully your antivirus detects and contains it... or does the malware start working its way through your network, until file servers become unreachable and mail servers cease responding? My intent is not to frighten, but it is frightening, no?
Your IT department is going to do everything to prevent the worst, but is at a disadvantage if threats come right through the front door. Thus, the first line of defense is your employees. The second line is your processes and establishing a system where any requests, from co-workers within one's department to the highest levels of management, are routed through known processes that no outside hackers will know about and thus, will be unable to compromise.
Educated employees will question a suspicious email and not act until they have vetted it through established internal processes. If there is no internal process, even a simple phone call to the CEO to verify an email's authenticity should be acceptable within a vigilant organization.
The WRX can develop and present training programs and materials for employees, as well as develop internal processes and systems to take the guesswork out of these phishing efforts.