Ransomware attacks are on the rise, hitting businesses and government agencies around the world. Criminals gain initial access in a variety of ways (phishing, exposed remote-access services, stolen credentials, unpatched software) and, once inside the victim's network, disable security tooling so the malware can run unhindered. Many operators also steal data before encrypting it, including data held with cloud providers where the company keeps its archives, so that they can threaten to publish it if the ransom is not paid. Demands frequently run to millions of dollars, usually payable in Bitcoin.
The FBI does not encourage paying ransoms: there is no guarantee that files will be recovered, and payment may embolden criminals to target additional organizations, encourage more actors to distribute ransomware, and fund other illicit activities.
The best way to deal with ransomware is to prevent becoming a victim in the first place. The FBI’s Cyber Division recommends taking the following defensive measures:
- Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
- Back up data regularly, and keep backup copies offline, air-gapped, and password-protected. Ensure that copies of critical data cannot be modified or deleted from the system where the live data resides.
- Review Task Scheduler for unrecognized scheduled tasks. Also manually review the actions of operating-system-defined or otherwise recognized tasks (that is, check the steps each task is expected to perform), since attackers hide persistence behind legitimate-looking task names.
- Review antivirus logs for indications that protection was unexpectedly turned off.
- Implement network segmentation.
- Require administrator credentials to install software.
- Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., a hard drive, a storage device, or the cloud).
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
- Use multifactor authentication where possible.
- Change passwords for network systems and accounts regularly, on the shortest rotation period the organization can tolerate, and never reuse a password across accounts. (This is the FBI's wording; NIST SP 800-63B now advises against forced periodic rotation in favor of long, unique passwords screened against breach lists, so prioritize uniqueness and multifactor authentication over rotation frequency.)
- Disable unused remote-access services and Remote Desktop Protocol (RDP) ports, and monitor remote-access/RDP logs.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Install and regularly update antivirus and anti-malware software on all hosts.
- Use only trusted networks and avoid public Wi-Fi; where that is not possible, consider installing and using a virtual private network (VPN).
- Consider adding an email banner to emails received from outside your organization.
- Disable hyperlinks in received emails.
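Several of the checklist items above (unrecognized accounts, unrecognized or altered scheduled tasks, antivirus switched off, RDP log monitoring) are log reviews, and the same review can be automated. The following is an added example, not part of the FBI guidance or of this page's original content. It triages a batch of Windows event records for those four signs. The records are dicts in the shape of Windows Security and Defender log entries (EventID, TimeCreated, Computer, and the named EventData fields Windows uses for that event ID); in practice they would come from an export such as `Get-WinEvent | ConvertTo-Json`. The sample events, the account and task inventories, the IP addresses and the suspicious-action patterns are all constructed for the example.

```python
"""Triage exported Windows event records for the warning signs in the
checklist: unrecognized new accounts (4720), suspicious scheduled-task
actions (4698), Defender protection switched off (5001/5010), and
password guessing against RDP (4625/4624 with logon type 10).

SAMPLE_EVENTS, KNOWN_ACCOUNTS and KNOWN_TASKS are constructed for this
example and are not real logs or a real inventory.
"""
import re
from collections import Counter, defaultdict

AV_DISABLED_IDS = {5001, 5010}   # real-time protection / scanning disabled
RDP_LOGON_TYPE = "10"            # RemoteInteractive = Remote Desktop
RDP_FAILURE_THRESHOLD = 5

# Task actions worth a second look: hidden or encoded PowerShell, LOLBins,
# and binaries launched from user-writable directories (assumed patterns).
SUSPICIOUS_ACTION = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|certutil|bitsadmin|mshta|"
    r"rundll32|regsvr32|\\AppData\\|\\Temp\\|\\Users\\Public\\)", re.IGNORECASE)


def find_unrecognized_accounts(events, known_accounts):
    """4720 events whose new account is not in the inventory of expected accounts."""
    known = {a.lower() for a in known_accounts}
    return [(e["TimeCreated"], e["Computer"], e["Data"]["TargetUserName"],
             e["Data"]["SubjectUserName"])
            for e in events
            if e["EventID"] == 4720 and e["Data"]["TargetUserName"].lower() not in known]


def find_suspicious_tasks(events, known_tasks):
    """4698 events for tasks not in the inventory, or whose action matches a risky pattern."""
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        name, content = e["Data"]["TaskName"], e["Data"]["TaskContent"]
        match = SUSPICIOUS_ACTION.search(content)
        if match or name not in known_tasks:
            reason = f"action matches {match.group(0)!r}" if match else "not in task inventory"
            findings.append((e["TimeCreated"], e["Computer"], name, reason))
    return findings


def find_av_disabled(events):
    """Defender events recording that protection was turned off."""
    return [(e["TimeCreated"], e["Computer"], e["EventID"])
            for e in events if e["EventID"] in AV_DISABLED_IDS]


def find_rdp_bruteforce(events, threshold=RDP_FAILURE_THRESHOLD):
    """Source IPs with >= threshold failed RDP logons, and the accounts they then got into."""
    failures, succeeded = Counter(), defaultdict(set)
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        data = e["Data"]
        if data.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip = data.get("IpAddress")
        if e["EventID"] == 4625:
            failures[ip] += 1
        elif e["EventID"] == 4624 and failures[ip] >= threshold:
            succeeded[ip].add(data["TargetUserName"])   # success after a guessing run
    return {ip: {"failures": n, "succeeded_as": sorted(succeeded[ip])}
            for ip, n in failures.items() if n >= threshold}


def triage(events, known_accounts, known_tasks):
    """Run all four checks and return the findings keyed by check name."""
    return {"unrecognized_accounts": find_unrecognized_accounts(events, known_accounts),
            "suspicious_tasks": find_suspicious_tasks(events, known_tasks),
            "av_disabled": find_av_disabled(events),
            "rdp_bruteforce": find_rdp_bruteforce(events)}


def _sec(event_id, time, computer, **data):   # helper to build a Security-log record
    return {"EventID": event_id, "Provider": "Microsoft-Windows-Security-Auditing",
            "TimeCreated": time, "Computer": computer, "Data": data}

# Constructed sample export: "alice" and the defrag task are expected; the rest
# is the pattern typically seen in the hours before an encryption run.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}
KNOWN_TASKS = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"}
SAMPLE_EVENTS = [
    _sec(4720, "2024-03-01T02:10:00", "DC01", TargetUserName="alice", SubjectUserName="bob"),
    _sec(4720, "2024-03-01T02:13:00", "DC01", TargetUserName="svc_backup2", SubjectUserName="administrator"),
    _sec(4698, "2024-03-01T02:14:00", "FS01", TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
         TaskContent="<Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments></Exec>"),
    _sec(4698, "2024-03-01T02:15:00", "FS01", TaskName="\\Microsoft\\Windows\\Update\\Sync",
         TaskContent="<Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -enc QQBCAEMA</Arguments></Exec>"),
    {"EventID": 5001, "Provider": "Microsoft-Windows-Windows Defender",
     "TimeCreated": "2024-03-01T02:16:00", "Computer": "FS01", "Data": {}},
    *[_sec(4625, f"2024-03-01T02:2{i}:00", "RDP01", LogonType="10",
           IpAddress="198.51.100.23", TargetUserName="administrator") for i in range(6)],
    _sec(4624, "2024-03-01T02:26:00", "RDP01", LogonType="10",
         IpAddress="198.51.100.23", TargetUserName="administrator"),
    _sec(4625, "2024-03-01T02:30:00", "RDP01", LogonType="10",
         IpAddress="203.0.113.5", TargetUserName="jsmith"),
]

if __name__ == "__main__":
    for check, findings in triage(SAMPLE_EVENTS, KNOWN_ACCOUNTS, KNOWN_TASKS).items():
        print(f"{check}: {findings}")
```

Run on the sample, the script reports the `svc_backup2` account (created by an administrator account at 02:13), the `Update\Sync` task whose action is hidden, encoded PowerShell, the Defender real-time-protection event, and 198.51.100.23 failing six RDP logons and then succeeding as `administrator`. The inventories are what make the account and task checks useful: without a maintained list of expected accounts and tasks, "unrecognized" has nothing to be compared against.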
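The backup items above say that copies of critical data must not be modifiable from the system the data lives on. Whether that held is something you want to be able to prove before restoring from a copy. The following is an added example, not from this page or the FBI guidance: it builds an integrity manifest (relative path to SHA-256) when a backup is written, assumes the manifest is stored apart from the backup (signed, or on read-only media), and later compares the backup tree against it to report files that were modified, removed or added. The `demo()` function constructs a throwaway backup in a temporary directory and simulates an encryption run against it; the file names and contents are invented for the example.

```python
"""Integrity manifest for an offline backup copy.

build_manifest() runs when the backup is written; verify_backup() runs
before a restore, against a manifest kept separate from the backup itself
(if the attacker can rewrite the manifest, the check proves nothing).
demo() fabricates a small backup and a simulated ransomware run over it.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large backup members fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree against a trusted manifest and classify differences."""
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }
    report["ok"] = not (report["modified"] or report["missing"] or report["added"])
    return report


def demo():
    """Constructed backup plus a simulated attack; returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "plan.txt").write_text("Q3 plan\n")
        (backup / "docs" / "budget.csv").write_text("item,cost\nserver,1200\n")
        (backup / "db.sqlite").write_bytes(b"SQLite format 3\x00" + bytes(64))

        manifest = build_manifest(backup)        # would be stored offline at backup time
        clean = verify_backup(backup, manifest)

        # Simulate an encryption run that reached the supposedly offline copy:
        # one file overwritten in place, one renamed with a new extension,
        # and a ransom note dropped at the top level.
        (backup / "docs" / "plan.txt").write_bytes(os.urandom(64))
        (backup / "docs" / "budget.csv").rename(backup / "docs" / "budget.csv.locked")
        (backup / "README_RECOVER.txt").write_text("your files are encrypted\n")
        tampered = verify_backup(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("after simulated attack:", after)
```

A clean copy verifies with all three lists empty; after the simulated run the report names `docs/plan.txt` as modified, `docs/budget.csv` as missing, and the `.locked` file and ransom note as added, which is exactly the information you need to decide whether this copy is safe to restore from or whether you must fall back to an older one.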
If you suspect that your business may have experienced a ransomware attack, the FBI encourages you to report the suspicious or criminal activity to the nearest FBI field office. Field office contacts can be identified at https://www.fbi.gov/contact-us/field-offices. The report should include the date, time and location, the type of activity, the number of people and type of equipment involved, the name of the submitting company or organization, and a designated point of contact.
Since 2003 when we started implementing WordPress sites for our clients, we have not lost a single one to ransomware or any other kind of attack. In the rare instances when malware has managed to slip through our defenses, it has been identified and extricated before causing harm.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.