BLOG
|

11 min read

Ransomware Protection and Defense: A Comprehensive Guide

Ransomware attacks are among the most disruptive and costly cybersecurity incidents experienced by healthcare organizations and other businesses. Attackers see a tremendous opportunity to extract large sums of money by holding data hostage. And by preying on organizations that have valuable data, mission-critical systems, and insufficient defenses, these attackers too often succeed.

How can your organization protect itself from ransomware attacks? You need a multi-layered strategy that can address evolving threats, minimize disruptions, and keep your data secure.

What is Ransomware?

The first step in combating ransomware is to arm yourself with information. Understanding what ransomware is, how it works, what forms it might take, and whom it typically targets can help you begin developing your security strategy.

Definition of ransomware and how it works

Ransomware is a form of malicious software that encrypts data, preventing authorized users from accessing it. Attackers demand ransom for providing the decryption key. Today many attackers layer on additional threats.  

Attacks often start with a phishing scheme: Users are tricked into clicking on a link within an email or text. They are taken to a website where they are asked to input network login credentials, which attackers then steal and use to access the enterprise network. Attacks might also begin with a drive-by download, in which hackers send malware to a device without the user’s knowledge. 

For organizations that operate within the cloud, ransomware can also be delivered via applications and data ingestion pipelines that collect data from patients, customers, and partners and upload it into storage like Amazon S3 for use. In some cases, attackers conduct a network intrusion to directly infiltrate an organization’s IT environment. 

Once the attackers or their ransomware enter the network, the ransomware can then spread across systems. It encrypts data or otherwise locks users out of apps and systems.

Types of ransomware

There have been numerous types and strains of ransomware over the years. For example:

  • Crypto ransomware encrypts data, preventing users from accessing the data without the decryption key. Attackers generally demand ransom in cryptocurrency.
  • Locker ransomware completely locks users out of their systems, though it generally leaves files and folders untouched. Users see a lock screen that shows the ransom demand, sometimes accompanied by a countdown clock.
  • Scareware* is delivered as an app or pop-up window that attempts to scare users by claiming that a virus has infected their computer. The app then offers a way for users to pay to resolve the issue.
  • Extortionware* (or “doxware” or “leakware”) threatens to distribute sensitive information online. Individuals might be tempted to pay attackers to avoid embarrassing information from becoming public.


*Scareware and extortionate more frequently target individuals than organizations.

 

 

Ransomware Attacks: Understanding the Threat

The severity of a ransomware attack can depend on multiple factors, including how far the infection has spread and who is the intended target.  

How ransomware spreads

Whether attackers gain network access by stealing login credentials, capitalizing on a software vulnerability, or conducting a drive-by app installation, they might be able to spread ransomware easily across an IT environment. In fact, today’s variants can often self-propagate laterally across a network. Unless an organization has effectively segmented systems and data, that ransomware can quickly find its way from network endpoints to the most sensitive information and applications.

The infection might not stop at the initial target’s network. Because ransomware can potentially infect any devices and systems connected to the network, it could reach into partner networks as well. Attackers might target small or medium-sized organizations, with less robust defenses, to ultimately access larger partner environments, with even more valuable data.

How Ransomware Works

Potential impact on businesses

For healthcare organizations and other businesses, the impact of a ransomware attack can be devastating. At the very least, an attack can disrupt essential operations, which might include providing critical services to patients or processing insurance claims. Depending on the systems infected, and the resolution of the crisis, it could take weeks or months before an organization is fully functional.

The financial costs can be staggering. A ransom—if the attacked organization decides to pay—could amount to millions of dollars. The organization might then need to recover data and restore systems, conduct forensic investigations, and begin to patch vulnerabilities. Moreover, the organization might need to pay regulatory fines and the costs of subsequent litigation with patients. In addition, hospitals and providers could lose revenues from canceled appointments and procedures. A damaged reputation could further affect revenues in the months and years to come.

Disrupted healthcare operations can also put patient health at risk. If individuals are unable to communicate with providers, fill prescriptions, have procedures, or receive emergency care, they could suffer immediate and lasting health effects.

 

 

Ransomware Prevention: Best Practices

How can you best protect your organization from a ransomware attack? A few key strategies can help reduce the odds that attackers will successfully infiltrate your IT environment and hold your data hostage.

Keep software and systems up to date

Updating software and systems is an essential means of thwarting ransomware attacks. Application and operating system vendors have a vested interest in protecting their products. They will do their best to discover vulnerabilities, and quickly release patches and updates. Install those updates promptly, and make sure they reach all of the applicable systems. 

Implement robust backup and recovery strategies

Backing up sensitive data and deploying redundant systems can help significantly reduce the imperative to pay ransoms. If you have a full, up-to-date, and immutable (i.e., unchangeable) copy of data, you might be able to refuse attackers’ demands. And if you can failover to alternate systems during an attack, you can avoid operational disruptions.

Educate employees

Phishing and other social engineering schemes are among the most common ways that attackers gain access to networks and release malware. Employee education is vital in preventing attackers from stealing the credentials that will allow them through the gates. Employees should know how to recognize phishing emails and texts, and understand how to alert security teams.

In addition, employees must integrate cybersecurity best practices in their day-to-day work. For example, they should learn best practices for setting unique passwords, using multi-factor authentication (MFA) tools, and protecting devices from theft. Instilling these best practices in employees as part of a culture of security can play a central role in reducing risks. 

Use antivirus and anti-malware software

Antivirus and anti-malware solutions provide an important layer of defense against multiple types of attacks. Solutions can scan emails for phishing links, examine email attachments for viruses, and block users from accessing suspicious websites. 

Security features built into operating systems can further help protect computers. For example, Windows Security scans for malware, viruses, and other threats. It also helps download patches and updates automatically to keep systems protected for emerging threats.

For organizations that ingest and store data in the cloud, defense in depth is key. Cloud Storage Security’s antivirus solution automates malware scanning for data ingestion pipelines, ensuring that ransomware and other malicious files don’t reach an organization's storage repositories, or even worse their downstream users. For example, a health insurance company could collect and ingest compromised claims data from an insuree into the cloud via an online application. When the time comes to process the claim, an employee could open and consequently detonate the file.

Set up firewalls and network security solutions

Employing network security solutions provides another layer of defense. Firewalls, web application firewalls (WAFs), and intrusion prevention/intrusion detection systems (IPS/IDS) can prevent malware from reaching networks by scanning incoming traffic. These and other solutions can also block suspect IP addresses, prevent unauthorized remote access, and restrict the flow of malicious files. If malware does reach the network, these solutions can prevent those programs from communicating with their external command-and-control systems.

Practice safe browsing habits and email protocols

Individuals should be counseled to avoid visiting un-secured or suspicious-looking websites. They should also refrain from opening any email attachments or clicking on any links in emails or texts received from unknown senders. Scrutinizing URLs and the content of emails can help individuals avoid costly errors: Phishing emails often have misspellings and direct people to websites whose URLs vary only slightly from legitimate sites.

 

 

Ransomware and Mobile Devices

Mobile devices are not immune to ransomware attacks. In fact, smartphones, tablets, wearables, and Internet-of-Things (IoT) devices can be appealing targets because they are typically less protected than desktops and laptops.

Risks of mobile ransomware

If cybercriminals successfully attack a device, they can prevent access to data, install disruptive apps, display threatening messages, steal data located on the device, or completely lock out users. But mobile ransomware engenders an even greater risk to businesses. If attackers can infiltrate the mobile device of one of your employees, they might use that device to gain access to your entire network. One employee clicking on a phishing email or accidentally visiting a compromised site could lead to a full-scale breach of your IT environment.

Best practices for securing mobile devices

Installing the latest security patches and updating software are critical for protecting mobile devices. If you are managing employees’ devices, deploy patches and updates quickly and completely across all devices.

Education will once again be key. Make sure employees avoid clicking on dubious links, downloading apps from sites they don’t recognize, and visiting suspicious websites.

Protecting data on mobile devices

As with desktops, laptops, servers, and other IT systems, backing up data on mobile devices is key. Individual users should consider using cloud-based backup services to protect personal data. Organizations should make sure any corporate data that is accessed or stored on mobile devices is similarly backed up regularly.

 

 

Ransomware and Businesses: Mitigating the Risk

Despite your efforts to protect vectors for ransomware, cybercriminals will continue attacking. How can you mitigate the risks to your organization?

Developing a comprehensive cybersecurity strategy

Healthcare organizations and other businesses cannot afford to be reactive. Your organization should have a comprehensive cybersecurity strategy in place that addresses the potential for ransomware attacks and other types of breaches. That strategy must cover the technologies that can help block attacks; the processes for training personnel, identifying threats, safeguarding data, and restoring systems; and the policies for addressing ransom demands, notifying customers or patients, and contacting authorities.

Business continuity and disaster recovery planning

Organizations should also implement robust business continuity and disaster recovery (DR) strategies. Conducting frequent, regular, and complete backups of data to offsite locations, for example, can help reduce the need to pay ransoms for decrypting primary data repositories. Deploying redundant systems, or running apps in the cloud, can also help healthcare organizations avoid disruptions that can cut into revenues and put patient safety at risk. 

 

 

Incident Response: What to Do if Infected

Attackers might succeed in infecting endpoints, environments or network systems with ransomware. Having a ransomware incident response plan in place is critical for resuming operations quickly.

Signs of a ransomware infection

For individual employees using desktops, laptops, or mobile devices, signs of a ransomware infection might include slow performance, unexpected software crashes, operating system freezes, or reduced storage space. Users might notice that their usual web browser has a new toolbar or URLs are redirecting to odd pages. 

For IT and security teams, one early sign of a ransomware attack is an uptick in spam and phishing emails across the company. Administrators might also see numerous attempts to access network resources, network scanning, the presence of known hacker tools, scrambled file names or contents, attempts to disable access directories and domain controllers, and increased backup activity (since a backup solution might try to backup newly modified files).

Immediate steps to take

If an individual suspects a ransomware or malware attack, the first step is to disconnect from the network. The user should contact the IT or security team using a distinct device. 

When IT or security administrators suspect an attack, they should first identify the systems that might be infected. They must quickly isolate them—by disconnecting them from the network or powering them down—to prevent the ransomware from spreading. Teams can then identify the ransomware and inspect other systems for infections. When they are sure they have found every trace of infection and sufficiently isolated systems, they can then start sanitizing infected systems. Next, they can restore systems and retrieve clean data from backups.

Of course, if attackers are holding data hostage, an organization might need to enact a secondary plan. Unless your company has a failover system and complete backups of data, your IT and security teams might need to wait until they can regain access to data and systems before beginning remediation efforts.

Reporting the incident to relevant authorities

Organizations attacked by ransomware need to report the incident to law enforcement and regulatory authorities. For example, if a healthcare organization subject to HIPAA rules experiences a breach of patient data, the organization must report the incident to the U.S. Department of Health and Human Services (HHS). 

An attacked organization also needs to notify any customers or patients whose data might have been exposed. The organization then needs to offer identity protection services to those individuals for a time after the event.  

 

 

To Pay or Not to Pay: Navigating Ransomware Demands

If your organization is attacked with ransomware, and your data is held hostage, should you pay the ransom?

Pros and cons of paying ransoms

Many organizations are reluctant to pay attackers to regain access to data. The high cost of ransom—which, for healthcare organizations, could amount to millions of dollars—might be sufficient reason to refuse payment. 

Nevertheless, paying the ransom is often the fastest way to restore access to data and systems. When healthcare organizations are attacked, their operations can be severely disrupted, leaving them unable to serve patients and provide critical care. Consequently, healthcare organizations tend to pay ransoms more frequently than companies in other fields.

Legal and ethical considerations

Governments and law enforcement agencies discourage organizations from paying ransoms. The International Counter Ransomware Initiative—which includes members from 48 countries, the European Union, and Interpol—released a joint policy statement saying that governments should not pay ransomware extortion demands. The United States signed, though the U.S. federal government has not banned companies from paying ransoms.

Organizations also have a legal responsibility to protect sensitive data. If a healthcare organization refuses to pay a ransom, and then attackers sell patient data, the organization could be subject not only to regulatory fines but also lawsuits. When presented with an ultimatum, organizations will need to weigh the legal—and financial—consequences of both paying and not paying.

There are also ethical considerations. Paying the ransom rewards criminal behavior. As more organizations give in to attackers’ demands, more criminals will launch attacks.

Alternative recovery methods

Some organizations can avoid paying ransom, or at least reduce the pressure to pay it. Backing up data and implementing redundant failover systems can eliminate the disruptions caused by attacks. If your organization has a complete (or nearly complete) copy of patient data available, and systems that are ready to go at a moment’s notice, you can continue business as usual while you address the ransomware that infected your environment.

 

 

Ransomware Removal and Recovery

If you’re attacked, how can you safely remove ransomware from your IT environment and get back to business? 

Safe methods for removing ransomware

Any infected systems should be disconnected from the network so the ransomware has no means of spreading further. You can then use security software to find malicious files and then delete them with antivirus tools.

Some tools, such as Cloud Storage Security’s cloud-based anti malware solution, automate the discovery and quarantine of infected files in cloud storage (or can or delete the file entirely) to prevent access of those files.

Data recovery

If you pay the ransom, attackers are supposed to provide a decryption key. But in practice, not all these criminals honor their end of the bargain. Of course, you might also decide against paying. In either case, you will be left with encrypted data. Without complete backup copies of data, you would need a decryption tool from a security vendor to unlock those files and regain access.

Restoring data and systems from backups

If your organization implemented a data backup strategy before an attack, you have another option for restoring data and systems. You can wipe clean infected systems (being sure to remove all ransomware), reinstall operating systems and additional software, and then restore data from clean, secure copies of files. Regularly backing up data and software is an excellent method of reducing disruptions and minimizing data loss resulting from ransomware attacks.

 

 

The Future of Ransomware: Emerging Trends

The potential to generate large sums of money by holding data hostage will propel the continued growth of ransomware attacks. As cybercriminals tap into new technologies and devise new techniques, their targets must step up their defenses.  

Evolving ransomware tactics and techniques

Ransomware attacks have occurred for several decades, but tactics and techniques have evolved substantially. Today attackers continue to create new ways to access networks and rapidly spread infections. Meanwhile, they are adding new layers to their extortion schemes, adding the threats of stealing data and attacking partners.

Potential impact of emerging technologies

There’s no doubt that cybercriminals will continue to capitalize on emerging technologies to devise new types of attacks and to improve their success rates. Attackers are already using AI to craft better phishing emails, for example, and tapping into Ransomware-as-a-Service offerings to launch new viruses without having to write their own code. 

 

 

Stay Ahead of Ransomware Threats

How can your organization stay ahead of shifting threats? You need a multi-layered strategy that aims to protect data, prevent ransomware infection, mitigate damage, minimize disruptions, and rapidly return to business as usual. Beyond implementing the right cybersecurity solutions, you should also educate teams and present best practices for reducing risks. Ultimately, the best defense against evolving ransomware threats will be a combination of strategy, technology, and preventive actions, employed consistently across the organization. 

Cloud Storage Security (CSS) is a leading provider of data security solutions for organizations that operate within the cloud. Through antivirus and data loss prevention, CSS enables organizations to prevent ransomware incidents, data breaches, and other similar incidents. Contact us to learn more.

Cloudticity is a digital enablement partner for healthcare organizations generating measurable business and clinical outcomes by unlocking the cloud’s full potential. Through advanced automation and deep cloud expertise, Cloudticity empowers healthcare organizations to create, scale, and deliver next-gen healthcare solutions that are resilient and secure.

For more best practices on how to prevent ransomware ingestion, check out CSS and Cloudticity’s joint webinar Best Practices for Ransomware Prevention, Defense, and Mitigation.

This article originally appeared on Cloudticity's blog.

Tired of Reading?

Want to watch something instead?

Website_Case_Studies_Watch_Video (3)