When ransomware criminals lock up files and demand payment to decrypt them, don’t pay, was the advice a consultant gave to a group at SecureWorld.
That’s easy to say when there’s no risk of losing crucial data, and making it possible requires planning, says Michael Corby, executive consultant for CGI.
“Plan to have data available in a form that won’t be affected by ransomware – encrypted and stored separately from the production network,” he says. “You need a clean copy of the data in a restorable form. Test that the backups work.”
Restore and recover are the key words, and both should be carried out keeping in mind that the malware has to be removed before recovering.
While he advocates not paying ransom, he says he knows of law enforcement agencies that think paying is inevitable sometimes as the only way to recover essential data. They go so far as to encourage businesses to get a bitcoin wallet before being hit by ransomware so payments can be made quickly if necessary. Ransomware criminals generally issue tight deadlines for payment.
The first rule of responding to ransomware that all employees should know is: Don’t try to figure it out. When the ransom demand appears on the screen, they should disconnect the device from the network immediately and tell IS. In turn, IS should scramble a response team that includes themselves but also the legal department, public relations, human relations, executives and IT.
The organization should notify the FBI, which is complicated because calling them in means relinquishing control of the investigation and perhaps devices and the data they contain that are needed as evidence.
He has a string of steps businesses should take as best practices against ransomware that also are good general network hygiene:
- Hold awareness programs about malware for end users.
- Patch and update software including security and antivirus software.
- “Decriminalize” being hit by ransomware so fear doesn’t stop end users from reporting it immediately.
- Manage administrative accounts to ensure least privilege.
- Disable macros.
- Consider limiting BYOD to an approved list of devices that should then adhere to strict security policies.