All data, applications, systems and networks are valuable information systems for an organisation, as they allow it to execute its daily operations. The unavailability or inaccessibility of one of those systems due to a cyber-attack can thus have serious consequences for an organisation's business continuity. This article gives best practices on how to protect against a specific attack in this context: ransomware.

What is ransomware?

Ransomware is malware that cybercriminals install on an organisation's devices through various means, such as a malicious download or a phishing attack in which the victim clicks a malicious link or opens an infected attachment. Once installed, it encrypts files and/or whole systems so that the organisation can no longer access them, and the attackers then demand a payment in exchange for the means to restore access (typically a decryption key). The organisation loses control of the affected computers and cannot operate. In addition to making the information unavailable, cybercriminals frequently also threaten to publish the data they copied before encrypting it. This is a serious problem, especially for companies handling sensitive information.

How to identify ransomware?

The goal of cybercriminals when launching ransomware on a device is to gain something in exchange, usually money. They will therefore make it obvious that they have taken control and want something in return, often by displaying a ransom note on the screen of the infected device or by dropping a ransom note text file in every folder they encrypted. Before that note appears, early warning signs are files that suddenly cannot be opened, file names with an unfamiliar extension added, and unusually high disk activity on a device.

How to protect against ransomware?

Cybercriminals usually weigh the effort it will take them to install the ransomware against the benefits they expect to earn. It is thus important to ensure that the defences in place make it as hard as possible for them to get access to the organisation's environment. Several controls can be implemented:

1. Update your devices and software as soon as possible

Since a single unpatched vulnerability in a system, application or device can be enough for cybercriminals to cause damage and get access to information, installing updates as soon as they are available is crucial. It keeps the cyber defence strong and ensures that the system version being used is still supported by the vendor. Internet-facing systems (remote access gateways, VPN appliances, web servers) should be patched first, as they are the ones attackers can reach directly.

2. Secure access to your accounts

Accounts are an entrance door to an organisation's whole environment. They thus need to be protected with strong passwords that are different for each account. A strong password has at least 12 characters and combines upper and lower case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should also be enabled wherever possible. Multi-Factor Authentication requires a user to present at least two different types of proof (e.g., a password plus a code generated by an authenticator app, or a password plus a code received via text) to verify their identity before they are granted access to the resource they are trying to reach. Note that a password plus a PIN code are both "something you know" and do not count as two factors.

3. Enforce antivirus and local firewalls on devices

There are several ways a device can be infected by a virus: opening an attachment, clicking on a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims to damage resources, delete files, slow down performance or steal confidential information. Once a virus is on a computer, it takes time, effort and money to remove it. This is why it is better to protect all devices allowed to connect to the organisation's network with antivirus software upfront.

In addition, a firewall should be used to monitor and filter connection requests based on predefined security rules. A network firewall acts as a wall between the corporate network and an untrusted network (e.g., home network, Internet) and limits external access to authorised people only. A local (host) firewall on each device additionally blocks incoming connections that the device does not need to accept, which limits how far ransomware can spread from one infected device to the others on the same network.

4. Raise collaborators' awareness of scams that aim to steal confidential information

An organisation's collaborators are its first line of defence. They need to be taught how to identify scams and fake messages so that they adopt the right reflexes. There are several ways cybercriminals try to steal collaborators' credentials in order to get access to an organisation's resources. A very common way is a phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is thus important to hold regular training sessions that remind collaborators not to share too much on social media and not to click on a link or open a file without first checking where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

  • Is it unexpected?
  • Is it urgent?
  • Do you know the person who sent the e-mail?
  • Do you find the request strange?
  • Where does the link you need to click on lead to? (hover over it with your mouse to see the real destination, do not click)
  • Is there a QR code in the message? (a QR code hides its destination until it is scanned)
  • Are you being personally addressed?
  • Does the message contain many linguistic errors?
  • Is the message in your Spam / Junk folder?
  • Is someone trying to make you curious?
  • Are you asked to make a payment?
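The checklist above can be turned into a first automatic triage of an incoming message. The following Python script is an added example and is not part of the original article: it parses the HTML body of a constructed phishing email, compares the visible text of each link with the real destination in its href (the "hover, do not click" check), verifies that links stay within the sender's domain, and flags a QR code, an urgent tone, a payment request and a generic greeting. The sender address, hostnames and keyword lists are assumptions chosen for the example; a real deployment would tune them to the organisation.

```python
"""Heuristic triage of a suspicious email, as an added example (not part of the original article)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword lists are assumptions for the example, not an authoritative phishing vocabulary.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be suspended")
PAYMENT_WORDS = ("payment", "invoice", "wire transfer", "gift card", "bank details")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam")


class _BodyParser(HTMLParser):
    """Collect links (href + visible text), images and plain text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_parts = [], [], []
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._link_text = a.get("href", ""), []
        elif tag == "img":
            self.images.append((a.get("src", ""), a.get("alt", "")))

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme ('portal.example.com/login')."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return "." in text and " " not in text and "@" not in text


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(sender, subject, html_body):
    """Return a list of red flags; an empty list means none of the checklist heuristics fired."""
    parser = _BodyParser()
    parser.feed(html_body)
    text = " ".join(parser.text_parts).lower()
    haystack = text + " " + subject.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    for href, visible in parser.links:
        href_host = host_of(href)
        # "Where does the link lead?": the visible text may show one site while the href goes elsewhere.
        if looks_like_url(visible) and host_of(visible) != href_host:
            flags.append(f"link text '{visible}' actually points to {href_host}")
        if href_host and not in_domain(href_host, sender_domain):
            flags.append(f"link to {href_host} does not belong to sender domain {sender_domain}")
    for src, alt in parser.images:
        if "qr" in (src + " " + alt).lower():
            flags.append("message contains a QR code (destination hidden until scanned)")
    if any(w in haystack for w in URGENCY_WORDS):
        flags.append("urgent tone / pressure to act quickly")
    if any(w in haystack for w in PAYMENT_WORDS):
        flags.append("asks for a payment or financial details")
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic greeting, recipient not personally addressed")
    return flags


# Constructed sample: a credential-phishing email written for this example, not a real message.
SAMPLE_SENDER = "it-support@examp1e-corp.com"
SAMPLE_SUBJECT = "URGENT: your mailbox will be suspended within 24 hours"
SAMPLE_BODY = """<html><body>
<p>Dear user,</p>
<p>Please confirm your password immediately at
<a href="http://examp1e-corp.com.verify-login.net/auth">https://portal.example-corp.com/login</a></p>
<p>Or scan this code from your phone: <img src="cid:qr-code.png" alt="QR code"></p>
</body></html>"""

if __name__ == "__main__":
    for flag in triage(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY):
        print("-", flag)
```

The link check is the one that matters most in practice: the visible text shows the legitimate portal, while the href leads to a host whose registrable domain is verify-login.net, with the company name merely placed in a subdomain. A message with no flags is not proven safe; the script only reproduces the checklist so that the obvious cases are caught before a person has to judge.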

5. Only use official websites and platforms to download applications and software

Pirated applications and software are frequently bundled with malware, so only install software obtained from the vendor's official platforms and websites.

6. Limit the actions that can be executed with an admin account

Limit the number of administrator or privileged accounts to the bare minimum, and do not use them for day-to-day tasks such as reading email or browsing the web. Given the privileges that admin accounts hold, a malicious attachment opened from one makes it much easier for cybercriminals to take over the device or install ransomware on it.

7. Regularly backup your critical resources

Back up all systems, applications, servers and data to make sure that, even if an incident occurs, all important information can still be recovered. Keep at least one copy offline or otherwise out of reach of the production network, because ransomware routinely encrypts or deletes any backup it can reach with the credentials it has stolen. It is important to regularly test those backups, by actually restoring from them, to confirm that they can be used when needed after an incident.
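A backup that has never been restored is an assumption, not a control. The following Python script is an added example and is not part of the original article: it creates a backup archive together with a manifest of SHA-256 hashes, then tests the backup by restoring it into a scratch directory and comparing every file against the manifest. The scenario it runs is constructed: a small "live" directory is backed up, ransomware is simulated by overwriting one file and renaming another, and a second backup taken after the incident is catalogued with the original manifest, which stands in for the common failure where the nightly job kept running and silently captured already-encrypted files. The directory names and file contents are assumptions for the example.

```python
"""Backup creation and restore test with a hash manifest, as an added example (not from the original article)."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write source_dir into a tar.gz archive and a sidecar manifest; return the manifest."""
    manifest = build_manifest(source_dir)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname="data")
    Path(str(archive_path) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def safe_extract(archive_path, dest):
    """Extract without trusting member names: no paths outside dest, no links."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(str(archive_path), "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest, member.name))
            if not (target == dest_real or target.startswith(dest_real + os.sep)):
                raise ValueError(f"refusing to extract outside destination: {member.name}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing to extract link: {member.name}")
            tar.extract(member, path=dest)


def verify_backup(archive_path):
    """Restore into a scratch directory and compare each file hash with the manifest.

    Returns (ok, missing_files, changed_files)."""
    manifest = json.loads(Path(str(archive_path) + ".manifest.json").read_text())
    with tempfile.TemporaryDirectory() as tmp:
        safe_extract(archive_path, tmp)
        restored = build_manifest(Path(tmp) / "data")
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return (not missing and not changed), missing, changed


def restore(archive_path, dest):
    safe_extract(archive_path, dest)
    return Path(dest) / "data"


def demo():
    """Constructed scenario: back up, simulate an encryption run on the live copy, test, restore."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("account,amount\nops,1200\n")
        (src / "notes.txt").write_text("original notes")
        good = work / "backup-monday.tar.gz"
        manifest = create_backup(src, good)

        # Simulated ransomware on the live copy: one file overwritten with junk, one renamed.
        (src / "notes.txt").write_bytes(os.urandom(32))
        (src / "finance" / "q1.csv").rename(src / "finance" / "q1.csv.locked")

        # A backup taken after the incident but catalogued with Monday's manifest stands in for a
        # job that kept running and captured already-encrypted files. The restore test must catch it.
        bad = work / "backup-tuesday.tar.gz"
        create_backup(src, bad)
        Path(str(bad) + ".manifest.json").write_text(json.dumps(manifest))

        good_ok, _, _ = verify_backup(good)
        bad_ok, bad_missing, bad_changed = verify_backup(bad)
        restored = restore(good, work / "restore")
        return {
            "good_ok": good_ok,
            "bad_ok": bad_ok,
            "bad_missing": bad_missing,
            "bad_changed": bad_changed,
            "restored_notes": (restored / "notes.txt").read_text(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live with the backup copy and be written at backup time, not regenerated at verification time, otherwise a backup of encrypted files verifies against itself. The extraction helper checks member paths before writing because a restore is exactly the moment an attacker-supplied archive would try to overwrite files outside the restore directory.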

8. Control software installation on corporate devices by establishing a list of allowed software

A collaborator looking for specific software, with little or no knowledge of cybersecurity, is unlikely to second-guess the offers found on the internet. It is thus important to make sure that all downloaded software is approved by the IT responsible from a security and performance point of view. In addition, the IT responsible can establish an allowlist: a list of software that collaborators are allowed to install on their corporate devices, together with the official source each package must come from.
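Controls 5 and 8 combine naturally into one check before anything is installed: is the product on the approved list, does the download come from the vendor's official site, and does the file match the checksum the vendor publishes? The following Python script is an added example and is not part of the original article. The product name, hostnames (under the reserved .example domain), installer bytes and the vendor's checksum file are all constructed for the example; the checksum file uses the two-space "digest  filename" layout produced by the common sha256sum tool.

```python
"""Installer allowlist and vendor checksum check, as an added example (not from the original article)."""
import hashlib
import hmac
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for two downloads; a real check would read the installer from disk.
GOOD_INSTALLER = b"MZ\x90\x00 constructed installer bytes for notes-tool 2.4.1"
TAMPERED_INSTALLER = GOOD_INSTALLER + b" plus an appended loader"

# Vendor-published checksum file in sha256sum format (constructed for this example).
VENDOR_SHA256SUMS = f"""\
# notes-tool 2.4.1 release checksums
{sha256_hex(GOOD_INSTALLER)}  notes-tool-2.4.1-x64.msi
"""

# Allowlist maintained by the IT responsible: product -> hosts it may be downloaded from.
# Hostnames are assumptions for the example.
ALLOWLIST = {
    "notes-tool": {"official_hosts": ("downloads.notes-tool.example",)},
}


def parse_sha256sums(text):
    """Parse 'digest  filename' lines; '#' comments and blank lines are ignored."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, filename = line.partition("  ")
        filename = filename.lstrip("*")  # 'sha256sum -b' marks binary-mode entries with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[filename] = digest.lower()
    return sums


def check_installer(product, download_url, filename, data, sha256sums_text):
    """Return (allowed, reason). Every refusal names the control that blocked it."""
    entry = ALLOWLIST.get(product)
    if entry is None:
        return False, f"{product} is not on the approved software list"
    url = urlparse(download_url)
    host = (url.hostname or "").lower()
    if url.scheme != "https" or host not in entry["official_hosts"]:
        return False, f"download source {download_url} is not an official {product} site"
    expected = parse_sha256sums(sha256sums_text).get(filename)
    if expected is None:
        return False, f"no published checksum for {filename}"
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected):
        return False, f"checksum mismatch for {filename}: got {actual[:12]}..., expected {expected[:12]}..."
    return True, f"{filename} matches the vendor checksum and comes from an approved source"


if __name__ == "__main__":
    url = "https://downloads.notes-tool.example/2.4.1/notes-tool-2.4.1-x64.msi"
    for label, data in (("vendor build", GOOD_INSTALLER), ("tampered build", TAMPERED_INSTALLER)):
        print(label, check_installer("notes-tool", url, "notes-tool-2.4.1-x64.msi", data, VENDOR_SHA256SUMS))
```

The checksum only proves the file is the one the vendor published, which is why the source check comes first: a mirror that serves a trojaned installer can just as easily serve a matching checksum file next to it, so the sums must be fetched from the official site, not from wherever the installer came from.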

What to do if your device gets infected with ransomware?

  1. Report the incident immediately to your IT responsible.
  2. Isolate the infected resources from the network (unplug the network cable, disable Wi-Fi) to prevent the ransomware from spreading further. Do not wipe or reinstall the device before the information in step 7 has been collected.
  3. Do not pay the ransom.
  4. Set up a separate communication channel, as the attackers may still be reading the organisation's email.
  5. Set up a crisis management team.
  6. Immediately report the incident to the local police.
  7. Gather all the necessary information: the type of storage holding the data, the operating system, the infection vector, the name of the ransomware, the means of payment demanded and, if possible, screenshots of the infected systems and the ransom note.
  8. Change all the passwords that were disclosed (if any) on every account where they are used.
  9. Scan your devices with an antivirus.
  10. Identify all the vulnerabilities that were used to gain access and remediate them as soon as possible.
  11. Try to decrypt the encrypted files if a solution exists (The No More Ransom Project, https://www.nomoreransom.org, lists free decryption tools for ransomware families whose keys have been recovered).
  12. If needed, contact official (external) security specialists who can help you recover your resources.

Paying the ransom is not recommended: it does not guarantee that the data will be recovered, nor that copied data will not be published anyway. In addition, it makes ransomware profitable, which encourages cybercriminals to keep pursuing this malicious activity.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.