CryptoWall, Locky, TeslaCrypt. To make sense of today’s tech headlines, you have to learn an entire new vocabulary. But one word sums them all up: Ransomware.
Ransomware is running rampant. Fortinet’s FortiGuard Labs monitors worldwide Ransomware infections and has seen a huge jump in incidents over the past six months. For instance, in Hong Kong, there were 46,172 detected Ransomware incidents in September 2015. In October, that number jumped to 1,008,539. Ransomware has gone from being a nuisance for a few enterprises to a worldwide pandemic, and there is no respite in sight.
The bad news
The bad news is that, once your clients get stung, the available antidotes all have significant downsides. But the real bad news is that Ransomware is no different from any other malware, and most organisations should already be preventing Ransomware as part and parcel of their cyber-security profile. With few exceptions, Ransomware sneaks in via holes in the defences. Close the holes and the odds of getting hit go down significantly.
“We are fielding more and more calls from resellers who talk about their customers being infected with Ransomware,” says Jonathan Fox, General Manager of Advanced Solutions at Ingram Micro, a leading distributor of Fortinet’s cyber-security solutions in Australia. “Invariably the victims, for one reason or another, hadn’t kept their defences up-to-date and, as a result, they got hit. It’s interesting to note that most malware sneaks in and does its dirty work more or less undetected. The only noticeable evidence might be a slower network. But Ransomware, on the other hand, tells the victim immediately ‘you’ve been hit, now pay up!’.”
Staying safe in an unsafe world
Preventing Ransomware takes the same vigilance as preventing any malware. “A FortiGate Next Generation Firewall with internal segmentation, FortiAnalyzer to monitor traffic, FortiSandbox to isolate any detected threats, a FortiGuard Labs subscription service and a well-thought-out and enforced security policy should be enough to keep most Ransomware at bay,” says Fox. “And, with this configuration, even if a mail server or smartphone gets infected, the internal segmentation bulwarks limit the damage.”
Indeed, this is one of the issues that made the ‘Panama Papers’ leak so bad. Once the intruder got inside the corporate network via a compromised server, there were no internal barriers to halt the spread. That, plus the 2TB of data downloaded with nobody noticing, turned a corporate inconvenience into an international public relations disaster that has seen a Prime Minister resign and offshore tax laws (including our own) undergo unprecedented scrutiny. “If the law firm in question had made even a modest effort to protect their sensitive data,” notes Fox, “they could have avoided a lot of grief.”
Don’t get hit
So the best bet is not to get stung in the first place, and to ensure that your clients are rigorous in their backup procedures. But what happens if they do get infected? What is the best strategy for cleaning up the mess?
“They have two options, neither particularly palatable,” says Fox. “Pay up or rebuild their system. But there is no guarantee that paying will end the drama. There might be a hidden payload that will ask for more money (or bitcoin) next month. If your client has been diligent in their backups, then they can simply do a barebone restore and rebuild the new network. But what if there is a hidden payload in the backup files? Before they rebuild, it might pay to get a forensic expert in to find the culprit and delete it before it causes further damage. Either way, it’s not a pleasant exercise.”
What to tell your customers
So what should you be telling your clients about Ransomware? “Firewalls, external and internal, real-time network activity monitoring, sandboxing and constant updates,” says Fox. “That, plus user training to keep people from opening dodgy emails or visiting non-essential websites, should keep your clients safe. If you look at the costs of prevention vs the cost of paying a ransom or rebuilding, the numbers make prevention a bargain.”
Fortinet’s recommendation is a multi-layered defence at the endpoint and gateway layers, with sandboxing to block and analyse this malware and its botnet traffic before it enters the network. Fortinet’s advanced threat protection (ATP) helps combat application-layer botnets and adds more control over the network. Rigorous backup is essential.
Fortinet has been putting in a lot of work tracking Ransomware and its effects. Ingram Micro will be happy to talk to you about ‘Ransomware-proofing’ your clients’ networks. It’s a conversation you should be having with all of your clients. Start the process now, before it is too late.