Preparing for Ransomware: Expect to Get Hacked
Businesses all over are making big news – the bad kind. A major pipeline, more than one casino, a meat producer, and a regional hospital have all been in the news recently for getting “hacked” with ransomware. Some of these organizations have been completely crippled and have suffered permanent damage to their finances and reputation. There are simple ways, though, to ensure that your data, and your organization, are safe. As surprising as it sounds, it all starts with expecting to get hacked.
Expect to Get Hacked
It is important to prepare, even for the bad stuff. For example, we all expect to get sick occasionally. We have insurance, save up sick days, we stock our medicine cabinet, and we know where our doctor and hospital are. Getting sick is just a part of life. IT problems like viruses and ransomware are the same. By preparing for the inevitable, when it happens you suffer much less than if you didn’t see it coming at all. To properly prepare, the first rule is: expect to get hacked.
Make Good Backups
For ransomware, and many other threats, the most important preparation is making proper backups. When a user is infected with ransomware, the program goes to work encrypting all the files the user can access. Local files, network files, removable media, etc. are all vulnerable. Because of that, local backups can also be overwritten by the criminals if they’re not set up correctly. On the other hand, backup tape, RAID snapshots, write-once media, or no-delete network shares can be safer options. Another good (and low-maintenance) option is using a cloud backup service such as Backblaze or IDrive (these are just two examples), which will upload copies of your files to a cloud server and are not typically vulnerable to being grabbed by ransomware.
Teach Your People to Avoid
Avoiding getting hacked for as long as possible is important, so train your people to avoid common scams. Remind them regularly that they could be infected via email, presented with a fake screen asking for a username and password, or prompted to download a program that is really a virus. The better your people do at identifying these ways of being infected, the safer your organization will be. While you are educating your people, though, remember the first rule: expect to get hacked.
Spend some time teaching your people what to watch for, and how to report the problem as soon as they notice something wrong.
Teach Your People to Detect
Make sure you train your staff how to detect trouble. With ransomware, for example, the first sign that something is wrong is often a message saying that a file is corrupt or inaccessible. Someone may open an Excel document or Word document only to be greeted by a message like “This file is corrupt and cannot be opened”. Often, there will be another file in the same folder called something like “Readme.txt” or “Decrypt_Instructions.txt” that will have the ransom information. There could be a popup screen on the computer stating the ransom demand.
Showing your people the signs to look for will help them quickly recognize what has happened, and allow them to report more quickly.
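The two signs described above (Office files that suddenly report as corrupt, and a ransom-note file sitting beside them) can also be checked for automatically on a file share. The following script is an added example, not part of the original article; it relies on the fact that modern Office documents are ZIP containers (starting with the bytes `PK\x03\x04`) and legacy ones are OLE2 files (starting with `D0 CF 11 E0`), and it builds a small constructed sample folder so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note names mentioned in the article; extend with names seen in practice.
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.txt"}

# Expected leading bytes for common Office formats. An encrypted file loses this
# signature, which is exactly why Office reports it as "corrupt".
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
}


def scan_tree(root):
    """Walk a folder tree and return (bad_headers, ransom_notes).

    bad_headers: Office files whose first bytes no longer match their extension.
    ransom_notes: files whose name matches a known ransom-note name.
    """
    bad_headers, ransom_notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                ransom_notes.append(str(path))
            expected = MAGIC.get(path.suffix.lower())
            if expected is None:
                continue  # not an Office document, nothing to compare against
            with open(path, "rb") as fh:
                head = fh.read(len(expected))
            if head != expected:
                bad_headers.append(str(path))
    return sorted(bad_headers), sorted(ransom_notes)


def build_sample_share():
    """Constructed sample data: one intact .docx, one .xlsx whose header has been
    replaced by junk (as after encryption), and a ransom note in the same folder."""
    root = tempfile.mkdtemp(prefix="share_")
    (Path(root) / "budget.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    (Path(root) / "forecast.xlsx").write_bytes(b"\x8f\x2a\x11\xd9" + b"\x5c" * 64)
    (Path(root) / "Decrypt_Instructions.txt").write_text("your files are encrypted")
    return root


if __name__ == "__main__":
    bad, notes = scan_tree(build_sample_share())
    print("Office files with unexpected headers:", bad)
    print("ransom-note-like files:", notes)
```

Run against a real share, a non-empty result from either list is a reason to follow the reporting procedure described below, not to start investigating on the affected workstation.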
Teach Your People to Report
Unfortunately, it isn’t always possible to avoid being infected by a virus. Sometimes, criminals can create software that automatically spreads without anyone doing anything wrong. Also, the virus could be embedded in a normal file received from a trusted source. Telling the folks in your organization about the signs to watch for and helping them feel comfortable reporting a problem will go a long way towards quickly resolving problems. Make it very clear what users can do when they see a problem.
Should they call a help line, or send an email? Should they continue working, or shut the computer down, or do nothing until IT can respond?
These are the questions that can be answered in advance and taught to your people so that there is a clear and effective way to tackle the problem. To prevent the spread of the problem to other people in the company, and other file areas, quick response is vital. When the response is underway, it is important not to place blame too quickly. No one is perfect, everyone is vulnerable, and anyone can be infected.
Remember the first rule: expect to get hacked.
Finally, once the problem has been reported, it is important to take quick action. By deciding in advance what to do in certain scenarios, action can be swift and effective. For example, at my firm we have a standard wipe and reimage procedure that we go through for any infected computer. We save the old drive for future analysis, and then place a new drive in the computer and reload whatever operating system and software is needed. Only then do we go to the backups to retrieve user files. Having this procedure helps us quickly begin recovery without making very many on-the-fly decisions.
One of the best ways to make specific plans is through a “table-top disaster exercise”. To do this, you bring the operations people in your organization together at a conference table (perhaps one department at a time) and discuss worst-case scenarios. Which files would be lost if Jill or Dave had a virus? How long would the operation be down if their computer was destroyed? Who else would be affected? How quickly could the backups be restored, and are those backups safe from destruction? By asking and answering these questions in advance, your organization can be ready for the inevitable.
Preparation is the Key
Every organization is different, so the steps for your organization can be different. The key is to do as much as possible in advance. Expect to get hacked, plan accordingly, and you will be ready with good backups, educated staff, and predefined actions that will prevent your organization from suffering permanent damage.
Happy (and safe) computing!
Chief Information Officer, Finley & Cook
Finley & Cook, PLLC has years of experience auditing accounting, banking, gaming, and regulatory compliance. Our security staff is led by Bobby Simpson, who holds the ISC2 Certified Information Systems Security Professional (CISSP), GIAC Certified Pen Tester, Incident Handler, and Intrusion Analyst certifications.
Our staff can help guide you in preparing your organization to withstand cyber-attacks. Finley & Cook provides a Cybersecurity Review and Readiness Program, which will assess each of the elements on this list in detail and provide a prioritized list of recommendations related to weak areas.