Protecting Your Institution from Ransomware Attacks
Author: Jan Hertzberg
Ransomware is a form of malware that targets your critical data and systems for the purpose of extortion. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016, according to the U.S. Department of Justice (DOJ). That's a 300 percent increase over the approximately 1,000 attacks per day seen in 2015.
The U.S. Computer Emergency Readiness Team stated the latest version of a ransomware variant, known as WannaCry, WCry or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and rapidly spread to more than 99 countries—including the U.S., U.K., Spain, Russia, Taiwan, France and Japan—over a period of several hours.
Ransomware often is delivered through spear phishing emails targeting a specific organization or individual. After the user has been locked out of the data or system, the cyber actor demands a ransom payment. After receiving payment, the cyber actor provides further instructions as to how the victim can regain access to the system or data.
Academic institutions are primary targets for identity theft and ransomware events due to the treasure trove of data available. These data sources often are in great demand by cybercriminals and fetch strong prices from the underground market.
Higher education entities often are highly complex and dynamic in structure. Such an organization becomes difficult to protect in terms of risk management, information governance and internal controls. This environment creates an ideal situation where cyberthreat actors can operate.
The DOJ recommends taking steps now to help prevent the worst effects of a ransomware attack, including:
- Implement a strong cybersecurity awareness and training program.
- Put in place effective technical measures to protect computer networks, such as:
  - Enable strong spam filters to prevent phishing emails from reaching end users and implement technologies to prevent email spoofing.
  - Scan incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  - Configure firewalls to block access to known malicious IP addresses.
  - Patch operating systems, software and firmware on devices. Consider using a centralized patch management system.
  - Set antivirus and antimalware programs to automatically conduct regular scans.
  - Configure access controls—including file, directory and network share permissions—with least privilege in mind.
  - Implement effective system logging and monitoring tools.
- Regularly back up data and verify the integrity of those backups by testing the restoration process to ensure that it’s working.
- Conduct an annual cybersecurity assessment—with network penetration testing—to identify vulnerabilities.
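The backup recommendation above is only useful if a restore is actually tested. The following is an added example, not code from the article or from BKD, showing one way to do that: record a SHA-256 manifest of the source at backup time, keep it apart from the backup, and on each test restore compare the restored files against it. The directory layout and file contents are constructed sample data; `back_up`, `verify_restore` and `demo` are names chosen here.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def back_up(source: Path, backup: Path) -> dict:
    """Copy source to backup; return the manifest taken from the source
    at backup time (store it separately from the backup itself)."""
    shutil.copytree(source, backup)
    return build_manifest(source)

def verify_restore(backup: Path, manifest: dict, restore_to: Path) -> list:
    """Test-restore the backup and return relative paths that are missing
    or whose content no longer matches the manifest; [] means it passed."""
    shutil.copytree(backup, restore_to)
    restored = build_manifest(restore_to)
    return sorted(rel for rel, digest in manifest.items()
                  if restored.get(rel) != digest)

def demo() -> tuple:
    """Constructed scenario: a clean restore passes; a backup in which one
    file was overwritten (as an encrypting ransomware would) is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "students.csv").write_text("id,name\n1,alice\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        manifest = back_up(src, root / "backup")
        clean = verify_restore(root / "backup", manifest, root / "restore1")
        (root / "backup" / "notes.txt").write_bytes(b"\x00ENCRYPTED\x00")
        tampered = verify_restore(root / "backup", manifest, root / "restore2")
        return clean, tampered

if __name__ == "__main__":
    print(demo())  # ([], ['notes.txt'])
```

A non-empty result from `verify_restore` means that backup set cannot be trusted for recovery and an earlier, verified set should be used instead.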
If systems become infected with ransomware, we recommend these actions:
- Forensically preserve affected systems
- Collect relevant logs and activity
- Maintain chain of custody for evidence
- Reconstruct the event timeline
- Identify threat actor tactics
- Determine if data exfiltration occurred and, if so, quantify extent of exfiltration
- Determine incident lessons learned and conduct a post-breach cybersecurity assessment to identify the presence of other possible vulnerabilities
BKD IT Risk Services is dedicated to helping academic institutions assess their cybersecurity risks, improve their cybersecurity protections and respond to a breach. For additional information, read Detecting & Mitigating Ransomware Events.
Contact your BKD advisor if you have questions.