SMBs are Big Targets for Ransomware Attacks
Ransomware attacks have turned quite common these days; there are attacks of varying sizes targeting all kinds of organizations/businesses as well as individuals reported from all across the world.
Talking of the targets of ransomware strikes, it’s SMBs (Small and Medium-Sized Businesses) that appear to be the big targets for ransomware criminals.
Security analysts at HackerCombat have always been keeping tabs on ransomware strikes across the world. Our analysis too has led to the inference that SMBs are big targets for those cybercriminals who’d want to mint money using ransomware, the most crippling of all malware.
The Reasons
- That the SMB market is considerably big is the prime factor that attracts ransomware criminals to this area. Though the organization-wise revenue would seem to be very small when compared to what bigger businesses earn, SMBs account for about 99.9% of all companies and contribute to almost half of annual GDP. 47.5% of all jobs are in the SMB sector.
- Most SMBs, though they would have adequate fist lines of defense to prevent cyberattacks, won’t be investing in installing advanced, sophisticated security software. This is primarily because of the limited funds at their disposal. Thus, for SMBs, it becomes difficult to fight effectively against the cybercriminals who come up with all kinds of premeditated, sophisticated cyberattacks.
- Many SMBs, obviously due to limited funds, are likely to be callous as regards taking backups of their data, and hence it’s very likely that once they lose control over their data following a ransomware attack, they’d most probably pay the ransom and move on with their day-to-day activities.
How to prevent ransomware attacks…
There are some basic prevention strategies that would definitely be of help to SMBs in combating ransomware attacks. Let’s take a look at some of them:
* Always keep antivirus software and all other security software updated; this is critical to the security of any business.
* Make it a policy to enable automated patches for the operating systems, web browsers etc.
* Emphasize on having effective, strong identity management and access management and limit local administrative rights.
* Going for a robust kind of network segmentation (splitting a computer network into subnetworks) helps to minimize the impacts of ransomware attacks.
* Ensure that emails that come with .js, .wsf, and .zip extensions and macros are blocked at the email gateway level itself.
* Educate employees on the basics of cybersecurity, train them to avoid and handle cyberattacks.
* Most cyberattacks are launched through phishing scams. Hence, it becomes important that employees are trained in detecting and preventing phishing attacks. Mock phishing campaigns, designed to test and train employees, too would be good.
* It would be advisable to disable common attack vectors like Adobe Flash Player, Java, Silverlight etc.
* Have an intrusion detection system to monitor signs of malicious activities; this is always a wise investment.
* Make it a policy to have a backup of all important data, in a separate, secure location so that it’s not accessible from local networks; update the backup regularly.
* Have an effective response and recovery plan in place.
* Disable autorun/autoplay functionality on the OSs; this prevents malicious software from running in the network.
* Ensure that macro-enabled malware files are blocked from running on MS Office 2016 programs- Word, PowerPoint, Excel etc- by using group policy setting.
Responding to a ransomware infection
If at all there is a security incident and a ransomware attack happens, these are the things that need to be done-
* Identify and disconnect infected machines from the network.
* Assess the extent of infection, try identifying the type of ransomware involved.
* Find out if the infected machine was connected to any network drives, external hard drives, USBs, cloud-based storage etc.
* Check for any registry or file listing that could be created by the ransomware.
* Look for malicious scripts running on the infected machines. Check other systems in the network as well.
* Clean the infected system using effective disinfection tools. If possible, preserve a copy of the ransomware variant/malicious script for future forensic analysis.
* After disinfecting system, re-install the operating system.
* If you have a reliable backup, get all data restored are move on.
* In case you don’t have a backup, check if the ransomware that has been used can be decrypted with any decryption tool. There are many such tools available. But be careful, make sure you are not causing harm to your data using such decryption tools because brute force attacks are difficult, impossible or damaging in the case of many ransomware variants.
* Communicate the cybercriminals involved only from an anonymous email account created exclusively for the purpose. Never provide any additional information about your company.
* Try negotiating with the criminals for a lower price (ransom), buy enough time to ensure you can pay them if the amount is big.
* Never let the criminals know as to what kind of data has been encrypted and how serious the situation is for you. They may ask for bigger amounts as ransom.
* Be cautious while accepting any files from the cybercriminals; decryption keys and “proof of life” (which helps verify that the criminals can de-encrypt the files) might also contain more malware.
* If you need to pay ransom., purchase bitcoin from an exchange or broker and use a credit card or debit card at an exchange outside the United States, for fast processing. Remember, there are risks involved, there are bitcoin exchanges that are not to be trusted.
* If there are physical bitcoin ATMs and if the ransom amount is low, get the bitcoin from the physical ATM. It would help deal with the crisis fast.