Companies continue to fall victim to ransomware* on a regular basis. According to an IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data” 70 percent of companies who have fallen victim to ransomware, have paid the ransom. The FBI tells us the typical ransom is in the range of $200 to $10,000 paid, with some notable cases of ransome moving well into five, six and seven digit ranges. With a 70 percent success rate, one understands why the cyber criminal community is doubling down on ransomware as the malware of choice.

The FBI requests victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center.

• Date of Infection Ransomware Variant (identified on the ransom page or by the encrypted file extension)
• Victim Company Information (industry type, business size, etc.)
• How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
• Requested Ransom Amount Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
• Ransom Amount Paid (if any)
• Overall Losses Associated with a Ransomware Infection (including the ransom amount)
• Victim Impact Statement
• Don’t Pay a Ransom

IT departments are charged with the ensuring that their entity’s infrastructure is accessible by those who use the systems; data is secure and protected, with access by those who have a need to know; and that the information within the system is trustworthy and accurate. Planning for a ransomware attack is a must.

Don’t Pay Ransomware

But what of the companies/entities who decline to pay a ransom, how do they fair?

The ransomware event certainly creates havoc and expense. In some cases, preparedness and remediation exceeds the cost of the ransom. If you do not have cold-storage of your backups, you may lose your data permanently.

The San Francisco Municipal Transit Agency (SFMTA) recently fell victim to ransomware which impacted over 900 office computers. Once discovered, the SFMTA put into action their crisis management plan, and according to the SFMTA, they turned off the ticket machines (as a precaution), and opened up fare-gates. The SFMTA service was not disrupted, though riders rode for free as the IT team assessed the situation. Once the scope and nature of the event was determined, the SFMTA began restoring the affected devices. The SFMTA did not pay the ransom of $73,000 in bitcoins which was demanded, they had a plan and they executed the plan. (Source: Update on SFMTA Ransomware Attack | SFMTA )

Prepare for ransomware

Put in place a regimented regime with respect to your data and infrastructure. Both the FBI and IBM links provided are full of useful tips on putting one’s house in order. As the Cisco video above details, ransomware is a criminal enterprise and you and your business must be prepared.

In addition, every entity (and individual) should be familiar with “No More Ransom” which is a public-private resource which was initially created by Interpol, Kaspersky and Intel Security, and now includes a number of national Cyber Emergency Response Teams, multiple information security companies and has blossomed into a multi-lingual global resource. There mission is to disarm the cyber criminals. They provide, free, software to remove ransomware from devices, servers, etc.

Here are the recommendations from No More Ransom:

1. Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
2. Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected.
3. Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.
4. Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system.
5. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Scammers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).
6. If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.

Additional Reading:

IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data”

*Ransomware: Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site. (Source FBI)

Disclosure:  Christopher Burgess is a paid content contributor to IBM’s Security Intelligence Blog