As we enter the second half of 2016, expect the use of ransomware to proliferate across the public sector. Already, the U.S. Departments of Justice (DOJ) and Homeland Security (DHS) have documented ransomware cyberattacks on federal, state and local governments including schools, hospitals, and police departments. In the federal space alone, the DHS reports that ransomware-related activities have affected 29 different agencies in the last 12 months. With this in mind, how can these government agencies protect sensitive data from this growing threat?
To back up the train for a moment, ransomware is a new form of malware designed to restrict access to the infected computer system or its files, which gives the hacker the ability to demand payment, or a “ransom,” from the victim in order to regain access. The most common types of ransomware are CryptoWall, TorrentLocker, Samas, and Locky. Locky is currently the most active and widely distributed of these, and is usually delivered to the victim as an MS Word document.
The audacity of these breaches and of the hackers behind them is sometimes hard to believe. A study by one of ForeScout’s partners, FireEye, found that cybercriminals would set up message centers allowing the victims to communicate with them. The cybercriminals positioned themselves as “customer support” and instructed the victims on how to acquire Bitcoins to pay the ransom. Once the cybercriminals confirmed the payment, the victims were given the decryption keys to access their files.
For public sector agencies, authentication on government sites is crucial to protecting sensitive data from this growing threat. As a basic example, government personnel should ignore any message containing the following: “All your personal files have been encrypted! Please click here!” This is the most common approach hackers use to bait officials into the mistake of clicking on or downloading their ransomware.
As this threat continues to gain attention, it can instill fear across agencies, creating worry and uncertainty. The good news is that there are simple and effective ways to safeguard your network and information.
The first step toward a ransomware-defensible network is to stop it before it begins. This means proactive measures such as ensuring endpoints are up to date with patches and service packs, validating that the endpoints connected to the network are current and working, and running continuous vulnerability assessment scans.
This multi-layer remediation process incorporates identifying infected systems, blocking access to malicious websites, identifying threats through Advanced Threat Defense (ATD) integration, and applying controls. Successful solutions cover pre-breach mitigation, active breach, post-breach, active monitoring, and tuning of current configurations. Through continuous monitoring and a scalable approach to security, multiple layers of protection can prevent ransomware from abusing a network.
It is imperative to detect the issue before it turns into a problem that can leave your agency at a loss. Key recommendations to help the fight against ransomware are: network monitoring, up-to-date anti-virus, finding open network shares, and ensuring comprehensive backups. While ransomware continues to be a growing threat, developing and maintaining a proactive solution will help keep network control where it belongs – in your hands.
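As an added illustration of the "network monitoring" recommendation above (example code written for this page, not ForeScout's or FireEye's own tooling): a ransomware outbreak on a file share shows up as one account renaming or overwriting many files in a very short window, often appending a new extension to each file (Locky-style names such as `report.docx.locky`). The script below parses a constructed file-server audit log, keeps a sliding window of suspicious rename events per user, and raises an alert when the count in that window crosses a threshold. The log format, the user names, the `.locky`/`.encrypted`/`.crypt` extension list, and the window and threshold values are all assumptions chosen for the example; a real deployment would read its SMB or file-integrity audit feed and tune the numbers to the share's normal rename rate.

```python
"""Flag ransomware-like rename bursts in a file-server audit log.

Added example (not ForeScout's code). Audit lines are constructed here in a
simple "<ISO timestamp> <user> <action> <path>" format; RENAME actions carry
"<src> -> <dst>". Thresholds and extensions are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, List, Optional, Tuple

# Extensions commonly appended by ransomware families (illustrative list).
RANSOM_EXTENSIONS = {".locky", ".encrypted", ".crypt"}


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    src: Optional[str]   # original path for RENAME, else None
    dst: str             # new path for RENAME, touched path otherwise


def parse_events(text: str) -> List[Event]:
    """Parse the constructed audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rest = line.split(" ", 3)
        if action == "RENAME":
            src, dst = [p.strip() for p in rest.split("->", 1)]
        else:
            src, dst = None, rest.strip()
        events.append(Event(datetime.fromisoformat(ts), user, action, src, dst))
    return events


def is_suspicious(ev: Event) -> bool:
    """A rename is suspicious if the new name carries a known ransom extension
    or simply appends something to the original name (file.docx -> file.docx.xyz),
    which catches extensions not yet on the list."""
    if ev.action != "RENAME" or ev.src is None:
        return False
    ext = "." + ev.dst.rsplit(".", 1)[-1] if "." in ev.dst else ""
    appended = ev.dst != ev.src and ev.dst.startswith(ev.src)
    return ext.lower() in RANSOM_EXTENSIONS or appended


def detect_bursts(events: List[Event], window_seconds: int = 60,
                  threshold: int = 20) -> List[Tuple[str, datetime, datetime, int]]:
    """Return (user, window_start, window_end, count) for each user whose
    suspicious renames reach `threshold` within `window_seconds`."""
    recent = defaultdict(deque)   # user -> timestamps of recent suspicious events
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev):
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        # Drop events that fell out of the sliding window.
        while q and (ev.ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev.user not in flagged:
            flagged.add(ev.user)   # one alert per user per run
            alerts.append((ev.user, q[0], ev.ts, len(q)))
    return alerts


# Constructed sample log: normal activity by alice, one benign rename by bob,
# then bob's session renaming 25 documents to .locky one second apart.
_burst_start = datetime(2016, 6, 1, 9, 10, 0)
SAMPLE_LOG = "\n".join(
    ["2016-06-01T09:00:01 alice WRITE /share/finance/q2.xlsx",
     "2016-06-01T09:00:05 bob RENAME /share/hr/policy.docx -> /share/hr/policy_v2.docx"]
    + [f"{(_burst_start + timedelta(seconds=i)).isoformat()} bob RENAME "
       f"/share/hr/file{i}.docx -> /share/hr/file{i}.docx.locky" for i in range(25)]
    + ["2016-06-01T09:30:00 alice WRITE /share/finance/q3.xlsx"]
)


def run_sample() -> List[Tuple[str, datetime, datetime, int]]:
    """Run detection over the constructed log; returns one alert for bob."""
    return detect_bursts(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, start, end, count in run_sample():
        print(f"ALERT {user}: {count} suspicious renames between {start} and {end}")
```

The alert fires on the twentieth rename, well before the remaining files are touched, which is the point of watching the rate rather than individual events; on a production share the window and threshold should sit above the burst rates that legitimate batch jobs and backup software produce, or those accounts will need an allow-list.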