- On February 13, 2018
- By Chris Howell
1. What role does phishing play in ransomware attacks?
Up until a year or so ago, phishing was the primary attack vector for ransomware infections. While phishing is still the predominant method, we have seen an increase in other methods of attack, such as scanning for open terminal services ports, brute-forcing accounts, web drive-by/watering-hole attacks, and exploiting highly dangerous vulnerabilities (WannaCry via EternalBlue). Phishing is a tried-and-true avenue of attack, as there will always be some users who fall for a phish, giving attackers an initial foothold in the network.
2. How serious of a threat is ransomware?
The answer to this question depends on the business and its reliance on technology, data, and information systems to conduct day-to-day operations. For some organizations the threat is serious, as a major ransomware attack may cripple them. A prime example is hospitals. Over the past few years there have been major ransomware incidents at hospitals, such as Georgetown MedStar and Hollywood Presbyterian, that caused severe disruptions in medical care and hospital operations. Some hospitals have chosen to pay a ransom to bring operations back to normal. Ransomware is now big business: in 2017 a South Korean company paid a record $1M ransom.
3. What are the best ways to prevent a ransomware attack?
- Conduct a cyber risk assessment, or hire a third party to conduct one: know your most critical systems and data and protect them appropriately.
- Regularly back up critical files and keep an offline (or extremely isolated) encrypted copy.
- Regularly test data recovery.
- Consider deploying an advanced endpoint security product, as traditional anti-virus is ineffective.
- Keep software patches and versions up to date.
4. How can an active ransomware attack be contained?
First, the organization needs to be prepared for a ransomware attack. They should follow best practices as described earlier, and they should conduct cyber incident response exercises annually. They should have a well-written incident response plan that should be followed for the exercises, as well as an actual incident. By thinking through the actions, their order of precedence, points of contact, etc. before being hit by ransomware, there will be slightly less chaos during the incident response.
Once a ransomware attack is discovered, it is crucial to quickly identify the ransomware variant that has been used. This information is essential to determine the extent of the attack, which in turn determines the best courses of action to contain and mitigate it. File servers, portals, and backup systems should be checked first for signs of compromise, and in parallel, user groups should be contacted to determine whether they have been infected. Depending on the percentage of systems impacted, decisions will need to be made as to whether to disconnect systems and networks to contain the damage and prevent further infections. The organization should look for signs that Active Directory administrative or service accounts are being used to spread laterally. If such evidence is discovered, those accounts should have their passwords changed and should possibly be disabled.
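One way to check for the lateral-movement sign mentioned above, as an added example that is not part of the original post: the script below scans constructed Windows logon records (event 4624, in a simplified whitespace format assumed here rather than any vendor's export) and flags privileged accounts that authenticate to several distinct hosts within a few minutes. The list of privileged accounts, the window, and the host threshold are assumptions to tune per environment.

```python
# Added example (not from the original post): flag Active Directory admin or
# service accounts reaching an unusual number of hosts in a short window.
# Record format (assumed, not a vendor export): time event_id account src dst logon_type
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: network (type 3) and RDP (type 10) successful logons.
SAMPLE_LOGONS = """\
2018-02-13T09:00:05 4624 CORP\\svc-backup WS-FIN-01 FS-01 3
2018-02-13T09:00:12 4624 CORP\\svc-backup WS-FIN-01 FS-02 3
2018-02-13T09:00:20 4624 CORP\\svc-backup WS-FIN-01 HR-01 3
2018-02-13T09:00:33 4624 CORP\\svc-backup WS-FIN-01 DC-01 3
2018-02-13T09:00:41 4624 CORP\\svc-backup WS-FIN-01 WS-ENG-07 10
2018-02-13T09:02:10 4624 CORP\\alice WS-FIN-02 FS-01 3
2018-02-13T09:03:00 4624 CORP\\adm-jsmith WS-IT-01 DC-01 3
2018-02-13T14:00:00 4624 CORP\\adm-jsmith WS-IT-01 FS-01 3
"""

# Accounts the organization classifies as privileged (assumption: exported
# from group membership or a CMDB; maintained by the defenders, not derived here).
PRIVILEGED = {"CORP\\svc-backup", "CORP\\adm-jsmith"}


def parse(lines):
    """Yield (timestamp, account, source, target) for successful network/RDP logons."""
    for line in lines.splitlines():
        ts, event_id, account, src, dst, logon_type = line.split()
        if event_id == "4624" and logon_type in {"3", "10"}:
            yield datetime.fromisoformat(ts), account, src, dst


def suspicious_spread(lines, window=timedelta(minutes=5), min_hosts=3):
    """Return {account: sorted target hosts} for privileged accounts that reach
    at least min_hosts distinct hosts inside any sliding time window."""
    by_account = defaultdict(list)
    for ts, account, src, dst in parse(lines):
        if account in PRIVILEGED:
            by_account[account].append((ts, dst))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break  # one hit per account is enough to raise it for review
    return flagged


if __name__ == "__main__":
    for account, hosts in suspicious_spread(SAMPLE_LOGONS).items():
        print(f"{account}: reached {len(hosts)} hosts within 5 min -> {', '.join(hosts)}")
```

In the sample, the backup service account touches five hosts in under a minute and is flagged, while the admin account's two logons hours apart are not; a flagged account is a candidate for the password reset or disablement the answer above describes, after confirming the activity is not a scheduled job.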
5. Does it ever make sense to pay a ransom?
Unfortunately, yes. If the business was not prepared for the attack and cannot get its critical information back, it may be forced to pay a ransom. We encourage customers not to pay the ransom if at all possible, as this emboldens the attackers, and furthermore they may not give all the data back without demanding additional payments. If the organization has cyber insurance and the insurer agrees that the ransom payment is covered, the insurer may assist the organization in brokering payment and data recovery, usually through a third-party firm it has contracted with to provide incident response and investigations.
6. How is ransomware likely to evolve over the next few years?
The majority of malware today is ransomware, and this trend will probably continue. Ransomware has become more sophisticated, and attackers have begun to take more time to map networks, data, and backups before starting the encryption process. We have also seen the rise of ‘ransomware-as-a-service’ on the Darknet; offerings on these markets will continue to grow more sophisticated and cheaper. Nation-states have begun to use ransomware more and more, and in some cases rogue nations (e.g., North Korea) use it to finance illicit activities.