Ransomware is a hostage situation, and you must understand it to combat it

Does your security playbook cover ransomware?

It's the on-screen message every organisation dreads: "Warning! Your files have been encrypted. Failure to purchase the decryption key will result in their destruction. You have 24 hours."

Ransomware attacks are on the rise and becoming more sophisticated, so what should you be doing about that? The answer is, quite possibly, nothing; at least, nothing specific. Ransomware is undoubtedly another nasty weapon in the hands of the cyber-criminal, but a gold-standard cybersecurity strategy offers protection from all types of attack.

While some simple ransomware locks can be reversed relatively easily, enabling victims to get their files back without paying up, organisations still face potentially paralysing loss of service through the unavailability of data, costly time spent decrypting, and reputational damage.

And the threat is getting nastier, as evidenced by WannaCry, the ransomware that crippled NHS systems in May 2017. Cybercriminals took a nation-state-developed exploit that had been leaked online - the National Security Agency's EternalBlue exploit of Microsoft Windows - and turned it into a devastating cryptoworm.

Weeks after WannaCry, a global ransomware incident dubbed NotPetya caused havoc, infecting computers from Ukraine to the USA.

The surge in value of cryptocurrency Bitcoin means ransoms are rocketing, and at the same time attackers are becoming more devious. Some ransomware only allows decryption if you willingly infect others, and strains such as CryptoWall threaten not only to leave users without access to their data, but to publish it online if demands are not met.

Ransomware-as-a-service (RaaS) is even available to purchase on the dark web, allowing low-skilled individuals to target systems.

There are three key things to remember about this type of attack.

Five ways to stay ahead of would-be data hijackers:

  1. Backup. Schedule a rigorous backup routine and adopt a belt-and-braces approach by keeping backups offline as well as in the cloud.
  2. Patch. A strong, regular, and thorough patching regime provides effective protection against many threats which exploit known vulnerabilities. WannaCry is a salutary lesson.
  3. Disable. Cut down the available attack surface by disabling Remote Desktop Protocol (RDP) and not giving people system privileges they don't need. Restrict user profiles to the minimum required to do the job, and with them the ability to launch processes and to receive .exe files via email.
  4. Test. Find out how vulnerable you are to a ransomware attack, and whether your incident response plan works. Some organisations now offer ransomware simulations to test reactions.
  5. Train. Give employees proper training in cybersecurity best practice.
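As an added example (not code from the original article or its author), the script below audits the host-level part of step 3 on a single Windows machine: whether the RDP listener and its inbound firewall rules are on, who sits in the local Administrators group, and whether the legacy SMBv1 feature that EternalBlue targets is still enabled. It assumes PowerShell 5.1 or later in an elevated session on a Windows 10 / Server 2016 or later build where the NetSecurity and LocalAccounts modules are present; the `-Fix` switch, the function names and the output layout are this example's own choices. Blocking .exe attachments is a mail-gateway setting and is outside what a host audit can check.

```powershell
# Added example, not part of the original article: read-only audit of the
# "Disable" step on one Windows host, with an optional -Fix switch that
# applies the RDP change. Assumes an elevated PowerShell 5.1+ session.
[CmdletBinding()]
param(
    # Apply the RDP remediation instead of only reporting.
    [switch]$Fix
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpState {
    # fDenyTSConnections = 1 means inbound Remote Desktop is disabled.
    $deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
    # The built-in "Remote Desktop" firewall group opens port 3389 inbound.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        RdpListenerEnabled = ($deny -eq 0)
        FirewallRulesOpen  = @($openRules).Count
    }
}

function Disable-Rdp {
    # Deny new RDP sessions and close the inbound firewall rules.
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Get-LocalAdmins {
    # Every member of the local Administrators group can run any process and
    # switch off defences, so each entry should have a documented reason.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-Smb1State {
    # SMBv1 is the protocol EternalBlue (the exploit behind WannaCry) attacks;
    # it is a legacy feature and should be off unless something still needs it.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($null -eq $feature) { return 'Unknown (feature not present on this SKU)' }
    return $feature.State
}

# --- Report ---
$rdp = Get-RdpState
Write-Host "RDP listener enabled   : $($rdp.RdpListenerEnabled)"
Write-Host "Open RDP firewall rules: $($rdp.FirewallRulesOpen)"
Write-Host "SMBv1 feature state    : $(Get-Smb1State)"
Write-Host 'Local Administrators   :'
Get-LocalAdmins | Format-Table -AutoSize

if ($Fix -and $rdp.RdpListenerEnabled) {
    Disable-Rdp
    Write-Host 'RDP disabled; re-run without -Fix to confirm the new state.'
}
```

Run it once without `-Fix` to get a baseline for each machine, and treat any unexpected Administrators member or an `Enabled` SMBv1 state as a finding to track, not just a line of output. On Server 2012 R2 and earlier the SMBv1 check needs `Get-WindowsFeature FS-SMB1` instead of the optional-feature cmdlet.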

All these practices form part of a cybersecurity strategy that, by definition, protects against multiple forms of attack, including ransomware. Putting a robust, multi-faceted cybersecurity strategy in place is the best defensive measure you can take.

Graeme is an IT security professional with over eight years' experience in IT delivery, information assurance and cybersecurity in a high-profile and fluid MoD environment. He now works as a senior consultant at Mason Advisory.