How would your business manage if its key systems or data were suddenly taken away, and replaced with a note demanding money for their safe return? Welcome to the world of ransomware, which has become a growing threat in recent years. While it won’t really make your systems disappear, its effect amounts to almost the same thing, encrypting data and rendering devices unusable without the key to recover it.
It’s hard to miss stories of ransomware incidents, and the very name offers a media-friendly label that almost rivals cyber security itself in terms of instant headline-readiness. The underlying idea isn’t a new one, and the basic principle of encrypting the user’s data and then charging them to get it back was a known feature of malware payloads of the past. However, giving it an evocative name has helped to propel it to prominence, and probably served to alert and encourage an even greater population of attackers as a result.
Unfortunately, it’s not all hype. While it would be nice to be able to dismiss it as security industry spin, or claim that the media are talking up the threat, ransomware is the real deal in terms of the impact. If your business gets hit with it, then your data really is encrypted and no anti-virus package is going to be able to undo the process and recover it. The options at that point are stark – pay up in the hope of getting the data back, or wave it goodbye and manage without it. Clearly neither of these is particularly desirable.
Should we accede to the demands and pay the ransom? Well, probably not. Aside from the fact that this means giving in to the attackers, there also seems to be a good chance that it makes no difference anyway. For example, findings reported by Kaspersky Lab suggest that 20 percent of small and medium businesses who paid the ransom still didn’t get their data back!
So, how about the option of simply bidding the data farewell? Would that even work? Would the business still be able to operate if key data were just to disappear? It’s clearly not a pleasant thought, but nonetheless it’s one that’s much better to think about in theory rather than have to face in practice.
Preventing ransomware from getting a foothold
So, given that both of the earlier choices are undesirable, we need to think and plan in advance to ensure there is a third way. We ideally need to prevent ransomware from getting a foothold in the first place, and then also ensure that we have other means to recover if these efforts prove unsuccessful. So, as a self-check, what do you have in place to prevent end systems or servers from falling victim? Do you have up-to-date anti-malware protection as the frontline defence across all systems, and do you have similarly comprehensive backups as the fall-back? If not, it’s really, really worth changing the situation.
Unfortunately, even here ransomware serves to complicate matters more than some other types of threat. For example, it’s not just a question of taking a backup and storing it on another system; that system needs to be separated in terms of network connectivity. Attackers are well aware that victims will hope to use backups as a means to avoid paying up, and so their ransomware efforts have become more devious, using the network to find and then corrupt the backups as well. Only an offline backup, taken prior to infection, will be safe from harm.
To be honest, none of this is rocket science, or even new advice; these are things we should be doing anyway, and ransomware is only one of the reasons why. There are many threat scenarios in which having anti-malware protection will prevent an incident, or where backups could become the lifeline (with the latter including accidental events such as system failure, which can cause data to be lost just as effectively as an attack). Unfortunately, however, the evidence suggests that many businesses don’t have the basics in place – or have gaps that still leave them vulnerable – and so the advice bears repeating.
If it sounds like too much trouble, the other possible option is to pretend that the threat isn’t there or that our business is in some way immune. This is quite a low cost and low effort option, and it works very effectively until the point that it dramatically fails to be true. The ransomware threat has already grown significantly, and its shadow has been cast across an increasing range of devices as it extends from desktop systems to mobile platforms and beyond. Businesses that have managed to stay safe until now simply by luck may find themselves caught out as the threat expands. If we choose not to heed the warnings then we may ultimately be left to discover whether the business can live to regret it, even if its data doesn’t.
Professor Steven Furnell is a senior member at IEEE.