The Federal Trade Commission (FTC) recently issued guidance for both businesses and consumers on defending against ransomware, both of which are based on lessons learned from the FTC’s recent ransomware workshop, with panelists that included security researchers, technologists, law enforcers, and business leaders. Ransomware is a form of malicious software that infiltrates computer systems or networks. Typically, ransomware involves encrypting the victim’s data or denying access to the victim’s data, to hold data “hostage” until the victim pays a ransom. It has become one of the most serious online threats facing businesses.
If You Are a Business: According to the FTC, a business needs to know the risks associated with ransomware, how ransomware is delivered, how to defend against ransomware, and how to respond if it falls victim to ransomware. While criminals deliver ransomware in a variety of ways, 91% arrive through email phishing campaigns, according to a panelist at the FTC workshop. In addition to phishing emails, other ransomware campaigns involve drive-by downloads (where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user’s computer); “malvertising” campaigns (where malicious code is hidden in an online ad that infects the user’s computer); and exploitation of server-side vulnerabilities (where ransomware is delivered to networks that that have unpatched and known vulnerabilities).
To defend against ransomware, the FTC and its workshop panelists recommend the following:
- Training and education. A business should implement education and awareness programs to train its employees to exercise caution online and avoid ransomware attacks.
- Cyber hygiene. A business should practice good security by implementing basic cyber hygiene principles, such as proactively identifying the scope of potential exposure to malware by assessing the computers and devices; identifying technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection; and implementing procedures to keep security current, such as updating and patching third-party software to eliminate known vulnerabilities.
- Data backups. A business should also back up its data early and often. In doing so, a business should identify business-critical data in advance and establish regular and routine backups; and keep backups disconnected from its network so that it can rely on them in the event of an attack.
- Plan. In security, there’s a saying: “it’s not a matter of if, but a matter of when.” Thus, a business should prepare for an attack, by developing, implementing, and then testing incident response and business continuity plans.
Should a business fall victim to ransomware, the workshop panelists urge that a business consider implementing its incident response and business continuity plans; contacting law enforcement; and containing the attack by quickly disconnecting any infected computers from the network. Most of the panelists do not condone paying the ransom because it does not guarantee that the business’ data will be returned and, in some cases, the criminals end up increasing their demands.
If You Are a Consumer: The FTC provides similar recommendations to consumers to defend against ransomware. These steps include updating anti-virus software, thinking twice before clicking on links or downloading attachments, and backing up important files. The FTC also recommends that victims disconnect their infected devices and contact law enforcement. Interestingly, on the question of whether to pay the ransom, the FTC notes that law enforcement does not recommend doing so, but that it is ultimately up to the consumer to determine whether the risks and costs of paying are worth the possibility of getting the files back.
What are the Next Steps?
A business should take steps to ensure that it follows the FTC and the workshop panelists’ recommendations on how to handle ransomware. We have summarized the following key points:
- Train! Awareness is key to not falling for ransomware in the first place.
- Plan & Test. Preparation is the other key to containing any damages brought on by a ransomware attack. A business should have incident response and business continuity plans in place that have been tested.
- Secure Data and Networks. In addition to the above administrative and procedural safeguards, a business should implement reasonable security and technical measures to protect against ransomware. These can be based on industry best practices or accepted security frameworks, such as ISO and NIST.