What does the FBI have to say about ransomware?

October 03, 2016, Tom Glaser, Healthcare Solutions Architect, Coalfire

The FBI provided guidance on ransomware at a recent FBI/US Secret Service/ISAC event.  They defined ransomware as a type of malware that is commonly transmitted through malicious email, which is disguised to look normal.  Once the email link has been clicked on, or an email attachment has been opened, the malware installs on the computer.  After installation is completed, files on the computer become locked using encryption and cannot be opened without the key.  A ransom message is then displayed with information on how to pay the ransom.

What do you do if your computer has been infected with ransomware?

  1. There is no guarantee that paying the ransom will unlock the encrypted files;
  2. Check to see if the computer may have a backup copy of the files that have been locked by ransomware;
  3. The FBI recommends contacting the FBI Cyber Action Team for help and notifying them as soon as possible with the details.

How can you prevent malware?  The FBI recommends the following prevention activities:

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read-only information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over email.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

For more information, visit the FBI Cyber Action Team website:  https://www.fbi.gov/investigate/cyber

Coalfire Labs experts also suggest the following best practices:

  • Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
  • Staff Training: Have we trained staff on cybersecurity best practices?  What about social engineering exercises?
  • Application Whitelisting: Do we allow only approved programs to run on our networks?
  • Incident Response: Do we have an incident response plan and have we tested it in the last six months?
  • Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
  • Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?