
Fortinet Blog

https://blog.fortinet.com/2016/04/06/10-steps-for-protecting-yourself-...

10 Steps for Protecting Yourself From Ransomware

by Bill McGee | Apr 06, 2016 | Filed in: Industry Trends & News (/category/industry-trends-news)

If you've been listening to the news at all the past couple of weeks, you have undoubtedly heard of a number of companies being affected by ransomware. The recent surge in this form of cyber attack has many organizations and users understandably concerned. And you should be. Ransomware is nasty stuff. But with some careful preparation, you can significantly lower your risk of being infected, and reduce the impact on you or your organization should you get hit.

What is Ransomware?

Ransomware is a form of malware that infects devices, networks, and data centers and prevents them from being used until the user or organization pays a ransom to have the system unlocked. Ransomware has been around since at least 1989, when the PC Cyborg trojan encrypted file names on a hard drive and insisted users pay $189 to have them unlocked. In the interim, ransomware attacks have become increasingly sophisticated, targeted, and lucrative.

The impact of ransomware is difficult to calculate, since many organizations opt to simply pay to have their files unlocked, an approach that doesn't always work. But a report on the Cryptowall v3 ransomware campaign, issued in October of 2015 by the Cyber Threat Alliance, estimated that the cost of that single attack was US $325 million. (You can read the full report here: http://cyberthreatalliance.org/cryptowall-report.pdf)

Ransomware generally works in one of several ways. Crypto ransomware can infect an operating system so that a device is unable to boot up. Other ransomware will encrypt a drive or a set of files or file names. Some malicious versions have a timer and begin deleting files until a ransom has been paid. All demand that a ransom be paid in order to unlock or release the blocked or encrypted system, files, or data.

On March 31, 2016, the U.S. Cyber Emergency Response Team and the Canadian Cyber Incident Response Centre issued a joint warning about ransomware following several high-profile infections at hospitals. (See https://www.us-cert.gov/ncas/alerts/TA16-091A)

According to this alert, infected users often get a message displayed on their device's screen saying something like:

- "Your computer has been infected with a virus. Click here to resolve the issue."
- "Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine."
- "All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data."

In some circumstances, this warning is displayed with embarrassing or pornographic images in order to motivate the user to get it off their system as fast as possible. But in every situation, systems are taken offline, critical data becomes unavailable, productivity is halted, and business operations are harmed.

How Do I Get Infected?

Ransomware can be delivered in a number of ways, but the most common is as an infected file attached to an email. For example, today I received an email claiming to be from my bank. It had the right logo, links to real bank URLs, and my name. The body of the message explained that they have detected suspicious activity on my account, and that I needed to install an attached file in order to verify my credentials. This seemed like a legitimate issue. But it wasn't. It was a phishing attack.

The giveaway to me, of course, was that no bank should ever send a file and ask you to install it, certainly not to validate your credentials. Instead, the attached file was infected with ransomware, which would have loaded onto my system if I had clicked on it.

But email attachments aren't the only mechanism for infection. Drive-by downloading is another, where a user visits an infected website and malware is downloaded and installed without the user's knowledge. Ransomware has also been spread through social media, such as Web-based instant messaging applications. And recently, vulnerable Web servers have been exploited as an entry point to gain access into an organization's network.
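The bank-themed lure described above has three signals a mail gateway can check for together: a display name claiming a bank while the sender domain is not the bank's, wording that asks the reader to install something to "verify" credentials, and a runnable attachment. The following is an added example of that triage check, not code from the Fortinet post; the bank name, domains, allow-list and attachment content are constructed, and the sample message is built inline.

```python
from email import message_from_string, policy, utils

# Constructed sample resembling the lure described in the post: a mail posing as a
# bank that asks the reader to install an attachment to "verify" credentials.
# Bank name, domains and attachment contents are hypothetical.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examplebank-notice.test>
To: customer@example.test
Subject: Suspicious activity on your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

We have detected suspicious activity on your account. Please install the attached
file to verify your credentials.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="AccountVerification.exe"

placeholder-not-a-real-binary
--b1--
"""
BENIGN_EML = "From: colleague@example.test\nSubject: lunch\n\nStill on for noon?\n"
TRUSTED_BANK_DOMAINS = ("examplebank.test",)          # hypothetical allow-list
RUNNABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm", ".zip")
LURE_PHRASES = ("suspicious activity", "verify your credentials", "install the attached")

def triage(raw: str) -> dict:
    """Return the reasons a message matches the bank-themed attachment lure."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    display_name, addr = utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # A display name claiming a bank, sent from a domain that is not the bank's
    if "bank" in display_name.lower() and domain not in TRUSTED_BANK_DOMAINS:
        reasons.append(f"bank display name from untrusted domain {domain}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RUNNABLE_SUFFIXES):
            reasons.append(f"runnable attachment {fname}")
    # Quarantine only on the combination the post describes: a runnable
    # attachment plus at least one impersonation or lure signal.
    runnable = any(r.startswith("runnable") for r in reasons)
    return {"quarantine": runnable and len(reasons) >= 2, "reasons": reasons}
```

On the sample message all three signals fire and the verdict is quarantine; the benign note produces no reasons and passes.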

What Do I Do to Stop It?

Here are TEN THINGS you need to do to protect yourself and your organization from the effects of ransomware.

1. Develop a backup and recovery plan. Back up your systems regularly, and store that backup offline on a separate device.
2. Use professional email and web security tools that analyze email attachments, websites, and files for malware, and can block potentially compromised advertisements and social media sites that have no business relevance. These tools should include sandbox functionality, so that new or unrecognized files can be executed and analyzed in a safe environment.
3. Keep your operating systems, devices, and software patched and updated.
4. Make sure that your device and network antivirus, IPS, and antimalware tools are running the latest updates.
5. Where possible, use application whitelisting, which prevents unauthorized applications from being downloaded or run.
6. Segment your network into security zones, so that an infection in one area cannot easily spread to another.
7. Establish and enforce permissions and privileges, so that the fewest number of users have the potential to infect business-critical applications, data, or services.
8. Establish and enforce a BYOD security policy which can inspect and block devices which do not meet your standards for security (no client or antimalware installed, antivirus files are out of date, operating systems need critical patches, etc.).
9. Deploy forensic analysis tools so that after an attack you can identify a) where the infection came from, b) how long it has been in your environment, c) that you have removed all of it from every device, and d) that you can ensure it doesn't come back.
10. THIS IS CRITICAL: Do NOT count on your employees to keep you safe. While it is still important to up-level your user awareness training so employees are taught to not download files, click on email attachments, or follow unsolicited web links in emails, human beings are the most vulnerable link in your security chain, and you need to plan around them.

Here's why: First, for many of your employees, clicking on attachments and searching the Internet is part of their job. It is difficult to maintain the appropriate level of skepticism. Second, phishing attacks have become very convincing. A targeted phishing attack uses things like online data and social media profiles to customize an approach. Third, it is simply human nature to click on an unexpected invoice or critical message from your bank. And finally, in survey after survey, users feel that security is someone else's job, not theirs.

What If I Get Infected?

Hopefully, you have a recent backup and you can wipe your device and reload it with an uninfected version. Here are some other things you need to do:

1. Report the crime

A quick online search will guide you to the site to report cybercrime in your country or region.

- In the US, report instances of fraud to the FBI at the Internet Crime Complaint Center (http://www.ic3.gov/default.aspx).
- In Canada, you can report fraud to the Canadian Anti-Fraud Centre (http://www.antifraudcentrecentreantifraude.ca/reportincident-signalerincident/index-eng.htm).
- In Europe, you can locate your country's cybercrime reporting site here: https://www.europol.europa.eu/content/report-cybercrime

2. Paying the ransom is no guarantee

According to the US/Canadian alert, "Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."

3. Contact experts

Many operating system, software, and security vendors have security experts on staff that can provide you with advice on how to respond should your system become infected with ransomware. There are also third-party forensics experts who can help you get back up and running.

4. Have a Plan B

What do you do if your computer systems or network become unavailable? Do you have a failover plan? Is there a way to keep things running, even in a limited fashion, while your systems are being repaired? Do you know how much it will cost your organization per hour if your systems are unavailable? Is this cost reflected in your IT security budget? This information needs to be included in your security policy.

Conclusion

Cybercrime is a for-profit business generating billions in revenue. Like most businesses, cybercriminals are highly motivated to find ways to generate revenue. They use subterfuge, extortion, assault, threats, and enticements to gain access to your critical data and resources.

Ransomware is not new. But its recent rise in sophistication and distribution is the latest in an escalating trend to find new and unexpected ways to exploit individuals and businesses that operate online.

Now, more than ever, security is not something you add to your business. It is integral to doing business. Make sure you are partnering with security experts who understand that security is more than a device. It is a system of highly integrated and collaborative technologies, combined with an effective policy and a lifecycle approach of preparing, protecting, detecting, responding, and learning.

Security solutions need to share threat intelligence in order to detect and respond efficiently to threats anywhere across your distributed environment. They need to be woven into your network fabric so they can protect you seamlessly as your networked environment evolves and expands. They need to be able to adapt dynamically as new threats are discovered. And they need to never get in the way of you doing business the way you need to do business.

For more technical information on ransomware from Fortinet's FortiGuard threat team, please see these related blogs:

- https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it
- https://blog.fortinet.com/post/nemucod-adds-ransomware-routine
- https://blog.fortinet.com/post/cryptowall-teslacrypt-and-locky-a-statistical-perspective

Tags: malware, locky, ransomware, cyber security, crytowall
