The Department of Homeland Security (DHS) wants to help small businesses across America protect against ransomware, and the National Cybersecurity and Communications Integration Center (NCCIC) has issued this message:
NCCIC has received multiple reports of WannaCry ransomware infections worldwide. Ransomware is a type of malicious software that infects and restricts access to a computer until a ransom is paid. Although there are other methods of delivery, ransomware is frequently delivered through phishing emails and exploits unpatched vulnerabilities in software.
Phishing emails are crafted to appear as though they have been sent from a legitimate organization or known individual. These emails often entice users to click on a link or open an attachment containing malicious code. After the code is run, your computer may become infected with malware.
A commitment to cyber hygiene and best practices is critical to protecting organizations and users from cyber threats, including malware.
In advice specific to the recent WannaCry ransomware threat, users should:
- Be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently (e.g., contact your organization’s helpdesk or search the Internet for the main website of the organization or topic mentioned in the email).
- Exercise caution when opening email attachments. Be particularly wary of compressed or ZIP file attachments.
- Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
- Avoid providing personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
- Avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Be cautious about sending sensitive information over the Internet before checking a website’s security.
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from anti-phishing groups such as the APWG.
You can contact NCCIC 24×7 at (888) 282-0870 and firstname.lastname@example.org and/or email@example.com
You can also find the ransomware-specific information that NCCIC has created on the US-CERT website: www.us-cert.gov/ransomware
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world. Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website.
Ransomware can be devastating to an individual or an organization. Anyone with important data stored on their computer or network is at risk, including government or law enforcement agencies and healthcare systems or other critical infrastructure entities. Recovery can be a difficult process that may require the services of a reputable data recovery specialist, and some victims pay to recover their files. However, there is no guarantee that individuals will recover their files if they pay the ransom.
CISA recommends the following precautions to protect users against the threat of ransomware:
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis. Keep it on a separate device and store it offline.
- Follow safe practices when browsing the Internet. Read Good Security Habits for additional details.
In addition, CISA also recommends that organizations employ the following best practices:
- Restrict users’ permissions to install and run software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
- Use application whitelisting to allow only approved programs to run on a network.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
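As an added illustration of the attachment-filtering advice above (this is not code from NCCIC, CISA, or the original page), the following Python filter inspects a mail message's attachments and flags executables, including ones hidden inside ZIP archives; the extension list and the sample message are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions an end user should not receive directly (constructed list, not from the advisory).
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".dll"}


def _is_executable(name: str) -> bool:
    name = name.lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTS)


def find_risky_attachments(raw_message: bytes) -> list:
    """Return (attachment name, reason) pairs for attachments that should be filtered.
    Checks the attachment's own filename and, for ZIP archives, every member name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _is_executable(name):
            findings.append((name, "executable attachment"))
            continue
        # Look inside ZIP attachments, which are a common wrapper for executables.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if _is_executable(member):
                        findings.append((name, f"zip contains executable: {member}"))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample phishing-style message: a ZIP wrapping a double-extension .exe,
    plus a harmless PDF (constructed test data, not a real capture)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"not really a program")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_risky_attachments(build_sample_message()):
        print(f"FILTER {name}: {reason}")
```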
See the Ransomware Security Publication, the technical guidance on How to Protect Your Networks from Ransomware, and CISA’s Awareness Briefings on Combating Ransomware (2 hour video available) for more information.
For recent CISA Alerts on specific ransomware threats, see:
- TA17-181A: Petya Ransomware (NotPetya)
- TA17-132A: Indicators Associated With WannaCry Ransomware
- TA16-091A: Ransomware and Recent Variants
WHAT IS RANSOMWARE?
Ransomware is a type of malicious software cyber actors use to deny access to systems or data. The malicious cyber actor holds systems or data hostage until the ransom is paid. After the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted.
HOW DO I PROTECT MY NETWORKS?
A commitment to cyber hygiene and best practices is critical to protecting your networks. Here are some questions you may want to ask of your organization to help prevent ransomware attacks:
1. Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
3. Staff Training: Have we trained staff on cybersecurity best practices?
4. Vulnerability Patching: Have we implemented appropriate patching of known system vulnerabilities?
5. Application Whitelisting: Do we allow only approved programs to run on our networks?
6. Incident Response: Do we have an incident response plan and have we exercised it?
7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?
HOW DO I RESPOND TO RANSOMWARE?
Implement your security incident response and business continuity plan. It may take time for your organization’s IT professionals to isolate and remove the ransomware threat to your systems and restore data and normal operations. In the meantime, you should take steps to maintain your organization’s essential functions according to your business continuity plan.
Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.
Contact law enforcement immediately. We encourage you to contact a local FBI or USSS field office immediately to report a ransomware event and request assistance.
There are serious risks to consider before paying the ransom. We do not encourage paying a ransom. We understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. As you contemplate this choice, consider the following risks:
- Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom.
- Some victims who paid the demand have reported being targeted again by cyber actors.
- After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
- Protect against viruses, spyware, and other malicious code
Make sure each of your business’s computers is equipped with antivirus software and antispyware, and update them regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
- Secure your networks
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
- Establish security practices and policies to protect sensitive information
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies.
- Educate employees about cyberthreats and hold them accountable
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s Internet security policies and procedures.
- Require employees to use strong passwords and to change them often
Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
- Employ best practices on payment cards
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
Are you ready for the shift from magnetic-stripe payment cards to safer, more secure chip card technology, also known as “EMV”? October 1st is the deadline set by major U.S. credit card issuers to be in compliance. Visit SBA.gov/EMV for more information and resources.
- Make backup copies of important business data and information
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
- Control physical access to computers and network components
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
- Create a mobile device action plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
- Protect all pages on your public-facing websites, not just the checkout and sign-up pages