It sounds easy: never negotiate with terrorists or other criminals. It’s not so simple, however, as the Hollywood Presbyterian Medical Center found out after its communications systems were held hostage by ransomware in February. It fought back for 10 days, but after staff at the 434-bed hospital were reduced to pen and paper, the hospital folded and paid about $17,000 to regain access to its system.
This is shaping up to be the year of ransomware—malicious software that locks up a computer or whole network until a ransom is paid.
As the Hollywood case shows, institutions are targets, but attacks on individuals are the norm. You’re more likely to see employee laptops taken out individually rather than find your whole network taken down. Hackers typically demand their ransoms in Bitcoin because it’s untraceable. The value of Bitcoins fluctuates like any currency. At the time of writing, a single Bitcoin is worth hundreds of dollars.
When it happens to you, it’s not a hostage crisis that law enforcement is going to help with. The FBI’s cybercrime chief, for one, told security experts at a conference, “To be honest, we often advise people just to pay the ransom.”
There’s no excuse for leaving yourself an open target, however.
1. Maintain backups
Ransom Trojans aren’t difficult to remove—some of them even remove themselves. If you’ve got backups, then just remove the Trojan, recover the files from a backup, and hope the user at fault has learned a lesson.
2. Keep software up to date
Some ransom Trojans target user carelessness—click this link, open this attachment. Others exploit holes in software. Patch your software, especially those from popular vendors. They’re the first ones hackers will probe for vulnerabilities because they have the most customers to hold hostage.
3. Filter executables
Ransomware writers love to disguise a program as an invoice, an “urgent” document, or a notification that you’ve missed a delivery. These are often hidden in ZIP archives, so filter those (and executables in general).
4. Show file extensions
Make it harder for the authors of ransomware to hide their intentions because you’ve allowed Windows to hide the file extension. If a file is really called “Invoice.doc.exe,” then you shouldn’t allow it to present itself to the user as “Invoice.doc.”
Forcing Windows to call an executable an executable gives your users at least a fighting chance.
5. Restrict user privileges
One infected user can’t bring down another user if they don’t have access to their machines in the first place. Giving a machine access only to what it really needs makes it harder for your network to fall like a line of dominoes.