The FBI issued a warning regarding “high-impact” ransomware attacks on Oct. 2, stressing the risk they pose to U.S. businesses and organizations.
While the frequency of ransomware attacks has remained constant, the FBI said that the attacks “are becoming more targeted, sophisticated, and costly.” The warning noted that since early last year, “the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information.”
Attacks against state and local governments have garnered significant press coverage, but the FBI said that cybercriminals are also using ransomware attacks to target healthcare organizations, industrial companies, and the transportation sector.
The FBI specifically urged organizations to protect against email phishing campaigns, Remote Desktop Protocol vulnerabilities, and software vulnerabilities. Additionally, if an organization is the victim of a successful attack, the warning noted that the FBI doesn’t suggest paying the ransom because “it does not guarantee an organization will regain access to its data” and said that in some incidents victims who paid the ransom never received the decryption keys.
Ransomware victims, regardless of whether they paid the ransom or not, were urged to report the ransomware incident to law enforcement, including the FBI. The warning explained that doing so “provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”
The warning also provides advice on how organizations can defend against ransomware attacks:
- Regularly back up data and verify its integrity. Ensure backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups are critical in ransomware recovery; if you are infected, backups may be the best way to recover your critical data.
- Focus on awareness and training. Since end-users are targeted, employees should be made aware of the threat of ransomware and how it is delivered, and trained on information security principles and techniques.
- Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
- Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
- Implement the least privilege for file, directory, and network share permissions. If a user only needs to read specific files, they should not have write-access to those files, directories, or shares. Configure access controls with least privilege in mind.
- Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
- Implement software restriction policies or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder.
- Employ best practices for use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
- Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
- Use virtualized environments to execute operating system environments or specific programs.
- Categorize data based on organizational value, and implement physical and logical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
- Require user interaction for end-user applications communicating with websites uncategorized by the network proxy or firewall. For example, require users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.
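The RDP advice above ends with logging RDP login attempts, which is only useful if someone reviews the log. The following is an added example (not from the FBI warning) that scans a constructed, simplified export of Windows Security logon events and flags a source address that accumulates repeated failed RDP logons (Event ID 4625, logon type 10), noting whether a successful logon (Event ID 4624) followed. The line format, hostnames, and addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value export of Windows Security
# events (hypothetical format, not a real Windows log dump). 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2019-10-03T08:00:01 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2019-10-03T08:00:02 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2019-10-03T08:00:03 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2019-10-03T08:00:04 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2019-10-03T08:00:05 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2019-10-03T08:00:09 EventID=4624 LogonType=10 User=admin SrcIP=203.0.113.7
2019-10-03T08:15:00 EventID=4624 LogonType=10 User=jsmith SrcIP=10.0.0.25
2019-10-03T08:16:00 EventID=4624 LogonType=2 User=jsmith SrcIP=-
2019-10-03T08:20:00 EventID=4625 LogonType=10 User=root SrcIP=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)

def parse_rdp_events(text):
    """Return only RDP (LogonType 10) logon events as dicts, in log order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("lt") == "10":
            events.append({"ts": m.group("ts"), "eid": int(m.group("eid")),
                           "user": m.group("user"), "ip": m.group("ip")})
    return events

def find_rdp_bruteforce(text, threshold=5):
    """Flag source IPs with at least `threshold` failed RDP logons and record
    whether a successful RDP logon from that IP followed the failures."""
    failures = defaultdict(int)
    succeeded_after = set()
    for ev in parse_rdp_events(text):
        if ev["eid"] == 4625:
            failures[ev["ip"]] += 1
        elif ev["eid"] == 4624 and failures[ev["ip"]] >= threshold:
            succeeded_after.add(ev["ip"])
    return {ip: {"failures": n, "success_after": ip in succeeded_after}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed RDP logons, "
              f"success afterwards={info['success_after']}")
```

A success following a burst of failures from one address is the case to escalate first, since it suggests the account was guessed rather than merely probed.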