ISACA Now recently had the opportunity for a Q&A with Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD and ISACA International Vice President. Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management, and governance, having worked in a number of New South Wales (NSW) public sector agencies and in banking and consulting.
Who is deploying ransomware?
Ransomware is developed and deployed by cybercriminals looking primarily to gain financial rewards. Some ransomware will encrypt your files, preventing you from gaining access, while earlier types locked your computer by displaying pornography or other images. The ransomware contains a demand for payment to obtain the key to unlock your system. These payments are routed through untraceable digital currencies, via SMS, or simply using cash transfer systems.
In its Q1 2015 Threat Report, McAfee cited a new family of ransomware, CTB-Locker, leading to a rise in attacks. This malware is distributed in numerous ways, and its payload is hidden in layered zip files. According to McAfee, it was supported by an “affiliate” program, enabling it to be easily added to phishing campaigns.
Who are they targeting?
Ransomware developers are targeting the desktop and Android phone devices of both individuals and organizations in North America and Europe, where there is a higher likelihood of the ransom being paid. They use a variety of techniques to deliver their payload, including email and web pop-ups. Recently, ransomware has been detected in content management systems such as Joomla! and WordPress. The SynoLocker strain of ransomware targets network storage devices.
What is an organization’s chance of suffering this type of attack?
The odds are pretty high that a ransomware attack will occur. ISACA identified ransomware as one of the Five Cyber Risk Trends for 2016, noting that the instance of victimized enterprises—most of them small businesses—agreeing to make ransomware payments increased from 2.9 percent in 2012 to 41 percent in 2015.
What can be done to prevent it?
There are a number of steps you can take to minimize your risk. Technical controls are important, and security awareness is also key. Users need to be vigilant not to click on links, remain cautious with links and attachments in unsolicited emails, avoid clicking on pop-ups on web sites, and have up-to-date antivirus software.
Desktop architecture should include:
- Reputable A/V to scan for malicious payloads
- Firewalls to prevent unwanted services including blocking Tor
- Periodic backup of both data and software
- Disconnection of the backup storage device after successful backup
- Patching of operating systems and applications
- Use of a web pop-up blocker to prevent clicking on infected ads
- Use of cloud backup may also help
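The two backup items in the list above (back up periodically, then disconnect the backup storage once the backup has succeeded) are shown here as a small POSIX shell routine. This is an added example, not code from the ISACA post or from Barnes; it assumes the backup volume is already mounted at the path given as the second argument, and the optional third argument is the command used to detach it (default: umount). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: copy a directory to a backup volume, verify the copy against
# the source, and detach the volume only after verification succeeds. A backup
# that stays attached can be encrypted along with everything else, so the
# detach step is part of the control, not an afterthought.

# Print a sorted "checksum size path" manifest of every file under $1.
manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      cksum "$f"
    done )
}

# Return 0 when the copy under $2 matches the source under $1 exactly.
verify_copy() {
  [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# backup_and_detach SRC MOUNTPOINT [DETACH_CMD]
# Prints the path of the verified backup on success; leaves the volume
# attached (for inspection) and returns non-zero on any failure.
backup_and_detach() {
  src=$1; vol=$2; detach=${3:-umount}
  target="$vol/backup-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$target" || return 1
  # -R copies the tree, -p keeps permissions so software restores cleanly too.
  cp -Rp "$src"/. "$target"/ || return 1
  if ! verify_copy "$src" "$target"; then
    echo "backup verification FAILED; $vol left attached for inspection" >&2
    return 2
  fi
  sync
  # Only a verified backup earns the detach; from here the host cannot reach it.
  $detach "$vol" || return 3
  echo "$target"
}
```

Run it from a scheduled job with a real mount point; the detach command argument exists so the routine can be exercised on a plain directory first.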
What should be done once your organization has been hit?
A quick response by the affected user is needed, hence the value of security awareness training. Once hit, an organization should activate its incident response process. This would include alerting the service desk so they can contain the impact and prevent others in your business from falling victim. They will need to initiate recovery of data from backup and restoration of the operating system and applications from a reliable copy.
Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, past ISACA Board director
[ISACA Now Blog]