Held to Ransom

Ransomware - how three IT leaders secure their networks and users.

Riaan Lucas, Bidvest Protea Coin.

South Africans are being hit by ransomware - malware that infects end-users, encrypts their data and charges a ransom for the decryption key. Surprisingly, when the ransom is paid, the users in most cases do get their data back. Of course, as with anything else, prevention is better than an extremely expensive cure, so network administrators are having to sit up and take notice.

"It's very real and it's happening," says Richard Broeke, a security consultant with Securicom. "Among our customer base, we've seen more than eight occurrences in the last three months, with demands of between R3 500 and R15 000. My antivirus stopped one recently, which was uncomfortably close."

He says it's vital for every device on a network to have decent, all-round, paid-for, up-to-date antivirus software from a reputable vendor, that is managed as it should be. "Network administrators can't think that because they own the antivirus licence, they are protected, because their staff might not be running it properly. It's human nature for them to delay scans because they're busy or travelling between meetings. It's not a good idea to rely on your staff."

Several layers of security must be in place to pick up infections, he says, and these need to be looked after by people who understand the security landscape. "You need host-based intrusion protection, antivirus, anti-malware, anti-spyware and now anti-ransomware."

And, of course, at the same time, end-users must be educated. "These things get through when people have an error in judgement," says Broeke. "They need to be reminded not to click on suspicious things, or open unusual attachments. If they see something they aren't sure of, they must use a search engine to find out more about it."

He also adds that since many people are bringing their own devices to work, there must be stringent rules for how they can connect to the networks. "BYOD must be managed. The device must have the appropriate security software, and the user must adhere to the company processes for connecting technology."

This, he says, is key to combating the security challenges presented by ransomware. "You need a well-educated user base that understands the processes, with the technology in place to support that."

The threat is real

Riaan Lucas, the ICT manager at Bidvest Protea Coin, had his first encounter with ransomware when he was approached by a friend who had been infected by Cryptowall 3. Having seen how real the threat was, he set about ensuring that his corporate network was as secure as it could be.

He says you can't just rely on software, because the people writing the ransomware are clever and are playing an elaborate game of chess with IT security companies. "Because of this, you have to do things differently within your internal network. Investigate the threats and put in place non-standard security solutions. Be a bit creative."

He says that IT administrators should also get to know their internal infrastructure as every network develops a 'personality'. "If something unexpected happens, you'll be able to react faster than if you're waiting for a piece of software to tell you."

He also advises backing up as often as you can to offline storage, and monitoring how external devices are connected to the network. But one of the biggest challenges is getting users to comply.

"You have to address both the IT system and the user," Lucas says. "Make sure your servers are secure, your users' systems have the right security measures, and that updates are taking place - even at the branches. The real problem is that users sometimes don't understand or follow what you're saying."

He says that for this reason, it's important to teach them not only about processes, but also to think analytically about threats. "If you receive a file with a payroll spreadsheet in the attachment, but you don't work in payroll, don't open that attachment. You have to try to help your users understand broader trends rather than specifics."

User education

Andy Brauer, CTO at Business Connexion, also recognises the threat of uneducated users. "Ransomware is a major threat to unsuspecting users, particularly if they're not IT- and internet-savvy," he says. "Ransomware comes in many different shapes, but the code generally exploits the fact that your data has been encrypted, using your encryption key to lock you out of your own data."

While many vendors offer solutions for recovering from the situation without paying the ransom, Brauer advises users to back up their data often, in encrypted form, and to store the backups offline, so that they can recover the data without delay and without having to pay.

While many forms of ransomware take the shape of malware, either being unsuspectingly loaded from a website or downloaded with an e-mail attachment, social engineering also plays a big part in ransomware infections.

"Another common scam doing the rounds is when users are called by phone, told that there is a problem with their PC and that they need to install software to rectify the problem. Many people have fallen for this scam, resulting in them falling victim to ransomware," Brauer says.

Segmented networks

What to do if your organisation is infected

Stu Sjouwerman, founder and CEO of KnowBe4, and Kevin Mitnick, hacker and security consultant, published the following steps to respond to a ransomware attack in CIO Insight:
1. When stricken, disconnect
2. Determine the scope
3. Inventory for signs of encryption
4. Determine the strain of ransomware
5. Evaluate your responses: restore from a recent backup, decrypt using a third-party decryptor, lose your data or pay the ransom
6. Protect against future attacks by installing antivirus, antiphishing and firewall, and back up regularly
7. Carry out IT security awareness training
8. Phish your employees to see if they've got it
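Step 3 of that list, inventorying for signs of encryption, is the one a responder can partly automate. The Python script below is an added example and is not from the article, from CIO Insight or from KnowBe4: it walks a directory tree, samples recently modified files and flags those whose bytes are close to uniformly distributed (high Shannon entropy, as ciphertext is) and whose extension does not already explain that. The entropy threshold, the one-hour window, the list of already-compressed extensions and the constructed sample files are all assumptions made for the demonstration.

```python
import math
import os
import tempfile
import time
from collections import Counter
from pathlib import Path

# Assumed thresholds for this example: cipher output is nearly uniform, so its
# per-byte Shannon entropy approaches 8 bits. Formats that are already compressed
# are legitimately high-entropy, so they are skipped to limit false positives.
ENTROPY_THRESHOLD = 7.2
SAMPLE_BYTES = 64 * 1024
ALREADY_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def inventory_suspicious(root, modified_within_s=3600, now=None):
    """Return sorted [(path, entropy)] for files under `root` that were modified
    within the window and whose leading bytes are high-entropy without an
    extension that accounts for it. Hits are leads for a responder, not proof."""
    now = time.time() if now is None else now
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if now - path.stat().st_mtime > modified_within_s:
            continue  # untouched since before the window; not part of this outbreak
        if path.suffix.lower() in ALREADY_COMPRESSED:
            continue  # expected to be high-entropy anyway
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)  # a prefix is enough to judge uniformity
        ent = shannon_entropy(head)
        if ent >= ENTROPY_THRESHOLD:
            hits.append((str(path), round(ent, 2)))
    return sorted(hits)


def build_fixture():
    """Constructed sample tree (not real incident data): one ordinary text
    document, one file overwritten with random bytes standing in for ransomware
    output, and one image-named file that is high-entropy but expected to be."""
    root = Path(tempfile.mkdtemp(prefix="ransom_inventory_"))
    (root / "report.docx.encrypted").write_bytes(os.urandom(32 * 1024))
    (root / "notes.txt").write_bytes(b"Quarterly notes: revenue up, costs flat.\n" * 500)
    (root / "photo.jpg").write_bytes(os.urandom(8 * 1024))
    return root


if __name__ == "__main__":
    sample_root = build_fixture()
    for file_path, entropy in inventory_suspicious(sample_root):
        print(f"{entropy:5.2f} bits/byte  {file_path}")
```

In a real incident the scan is run from a clean machine against the mapped shares of the disconnected hosts, and the output is a first inventory of what changed and when, to be compared against the last known-good backup. Legitimately encrypted or compressed files with unusual extensions will also score high, which is why each hit is treated as a lead to confirm rather than a verdict.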

Liron Segev, CEO of Swift Consulting and tech analyst blogger at, has had first-hand experience of ransomware. "A client was duped into installing software that encrypted four computers on her network. Fortunately, it didn't spread beyond those computers and only encrypted the My Documents folder. The client was diligent with backups so they simply recovered the information from backup."

He echoes all the best practices for IT security already outlined, and adds some details about how he manages his own system. "Without disclosing details due to confidentiality, the networks are segmented so outbreaks of viruses can be contained to one segment only. There are active servers in place that monitor rogue traffic on the network. We also make use of honey-pot systems where we 'attack' these attacks to learn the methodology so we can counter it. Of course, we use the usual bought antivirus and firewalls, too."

And finally, as everyone else has, he points out that technology can only do so much. "Hackers use spear phishing techniques to identify connected individuals within the organisations and create e-mails using personal information. This makes it more likely that the e-mail will be opened and links clicked as you are more likely to click on a link that seems to come from your CFO than a random stranger."

It seems that the IT experts surveyed all agree about the key ways that organisations must deal with the threat of ransomware. As security providers struggle to stay one chess move ahead of the hackers who write ransomware code, each individual network must find its own ways to keep the game interesting and their team in the lead.

This article was first published in Brainstorm magazine.
