#ExpectRansomware

Ransomware events lock users and organizations out of data and infrastructure, and the attackers demand payment to restore access and to not expose the affected data. These events can have significant impact – in the worst cases, shutting down operations entirely and risking loss of critical information.

Due to the pandemic and the overall increase of technology use, successful ransomware attacks have increased significantly over the last year. In recent weeks, this trend has spiked even more after noteworthy breaches netted attackers millions of dollars.

Strikingly, a larger number of public organizations such as hospitals, universities, and colleges are being targeted and extorted. For example, in June 2020, a U.S. research university paid $1.14 million USD to recover research data.

When organizations pay ransom, it increases the incentive for attackers. It is critical that University of Toronto units and individuals understand the risk and be well prepared to prevent ransomware attacks and respond effectively to limit the impact.

How can we proactively reduce the likelihood of a ransomware event?


There is not one approach that will mitigate all risk. Plans must take into account specific technology, threats, use of data, and ability to enable active protections.

Realistically, it is best to plan equally for protections that prevent a successful ransomware attack and for the unfortunate event of a successful attack.

At a minimum, in priority order:

Guidance for Units


Prepare 

Protect Data

    • Ensure there are ransomware resilient backups. This includes testing your backups.
    • Encourage users to use managed data storage, such as Microsoft 365.
    • Review data retention policies. Keep data no longer than needed for business requirements.
    • Perform information risk assessments of all unit systems, starting with systems with high priority research and administrative data to understand specific gaps.

Protect Devices 

Protect Users

    • Promote the use of UTORMFA.
    • Identify users to enroll in Microsoft 365 advanced threat protection.
    • Provide minimum security awareness training for all, advanced content for expert users, and simulated phishing for high-risk users.

Protect Inter-Connected Systems

    • If you run your own Active Directory, ensure it is hardened specifically against ransomware attacks.
    • If you run Unix-based systems, ensure you are effectively using and managing SSH keys to prevent pivots.
    • Use the least-privileged account for any action, e.g., limit the use of administrator credentials for non-administrative work. In Active Directory environments, use a Three Tier approach.

Guidance for Individuals


Especially in these days of remote work, it is important to treat your personal and professional use of technology in comparable ways.

See detailed guidance at Remote Security Matters.

  • Protect your data
    • Back up your data!
      • Use managed storage services to store your important documents and loved items like photographs.
      • If possible, keep an “offline” copy of files.
  • Protect your devices
    • Use anti-virus software.
    • Ensure all devices are updated regularly for security vulnerabilities.
  • Protect yourself

Resources