Late last week, in an almost unprecedented joint warning, the US and Canadian governments treated us to a near-apocalyptic notice about the latest scourge of the internet: ransomware.
You know what? It is about time. The threat of someone holding your data encrypted and only giving it back if you send them money is thuggery at its lowest. "Nice data youse got there. It would be a shame if sometin' was to happen to it, eh?"
The simple truth is that the entire attack vector for this particularly venal form of malware is social engineering, better known as the junction between poor training and simple human error. Nearly every reported instance of ransomware has been invited in by someone clicking on an email attachment. Just about every one.
Here's the recommendation from the very smart guys at US-CERT:

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

What this leaves out is that very important protection: user training. It is vitally important that your personnel be trained regularly in security awareness and the many, many methods of social engineering. Once a year, to tick a box on some compliance form, is not enough. To be truly effective, there needs to be at least quarterly, interesting, and genuinely scary training that keeps the importance of constant vigilance at the forefront of your users' attention. Supplement this with reminders such as calendars, screen savers and posters. Make it part of the fabric of everyday workflow. Have everyone repeating the mantra that Security is Everyone's Responsibility. Because it is, and it is past time that we stop relying on technical controls alone and blaming the poor security guy (if we even have one!) when things go seriously south, and some Romanian asshat has locked us out of our own system and wants $6,000.00 to free us from our own stupidity.