Accenture Security Ransomware

The iDefense Threat Intelligence team of Accenture Security highlighted a new dynamic in its cyber crime analysis: ransomware-as-a-service (RaaS). Malicious actors packaged successful variants of extortive malware into kits that enable less-skilled actors to employ this threat tactic with little effort or technical knowledge. It is a new take on an age-old problem, and one that is making the C-suite increasingly nervous.

2 | MANAGING RANSOMWARE: PRACTICAL STEPS TO AVOID FUTURE ATTACKS


Asking for a ransom as a means of coercion can be traced back thousands of years. In its latest incarnation, ransomware introduces malicious software onto a target computer or server, in some cases exploiting one or more programmatic flaws to gain expanded access to the machine. Often no vulnerability is needed at all: the malware simply runs with the privileges of the user who opened it, which is why the e-mail and least-privilege controls later in this document matter. Once the files are "locked" with an encryption key that only the attacker possesses, the impacted user is asked to pay money, often in the digital currency bitcoin, to reinstate access to the encrypted files.

Ransomware in itself is not the real risk. The risk lies in the impact to the business caused by a service or process that has suddenly been removed. Ransomware can halt manufacturing control systems, potentially shutting down plants, or it can target a bank's clearing systems and cause a backlog in the clearing process. In the first half of 2016, there were widespread reports on the Internet of new ransomware variants and infections affecting organizations across a wide swath of industries in both the public and private sectors. One well-publicized report concerned the Hollywood Presbyterian Medical Center ransomware infection in February 2016. In addition to turning away ambulances, hospital staff were forced to write down patient information by hand because they had no access to computers, and eventually the hospital declared an internal state of emergency.

Fast forward to 2017, and the scenario was repeated across the National Health Service in the United Kingdom and many other organizations globally. Ransomware is not new, but the size of recent attacks such as WannaCry and Petya is "unprecedented," according to the European Union police body Europol.

Although the technical debriefs following such incidents give vital information about what has happened, corporate executives and Board members are often left wondering how to understand the real risk associated with ransomware and, more importantly, how to identify the best steps to manage or mitigate that exposure. In reality, ransomware can have a profound effect on profitability, reputation and shareholder value. C-suite executives should strive to better understand the range and depth of their digital agenda so that they can characterize the complex risks presented by these cyber threats.

Without doubt, ransomware is growing in boldness and ferocity. Future outbreaks are likely to be faster and stronger, and to attempt to inflict more damage on their targets. But technically and tactically, there is a range of activities that, together, help organizations defend against and respond more effectively to ransomware outbreaks. From a Board and C-suite perspective, understanding the organization's most critical products, services, business processes and data is crucial. Protection and end user education are similarly vital. Being able to respond quickly, and to keep responding as the situation develops, also strengthens any defense and response approach. Fortunately, there are a number of tactical steps that can be taken to avoid falling victim to a ransomware attack. Read on to find out more about the practices that leading companies are adopting to protect themselves.



RANSOMWARE ATTACKS AND E-MAIL

Many ransomware attacks originate as a malicious e-mail; WannaCry and Petya, which spread directly between machines over the network, are notable exceptions. Prevention training and awareness programs can help employees recognize the telltale signs of malicious e-mails and phishing scams, and know how to handle them. Leading programs typically include:

• Training to help employees recognize and avoid fraudulent e-mails.
• Guidance on how to respond if an employee believes he or she is the victim of a social engineering attack.
• Frequent tests that assess employees' adoption of the guidance provided.

E-MAIL CONTROLS

Ransomware attacks are frequently delivered via e-mail. Strengthening e-mail controls can often prevent malicious e-mails from reaching employees. Consider taking the following steps to protect e-mail environments:

• Enable strong spam filters to prevent suspicious e-mails from reaching end users.
• Authenticate inbound e-mail using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to prevent spoofing. Note that SPF and DKIM only tell the receiver whether a message passed; publish a DMARC policy as well so that receivers know to quarantine or reject mail claiming your domain that fails both checks.
• Scan incoming and outgoing e-mails to detect threats and filter executable files.
• Deploy a cloud-based e-mail analytics solution such as Proofpoint or Microsoft ATP to identify and quarantine known threats distributed via malicious e-mail.
• Configure e-mail so that external e-mail is clearly identified as originating from outside the enterprise, prompting employees to be more cautious.
• Display file extensions, making it easier to spot file types not commonly sent to employees, such as JavaScript. Watch for double extensions (for example, a file ending in .pdf.js) that rely on hidden extensions to look harmless.
• Consider installing the Microsoft Office viewers, which do not support macros, so that employees can see document content without opening the document in the full application.
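The following is an added example, not code from the original brochure and not any vendor's product logic. It shows how a mail gateway can apply three of the controls above in one pass: treating a message that claims the enterprise's own domain as spoofed unless the upstream MTA's Authentication-Results header records an SPF or DKIM pass, blocking attachments by their real (final) extension so that double extensions such as Invoice.pdf.js are caught, and tagging external mail in the subject. The internal domain (example.com), the blocked-extension list, the sample messages and the assumption that an MTA has already stamped Authentication-Results are all constructed for this example.

```python
"""Gateway-side e-mail policy checks for several of the controls listed above.

Added example, not code from the original brochure and not any vendor's
product logic. It uses only the Python standard library and runs on messages
constructed below. The internal domain, the blocked-extension list and the
assumption that an upstream MTA has already stamped an Authentication-Results
header with its SPF/DKIM verdicts are all assumptions made for this example.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.com"}          # assumed: the enterprise's own sending domains
BLOCKED_EXTENSIONS = {                       # assumed policy: executables, scripts, macro documents
    "exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd",
    "ps1", "jar", "docm", "xlsm", "pptm",
}


def sender_domain(msg: EmailMessage) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def spoofed_internal_sender(msg: EmailMessage) -> bool:
    """A message claiming one of our own domains must carry a pass for SPF or
    DKIM in the Authentication-Results header the MTA added; otherwise it is
    treated as a spoof. External senders are left to DMARC/reputation checks."""
    if sender_domain(msg) not in INTERNAL_DOMAINS:
        return False
    results = msg.get("Authentication-Results", "")
    return not re.search(r"\b(spf|dkim)=pass\b", results)


def risky_extensions(filename: str) -> list:
    """Every blocked extension anywhere after the first dot, so that a double
    extension such as 'Invoice.pdf.js' is caught by its real (final) type."""
    parts = filename.lower().split(".")[1:]
    return [p for p in parts if p in BLOCKED_EXTENSIONS]


def evaluate(message) -> dict:
    """Return the gateway decision for one message (raw string or EmailMessage):
    quarantine or deliver, the subject as it should be shown, and the reasons."""
    msg = message_from_string(message, policy=policy.default) if isinstance(message, str) else message
    reasons = []
    if spoofed_internal_sender(msg):
        reasons.append("sender claims internal domain but neither SPF nor DKIM passed")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = risky_extensions(name)
        if hits:
            reasons.append(f"blocked attachment type: {name} ({', '.join(hits)})")
    subject = str(msg.get("Subject", ""))
    if sender_domain(msg) not in INTERNAL_DOMAINS and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject       # visible cue that the mail came from outside
    return {"action": "quarantine" if reasons else "deliver", "subject": subject, "reasons": reasons}


def build_sample(from_addr, subject, attachment=None, auth_results=None) -> EmailMessage:
    """Constructed sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "finance@example.com"
    msg["Subject"] = subject
    if auth_results:
        msg["Authentication-Results"] = auth_results
    msg.set_content("Please see the attached invoice.")
    if attachment:
        name, payload = attachment
        msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    samples = [
        build_sample("billing@vendor-mail.net", "Invoice 4471", ("Invoice.pdf.js", b"\x00")),
        build_sample("ceo@example.com", "Urgent wire transfer",
                     auth_results="mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none"),
        build_sample("payroll@example.com", "June payroll", ("payroll_june.pdf", b"%PDF"),
                     auth_results="mx.example.com; spf=pass; dkim=pass header.d=example.com"),
    ]
    for s in samples:
        print(evaluate(s))
```

The first sample is quarantined for its .js payload and tagged [EXTERNAL]; the second is quarantined because it claims example.com without an SPF or DKIM pass; the third, a genuine internal message with a PDF, is delivered untouched. The SPF and DKIM lookups themselves are assumed to happen in the MTA, which is where they belong; this script only consumes the verdicts.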



PROTECTING INFRASTRUCTURE

Attackers are getting smarter, and even well-trained employees can make mistakes and fail to recognize malicious e-mails. For those cases, the following actions help protect the infrastructure:

• Remove or limit local workstation admin rights, and closely monitor privileged administrator access across operating systems (Windows Domain Admin accounts, UNIX root accounts) in the SIEM.
• Regularly patch operating systems and applications so that known vulnerabilities are not exploited. Track individual employee and server assets to ensure compliance across the enterprise. It only takes one unpatched endpoint to infect others.
• Use endpoint protection that includes heuristic behavior analysis and updates signatures frequently. Institute a monitoring program to track endpoints that have not received these updates on a regular basis.
• Limit administrator access to only those who genuinely need it.
• Maintain a workstation security compliance program to validate that all relevant tools are in place and working. This includes content within SIEM platforms to monitor for new, updated or removed controls.
• Configure security information and event management (SIEM) solutions to flag incidents and enable automated cleanup methods.
• Segment networks so that servers and workstations are not in the same network. Place strong access control lists between these networks.
• Implement and/or tighten web filters and URL blockers. Besides clicking on links within phishing e-mails, employees introduce malware by visiting compromised webpages. Web filtering helps block websites hosting ransomware, as well as their command and control servers.
• Review security systems for appropriate configuration and hardening (virus scanners, firewalls, intrusion prevention systems, e-mail/Web gateways).
• Deploy a cloud-based threat reputation tool such as OpenDNS, Forcepoint or Palo Alto that blocks traffic to known malicious websites.
• Set the default execution policy to "no." Application allowlisting keeps servers secure by identifying the authorized applications and limiting what each can change and update, and it stops unauthorized binaries, including any payload a dropper fetches from a command and control server, from running at all.
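Two of the SIEM checks listed above, written out as detection rules over constructed events, as an added example that is not from the original brochure. The first rule flags an interactive (console or RDP) logon by a member of a privileged group to any host that is not a designated admin jump host; the second flags an endpoint whose last reported signature date is older than a threshold. The field names, the JUMP- host naming, the group names, the three-day threshold and every event record are assumptions made for this example, not real telemetry.

```python
"""Two SIEM-style detection rules for the infrastructure controls above.

Added example, not from the original brochure. Event records are constructed
to resemble normalised Windows security events (4624 logons) and endpoint-agent
heartbeats; the field names, host naming (JUMP-* for admin jump hosts), the
privileged group names and the 3-day signature-age threshold are assumptions.
"""
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}   # assumed privileged groups
JUMP_HOST_PREFIX = "JUMP-"                              # assumed: only place admins should log on
INTERACTIVE_LOGON_TYPES = {2, 10}                       # console and RDP
MAX_SIGNATURE_AGE = timedelta(days=3)                   # assumed threshold

# Constructed sample events (not a real capture). Each dict is one normalised log line.
EVENTS = [
    {"time": "2017-06-27T08:01:00", "event_id": 4624, "host": "JUMP-01", "user": "alice",
     "groups": ["Domain Admins"], "logon_type": 10},     # DA over RDP to a jump host: expected
    {"time": "2017-06-27T08:05:00", "event_id": 4624, "host": "WS-FIN-017", "user": "alice",
     "groups": ["Domain Admins"], "logon_type": 2},      # DA at the console of a finance PC
    {"time": "2017-06-27T08:06:00", "event_id": 4624, "host": "WS-FIN-017", "user": "bob",
     "groups": ["Finance Users"], "logon_type": 2},      # ordinary user
    {"time": "2017-06-27T08:07:00", "event_id": 4624, "host": "SRV-FILE-02", "user": "svc_backup",
     "groups": ["Domain Admins"], "logon_type": 3},      # network logon, not interactive
    {"time": "2017-06-27T09:00:00", "event_id": "av_heartbeat", "host": "WS-FIN-017",
     "signature_date": "2017-06-26"},                    # one day old: fine
    {"time": "2017-06-27T09:00:00", "event_id": "av_heartbeat", "host": "WS-HR-003",
     "signature_date": "2017-06-19"},                    # eight days stale
]


def rule_privileged_interactive_logon(ev):
    """Flag an interactive logon by a privileged-group member to a non-jump host."""
    if ev.get("event_id") != 4624 or ev.get("logon_type") not in INTERACTIVE_LOGON_TYPES:
        return None
    if not ADMIN_GROUPS.intersection(ev.get("groups", [])):
        return None
    if ev["host"].startswith(JUMP_HOST_PREFIX):
        return None
    return f"privileged interactive logon: {ev['user']} on {ev['host']} (logon type {ev['logon_type']})"


def rule_stale_signatures(ev, now):
    """Flag an endpoint whose last reported signature date exceeds the threshold."""
    if ev.get("event_id") != "av_heartbeat":
        return None
    age = now - datetime.fromisoformat(ev["signature_date"])
    if age <= MAX_SIGNATURE_AGE:
        return None
    return f"stale signatures: {ev['host']} last updated {ev['signature_date']} ({age.days} days)"


def run_rules(events, now_iso):
    """Evaluate every rule against every event; returns the list of alert strings."""
    now = datetime.fromisoformat(now_iso)
    alerts = []
    for ev in events:
        for hit in (rule_privileged_interactive_logon(ev), rule_stale_signatures(ev, now)):
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS, "2017-06-27T09:00:00"):
        print(alert)
```

Run against the sample, the rules produce exactly two alerts: alice's console logon to WS-FIN-017 and the stale signatures on WS-HR-003. The jump-host logon and the service account's network logon are deliberately left alone, which is the part of a rule like this that takes tuning in a real environment.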



A STRONG BUSINESS CONTINUITY PLAN

Many ransomware attacks are targeted and intentional rather than random. Organizations should prepare and exercise a crisis management plan well in advance of an incident. This includes emergency shutdown procedures and instructions for employee communication, "out-of-band" communications (voice systems may be down during a cyber attack), as well as having legal and PR teams educated on these responses.

Even with the best defenses in place, successful attacks may still occur. Having a strong business continuity plan for recovery can make it easier to avoid paying the ransom. Key components of a business continuity plan that is effective against ransomware include:

• Alignment of recovery objectives to the critical tasks within an acceptable timeframe.
• A regular review, update and test of the recovery plan.
• Workstations and file servers should not be constantly connected to their backup devices, so that in the event of a successful attack the backups are not encrypted too. In addition, confirm that your backup solution stores periodic snapshots instead of regularly overwriting previous backups: a single copy that the next run overwrites will simply be replaced with encrypted data, leaving nothing clean to restore.
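To make the snapshot-versus-overwrite point concrete, here is an added example (not from the original brochure and not any backup product's logic). It runs the same three-day backup history through two in-memory stores, one that appends a snapshot per run and one that keeps a single overwritten copy, and picks the most recent restore point that contains no encrypted files. Encrypted files are recognised by a simple heuristic: a ransom note by name, or a file that should be plain text but has near-random content. The file contents, dates, ransom-note file names and the entropy threshold are constructed assumptions.

```python
"""Why snapshots beat overwriting backups: picking a clean restore point.

Added example, not from the original brochure. It models the advice above with
two in-memory backup stores, one that keeps every snapshot and one that
overwrites a single copy, plus a heuristic that spots encrypted files. The file
contents, dates, ransom-note names and the entropy threshold are constructed
assumptions, not real backup data or any vendor's detection logic.
"""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5                                 # assumed: bits per byte; ciphertext sits near 8.0
PLAINTEXT_TYPES = (".txt", ".csv", ".log", ".sql")      # assumed: types that should be low-entropy
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.html"}  # assumed markers


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """Heuristic only: a ransom note by name, or a file that should be plain
    text but has near-random content. Files the malware renamed (.locked etc.)
    would need a separate check on the new extension."""
    name = path.lower().rsplit("/", 1)[-1]
    if name in RANSOM_NOTE_NAMES:
        return True
    return name.endswith(PLAINTEXT_TYPES) and shannon_entropy(data) > ENTROPY_THRESHOLD


def snapshot_is_clean(files: dict) -> bool:
    return not any(looks_encrypted(p, d) for p, d in files.items())


class SnapshotStore:
    """Append-only: every backup run adds a new snapshot; nothing is overwritten."""
    def __init__(self):
        self.snapshots = []                  # list of (date, {path: bytes})

    def backup(self, date: str, files: dict) -> None:
        self.snapshots.append((date, dict(files)))

    def latest_clean(self):
        for date, files in reversed(self.snapshots):
            if snapshot_is_clean(files):
                return date
        return None


class OverwritingStore:
    """The weak pattern: one copy that each run replaces. Once the source is
    encrypted and a backup runs, the only copy is ciphertext."""
    def __init__(self):
        self.current = None

    def backup(self, date: str, files: dict) -> None:
        self.current = (date, dict(files))

    def latest_clean(self):
        if self.current and snapshot_is_clean(self.current[1]):
            return self.current[0]
        return None


def sample_runs():
    """Constructed backup history: two clean days, then the day the share was encrypted."""
    rng = random.Random(1)
    clean = {
        "finance/ledger.csv": b"date,amount\n2017-06-01,100.00\n" * 50,
        "minutes/board_june.txt": b"Board minutes, June 2017. " * 100,
    }
    encrypted = {p: bytes(rng.getrandbits(8) for _ in range(4096)) for p in clean}
    encrypted["finance/readme_to_decrypt.txt"] = b"Your files have been encrypted. Pay 1 BTC."
    return [("2017-06-25", clean), ("2017-06-26", clean), ("2017-06-27", encrypted)]


def compare_strategies():
    """Run the same history through both stores; returns the restore point each can offer."""
    snap, over = SnapshotStore(), OverwritingStore()
    for date, files in sample_runs():
        snap.backup(date, files)
        over.backup(date, files)
    return snap.latest_clean(), over.latest_clean()


if __name__ == "__main__":
    snapshot_point, overwrite_point = compare_strategies()
    print("snapshot store restore point:  ", snapshot_point)
    print("overwriting store restore point:", overwrite_point)
```

With the constructed history, the snapshot store can offer 2017-06-26 as a clean restore point, while the overwriting store has nothing to offer because its only copy was taken after the share was encrypted. The same test belongs in a real recovery rehearsal: pick the restore point by inspecting the backup content, not by assuming the newest copy is good.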



Accenture recommends that all organizations
review their current processes against these
leading practices and close any gaps. And
while these recommendations can reduce an
organization’s vulnerability to ransomware
attacks, they may not be fully sufficient as the
threat evolves. So we also urge organizations to
stay informed about emerging threats and the
latest practices required to avoid those threats.



Find out more about the evolving cybersecurity landscape and what you can do to strengthen your defenses.

CONTACT

Justin Harvey
Managing Director, Accenture Security
Incident Response & Threat Hunting
justin.harvey@accenture.com

Josh Ray
Managing Director, Accenture Security
Cyber Threat Intelligence
joshua.a.ray@accenture.com

Uwe Kissmann
Managing Director, Accenture Security
uwe.kissmann@accenture.com

Rick Hemsley
Managing Director, Accenture Security
rick.hemsley@accenture.com

Gareth Russell
Managing Director, Accenture Security
gareth.russell@accenture.com

ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialized skills across more than 40 industries and all business functions, underpinned by the world's largest delivery network, Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With approximately 411,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

ABOUT ACCENTURE SECURITY

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture protects organizations' valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit the Accenture Security blog. Visit us at http://www.accenture.com/security


Copyright © 2017 Accenture. All rights reserved.
Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
