
Protect Against Ransomware by Planning for Ransomware

Amitabh Sinha talks about how to protect against ransomware in your company.

Ransomware is a huge cybersecurity threat, and it’s only growing. It’s especially a risk for businesses, but it targets individuals too. One of the biggest dangers of ransomware is that it may end up in your organization not because of anything you did, but because a third-party software you use or a company in your organization’s supply chain got attacked. How do you protect against ransomware when other companies’ security is out of your control? You may not always be able to prevent it, but you can definitely plan ahead and minimize its impact.


See Ransomware: To Pay or Not to Pay with Amitabh Sinha for a complete transcript of the Easy Prey podcast episode.

Amitabh Sinha has a PhD in computer science and over twenty years’ experience in software and computing. He co-founded the company Workspot in 2012, and has just transitioned into the role of Chief Strategy Officer after being CEO for the past twelve years. Before Workspot, he led the VDI product line at Citrix. While there, he noticed that cloud and software-as-a-service (SaaS) options were out there, and transitioning to those options would help many companies with their legacy systems. That idea drove the founding of Workspot and is the motivation for the company now.

What Ransomware Is

At this point, most people are aware of what ransomware is and the basics of how it works. (If you’ve somehow missed it: Ransomware is a piece of malicious software that prevents you from using your device in any way until you pay the criminal a ransom to get access back.) The first sign for a company that they’ve been infected with ransomware is that all the devices go down. They will only show a message that says you have ransomware and gives instructions to pay the ransom.

Once that happens, you can’t do anything. You might as well send people home, because they can’t do anything on their computers. The whole organization comes to a standstill until people pay the ransom or figure out how to get away from it. Once it strikes, you’re entirely locked out of your business computers until it’s dealt with.

Ransomware is basically once it happens, you’re locked out of your complete business computing environment.

Amitabh Sinha

The most common entry point for ransomware is on an individual PC. Someone clicks a link that they shouldn’t have clicked, downloads a file they shouldn’t have downloaded, or installs a browser plugin they shouldn’t have installed. A common vector is phishing emails with malicious links. Just today, Amitabh got an email pretending to be from Workspot’s expense management company. They had a similar URL and wanted him to click a link. The attacks can be quite sophisticated. And they work through email clients and browsers – everybody in your organization uses those. So the risk is everywhere.

Protect Against Ransomware Because It’s Coming

It’s not a matter of if your organization will get ransomware. It’s a matter of when. So it’s important to protect against ransomware even if you don’t feel like your company is a good target. One thing Amitabh talks to his customers about is that you don’t always get ransomware because of something you did wrong. A consultant or contractor could do something on your network that exposes you.

[Ransomware] is pretty pervasive because it could be anybody that works for you, with you in any … capacity. It’s very difficult to keep out.

Amitabh Sinha

Your supply chain can also put you at risk. Amitabh has had customers come in with a supply chain of fifty companies that they work with. One company got infected with ransomware, and it took down the whole supply chain. We’re seeing this right now with CDK, the car dealership software. Ransomware took down one organization, and the whole supply chain for cars has stopped.

About 60% of the car dealerships in the United States use CDK. They’re all mostly shut down, not because anybody at the individual dealerships did anything risky, but because ransomware targeted an infrastructure provider. These companies often aren’t thinking about protecting against ransomware, so there aren’t redundancies in place. So when ransomware strikes, everybody is struggling.

When Ransomware Strikes

Amitabh had one company that contacted Workspot on a Friday afternoon. They had ransomware and had to send their 750 employees home. They wanted Workspot to set up cloud-based PCs so they could at least get their people working again. That wasn’t a big deal for Workspot. They set up a standalone environment in the cloud with 750 cloud PCs – basically Windows desktops running in the cloud that the employees could access with the Workspot client on their personal devices. Those 750 users were able to be back to work on Monday from their home computers.

But when they got back in, the old state was gone. The new cloud computers were blank. They had to start from scratch and build everything they had back up again. The company put in a few more applications here, and some data there. All told, it took about six weeks for them to go from a fully infected environment to a fully clean environment.

For Workspot, that wasn’t a challenge. Setting up cloud PCs is easy – the only challenge sometimes is capacity, and with less than 1,000 cloud PCs to create, they had no issue. Everything was set up over the weekend. The challenge was on the company’s end. It was a massive disruption to the employees, suddenly working from home and having a brand new machine with nothing on it. It took quite a bit of time for the virtual machine to start looking like their old one. This company was not prepared for ransomware to strike. A good way for them to protect against ransomware would have been to keep external backups that could have restored much of their data and applications onto the virtual machines easily.

To Pay or Not to Pay the Ransom

Criminals using ransomware do generally unlock your device once you pay. After all, they know if ransomware gets a reputation for not giving your files back whether or not you pay, people just won’t pay. But what many people don’t realize is that there’s a gap between when the ransomware process started and when you get that alert on your device. You often don’t know how far back you need to go to fully recover. Depending on how long that gap is, yesterday’s backup may still be infected. And even if the criminal unlocks your device, you can’t fully recover. In addition, once you’ve paid the ransom once, you get flagged as a target who actually pays. This increases your chances of being targeted again and again.
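To make that gap concrete, here is an added example (not from the podcast or from Workspot) of choosing a restore point once responders have identified file hashes tied to the attack. The manifest format, the placeholder hashes, and the function names are all assumptions made for illustration. It shows why "the newest backup with nothing bad in it" is not the same as "the newest backup from before the intrusion".

```python
from datetime import date

# Constructed indicator hashes (placeholders, not real IoCs), standing in for
# what an incident responder would supply after analysing the attack.
INDICATORS = {"PLACEHOLDER_DROPPER_HASH", "PLACEHOLDER_ENCRYPTOR_HASH"}

# Constructed nightly snapshot manifests: snapshot date -> {path: file hash}.
SNAPSHOTS = {
    date(2024, 6, 10): {"docs/plan.docx": "h1", "bin/sync.exe": "h2"},
    date(2024, 6, 11): {"docs/plan.docx": "h1", "bin/sync.exe": "h2",
                        "tmp/upd.exe": "PLACEHOLDER_DROPPER_HASH"},
    # The dropper has removed itself: this snapshot looks clean in a file
    # scan, but it was taken after the intrusion began.
    date(2024, 6, 12): {"docs/plan.docx": "h1", "bin/sync.exe": "h2"},
    date(2024, 6, 13): {"docs/plan.docx": "h1", "bin/sync.exe": "h2",
                        "tmp/svc.exe": "PLACEHOLDER_ENCRYPTOR_HASH"},
}


def hits(manifest, indicators):
    """Return the paths in one snapshot whose hash matches an indicator."""
    return sorted(path for path, h in manifest.items() if h in indicators)


def newest_without_indicators(snapshots, indicators):
    """Naive choice: the most recent snapshot that contains no indicator."""
    clean = [d for d, m in snapshots.items() if not hits(m, indicators)]
    return max(clean) if clean else None


def newest_before_first_indicator(snapshots, indicators):
    """Safer choice: the most recent snapshot older than the first hit.

    Returns None when even the oldest retained snapshot contains an
    indicator, meaning retention does not reach back past the intrusion.
    If no snapshot contains an indicator, the indicators give no bound and
    the newest snapshot is returned unchanged.
    """
    dates = sorted(snapshots)
    hit_dates = [d for d in dates if hits(snapshots[d], indicators)]
    if not hit_dates:
        return dates[-1] if dates else None
    older = [d for d in dates if d < hit_dates[0]]
    return older[-1] if older else None


if __name__ == "__main__":
    print("naive pick:", newest_without_indicators(SNAPSHOTS, INDICATORS))
    print("safe pick: ", newest_before_first_indicator(SNAPSHOTS, INDICATORS))
```

The earliest indicator only bounds the intrusion from one side, so the safer pick is still a starting point for verification rather than proof that the snapshot is clean.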

If you're not prepared to protect against ransomware, you may have to pay the ransom - but that can be dangerous.

If you pay once, you might pay a second and third time. Even if you pay, you might not get all your data back.

Amitabh Sinha

There are also a bunch of caveats here. If it’s not a massive amount and your cybersecurity insurance covers it, that is a valid option. The key is once you’re up and running, you really need to focus on how you can protect against ransomware in the future. This is especially a challenge for smaller companies. Attacks are often more sophisticated than their internal tools. But smaller companies also have the option, like that customer did, of having Workspot just fire up some virtual machines and continuing on. For larger companies, a ransomware attack can be much more disruptive.

Protecting Against Ransomware for Larger Companies

Larger companies often have more strategies to protect against ransomware. Often, they think about networking differently. In the past, devices that the organization managed were considered trusted on the network. This kind of “east-west” internal traffic wasn’t considered suspicious. Organizations in general are better prepared for attacks from outside. But internal traffic is where they get into trouble – they often don’t have a lot of protection from ransomware traveling within an organization. Isolation is one way to protect against this kind of transmission. This strategy of trusting fewer and fewer things often evolves into a zero-trust attitude, which is good.

Another problem in larger organizations is that all the devices often aren’t up-to-date on security patches. It takes just 2% of people being disconnected, and so not receiving the security updates, for the problem to cascade through the organization. One benefit of virtual machines is that everything is always online and so can always be up-to-date. And keeping up-to-date on the latest security patches lowers your odds of ransomware.

If you don’t have the latest software running on your endpoints, the odds of getting hacked are way higher.

Amitabh Sinha

There are a bunch of small steps organizations can take to protect against ransomware. Trust individual machines less; if possible, don’t trust at all. Install fewer things. Limit what browser plugins users can install. Get email security tools that protect from phishing, because that’s a big hacking mechanism right now. Try to keep everything as up-to-date as possible.

Virtual Machines are Easier to Protect Against Ransomware

Having physical devices all over the world is inherently harder to protect than virtual devices running in the cloud or in a data center. Ransomware in the cloud is much easier to reset. Backing up physical machines can be a challenge and takes time and effort. Cloud-based devices can be set up to take snapshots every so often, and the storage is cheap.

There are also a lot more mechanisms to protect against ransomware in the cloud. In addition to your own protection strategies and tools, you’ll get the benefit of your cloud provider’s security strategies. They are probably more capable than most organizations because they have such a big attack surface. They are spending much more money than the average organization to secure themselves.

Amitabh recommends people create isolated networks in the cloud and treat them like a data center isolated from the rest of the organization. Put a firewall between your cloud PCs and the rest of the world, and you’ll get a lot of visibility into that internal traffic coming from PCs. Cloud PCs are also much easier to update and don’t impact the user experience if an update doesn’t go through or has issues. Plus they provide good observability into what’s going on in the machine. You can just do a lot more things with a device when it’s always online.

Virtual Machines as Ransomware Insurance

You can think about making the switch to virtual machines like a form of ransomware insurance. If the total cost of a ransomware attack is X, what would you be willing to pay to not have that happen? Amitabh has done some ROI analyses, and the answer is about a tenth. People are willing to pay one tenth of the cost of ransomware to prevent an attack.

If an attack costs $1 million in lost productivity because a thousand workers can’t work for six weeks, are you willing to pay $100,000 to make sure that doesn’t happen? The ROI math is pretty compelling. But first people have to go through the planning process. If you just have cloud PCs set up but not any of the other stuff, what are you going to do with just a blank machine?

People need to protect their files first, their applications second, and then the third thing is the access devices.

Amitabh Sinha

Small Companies Can Make Ransomware Recovery Easier

Most of the customers Amitabh works with are mid-market and bigger. He doesn’t spend a lot of time with smaller organizations. But that doesn’t mean there aren’t things smaller companies can do to protect against ransomware and make recovery easier when it happens.

Smaller companies should have fewer internal systems and use more SaaS applications. With fewer internal systems, there are fewer things for ransomware to affect. You should be able to start from a completely blank machine and get to a functional device much faster. If you use a handful of SaaS apps to do your work, your PC may be compromised but everything else isn’t. You can get a new device or create a cloud PC, install that handful of SaaS apps, and get back to work almost immediately. Larger companies often have internal apps, proprietary systems, and lots of internal data, which means this isn’t an option for them. But for smaller companies, relying on SaaS apps can protect against ransomware by making recovery much easier.

Virtual Machines are the Future of Business

People have used virtual desktops for the last fifteen years for security and compliance reasons. Especially in the government, financial services, and healthcare industries, they have no option – it’s mandated by law. Because of all the risks to physical machines, more companies need to be thinking like that. This is a security problem, and there are solutions.

Virtual machines are a great security solution because they protect against ransomware and reduce the odds you’re going to be seriously hacked. The number of use cases for virtual machines just keeps going up. This is largely driven by security, as well as the fact that it costs about the same for a physical machine as it does for a virtual, cloud-based one. A lot of organizations are moving towards virtual machines because there’s no longer a performance problem, it’s not hard to make the switch, and it enhances security.

Ransomware Affects Everything

Ransomware doesn’t just get into your PCs. It can go beyond that and into other company infrastructure. To protect against ransomware and be prepared for ransomware recovery, you need to identify critical systems. This could be file shares, applications, or anything else critical to your business.

Failing to protect against ransomware or plan for ransomware in your supply chain can have huge, far-reaching impacts.

The organizations who have planned the best set up an isolated environment with a protected backup for those critical systems. The next step is to consider how to access that. You may have it all set up, but if all your PCs are useless because of ransomware, how are you going to access it? In that scenario, it’s time to set up a series of isolated cloud PCs that you only run when you need them.

All this stuff is ready and prepared and hopefully never used, but it’s an insurance policy … if your actual physical network got ransomware.

Amitabh Sinha

It’s important to protect against ransomware by setting all this stuff up. Hopefully you never use it, but it’s an insurance policy. If your network gets ransomware, wake up these cloud PCs sitting in the cloud, connect to the isolated backup network, and everything is up and running in a controlled environment. For a larger company, this is what it looks like to be prepared for ransomware.

Ransomware in the Supply Chain

There are steps you can take to protect against ransomware even if you aren’t the one targeted by it. In the CDK situation, car dealerships have a ransomware problem, but it’s not their ransomware problem. Instead, it’s a supply chain network problem – one of the companies in their supply chain has ransomware. In any large organization, including the car industry, there’s a globally interconnected supply chain. If one link gets ransomware, it can cause huge issues.

In the case of CDK, the software that drives part of what dealerships do is down, but the rest is still functioning. Amitabh was supposed to take his car to a dealership for service, but they weren’t able to do anything. They could view his order history and car information, but couldn’t view or order parts. The amount of things affected by one link in your supply chain may be bigger than you think.

How do you plan for things you can’t control? You need to look at your mission critical functions. If you don’t have the tools you use for those functions, how can you do it with different tools or even on paper? Obviously that’s not an ideal situation. But knowing in advance means you don’t have to figure it out on the fly. Every organization should ask this for all their critical software.

It’s very difficult to monitor what others are doing in a supply chain network. In Workspot, every piece of software for employee use has to go through a strict review process. If it isn’t approved by the security team, it doesn’t get used. They’ve rejected great software because they couldn’t prove it was secure. Having a review process in place can reduce some risk. But you still need to have a plan.

Ransomware is Becoming More Frequent

Ransomware is an equal opportunity problem. With CDK, we saw it affect 60% of the global car network. Whole small cities have been attacked. And these attacks are very sophisticated. Every time a new employee joins Workspot, they will get a phishing message within two days pretending to be the CEO asking them to do something. That’s a high level of sophistication to figure out that a new employee joined and to craft a compelling message. Several employees have fallen for it.

These [ransomware] attacks are very sophisticated right now.

Amitabh Sinha

Some say that the threat landscape is going to get worse before it gets better, but Amitabh isn’t that optimistic. Ten years ago, we spent $50 billion on cybersecurity software. These days we’re probably spending around $300 billion, but the threats haven’t gone down, ransomware hasn’t reduced, and it’s still not under control. Customers are buying computers with more processing power because they need it to run more security software. It’s a huge issue.

That makes it all the more important to protect against ransomware. For smaller organizations, change your work architecture so you don’t get into a mess and recovery isn’t a major challenge. Larger organizations need to be prepared to go back into a pristine environment and get things up and running after an attack. For home users, it’s not a bad idea to re-format your device and start from scratch, because you don’t know what your antivirus might have missed. Preparation for an attack and recovery is essential. Don’t be scrambling in the moment when it happens.

Learn more about Workspot at workspot.com. You can connect with Amitabh Sinha personally on LinkedIn and on Twitter @amitabhsinha.
