
Mecklenburg County Ransomware Attack – 6 Steps to Protect Your Organization

The question is, if your company was compromised via a ransomware attack, would you pay the hackers to get the encryption key that would unlock your data? The answer may not be that simple, as Mecklenburg County officials found out last week. The attack on their computer systems served as a wake-up call to all companies, proving that they need to take a proactive approach to preventing ransomware. If not, the alternative is much worse.

By all accounts, this wasn’t an incredibly sophisticated attack and, most likely, the county wasn’t a specific target. When we are talking with prospects, we often hear, “but, we aren’t a target. We are a small company (insert whatever logical reason you want here); why would they come after us?” The answer is, you are most likely right: chances are the bad guys are not targeting your company. But if you have vulnerabilities or employees who don’t recognize a phish, they’ll find you.

In the county’s scenario, the attackers went after every company’s most vulnerable asset: their people. It sounds like a decent phishing email was used, spoofing a county employee’s email account and then emailing a malicious file to another employee at the county. That employee made the unfortunate decision to click on the malicious file and, practically instantaneously, the ransomware attack was kicked off.

The attackers essentially locked down, or encrypted, about 48 Mecklenburg County servers, causing many county services, websites, and data to be inaccessible. There are basically two ways to get everything back in order.

  • Give in to the hackers’ demands and pay the ransom to get the encryption key, OR
  • Rely on a solid business continuity/incident response program, hopefully already established, that includes reliable and tested data backup and recovery.

In many ransomware cases, the hackers tend to request a relatively small ransom amount in hopes that the affected companies pay quickly. In the county’s case, the 2 bitcoin requested, or approximately $23,000 in value, was a fairly insignificant amount for a county government the size of Mecklenburg County. We’re sure the county seriously considered paying the fee immediately to restore order. However, there are some downsides to that, and the FBI, for one, doesn’t recommend paying out in ransomware cases.

  1. Lack of a guarantee that paying the ransom will actually get the encryption key. In many cases, the attackers went dark after the ransom was paid or, worse, continued to ask for more to get the keys.
  2. Potentially opens your organization up as a target for more attacks.
  3. Encourages hackers to continue their efforts and target more organizations.

The fact is, ransomware works because many companies do indeed pay the ransom. Numbers are all over the place, but researchers have stated that 40 to 70% of those impacted by ransomware have paid. And the hackers are just going after low-hanging fruit – casting a wide net via phishing, social engineering or scanning the web looking for vulnerabilities. Think about it from the hacker’s perspective – if you are kicking off tens of thousands of spoofed emails daily and you get even just a 1% return rate, and then 40 to 70% of those pay the ransom, that’s a pretty good living, albeit an unethical one.

Ultimately, Mecklenburg County decided not to pay the ransom, which means they must have had reliable backups they could restore from. We tell our clients all the time that, while it’s important to have backups, it’s equally important to test them often to ensure they will restore properly when you need them (see Rebyc Security comments in the Charlotte Observer). The county is fortunate in that regard, as many companies believe they have good backups only to find, when they need them the most, that they are corrupted or otherwise unable to restore. When that happens, they are basically at the mercy of the hackers.

So, what do you do to protect yourselves, your employees and your business?

Below are 6 steps your organization can take to protect itself:

Security Awareness Training

  • Employees should be made aware of the dangers associated with ransomware as well as the possible consequences. While most organizations conduct annual security training, those that perform security training more frequently and send out monthly reminders perform better against ransomware attacks. The Mecklenburg County issues certainly drive home the need to consistently test your employees’ ability to identify phishing emails. This can be done via phishing tools like KnowBe4 and is best combined with phishing engagements like Rebyc Security’s offerings, where we can customize a social engineering solution to specifically target your company, much like a hacker would.

Spam Filter Testing and Tuning

  • It’s no secret that spam filters aren’t 100% reliable and those in the industry expect some emails to slip through. However, it is beneficial to conduct regular tests against your company’s current spam filter rules to ensure they are effective in stopping some of the latest variants of ransomware attacks.

Web Filter Testing and Tuning

  • Many ransomware attacks attempt to lure users to a malicious website and infect their machine via unpatched vulnerabilities or by having the user download and run a malicious file. Keeping your web filter updated with known-bad websites and maintaining a strict filtering policy significantly reduces the amount of success a ransomware attack might have.

Principle of Least Privilege

  • Most employees do not require ‘Administrator’ rights or rights to install software, yet most employees have these permissions. Assigning users the least amount of privileges required to do their job can greatly reduce the chances of a ransomware attack being successful. Even if the user is tricked into downloading the malicious file, they will be unable to install it and infect their system.

Application Whitelisting

  • While this method is generally seen as a very labor-intensive undertaking, it is also one of the most effective solutions for thwarting ransomware attacks. By allowing only approved, ‘whitelisted’ applications to run in your company’s environment, virtually all malicious ransomware files will be blocked from running. Application whitelisting provides many security benefits when implemented correctly.

Test Your Backups

  • While this does not help in preventing a ransomware attack, it can make recovering from one much less expensive. Typically, attackers will encrypt a user’s files and hold those files for ransom. Having known-good backups can allow an organization to wipe the machine, ignore the ransom request, and restore their data from their backup.

Do you have questions about how you can best protect your organization?  Rebyc Security can help.  We can answer your questions and provide guidance about how to take a proactive approach vs. being the next headline.  You can reach us at or via phone at 704-926-6568 or simply by visiting our contact page.

Keith Haskett – CEO
Rebyc Security