While most everyone in the digital era is aware of malware, the term covers a number of different threats, and the attack method leading the pack today is ransomware. Ransomware attacks quadrupled in 2016 and will double again in 2017, according to a report issued by Beazley, a provider of data breach response insurance. It’s now the most profitable type of malware attack in history.
Organizations across all industries are at risk of infection via email or web attacks with new ransomware attacks growing each year. The evidence shows that it’s not a matter of if but when your business will be infected.
Ransomware is a business, and as a business, it’s going to evolve. Because attackers have adapted their tooling so many times, the encryption keys on offer are often no longer valid, so in many cases you can’t get your data back even if you pay.
According to a recent CSO article, ransomware damages have risen 15 times in two years to hit $5 billion in 2017. Because attackers profit from the sheer volume of attacks rather than from any single payment, the ransom payout itself is the smallest of all the damage costs a business incurs.
For businesses across all sectors and types, the real bottom-line costs that can easily reach hundreds of thousands or even millions come from:
- Damage and destruction (or loss) of data
- Lost productivity
- Post-attack disruption to the normal course of business
- Forensic investigation
- Restoration and deletion of hostage data and systems
- Reputational harm
- Increased insurance rates
- Fines and legal action for personal data loss (compliance and regulatory)
As you can see, it’s not only consumers who are being hit by ransomware but businesses and organizations of all types. A single infected endpoint can lead to file encryptions locally and across the network, which affects anyone accessing the file stores, bringing the business to a standstill.
The Rise of Ransomware
While social media, mobile computing, and cloud services have greatly advanced business processes, they have also created new risks and challenges. Malware can lie dormant for months while the attackers probe the system, study internal communications, and wait for the best time to take control of it. This process is known as footprinting.
As far as finding its way in, everything from email to shadow IT via the cloud has contributed to the rise of ransomware. As ransomware grows and mutates, there are countless variations that pose increasing threats to businesses of all sizes and types:
- The WannaCry ransomware attack stands among the most devastating digital disasters to strike the internet in years, infecting more than 200,000 systems across 150 countries, crippling transportation and hospitals globally. It is also among the most unnecessary, because applying the released Microsoft patches would have plugged the vulnerability.
- The new version of KillDisk encrypts the local hard drives of the machines it infects, as well as any network-mapped folders shared across the organization. The latest variations now target Linux systems, including workstations and servers.
- CryptoLocker uses a domain generation algorithm to produce thousands of domains at a time, of which only a few are live. Its purpose is to locate and reach the command-and-control servers.
- CryptoWall spreads through a combination of compromised sites and has shifted from exploiting the system directly, using various vulnerabilities, to delivery through exploit kits. CryptoWall can encrypt not only files on the victim’s computer but also any external or shared drives connected to it.
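To show the defensive side of the DGA behaviour noted above for CryptoLocker, here is an added example that is not part of the original post: a detector that runs over constructed DNS resolver log lines and flags clients that repeatedly look up random-looking names which fail to resolve, the pattern a DGA leaves when only a few of its thousands of domains are live. The log format, the entropy and vowel-ratio heuristics, and the thresholds are assumptions chosen for the demo.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the original post): "<client_ip> <domain> <rcode>".
# 10.0.0.9 shows the DGA pattern: many random-looking names, most of them NXDOMAIN.
SAMPLE_DNS_LOG = """\
10.0.0.5 mail.example.com NOERROR
10.0.0.5 updates.example.com NOERROR
10.0.0.9 xkqwrtzpvlmbna.com NXDOMAIN
10.0.0.9 pqzvmwkxtrlybsd.net NXDOMAIN
10.0.0.9 wrkjqpxvmztlbn.org NXDOMAIN
10.0.0.9 mtzxqkvprwlnbj.com NXDOMAIN
10.0.0.9 zqkwxvprtmlbnj.biz NXDOMAIN
10.0.0.9 kpxqzwvrtmlnbj.com NOERROR
10.0.0.7 www.example.org NOERROR
"""

def shannon_entropy(s):
    """Bits of entropy per character; generated labels score higher than dictionary words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def looks_generated(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy, vowel-poor leftmost label. Tune thresholds per environment;
    the vowel check is what keeps long legitimate names such as 'microsoftonline' out."""
    label = domain.split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) > min_entropy and vowels / len(label) < max_vowel_ratio

def flag_dga_clients(log_text, min_nxdomain=3):
    """Return [(client, nxdomain_count)] for clients whose generated-looking lookups
    failed at least min_nxdomain times: the signature of a DGA hunting for live C2 domains."""
    stats = defaultdict(lambda: {"generated": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        client, domain, rcode = line.split()
        if looks_generated(domain):
            stats[client]["generated"] += 1
            if rcode == "NXDOMAIN":
                stats[client]["nxdomain"] += 1
    return sorted((c, s["nxdomain"]) for c, s in stats.items() if s["nxdomain"] >= min_nxdomain)

if __name__ == "__main__":
    print(flag_dga_clients(SAMPLE_DNS_LOG))
```

Entropy heuristics alone produce false positives on CDN and cloud hostnames, so in practice the NXDOMAIN burst per client is the stronger signal and the domain score is only a filter.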
There are numerous types of ransomware, and the attack vectors are numerous as well, ranging from email, text messaging, and social media to voice mail to network propagation and the cloud.
Due to the self-propagating nature of this threat, organizations should determine where they might be vulnerable and develop incident responses for ransomware protection that enable pre- and post-infection responses.
Pre-Infection Ransomware Incident Response
In the ongoing battle against ransomware, there are two approaches that businesses and their employees must develop and plan for: Can you defend against it, and if not, can you recover from it? Ideally, the goal is to prevent the infection in the first place with a series of pre-infection response solutions. Pre-infection responses are all about securing against malware from the network perimeter to the endpoints, which includes cloud applications.
When evaluating your environment’s security, an effective IT hygiene solution should focus on three key areas:
- Who is working on your network, and what they can do, in terms of password and permissions management
- What applications are being run, and what security risk each one poses
- Detection of unprotected systems to eliminate backdoor entry by attackers
Implementing a multilayered approach to security architecture ensures that the network and the endpoints are monitored for anomalous behavior. Simultaneously, you can proactively protect all the vulnerable points of the network, identifying and eliminating potential vulnerabilities before attackers can reach them.
Application inventory management is the first step in establishing a transparent security architecture baseline. Application inventory management enables you to proactively identify outdated and unpatched applications and operating systems. This is bolstered by a thorough patching protocol with automated alerts to ensure that all patch updates are immediately implemented.
Once a transparent security architecture baseline is established, endpoint protection solutions can be deployed across the network. For example:
- Endpoint detection solutions like Splunk provide defense and early warning against WannaCry, other current threats, and emerging threats.
- Other security platform solutions like Check Point’s SandBlast can provide sandboxing to contain and monitor files as they execute. This enables the platform to flag, contain, and block suspected modules that try to enter the network by bypassing authentication and defined privileges.
- As malware attempts to evade virtual machines by implementing pre-exploitation triggers, some of these sophisticated security platforms can operate on a CPU level to prevent attacks before any code execution.
- Network segmentation provides a critical network security defense against increasingly sophisticated cybersecurity threats by splitting a network into many “sub-networks” known as segments. This approach allows organizations to group applications and like data together for access by a specific group (e.g., finance) to block attacker infiltration and enhance network security through data access control for insiders, partners, or third parties.
- Network access policy engines can dynamically change network access and enable segmentation based on the who, what, where, and when of the network. This eliminates the need to manually change network access on multiple network devices.
It’s imperative that employees throughout the company understand that human error is one of the leading causes of data breaches, which makes them key to data security. That means educating them with policies and training about:
- Never sharing passwords
- What a phishing email looks like
- Never connecting an unknown USB drive or clicking a link
- Breached-system warning signs
- Securing home Wi-Fi and Internet of Things devices
- Keeping antivirus and firewalls up to date on ALL devices—regardless of internet connectivity
- Utilizing complex passwords rather than default passwords
Employees must be educated through training about the common scams and tricks of cybercriminals, as well as about home protection using firewalls and wireless VPNs. With everyone, including the C-suite, participating in training biannually, you build a security culture that extends to wherever employees may be and whatever device they may be using.
Post-Infection Ransomware Incident Response
The importance of regular backups and testing of data recovery assets cannot be overstated when it comes to post-infection responses. That needs to go hand in hand with assessment, monitoring, and testing as part of a multilevel managed security approach.
Vulnerability Testing and Assessment
Testing is a key component of managed security, as it provides deep, comprehensive inspection of your organization’s IT systems, including both internal and external vulnerabilities across all network devices, servers, and network services, as well as physical security, behaviors of personnel, and other potential points of vulnerability. These assessments should include:
- Network vulnerability
- Wireless security
- Operating environmental security
- Database and application security
- Personnel security
Backup Mechanisms and Protocols
Having a reliable backup solution in place is imperative. It must handle traditional backup methods (e.g., backup copies of individual files) as well as complete images of an entire system on storage media such as external hard drives. To offer good protection, backups must be taken frequently, and both backup and restoration must run fast enough to be useful.
Tools can detect the attack, stop it, and reset the system or the attacked files to the last safe backup version. They can also perform authenticity checks on files to determine whether any changes have been made, and pre-emptively warn users as they swap the infected file for the last safe backup.
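The detect-and-reset-to-last-safe-backup workflow described above, as an added example that is not part of the original post: it baselines a directory with SHA-256 hashes, flags files whose contents changed or disappeared (a high ratio of affected files is treated as a ransomware indicator), and restores only those backup copies that still match the baseline, so a backup that was itself encrypted is never copied back. The directory layout, file names and thresholds are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256; this is the trusted baseline."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}

def detect_tampering(root, manifest, mass_change_ratio=0.5):
    """Compare the live tree to the baseline. Returns (changed, missing, unexpected, alert);
    alert is True when the share of changed-or-missing files reaches mass_change_ratio."""
    current = build_manifest(root)
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)          # e.g. renamed to .locked
    unexpected = sorted(p for p in current if p not in manifest)       # new files, ransom notes
    affected = len(changed) + len(missing)
    alert = bool(manifest) and affected / len(manifest) >= mass_change_ratio
    return changed, missing, unexpected, alert

def restore_from_backup(root, backup_root, manifest, changed, missing):
    """Copy back only backup files whose hash still equals the baseline (authenticity check)."""
    restored = []
    for rel in changed + missing:
        src = Path(backup_root) / rel
        if src.is_file() and sha256_file(src) == manifest[rel]:
            dst = Path(root) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return restored

def demo():
    """Constructed scenario: baseline three files, simulate an encryption-style rewrite and a
    rename, then detect and restore. Returns the findings plus whether the baseline verifies."""
    live, backup = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for name in ("a.docx", "b.xlsx", "c.txt"):
        (live / name).write_bytes(b"original " + name.encode())
        (backup / name).write_bytes(b"original " + name.encode())
    manifest = build_manifest(live)
    (live / "a.docx").write_bytes(b"\x00garbled")        # contents overwritten in place
    (live / "b.xlsx").rename(live / "b.xlsx.locked")     # renamed with a new extension
    changed, missing, unexpected, alert = detect_tampering(live, manifest)
    restored = restore_from_backup(live, backup, manifest, changed, missing)
    verified = all(sha256_file(live / p) == h for p, h in manifest.items())
    return changed, missing, unexpected, alert, restored, verified
```

The manifest must live somewhere the endpoint cannot overwrite (write-once or offline storage), otherwise an attacker who encrypts the files can also replace the baseline.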
Next-Gen Antivirus Platforms
Top-of-the-line cybersecurity tools provide prevention features capable of defeating new tools and techniques used by attackers and filling the gap left by legacy antivirus solutions that primarily focus on malware. These solutions include, but go beyond, known malware prevention tools and techniques by identifying attack indicators through endpoint event correlation to detect stealth activities that indicate malicious activity.
These next-gen solutions include prevention for commodity malware, zero-day malware, and even advanced malware-free attacks. In addition, they utilize machine learning to detect ransomware and prevent known and unknown malware, whether endpoints are on or off the network.
Integrated whitelisting and blacklisting processes allow or block custom hashes, while exploit mitigation stops attacks that exploit vulnerabilities to compromise hosts. Sophisticated but intuitive dashboards enable following the attack at each step with detailed timeline information for threat understanding to enable remediation.
Keeping Your Business Secure
All of the measures in this blog post show that ransomware protection is about data protection. Without a cybersecurity plan that integrates data protections, methodologies, and protocols, it is impossible to prevent and detect malware infections.
Given the speed at which ransomware impacts organizations, businesses and their employees need solutions in place to detect ransomware at the earliest stage possible. That requires a level of commitment to following through that goes from the C-suite to the individual employee.