While most everyone in the digital era is aware of malware, this term covers a number of different threats, but the one attack method that is leading the pack today is ransomware. Ransomware attacks quadrupled in 2016 and will double again in 2017, according to a report issued by Beazley, a provider of data breach response insurance. It’s now the most profitable type of malware attack in history.
Organizations across all industries are at risk of infection via email or web attacks with new ransomware attacks growing each year. The evidence shows that it’s not a matter of if but when your business will be infected.
Ransomware is a business, and as a business, it is going to evolve. Because the encryption keys are often no longer valid after the many adaptations made by attackers, in many cases you can’t get your data back even if you pay.
According to a recent CSO article, ransomware damages have risen 15 times in two years to hit $5 billion in 2017. Because attackers profit from the sheer volume of attacks rather than from any single payment, ransom payouts are the smallest of all the damage cost contributors for businesses.
For businesses across all sectors and types, the real bottom-line costs that can easily reach hundreds of thousands or even millions come from:
As you can see, it’s not only consumers who are being hit by ransomware but businesses and organizations of all types. A single infected endpoint can lead to file encryption locally and across the network, which affects anyone accessing the file stores and brings the business to a standstill.
While social media, mobile computing, and cloud services have greatly advanced business processes, they have also created new risks and challenges. Malware can lie dormant for months while the attackers probe the system, study internal communications, and wait for the best time to take control of the system. This process is known as footprinting.
As far as finding its way in, everything from email to shadow IT via the cloud has contributed to the rise of ransomware. As ransomware grows and mutates, there are countless variations that pose increasing threats to businesses of all sizes and types:
There are numerous types of ransomware, and the attack vectors are numerous as well, ranging from email, text messaging, social media, and voice mail to network propagation and the cloud.
Due to the self-propagating nature of this threat, organizations should determine where they might be vulnerable and develop incident responses for ransomware protection that enable pre- and post-infection responses.
In the ongoing battle against ransomware, there are two approaches that businesses and their employees must develop and plan for: Can you defend against it, and if not, can you recover from it? Ideally, the goal is to prevent the infection in the first place with a series of pre-infection response solutions. Pre-infection responses are all about securing against malware from the network perimeter to the endpoints, which includes cloud applications.
When evaluating your environment’s security, an effective IT hygiene solution should focus on three key areas:
Implementing a multilayered security architecture ensures that the network and the endpoints are monitored for anomalous behavior. At the same time, you can proactively protect all the vulnerable points of the network, identifying and eliminating potential vulnerabilities before attackers can reach them.
Application inventory management is the first step in establishing a transparent security architecture baseline. Application inventory management enables you to proactively identify outdated and unpatched applications and operating systems. This is bolstered by a thorough patching protocol with automated alerts to ensure that all patch updates are immediately implemented.
Once a transparent security architecture baseline is established, endpoint protection solutions can be deployed across the network. For example:
It’s imperative that employees throughout the company understand that human error is one of the leading causes of data breaches, which makes them key to data security. That means educating them with policies and training about:
Employees must be trained to recognize the common scams and tricks of cybercriminals, and to protect their home networks with firewalls and VPNs on wireless connections. With everyone, including the C-suite, participating in training biannually, you build a security culture that extends to wherever employees are and to whatever device they are using.
The importance of regular backups and testing of data recovery assets cannot be overstated when it comes to post-infection responses. That needs to go hand in hand with assessment, monitoring, and testing as part of a multilevel managed security approach.
Testing is a key component of managed security, as it provides deep, comprehensive inspection of your organization’s IT systems, including both internal and external vulnerabilities across all network devices, servers, and network services, as well as physical security, behaviors of personnel, and other potential points of vulnerability. These assessments should include:
A reliable backup solution must handle both traditional backup methods (e.g., backup copies of individual files) and complete images of an entire system stored on media such as external hard drives. To offer good protection, backups must be taken frequently, and both backup and restoration must be fast enough to be practical.
Tools can detect the attack, stop it, and reset the system or the attacked files to the last safe backup version. They can also provide authenticity checks of files to determine if any changes have been made and pre-emptively warn users as they swap out the infected file for the last safe backup.
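To make the file authenticity check and the restore-to-last-safe-backup step concrete, here is an added Python example (not code from the original post or any vendor product) that baselines a directory tree by SHA-256, reports modified, missing and unexpected files, and restores only from backup copies that still match the baseline hash. The directory layout and file contents in `demo()` are constructed for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file (read whole; chunk it for very large files)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root: Path) -> dict:
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root: Path, manifest: dict) -> dict:
    """Diff the live tree against the baseline: modified, missing and unexpected files."""
    live = build_manifest(root)
    return {"modified": sorted(k for k in manifest if k in live and live[k] != manifest[k]),
            "missing": sorted(k for k in manifest if k not in live),
            "new": sorted(k for k in live if k not in manifest)}

def restore_from_backup(root: Path, backup: Path, manifest: dict, report: dict) -> list:
    """Copy modified/missing files back from the backup, but only when the backup
    copy itself still matches the baseline hash (a tampered backup is not a backup)."""
    restored = []
    for rel in report["modified"] + report["missing"]:
        src = backup / rel
        if src.is_file() and sha256_file(src) == manifest[rel]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(src, root / rel)
            restored.append(rel)
    return sorted(restored)

def demo() -> tuple:
    """Constructed scenario: baseline, back up, tamper, detect, restore, re-check."""
    root = Path(tempfile.mkdtemp()) / "data"
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "a.txt").write_text("quarterly report\n")
    (root / "b.txt").write_text("contract\n")
    manifest = build_manifest(root)
    backup = root.with_name("backup")
    shutil.copytree(root, backup)
    (root / "docs" / "a.txt").write_bytes(b"\x00\xff" * 16)  # contents replaced (simulated damage)
    (root / "b.txt").unlink()                                  # file removed
    (root / "unknown.bin").write_bytes(b"\x01")                 # file that was never baselined
    report = check_integrity(root, manifest)
    restored = restore_from_backup(root, backup, manifest, report)
    return report, restored, check_integrity(root, manifest)
```

In practice the manifest and the backup live on storage the endpoint cannot write to, otherwise the same event that damages the files can damage the baseline.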
Top-of-the-line cybersecurity tools provide prevention features capable of defeating new tools and techniques used by attackers and filling the gap left by legacy antivirus solutions that primarily focus on malware. These solutions include, but go beyond, known malware prevention tools and techniques by identifying attack indicators through endpoint event correlation to detect stealth activities that indicate malicious activity.
These next-gen solutions include prevention for commodity malware, zero-day malware, and even advanced malware-free attacks. In addition, they utilize machine learning to detect ransomware and prevent known and unknown malware, whether endpoints are on or off the network.
Integrated whitelisting and blacklisting processes allow or block custom hashes, while exploit mitigation stops attacks that exploit vulnerabilities to compromise hosts. Sophisticated but intuitive dashboards enable following the attack at each step with detailed timeline information for threat understanding to enable remediation.
All of the measures in this blog post show that ransomware protection is about data protection. Without a cybersecurity plan that integrates data protections, methodologies, and protocols, it is impossible to prevent and detect malware infections.
Given the speed at which ransomware impacts organizations, businesses and their employees need solutions in place to detect ransomware at the earliest stage possible. That requires a level of commitment to following through that goes from the C-suite to the individual employee.