Whenever a data breach happens within a large enterprise, it tends to make headlines. And there were plenty of those in the news last year, from the IRS to Anthem to the U.S. Office of Personnel Management to Ashley Madison. Mid-market enterprises tend not to generate big headlines, as far as cyber attacks go, but that doesn’t mean there weren’t more than enough to go around. Hackers are getting more sophisticated each day, and businesses have to contend with not only zero-day threats but also souped-up versions of longstanding threats. An example of this is the evolution of popular ransomware tools like CryptoWall and CryptoLocker, which saw a resurgence in 2015.
Most cyber attacks targeting large enterprises are the result of highly sophisticated campaigns. Attackers will have likely spent months testing perimeter defenses and conducting social engineering reconnaissance work. Unlike these targeted, custom attacks executed by experts with specific goals, ransomware is a massively scalable attack that aims to infect as many users as possible via malicious emails or compromised web sites. It’s a similar concept to the Zeus financial Trojan, but instead of stealing money from a victim’s bank account, it runs automated crime logic to encrypt data with no manual intervention.
Because of its ability to cast a wide net, ransomware is a popular tool for hackers. Panicked businesses are often quick to pay a ransom to get their data back, but this is ill-advised since it informs the rest of the hacking community which targets are more likely than others to pay up. Nevertheless, there has been a significant increase in available ransomware. According to McAfee Labs’ recent quarterly threat report, there has been more than a 100% increase in total ransomware in Q3 2015 compared with the same quarter in 2014.
The true tale of a ransomware attack
Recently, a law firm owned by a friend fell victim to a ransomware attack. A paralegal was caught in a phishing scheme, and the latest strain of CryptoWall malware encrypted the disk of her AV-protected PC. Even though the firm had only limited backups of the data, it was advised not to pay the ransom. There were bugs in the private/public key system used by the CryptoWall malware, creating a situation where the files could not be decrypted even if the firm paid the ransom. So the firm decided to cut its losses, give up the data, and make the move to the cloud-based Office 365.
Despite the alarm bells that have been sounding for several years now, there are still too many organizations that don’t think they’re the targets of hackers. After all, why would a nation state or an organized cybercrime group take the time and effort to target an organization with a limited customer base and few commercially valuable assets? They can’t really use anything for cyber warfare or to monetize in the black market. But this false sense of anonymity paired with a lack of security resources and expertise is exactly what makes mid-level enterprises such lucrative targets for hackers. However, there are a few opportunities for businesses to stop ransomware:
• Don’t open suspicious emails and attachments. Yes, this is an obvious answer, but one that bears repeating. The weakest link in the cybersecurity chain is a company’s own employees. If phishing scams weren’t so effective, they wouldn’t be the root of most cyber attacks. The base anti-virus program should be paired with an in-depth cybersecurity awareness training program for all employees.
• Warn users of suspicious websites. Deploy a strong URL filter to stop or at least alert users that they may be navigating to a risky website. Where attachments fail, malicious websites will often do the trick.
• Detect incoming malicious files. Another mechanism for defeating ransomware is to catch malicious files coming in through a strong anti-malware or sandboxing solution. This reduces the risk of infection should an employee accidentally download a malicious file.
• Look for malicious outbound traffic. If you do find yourself infected, there’s still hope. For ransomware to work, it has to generate the encryption key pair and deliver the public key to the machine via its command-and-control (C2) server. However, the encryption stage can be impeded if the business can detect and stop the outbound request.
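The last point, catching the outbound C2 request before encryption starts, can be illustrated with a small egress check over proxy logs. This is an added example, not code from the original article; the log format, the baseline of normal business domains and the blocklist are all constructed for illustration, and treating a POST to a never-before-seen domain as the key-exchange signal is a simplifying heuristic, not a property of any specific ransomware family.

```python
"""Flag outbound requests that look like a first contact with a C2 server.

Ransomware must reach its command-and-control server to exchange keys before
it can encrypt, so a workstation's first POST to an unknown domain is worth
an alert (or a block) at the egress point. All sample data is constructed.
"""
import re

# Constructed proxy log line format: "<time> <host> <method> <domain> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Assumption: base domains this business normally talks to (constructed).
BASELINE = {"corp.example", "saas-vendor.example"}
# Assumption: domains already blocked by the URL filter (constructed, not real IoCs).
BLOCKLIST = {"bad-example.invalid"}


def base_domain(host):
    """Reduce a hostname to its last two labels so subdomains share one entry."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_egress(lines, baseline=BASELINE, blocklist=BLOCKLIST):
    """Return (host, domain, reason) tuples for requests a defender should act on."""
    alerts = []
    seen = set(baseline)  # domains already observed or trusted
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        _ts, host, method, domain, _status = m.groups()
        d = base_domain(domain)
        if d in blocklist:
            alerts.append((host, domain, "blocklisted domain"))
        elif method == "POST" and d not in seen:
            # First outbound POST to a domain nobody here has contacted before.
            alerts.append((host, domain, "POST to never-before-seen domain"))
        seen.add(d)
    return alerts


# Constructed sample traffic: normal mail, a news GET, a first-contact POST,
# a repeat POST to the same place, a blocklisted hit, and a malformed line.
SAMPLE_LOG = [
    "09:00:01 ws-paralegal GET mail.corp.example 200",
    "09:00:03 ws-paralegal POST mail.corp.example 200",
    "09:00:07 ws-paralegal GET cdn.news-site.example 200",
    "09:00:09 ws-paralegal POST api.first-contact.example 200",
    "09:00:12 ws-paralegal POST api.first-contact.example 200",
    "09:01:30 ws-finance GET bad-example.invalid 200",
    "this line is not a proxy record",
]
```

Only the first POST to the unknown domain and the blocklisted request are flagged; the repeat POST is not, so in practice the alert should trigger a block rather than wait for a second sighting.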
Most top-of-the-line security appliances are cost-prohibitive to any business that’s not a large enterprise due to the difficulty of acquiring, installing, configuring and maintaining them. Instead, mid-market enterprises can look for ways to maximize defenses while offloading the costly ongoing care and feeding work. Mid-market enterprises with limited resources and weak defenses are a particularly good target for ransomware attacks: they have just enough assets worth paying for, and the capital to do so.