Ransomware is dominating the headlines so far in 2016, having moved from targeting individuals to holding corporate data hostage and extorting payments to decrypt the files. Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years. Today, cyber criminals are applying these ancient techniques to modern technologies. So what do enterprises need to know about ransomware attacks and what can they do to minimize the risk of being victimized?
Recent ransomware attacks against school districts (e.g. New Jersey, Horry County in South Carolina), healthcare providers (e.g., Ottawa Hospital), state and local governments, and enterprises illustrate that criminals have shifted away from using this crimeware to extort payments from consumers, since companies will pay higher ransoms.
Ransomware, which encrypts a victim’s data and demands a ransom to unlock it, often has a major impact since it represents a loss of sensitive data or can shut down business operations. Ransomware has been around for a few years. However, according to the Federal Bureau of Investigation (FBI), we’re currently seeing a dramatic increase of these type of cyber-attacks paired with increasingly higher ransom requests. If the first quarter of this year is any indicator, we’ll see the number of ransomware incidents surpass last year’s record, which tallied at 2,453 reported incidents and approximately $24.1 million in ransom paid by victims.
In the past, ransomware was delivered via spam emails, whereby the crimeware was deployed by clicking on an attachment or URL. As defense mechanisms have improved, cyber-attackers have become more sophisticated using spear-phishing emails that target specific individuals and seeding legitimate websites with malicious code. Some recent attacks have even started exploiting smart phone vulnerabilities to penetrate corporate networks. Recent attacks have leveraged RDP brute force attacks as a delivery mechanism.
Upon infection, ransomware begins encrypting files and folders on local hard drives, any attached local storage or backup areas, and potentially other computer nodes that reside on the same network that the victim’s device is attached to. The infection typically goes unnoticed until either access to the data is denied or a message is presented to the victim that demands a ransom payment in exchange for a decryption key.
There are a few fundamental steps that an organization can take to minimize their exposure to ransomware attacks:
1. Implement security awareness programs to educate employees on how ransomware is being deployed and how to avoid spear phishing attacks.
2. Frequently update anti-virus and anti-malware with the latest signatures and perform regular scans.
3. Apply access controls, including file, directory, and network share permissions to limit the exposure of non-administrator users to sensitive data.
4. Create an application whitelist, allowing only specific programs to run on a computer. This should include the disabling of macro scripts from Microsoft Office files transmitted over email.
5. Back up data regularly to a non-connected environment and verify the integrity of those backups regularly.
While these practices cover the security basics, ransomware is just one form of exploit that can easily be replaced by another. The root cause of ransomware infections is the ability of cyber-attackers to exploit known or unknown vulnerabilities. Therefore, streamlining threat and vulnerability management practices becomes the most essential method for minimizing an organization’s exposure.
In today’s dynamically changing threat landscape, contextualizing internal security findings with external threat data can identify imminent cyber risks and help prioritize remediation actions accordingly. However, traditional vulnerability management approaches that use CVE scores to prioritize remediation actions are no longer sufficient. Instead, a more holistic cyber risk management model is needed. One that identifies threats and prioritizes remediation actions by unifying and contextualizing internal security intelligence, external threat data, and business criticality across the entire computing stack to enable pro-active and collaborative enterprise security.