Connect with us

Hi, what are you looking for?



Boost Infrastructure Immunity Against the Ransomware Epidemic

Despite the recent incidents at the City of Baltimore, aluminum giant Norsk Hydro, and ASCO Industries, ransomware attacks have declined in both 2018 and 2019.

Despite the recent incidents at the City of Baltimore, aluminum giant Norsk Hydro, and ASCO Industries, ransomware attacks have declined in both 2018 and 2019. Researchers report that only four percent of organizations worldwide experienced ransomware infection in 2018 — that’s a 44 percent drop compared to 2017. However, the news that Lake City, the City of Riviera Beach, and La Porte County opted to pay a combined $1.3 million in ransom has security experts warning that we should brace for a wave of ransomware attacks of epidemic proportions. The decision by these cities to pay the ransom, which goes against common wisdom and the advice of the FBI, will undoubtedly encourage copycat attacks looking to cash in on the fact that some organizations, in this case municipalities, are willing to pay up. Given the likelihood of an uptick in ransomware attacks, let’s consider steps organizations can take to minimize the risk of being victimized.

Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years. Today, cyber criminals are applying these ancient techniques to modern technologies. Ransomware is most commonly delivered via spam emails whereby the crimeware was deployed by clicking on an attachment or URL. Upon infection, ransomware begins encrypting files and folders on local hard drives, any attached local storage or backup areas, and potentially other computer nodes that reside on the same network that the victim’s device is attached to. The infection typically goes unnoticed until either access to the data is denied or a message is presented to the victim that demands a ransom payment in exchange for a decryption key. 

Ransomware often has a major impact since encrypting and blocking access to sensitive data can shut down business operations. A good example, were the WannaCry and NotPetya attacks in mid-2017 that spread like wildfire across the globe, crippling banks, logistics firms, manufacturing plants, and many other industries. 

While these wide-spread attacks led to the deployment of additional defense mechanisms, cyber-attackers have also created more sophisticated attacks, using spear-phishing emails that target specific individuals and seed legitimate websites with malicious code. Targeted attacks might affect fewer organizations but have a much higher success rate. 

That’s why the decline in infections has not resulted in declining revenues for attackers or financial impacts on the victim organizations. In fact, the damages associated with ransomware have dramatically increased according to the FBI’s Internet Crime Complaint Center (IC3). The City of Baltimore is a good example, as the damages are expected to exceed $18 million. 

Basic Hygiene 

There are a few fundamental steps that organizations can take to minimize their exposure to ransomware attacks:

Advertisement. Scroll to continue reading.

• Implement security awareness programs to educate employees on how ransomware is being deployed and how to recognize and avoid spear-phishing attacks.

• Regularly update anti-virus and anti-malware with the latest signatures and perform regular scans.

• Create an application whitelist, allowing only specific programs to run on endpoints. This should include the disabling of macro scripts from Microsoft Office files transmitted over email.

• Back up data regularly to a non-connected environment and verify the integrity of those backups regularly.

Stopping Ransomware Attacks with a Dual Therapy Strategy

While these practices cover the security basics, ransomware is just one form of exploit that can easily be replaced by another. According to Forrester, an estimated 80 percent of data breaches are tied to privileged access abuse. By applying proper access controls, organizations can apply a “dual therapy” to this epidemic: address the number one cause of today’s data breaches — privileged access abuse — while at the same time minimizing the impact of a ransomware attack by preventing malware from running or at least limit its capability to spread through a network.

In this context, organizations can stop ransomware attacks in their tracks by:

1. Establishing a Secure Admin Environment

In order to prevent malware from spreading during sessions that connect servers with privileged access, establish policies that only authorize privileged access from a “clean” source. This will prevent direct access from user workstations that are connected to the Internet and receive external email messages, which are too easily infected with malware. 

2. Zoning Off Access

Enforce “access zones” that restrict access by privileged users to specific systems and requires multi-factor authentication (MFA) in order to reach assets outside of their zone. Without an MFA challenge, ransomware can spread to other systems. By zoning specific systems and organizational units, ransomware may spread but not to those systems that require additional user verification.

3. Minimizing the Attack Surface

By vaulting away shared local accounts, organizations can minimize their attack surface. Ransomware does not always need elevated privileges to spread, but if it is able to gain it, the impact will be much more damaging. 

4. Limiting Privilege

Ultimately, applying the concept of least privilege empowers organizations to granularly control what access admin users have and what privileged commands they can run. Without the ability to install files or at least elevate privilege when installation is necessary, ransomware cannot spread undeterred through a network.

There is no broad-spectrum therapy that will treat every existing variant of ransomware. However, following basic security best practices including implementing security awareness programs, backing up data regularly, and applying least privilege access, can minimize an organization’s exposure to becoming a casualty of ransomware.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...