Security Experts:

To Defend Against Ransomware, Remember Health is Wealth

Ransomware Targets Businesses

Ralph Waldo Emerson said, “The first wealth is health.” With ransomware dominating the malware market, it’s important to keep this in mind. Your high-value digital assets and systems are increasingly the target of adversaries launching ever-more malicious ransomware campaigns. Without healthy security practices, you risk significant disruption, damage, and costs.  

There are dozens of ransomware variants, many language-specific, and all of them resilient. Although it is not a new threat, ransomware has reached a new level of effectiveness with cryptographically sound file encryption and has evolved to become the most profitable malware type in history. In the first half of 2016, ransomware campaigns targeting both individual and enterprise users became more widespread and potent. Estimates put these attacks on pace to reach $1 billion this year.

Given its success, we’ll likely experience more destructive ransomware that is able to spread by itself without relying on an unwitting target to click on an email or be exposed to malvertising. Some threat actors are now using network and server-side vulnerabilities to self-propagate. These new vectors provide an opportunity for attackers to quietly carry out ransomware campaigns that could potentially affect entire industries.

One widespread campaign that appeared to target the healthcare industry earlier this year employed the Samas/Samsam/MSIL.B/C (“SamSam”) ransomware variant, which was distributed through compromised servers. The threat actors used the servers to move laterally through the network and compromise additional machines, which were then held for ransom. Adversaries used JexBoss, an open-source tool for testing and exploiting JBoss application servers, to gain a foothold in organizations’ networks. Once they had access to the network, they proceeded to encrypt multiple Microsoft Windows systems using the SamSam ransomware family. In many respects, the SamSam attack was inevitable because many organizations were operating JBoss servers with unpatched vulnerabilities, despite the fact that they had been informed to take the servers offline and upgrade them immediately. 

Data integrity is another new concern when it comes to ransomware. While it may seem that paying the ransom is the easiest (and only) thing to do, this requires that targets “trust” that their attackers will follow through if the ransom is paid. But in a ransomware situation files may not be able to be decrypted, may have been tampered with, and could even be lost or deleted, as demonstrated by a recent variant called Ranscam. Depending on the type of files, for example medical records, the fallout could be dire. 

Backing up critical data and confirming that those backups are not susceptible to compromise and can be restored quickly is an effective way to negate the threat of ransom. There’s no need to worry about data integrity and “trusting” attackers if you have current backups that are off-site and well-protected from compromise.

At the same time, it’s clear that vulnerabilities sit at the intersection of increasingly faster changes in technology, and organizations’ ability to keep pace with that change and limit threat vector opportunities. If defenders can close the window of opportunity for attackers by accelerating their time to secure, they reduce the threat. 

Good hygiene goes a long way to preventing and mitigating ransomware attacks. Being more proactive about patching vulnerable Internet infrastructure and systems reduces the opportunities for attackers to launch a ransomware campaign against your organization. If defenders leave vulnerabilities open and unpatched, attackers use them as a stepping-stone to launch their campaigns. Other security hygiene measures like better password management (putting a stop to shared passwords and “overprivileged” accounts), can also make infections much more difficult. 

Software-defined segmentation can also stop or slow the lateral movement of self-propagating threats as well as contain them. By enabling companies to segment their network from the user and device level all the way back to the server, it dramatically curtails the ability of attackers to move about the network, limiting the spread of destructive ransomware and helping to keep critical assets safe. 

The wave of ransomware will likely become more pervasive, particularly for organizations that don’t focus on their health. But with good security hygiene and a few basic measures you’ll be able to more effectively block, contain, and negate the impact of ransomware.

view counter
Ashley Arbuckle, Cisco’s VP of Security Services, is responsible for the oversight and global delivery of the Cisco portfolio of Advisory, Implementation, and Managed Services, bringing a pragmatic approach to helping Cisco’s clients solve their most complex security challenges. Arbuckle started his career in security consulting at PwC working with Fortune 500 customers. After PwC he joined PepsiCo where he led enterprise security and the strategic planning process for PepsiCo’s IT budget of over $2 billion. He has a BBA in MIS and Accounting from the Rawls College of Business at Texas Tech University, is a CPA, and holds a CISSP and CISM.