SecurityWeek: Malware & Threats

To Defend Against Ransomware, Remember Health is Wealth

Ransomware Targets Businesses

Ralph Waldo Emerson said, “The first wealth is health.” With ransomware dominating the malware market, it’s important to keep this in mind. Your high-value digital assets and systems are increasingly the target of adversaries launching ever-more malicious ransomware campaigns. Without healthy security practices, you risk significant disruption, damage, and costs.  

There are dozens of ransomware variants, many language-specific, and all of them resilient. Although it is not a new threat, ransomware has reached a new level of effectiveness with cryptographically sound file encryption and has evolved to become the most profitable malware type in history. In the first half of 2016, ransomware campaigns targeting both individual and enterprise users became more widespread and potent. Estimates put these attacks on pace to reach $1 billion this year.

Given its success, we’ll likely experience more destructive ransomware that is able to spread by itself without relying on an unwitting target to click on an email or be exposed to malvertising. Some threat actors are now using network and server-side vulnerabilities to self-propagate. These new vectors provide an opportunity for attackers to quietly carry out ransomware campaigns that could potentially affect entire industries.

One widespread campaign that appeared to target the healthcare industry earlier this year employed the Samas/Samsam/MSIL.B/C (“SamSam”) ransomware variant, which was distributed through compromised servers. The threat actors used the servers to move laterally through the network and compromise additional machines, which were then held for ransom. Adversaries used JexBoss, an open-source tool for testing and exploiting JBoss application servers, to gain a foothold in organizations’ networks. Once they had access to the network, they proceeded to encrypt multiple Microsoft Windows systems using the SamSam ransomware family. In many respects, the SamSam attack was inevitable because many organizations were operating JBoss servers with unpatched vulnerabilities, despite having been advised to take the servers offline and upgrade them immediately.

Data integrity is another new concern when it comes to ransomware. While paying the ransom may seem the easiest (and only) option, it requires victims to “trust” that their attackers will follow through once paid. In practice, files may prove impossible to decrypt, may have been tampered with, or may even be lost or deleted, as the recent Ranscam variant demonstrated. Depending on the type of files involved, medical records for example, the fallout could be dire.

Backing up critical data and confirming that those backups are not susceptible to compromise and can be restored quickly is an effective way to negate the threat of ransom. There’s no need to worry about data integrity and “trusting” attackers if you have current backups that are off-site and well-protected from compromise.
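The restore check described above, as an added example that is not part of the original article: a small Python script that records a hash manifest when a backup is taken (to be kept with the off-site copy), then performs a test restore into a scratch directory and reports any file that is missing or whose content no longer matches. The backup layout, file names and the three scenarios are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    # Whole-file read keeps the example short; stream in chunks for large backups.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def write_manifest(backup_dir: Path, manifest_path: Path) -> dict:
    """Hash every file when the backup is taken; store the manifest with the
    off-site copy, out of reach of an attacker on the production network."""
    manifest = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_restore(backup_dir: Path, manifest_path: Path) -> tuple[bool, list[str]]:
    """Restore into a scratch directory and compare each file with the manifest,
    so an encrypted, tampered or deleted file is found now, not mid-incident."""
    expected = json.loads(manifest_path.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup_dir, restored)  # stand-in for the real restore step
        for rel, digest in expected.items():
            target = restored / rel
            if not target.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(target) != digest:
                problems.append(f"modified: {rel}")
    return (not problems, problems)

def sample_check(scenario: str = "clean") -> tuple[bool, list[str]]:
    """Constructed sample (not from the article): two record files, with a
    change applied after the manifest: 'clean', 'encrypted' or 'deleted'."""
    with tempfile.TemporaryDirectory() as tmp:
        records = Path(tmp) / "backup" / "records"
        records.mkdir(parents=True)
        (records / "patient-001.txt").write_text("constructed record 1\n")
        (records / "patient-002.txt").write_text("constructed record 2\n")
        manifest = Path(tmp) / "manifest.json"
        write_manifest(records.parent, manifest)
        if scenario == "encrypted":
            (records / "patient-001.txt").write_bytes(b"\x00ciphertext")
        elif scenario == "deleted":
            (records / "patient-002.txt").unlink()
        return verify_restore(records.parent, manifest)
```

Running `sample_check("encrypted")` returns `(False, ["modified: records/patient-001.txt"])`; the same check run on a schedule against the real off-site copy turns "we have backups" into "we have verified we can restore".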

At the same time, it’s clear that vulnerabilities arise at the intersection of ever-faster technological change and organizations’ ability to keep pace with that change and limit the opportunities it creates for attackers. If defenders can close the window of opportunity by accelerating their time to secure, they reduce the threat.

Good hygiene goes a long way toward preventing and mitigating ransomware attacks. Being more proactive about patching vulnerable Internet-facing infrastructure and systems reduces the opportunities for attackers to launch a ransomware campaign against your organization. If defenders leave vulnerabilities open and unpatched, attackers use them as a stepping-stone to launch their campaigns. Other security hygiene measures, such as better password management (putting a stop to shared passwords and “overprivileged” accounts), can also make infections much more difficult.

Software-defined segmentation can also stop or slow the lateral movement of self-propagating threats and contain them. Segmenting the network from the user and device level all the way back to the server dramatically curtails attackers’ ability to move about the network, limiting the spread of destructive ransomware and helping to keep critical assets safe.

The wave of ransomware will likely become more pervasive, particularly for organizations that don’t focus on their health. But with good security hygiene and a few basic measures you’ll be able to more effectively block, contain, and negate the impact of ransomware.
