The ransomware plague: Protecting your organisation from attacks

In late April, the FBI released a warning about the ransomware crisis, alerting organisations that they should take proper measures to protect themselves from this increasingly common cyberattack. Businesses of all sizes, across all industries, are falling victim to ransomware attacks -- a form of malware that encrypts valuable data and demands a ransom to release it. Aside from losing money in ransoms paid, organisations are losing valuable data, assets, intellectual property, and productivity as a result of the ransomware boom. Once a breach happens, brands also risk a loss in public trust, and rebuilding your reputation could take just as much or more of an effort as recovering lost files.

While ransomware attacks are not new -- or traditionally very sophisticated -- there has been an explosive rise in frequency over the past year. High-profile attacks against Hollywood Presbyterian Hospital and MedStar in the USA are just a couple of examples, but large healthcare organisations are not the only targets.

Where does the risk lie?

Outside of major healthcare organisations, recent ransomware attacks have targeted school districts, state and local governments, law enforcement agencies, and small and large businesses. Because ransomware has proven to be a profitable form of attack, hackers are becoming bolder in who they target and the ransoms they demand (the Hollywood Presbyterian Medical Center paid a $17,000 [£12,000] ransom). Additionally, while ransomware has been around for several years, the advent of Bitcoin has made it more appealing to attackers, as their payments can’t be tracked.

The risks won’t remain just on on-premises endpoints. Organisations should expect these attacks to evolve to include breaches of cloud and third-party APIs. A recent case already gave a foretaste of this threat: an employee was infected by malware that encrypted not only his local files but also those stored in a cloud service, because he had mapped the cloud drive as a local disk. Researchers at Cisco Talos reported earlier this year that the future holds self-propagating ransomware, or 'cryptoworms', which could potentially target enterprise network vulnerabilities, compromising anything from backups to messaging servers in order to demand the highest ransom possible.

Another source of concern is that ransomware has quickly turned into a real industry with the recent explosion of the ransomware-as-a-service model, where anyone can pay a small fee in exchange for on-demand customised versions of malware code. This enables many more potential hackers to attack, including people with low technical skills, whereas in the past such attacks would have required more advanced knowledge.

How ransomware works

There is also an evolution in the attacks themselves, which are now more sophisticated. While in the past attackers relied mostly on large-scale phishing campaigns using generic emails, recent attacks have shown a rise in more advanced techniques. One of the most successful examples of this is spear-phishing. Spear-phishing attacks use tailored and personalised emails that appear to come from an individual or business you know, and sometimes also leverage cloud storage services to host the malicious code, which the victim downloads by clicking on the link provided in the email. While they require some extra information about the potential target and are not built to scale, they have shown a very high percentage of 'success' so far, luring even high-level execs.

Preventing attacks

Ransomware attacks continue to grow in complexity, and are becoming harder for current security systems to detect. To avoid an attack, certain planning and solutions should be in place to mitigate risk and damages. Here are six key things to review today:

Offline backup

The easiest step an organisation can take to avoid the damage caused by malware is to back up all data regularly. The recent example of the Locky ransomware, which encrypts not only your local files but also any network shares, highlights how dangerous it would be to rely solely on online backup. Using backup in a cloud service may also work as long as you have enabled versioning for your files, which provides a way to undo the encryption by restoring the previous version. A strong backup policy will ensure that data can be recovered should an attack take place.

Update software

Bad actors often target outdated systems that are more vulnerable to attacks. An easy fix is to apply updates and patches promptly when they are released, to protect your system from a breach. This won't protect you against zero-day vulnerabilities but will reduce the attack surface, since most sophisticated attacks require a lot of preparation.

Educate users

The old adage of investing time to educate users holds true. Many ransomware attacks rely on email attachments and links in spear phishing emails. Organisations should take time to ensure all users -- from the ground floor to the executive suite -- know how to recognise a potentially risky email message and flag it to the proper team member when it’s received.

Embrace an adaptive security model

Intelligent, coordinated systems that can predict, prevent, detect, and respond to attacks are necessary in this new era of ransomware. A recent report revealed an average organisation experiences 5,732 suspicious activities monthly. An adaptive security model will help to zero in on suspicious behaviours and pinpoint true threats.

Limit the number of privileged accounts

Most spear phishing attacks rely on spreading the email inside the company, hoping one of the employees will fall for it and become infected. The more access the victim has, the more files the malware is able to encrypt. By limiting the number of people who have admin access, you are reducing the attack surface and containing the damage in case of infection.

Limit asset access to what is needed

Ransomware's encryption mechanism relies on the ability to modify files. If you make sure to give write access to files only when necessary while sharing them, you also reduce the number of files at risk.
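
One way to measure the exposure described above, as an added example that is not part of the original article: a Python audit that walks a share and lists every regular file whose POSIX mode bits grant write access beyond the owner. The sample tree, file names and modes are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_write_exposure(root):
    """Return (relative path, who) for each regular file writable beyond its owner."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets and device nodes
            who = []
            if st.st_mode & stat.S_IWGRP:
                who.append("group")
            if st.st_mode & stat.S_IWOTH:
                who.append("other")
            if who:
                findings.append((os.path.relpath(path, root), "+".join(who)))
    return sorted(findings)

def build_sample_share(root):
    """Create a constructed sample tree; returns the number of files made."""
    sample = {
        "finance/ledger.xlsx": 0o664,       # group-writable
        "finance/archive-2015.zip": 0o444,  # read-only for everyone
        "public/handbook.pdf": 0o644,       # owner-writable only
        "public/scratch.txt": 0o666,        # writable by anyone
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    return len(sample)

def demo():
    with tempfile.TemporaryDirectory() as root:
        total = build_sample_share(root)
        return total, audit_write_exposure(root)

if __name__ == "__main__":
    total, findings = demo()
    print(f"{len(findings)} of {total} files are writable beyond their owner")
    for path, who in findings:
        print(f"  {path}: {who}")
```

The audit reads mode bits only; ACLs and write permission on the containing directory, which also lets a process replace files, need a separate check.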

Should you pay the ransom?

Once your organisation is infected with ransomware, getting your files back without paying the ransom is a challenge if the proper backups are not in place. However, organisations should be as prepared as possible to defend themselves and avoid getting into a situation where paying seems like the only way out. While the fee may seem nominal (many attackers demand £200-350), if you pay once, it’s highly likely you will be an ongoing target for an attack. What’s more, if you’re hit again, the ransom could be even higher.

Paying the ransom doesn’t solve the problem, so organisation leaders should be on constant alert, analysing the ongoing traffic inside the organisation for any suspicious activity. In addition, organisations should have a contingency plan ready for the business-critical data. If organisations do happen to get infected, having a plan in place can help them avoid being held hostage by the hackers or giving in to their demands, and recover as soon as possible.

David Melamed, Sr. Research Engineer, CloudLock CyberLab
