Ransomware seems to be everywhere at the moment. From small beginnings, ransomware has grown in popularity with malware writers as a way to extort money from victims.
Each attack can cost between £400 and £2000 to be fixed, while the risk to those that write this malware is negligible. For example, the team behind Cryptowall received over $18 million from people desperate to unlock their files during 2015 according to research published by the FBI.
In order to work, ransomware relies on people not being prepared. So what steps should you take to stop your IT assets from being attacked?
Plugging the gaps – vulnerabilities and exploits
Ransomware relies on faults within software in order to get into someone’s PC. The most common routes in are through email or web browser activity. For these attacks to succeed, there have to be vulnerabilities in the software being used. The most common targets are widely used software products like Microsoft Office. For example, the Locky strain of ransomware uses macro support in Word documents to download the malware component of the attack.
Malware can also be delivered via exploit kits, which attack vulnerabilities that have not been fixed. Weak points in browsers like Internet Explorer and plug-ins like Adobe Flash are commonly targeted, and most of these issues already have known fixes available for them. However, some attacks can target issues with no update available – Flash in particular has been vulnerable to this.
The solution to these problems is to patch software vulnerabilities as soon as possible, particularly where Remote Code Execution issues are discovered. Microsoft and Adobe publish their patches every month, while other major software companies like Oracle provide patches once a quarter. For tools like Flash that have been hit by zero-day attacks, uninstalling may be the best approach to retain security if those tools are not required for business usage.
With so many patches coming through all the time, it’s important to prioritise, since deployment requires time and resources. For example, many updates may need to be tested first, especially if they might have an impact on other software or services that you can’t risk breaking if a patch doesn’t work as described. This takes time; however, malware attacks are now being developed sooner than ever after vulnerabilities are announced. About ten years ago, this “vulnerability gap” was estimated to be around 60 days; today, it’s around two days.
This shrinking window for plugging vulnerabilities means that you should consider how to leverage automation around patch deployment, as well as prioritising which patches to focus on first. For companies with distributed infrastructure across data centres and cloud platforms or employees using laptops, making use of cloud-based security tools can help ensure both continuous monitoring across all endpoints and also that all necessary updates are getting deployed.
Ransomware attacks delivered by different exploit kits all target the same known vulnerabilities on the endpoint. While the exploits themselves change quite frequently in order to evade desktop security defences like anti-virus and anti-malware (some kits use a different exploit each time, thousands of times per day), those exploits still target the same vulnerability.
Organisations that prioritise patching of vulnerabilities with live exploits available and in active use will have the best proactive defence against ransomware. Patching helps dramatically lower their overall risk posture with the least IT impact; fixing just one vulnerability across user machines can prevent all known and future strains of a ransomware family.
All this relies on having an accurate real-time view of IT assets including hardware, software, vulnerability posture, and any other IT services used. Without this, it can be very difficult to know what is in place and how up-to-date these assets are. Putting together an inventory for IT is essential, while keeping it up to date is just as important.
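One way to turn the prioritisation rule above into something a patch team can run against its inventory, as an added example that is not from the original article or from Qualys: rank vulnerabilities by whether a live exploit is in active use, then by whether a public exploit exists, then by RCE, and weight each by how many inventoried endpoints carry the affected product. The vulnerability ids, product names and hostnames are constructed placeholders, not real CVEs or systems.

```python
"""Added example: rank patches the way the text recommends -- live exploits
in active use first, then public exploits, then RCE, weighted by how many
endpoints in the inventory are exposed. All ids and hosts are constructed."""
from collections import Counter

# Constructed vulnerability feed (ids are placeholders, not real CVEs).
VULNS = {
    "VULN-1": {"product": "Flash", "rce": True, "exploit_public": True, "in_active_use": True},
    "VULN-2": {"product": "Office", "rce": True, "exploit_public": True, "in_active_use": False},
    "VULN-3": {"product": "Java", "rce": False, "exploit_public": False, "in_active_use": False},
    "VULN-4": {"product": "Browser", "rce": True, "exploit_public": False, "in_active_use": False},
}

# Constructed endpoint inventory: hostname -> installed products.
INVENTORY = {
    "laptop-01": ["Office", "Flash", "Browser"],
    "laptop-02": ["Office", "Browser"],
    "desktop-01": ["Office", "Java"],
    "kiosk-01": ["Flash"],
}

def exposure(inventory):
    """Count how many endpoints carry each product."""
    return Counter(p for products in inventory.values() for p in products)

def priority(vuln, counts):
    """Sort key: actively exploited, then public exploit, then RCE, then the
    number of endpoints affected. A larger tuple means fix it sooner."""
    return (vuln["in_active_use"], vuln["exploit_public"], vuln["rce"],
            counts[vuln["product"]])

def patch_order(vulns, inventory):
    """Return vulnerability ids in the order they should be patched."""
    counts = exposure(inventory)
    return sorted(vulns, key=lambda v: priority(vulns[v], counts), reverse=True)

def endpoints_fixed(vuln_id, vulns, inventory):
    """Hosts that stop being exposed once this single vulnerability is patched."""
    product = vulns[vuln_id]["product"]
    return sorted(h for h, ps in inventory.items() if product in ps)

if __name__ == "__main__":
    for v in patch_order(VULNS, INVENTORY):
        print(v, VULNS[v]["product"], endpoints_fixed(v, VULNS, INVENTORY))
```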
Knowing who is who
One way to prevent the spread of ransomware is simply knowing how it spreads within a company. If a user with admin rights gets hit by an attack, then the malware can spread to other IT assets and connected drives. This can affect far more people than if one machine gets infected.
To stop this potential attack, it’s worth knowing and managing who has elevated access rights and privileges when it comes to IT. In the past, some applications could only run if the user held an Administrator account, but this is not the case for the vast majority of apps today.
If users require privileged access, then this should be documented and agreed beforehand. It may be the case that these rights are only needed occasionally rather than all the time, so they can be granted when they are required. After carrying out tasks, access can be downgraded too.
This rule also applies to IT staff who support other users. IT administrators often have access to employees’ PCs and other devices for support. This access can be managed so that a ransomware attack is contained. If any IT asset does get compromised through one account, it should be simple to quarantine it without affecting too much of the rest of the business.
Don’t skimp on data protection
Backup may be the simplest way to limit the impact from a ransomware attack. Having several copies of critical data – including copies that are held offsite and secure – can mean that no ransom will have to be paid since the files can be found elsewhere and restored as needed. While some time might be required to reset IT devices and copy files, this could be a less costly option. However, many companies still don’t have this approach in place before it’s too late.
Backup of files should be simple and inexpensive – using a cloud service with low cost storage to host data can be completed in a few clicks, for example. Where more regular and automated backups are necessary, then cloud services can be put in place to save data as files are changed. Data can also be copied to multiple places – using two different sites or a second company site and a cloud service are both common approaches.
However, it’s important to understand that backups can themselves be hit by ransomware. Look for backup systems that do not use shared network drives to make backup copies of user machines, as some strains of ransomware seek to encrypt shared network drives first, allowing them to target critical file servers and backup servers. Copying a “bad” file back from a backup means that the data it contains is still encrypted. It’s therefore important to test backups periodically to check that files are still available and secure. It’s also possible to automate checking the hashes of critical files as another way to ensure that data remains in a “known good” state.
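The automated hash check mentioned above, as an added example that is not from the original article or from Qualys: record SHA-256 hashes of critical files in a manifest taken while they are known good, then verify a backup or restored copy against that manifest so a backup that silently captured encrypted files is caught before it is relied on. The files and directory are constructed in a temporary location; the manifest itself should be stored away from the backup path.

```python
"""Added example: build a known-good hash manifest for critical files and
verify a backup tree against it. Sample files are constructed in a temp dir."""
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify(root, manifest):
    """Compare a backup tree against a known-good manifest.
    Returns the relative paths that are missing or whose content changed."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"missing": missing, "modified": modified}

def demo():
    """Constructed scenario: take a baseline, then one file is overwritten
    (standing in for ransomware output) and another is lost before backup."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("a.txt", b"ledger"), ("b.txt", b"contracts"), ("c.txt", b"payroll")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(root)  # store this off the backup path
        with open(os.path.join(root, "b.txt"), "wb") as f:
            f.write(b"\x00\xffgarbage")
        os.remove(os.path.join(root, "c.txt"))
        return verify(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```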
Ransomware and probability
Like most human endeavours, our ability to think about and manage risk can be critical to our long-term success. For many, risk around IT is often underestimated.
However, the sheer volume of new ransomware attacks underscores the importance of preparation to reduce the risk of an attack being successful. The steps required to prevent ransomware are simply good IT hygiene – patch regularly, keep an eye on accounts, take backups – so there is no excuse not to put them into practice. For IT teams that have ever had trouble ensuring that their policies are implemented and followed, cloud-based security tools can help ensure that cost is not an argument against implementing better processes.
Ransomware has developed into an international market worth millions to malware creators. New malware attacks are now supported by live support and more efficient customer experience designs.
However, it’s not rocket science to stop these attacks where possible and reduce the damage when one does take place; instead, it’s just a question of helping people do their jobs more effectively.
Chris Carlson, VP, Product Management, Cloud Agent Platform, Qualys