Blackmail is nothing new. The term actually dates back to a time when English settlers living along the Scottish border had to pay local gangs to protect them from Scottish thieves crossing the geographical divide and causing havoc.
Today, the blackmail threat is faceless with plenty of modern day raiders hacking into people’s computers and accounts through the comfort of their desk and then demanding money in return for returning the victim’s data in one piece. Ransomware has now (unfortunately) entered the tech lexicon and become more and more common.
Ransomware is nothing new. According to a recent report published by the German government body for security in IT (BIS), the earliest recordings of ransomware date back to 2010. Like businesses, attackers focus on their ability to scale quickly and efficiently, and ransomware is becoming more sophisticated and increasingly threatens organisations. Symantec published a report in July 2016 stating that between January 2015 and April 2016, around 43 per cent of the victims of ransomware were employees in organisations. The US was the region most affected by ransomware, with 31 per cent of global infections. Italy, Japan, the Netherlands, Germany, the UK, Canada, Belgium, India, and Australia round out the top 10.
The most common way to spread the attack has been through email spam whereby attackers send emails to multiple addresses and try to persuade users to open enticing email attachments. They are camouflaged as invoices, scanned documents or order confirmations and criminals often use real company names and addresses to make it look like exact copies of emails from well-known companies.
Criminals are often successful with ransomware attacks because of the high psychological strain on their victims - the restoration costs might be higher than the amount of money demanded as ransom, so victims end up paying. Of course, payment is no guarantee that the ransomware will restore your files. Why should a criminal recover your data when they already have your money? At the same time, the rise of Bitcoin and cryptocurrencies has made anonymous and fast payments possible, making it very difficult to trace the perpetrators.
BIS writes in the same report that since the middle of September 2015 the threat of ransomware has increased substantially. One type of ransomware alone - CryptoWall - has caused financial damage of around $325m according to the Cyber Threat Alliance. But there are many more variants such as TeslaCrypt, Locky, Padcrypt and TorrentLocker. The ability of companies to recover employees’ work tools affected by ransomware is driven by answers to these questions:
- How fast can you identify an attack? Individuals don’t tend to recognise it immediately but they start to become suspicious when things do not work properly. Often, companies only realise because of various IT support requests for the same problem and by that time it is too late. The good news is that ransomware is ‘noisy’ and tends to make itself known very fast in your user population.
- How quickly can the affected devices be identified? It can often be a challenge if a company is using diverse infrastructures. Endpoint security and device quarantine will be invaluable in finding compromised devices and isolating them from the network.
- How old are the backups? Snapshots and backup-to-disk often run so frequently that there is a danger the latest backup already contains the encrypted files. Ransomware may also strike in the period just after a backup runs, so everything created since then is unprotected.
- Is the IT department familiar with the process to restore data from backups and can it be executed quickly?
Protecting against ransomware
The good news is that there are some effective solutions that can be deployed by companies wishing to prevent ransomware from becoming so destructive. The most important solution is building redundancy around data storage. That’s the only way to really defend companies in depth because ransomware will always target company data. Choosing a cloud provider and moving the company data into the cloud could be a solution for that redundancy.
Ransomware is only effective if you are at risk of losing your files. Obviously if companies have a recent backup of their data then ransomware loses its effectiveness; the damage would be undone by simply restoring those backup copies. But how often should companies make backup copies of their data? At best backup solutions make hourly copies of files, leaving files created in the last hour vulnerable to ransomware. What if they could have constant backups? Cloud file synchronisation products keep a copy of all files in the cloud always ‘up to date’.
Ransomware loses all effectiveness if employees’ files are continually synced to the cloud. Combining cloud file sync with a history function allows companies to ‘turn back time’ to get the files in a clean state before they were infected. In the example of Dropbox, users can use the version history to roll their files back to the version before they were encrypted.
Prevent initial infection
Ransomware announces itself to users and leaves a very obvious signature of activity on an infected system. Anti-virus solutions quickly adapt and can detect and eliminate ransomware. Endpoint security is also still a key piece of the solution to prevent the initial infection vector from entering a company’s system. That’s something that many companies still struggle with - either due to poor or missing endpoint security protection such as anti-virus software or up-to-date patching.
This goes hand in hand with employee education on how to avoid malware in email. Ransomware is only effective if it can get into your systems, and unfortunately user actions are still the most likely way that ransomware will get downloaded into your network.
Limit lateral movement
Companies are often structured in ‘flat’ networks that allow any system to connect to any other system. That means that ransomware can spread easily because every system is able to reach every other system. It’s critical for those companies to have network anti-virus scanning capabilities because they will be able to detect ransomware as it traverses the network so the fast and broad spread can be prevented.
Network isolation will give companies time to single ransomware out and eradicate it from systems without suffering massive data losses. Companies with compartmentalised networks have the advantage that the structure slows down the malware and gives the affected companies more time to respond. IT departments, especially those with a flat network, should also think about appropriate quarantine abilities. If affected systems, which are typically employee computers, are taken offline quickly, they cannot scan for and infect more systems on the network.
Take a data-centric view
Ransomware targets data, making it unique among malware. To defeat ransomware you need to take a data-centric approach to your defences. Ransomware loses its effectiveness if infected files can be rapidly recovered, undoing any damage. Look to constant backup solutions, typically available through cloud services, that keep files constantly in sync and also feature a file roll-back mechanism to recover historic copies of files.
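One way to automate the roll-back step described here and in the Dropbox version-history example earlier, as an added illustration that is neither the article's own nor Dropbox's code: given the retained revisions of a file, pick the newest one written before the first revision that looks encrypted (renamed, or near-random bytes). The revision model, the 7.0 bits-per-byte threshold and the sample history are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Revision:
    rev_id: str
    timestamp: int   # seconds since epoch (assumed revision model)
    name: str        # file name as stored at this revision
    content: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(rev: Revision, original_name: str, threshold: float = 7.0) -> bool:
    """Heuristic: the file was renamed (e.g. an appended extension) or its bytes look random."""
    return rev.name != original_name or shannon_entropy(rev.content) > threshold


def pick_restore_revision(history: List[Revision], original_name: str) -> Optional[Revision]:
    """Return the newest clean revision written before the first encrypted one.

    Returns the latest revision when nothing looks encrypted, and None when even
    the oldest retained revision is already encrypted (history does not reach back far enough).
    """
    last_clean = None
    for rev in sorted(history, key=lambda r: r.timestamp):
        if looks_encrypted(rev, original_name):
            return last_clean
        last_clean = rev
    return last_clean


# Constructed sample history for one file (not real data).
DOC = b"Invoice 2016-07 for consulting services. Total due: 1,200 EUR.\n" * 4
SAMPLE_HISTORY = [
    Revision("r1", 1000, "invoice.docx", DOC),
    Revision("r2", 2000, "invoice.docx", DOC + b"Paid in full.\n"),
    Revision("r3", 3000, "invoice.docx.locked", bytes(range(256))),  # encrypted by ransomware
    Revision("r4", 4000, "invoice.docx.locked", bytes(range(256))),
]

if __name__ == "__main__":
    chosen = pick_restore_revision(SAMPLE_HISTORY, "invoice.docx")
    print("restore", chosen.rev_id if chosen else "no clean revision retained")
```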
It’s important to take a holistic view in combating ransomware. Developing a defence-in-depth approach to protecting users against malware in general will go a long way towards eliminating the threat of ransomware. Strong endpoint protection, network isolation and building an ability to quarantine outbreaks will allow you to react to and contain any ransomware outbreak.
Taking a data-centric (rather than device-centric) approach will get your business data back online and your employees productive again.
Mark Crosbie, Head of Trust & Security EMEA at Dropbox
Image Credit: Christiaan Colen / Flickr