Ransomware is recognised as one of the main threats to digital business today. It’s fast-becoming the most financially rewarding malware for cyber criminals, leading to the proliferation of attacks across industries. In recent years, this type of attack has been successful where poor security practices were set in place to patch and prevent malware from infecting and spreading. Without a backup and recovery system in place, organisations and individuals have been forced to pay up in order to have their files restored.
Globally, 49 per cent of businesses reported at least one cyber attack in 2016, of which 39 per cent was a ransomware attack. The US alone reported a 300 per cent rise in ransomware attacks from 2015 to 2016. The high-profile WannaCry and Nyetya ransomware reflected a shift towards these attacks being used to cause mass disruption against a range of different industries. This trend can also be attributed to the growth of Ransomware-as-a-Service (RaaS) in the first half of 2017*, where cyber criminals pay the operators of RaaS platforms to launch the attacks. What’s interesting is that ransomware is increasingly accessible to cyber criminals, even for those without programming skills.
The main reason behind the success of ransomware is that organisations are largely unprepared for an attack. The WannaCry ransomware outbreak was able to spread fast with its unexpected worm-like self-propagation capabilities leveraging outdated and unsupported hardware and software of many organisations’ network infrastructure and end points, which did not have adequate countermeasures and updates in place.
Ransomware attacks undoubtedly signal a critical need for improvements to cyber security, irrespective of industry or organisation size. Simply certifying that an organisation’s firewall, anti-malware, and similar protective measures are up to date is not always enough to protect it from today’s malicious threats. The key goal is to prevent the malware from succeeding in being a business disruptor. The term ‘kill-chain’ is often used to describe the way that attackers discover, infect, “go live” and start to extract or encrypt data from targets, so disrupting this at any stage will reduce the impact of a ransomware attack.
The following framework can be used as part of an organisation’s defence strategy against ransomware.
1. Predict: Threat intelligence services help to level the playing field against such exploits by enabling organisations to stay updated on threats to their business, allowing security professionals to proactively block security holes and take action to prevent data loss or system failures.
2. Protect: Identity and Access Management tools are essential in identifying enterprise device and computing assets, while Network Access Control tools ensure that devices are compliant with the IT security policies before allowing access to the network. These solutions can also determine what patches have been applied and if the user is vulnerable to the latest threats. All endpoints used by the enterprise should have adequate protection with next-generation endpoint security that relies not only on signatures, but also streaming-based techniques to prevent successful exploitation of vulnerabilities across all operating systems. Implementation of Next-Generation Firewalls adds an additional layer of anti-malware scanning for known bad files, while linking to cloud-based sandboxing detects unknown and new malware. Email security solutions will also block threats and inbound phishing mails from suspicious domains as well as remove spam. Applying web and domain name security can effectively prevent the download of ransomware payloads after clicking on a malicious link. Finally, educating users on how to identify phishing emails and not to click on suspicious links is also vital to reducing the possibility of a successful malware download on to a device.
3. Detect: In case malware has already infiltrated an enterprise’s endpoints or network, technologies should be in place to detect anomalies in the enterprise infrastructure. Security analysts should closely monitor the network around the clock to check for indicators of compromise, and evaluate threats using security incident and events management (SIEM) tools. Using AI and machine learning to detect malicious activity such as “command and control” traffic and using that information to update networking equipment will allow rapid isolation of infected networked devices. Active threat hunting activities that can detect malware and ransomware that have infiltrated the network and devices is especially useful to hunt new ransomware that is propagating, but has yet to encrypt files. The use of breach detection technologies such as deception tools and 24/7 threat monitoring services can detect if ransomware is propagating, and trip the technology sensors when ransomware spreads, providing a form of early warning system similar to smoke alarms for buildings.
4. Respond: Businesses must also focus on ensuring business resilience in the event of an attack. First and foremost, an organisation should have a detailed incident response plan which includes ransomware incident scenarios and a dedicated incident response team. And the plan must be tested. Upon detection of ransomware incidents, security analysts should promptly work on blocking malicious communication channels at the firewall or intrusion prevention systems, and quarantine infected machines as soon as possible. Network access control technologies will tag the infected user to quarantine mode and prevent the spread of the malware within the organisation. The use of endpoint security tools to eradicate malware while under quarantine as well as conducting a thorough scan on the rest of the network for traces of the ransomware in other devices is necessary, requiring endpoint forensics tools to provide visibility. Breach detection technology can be quickly deployed in areas after it has been cleaned. These technologies can verify if an area is thoroughly clean of ransomware, and monitor for any new infection.
5. Recover: Backup is the last bastion against a successful ransomware attack. If an enterprise can recover files from a backup, the ransomware creators will not be paid. Therefore, backup plays a critical role in the strategy for fast recovery. The backup system needs to prevent the replication of files maliciously encrypted by ransomware, which can be achieved with dynamic segmentation and inherent security features. Learning from an attack, building security awareness throughout the organisation, determining the areas that require improvement, as well as hardening security technologies to prevent the next possible ransomware occurrence are critical processes that should not be neglected.
As ransomware attacks propagate across industries, the fact is that every enterprise is vulnerable if they do not implement the necessary security measures to counter the evolving threat. By implementing the framework outlined above, businesses will have a fighting chance of disrupting an attack before it can disrupt business operations.
Rory Duncan, head of security Dimension Data UKI
Image source: Shutterstock/Carlos Amarillo