Although the year isn’t over yet, it is safe to say that 2017 has already earned the dubious distinction as “The Year of Ransomware.” Over the past year, ransomware incidents have increased more than 700 percent; associated business losses in 2016 are pegged at $1billion. Mobile ransomware alone has grown 250 percent in the first few months of 2017. Total ransomware costs for 2017 are forecast to exceed $5 billion.
Nobody but the data hijackers themselves are happy to see these statistics, but even big numbers don’t ring bells like the knock-out punch that was WannaCry, the malware scourge of mid-May. So far, upwards of 300,000 machines in at least 150 countries have been impacted. Hospitals, universities, airlines, trains, telecoms, postal agencies, logistics companies, media outfits, and many more from the U.S. and Europe to Russia and Asia were forced to pay up, suffer data loss, or shut down operations for recovery processes. While the direct ransoms paid have remained relatively low and a kill switch was identified that allowed security researchers to sinkhole the primary malware within days, the indirect costs have been very high and new variants have already begun to pop up. Related attacks could continue indefinitely or until cyber criminals move on to a more lucrative scheme.
On a more promising note, the WannaCry attack and sharp rise in ransomware have sounded the alarm about pervasive endpoint security issues. Despite longstanding, oft-repeated warnings from security experts, there are far too many organizations failing to follow-through with baseline security practices that mitigate the risk of falling prey to WannaCry-type attacks.
Outdated and unpatched
Extensive research from Bitsight found that just two months before WannaCry, almost 20 percent of computers they examined (in 35,000 companies around the world representing a wide variety of industries) were running versions of Windows no longer supported by Microsoft (e.g., Vista and XP). The research also identified widespread failure to update operating systems, browsers, and other high-risk applications, leaving known vulnerabilities unpatched.
Under-investment in upgraded infrastructure leaves individual organizations many times more vulnerable to endpoint threats than those that consistently patch, update, and replace legacy hardware and software. Likewise, investment in only solutions that focus on relatively rare risks like zero-day attacks or point solutions that don’t provide comprehensive coverage along the prevention-detection spectrum can provide a false sense of security. When baseline security measures, which often require more consistent and continuous intervention, are neglected, misguided priorities can leave gaping holes for hackers to waltz through. WannaCry is a perfect example of the consequences.
The Land of Lost Machines
Another phenomenon that creates security gaps on network endpoints is the forgotten machine. Unlisted, unused systems are often totally unprotected. They aren’t being monitored or patched regularly, and may even be invisible to network admins. But guess what, they aren’t invisible to hackers. Even inexperienced cybercriminals can search for and identify these machines, then leverage them move in and out of networked systems with ease. Malware can remain on these machines for extended periods of time before being detected.
Resistance is Not Futile
We can only hope the WannaCry epidemic was alarming and widespread enough to drive a trend toward better endpoint security practices. Following is a short list of practical first steps on the road to ransomware resistance.
Continuous patch hygiene: Patch, patch, patch. And patch again next month. Act quickly to update operating systems, browsers, and other applications to cover announced vulnerabilities. Ensure that anti-virus solutions are comprehensively updated and applied. Wherever possible, upgrade unsupported systems, especially those using popular software like Microsoft.
Consistent asset management: Inventory ALL endpoints. Scan the network for unused or hidden machines and disconnect them or bring them into fold of monitoring and patching. Regularly inspect networks for improperly maintained assets and blacklisted applications. Assess your network from an outside perspective, as an attacker would, and figure out which endpoints are most targetable.
Access privilege controls: In the BYOD era, the emphasis on work-from-anywhere convenience has led to bit of a free-for-all. Tighter controls and stricter policy enforcement go a long way. Start by limiting user privileges, especially at the admin level. Access to confidential databases, especially those containing PII/PHI and intellectual property, should be closely managed. The ability to acquire and install software and services should be similarly controlled with application visibility and control solutions, including automated whitelisting and blacklisting.
Back up and disaster recovery: WannaCry victims without sufficient backup and recovery systems are kicking themselves right about now. Indeed, backup and recovery is often the most effective response ransomware-induced disruption. Unrecoverable data loss can be devastating to digital businesses. Backups save data, and comprehensive disaster recovery solutions prevent downtime, outages, and productivity loss. Identify your most critical and valuable data assets and make sure they are frequently backed up in a separate, secure environment that can be quickly brought back online.
Employee awareness: As cyber security defenses become more varied and sophisticated, one type of vulnerability remains constant —user error and negligence. Social engineering schemes like phishing, pretexting, scareware, spoofing, and new scams like pyramid-scheme ransomware leverage human gullibility, carelessness, and panic to drive a wedge into corporate defenses. Poor cyber hygiene like weak passwords, unauthorized workarounds, and insecure mobile apps also introduce vulnerabilities. Short but frequent security awareness training modules have been proven to reinforce policy and foster an enterprise-wide culture of security and accountability.
Ransomware attacks will continue to become more sophisticated and effective as the year goes on. It is now imperative that organizations prepare their networks and devices for the next ransomware attack. WannaCry put a harsh spotlight on the weaknesses endemic to far too many critical systems, and the fallout makes it clear that the consequences are unacceptable. To protect your customers, partners, intellectual property, make sure all your endpoints are defended from multiple angles: inventory, patch, monitor, remediate, and back up. Don’t let the data hijackers back you into a corner.
Simo Kamppari, CEO of Promisec
Image Credit: Carlos Amarillo / Shutterstock