When the CryptoLocker Trojan appeared in September 2013, it set off the wave of file-encrypting ransomware that the Internet is still fighting. From those simple beginnings, ransomware has mutated into many different forms, and it is not always easy to catch them all.
“There are now well over one hundred different strains, and the end is nowhere in sight,” says Stu Sjouwerman, founder and CEO of KnowBe4.
The sheer number of variants shows ransomware's appeal: aspiring cybercriminals, big and small, are muscling their way onto the scene with increasingly sophisticated tooling.
“It is only a matter of time before one of these guys gets smart and starts analyzing the files on disk or file server to see which are recent and/or shared, or sit in a directory that indicates high value like accounting, design, or software development,” Sjouwerman predicts.
To date, traditional signature-based security products have struggled against ransomware, because new variants are repacked and redistributed faster than signatures can be written for them. And the problem is getting worse: the bad actors have a great deal to gain and very little to lose.
Igor Baikalov, chief scientist at Securonix, explains ransomware's allure this way: "...the barriers to entry are low, the payoffs are high, operations are scalable, and risk is negligible compared to the physical hold-up in a dark alley.”
Meanwhile, ransomware continues to evolve and competition amongst the criminals is fierce — and it spans the globe.
“These mostly Eastern European cyber mafias are investing a lot of money in ‘new feature’ development such as new strains that function as a worm, strains that obtain admin privileges, a strain that adds a DDoS bot to the machine, and others that literally pull some encrypted files off the victim machine up into their control and command server — this brings us into data breach territory,” Sjouwerman says.
Criminals are moving quickly. The industry must move faster to combat these threats, experts say.
“Within the year, we will see fully-automated ransomware targeting all machines on a company’s network, using multiple methods of attack and delivering multiple types of payloads,” Sjouwerman says.
Here's how to build a defense-in-depth strategy to help you prepare for a ransomware attack — with the goal of not having to pay the ransom.
Securing The Network
Firewalls and other perimeter controls will not stop every threat, but they still matter for employees working on corporate-provisioned desktops inside the office, where all of their traffic passes through the corporate firewall.
“Make sure your web gateway employs next-gen and frequently updated security layers,” Sjouwerman suggests, adding, “make sure your firewall configuration is set to ensure no criminal network traffic is allowed out.”
“Continually watch for outbound command-and-control traffic destined for known bad hosts,” says Chris Whidden, Solution Engineer at eSentire. He recommends also setting rules to prevent "unknown binaries from being downloaded from the Internet.”
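The two checks Whidden describes, outbound traffic to known-bad hosts and unknown binaries coming in from the Internet, can be run over an existing web-proxy or firewall log rather than bought as a product. The script below is an added example written for this page; it is not code from the article or from eSentire or KnowBe4. The log format, the blocklisted hostnames, the sample log lines and the IP addresses are all constructed for the demonstration, and it goes one step beyond the quote by also flagging beaconing (repeated connections to one host at near-constant intervals), a common sign of command-and-control traffic to a host that is not yet on any blocklist.

```python
"""Triage outbound web-proxy log lines for ransomware delivery and C2 indicators.

Added example for this page, not code from the article or any vendor quoted in it.
The log format, blocklist and sample lines are constructed; a real deployment would
read the proxy's own export and a threat-intelligence feed instead.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed blocklist of "known bad" C2 hosts (hypothetical names).
KNOWN_BAD_HOSTS = {"update-checker.example.net", "cdn-static-7a.example.org"}

# Content types a proxy reports for Windows executables, plus risky URL extensions.
BINARY_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                "application/x-dosexec"}
BINARY_EXTS = (".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".ps1", ".hta", ".jar")

# Constructed log format: "<epoch> <src_ip> <method> <url> <status> <content-type> <bytes>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<ctype>\S+) (?P<bytes>\d+)$"
)

# Constructed sample: one workstation fetches a blocklisted CDN host, another downloads
# a double-extension "invoice" and then checks in with a C2 gate every 60 seconds.
SAMPLE_LOG = """\
1700000000 10.0.0.12 GET http://news.example.com/index.html 200 text/html 5120
1700000005 10.0.0.12 GET http://cdn-static-7a.example.org/img/logo.png 200 image/png 2048
1700000010 10.0.0.15 GET http://files.example.com/invoice_2016.pdf.exe 200 application/x-msdownload 311296
1700000060 10.0.0.15 POST http://update-checker.example.net/gate.php 200 text/plain 64
1700000120 10.0.0.15 POST http://update-checker.example.net/gate.php 200 text/plain 64
1700000180 10.0.0.15 POST http://update-checker.example.net/gate.php 200 text/plain 64
1700000240 10.0.0.15 POST http://update-checker.example.net/gate.php 200 text/plain 64
1700000300 10.0.0.15 POST http://update-checker.example.net/gate.php 200 text/plain 64
1700000360 10.0.0.15 POST http://update-checker.example.net/gate.php 200 text/plain 64
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    parsed = urlparse(rec["url"])
    rec["host"] = parsed.hostname or ""
    rec["path"] = parsed.path.lower()
    return rec


def triage(lines, blocklist=KNOWN_BAD_HOSTS, beacon_min=6, jitter=0.2):
    """Return a list of (src_ip, reason, host) findings for the given log lines."""
    findings = []
    by_pair = defaultdict(list)  # (src, host) -> connection timestamps
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        by_pair[(rec["src"], rec["host"])].append(rec["ts"])
        if rec["host"] in blocklist:
            findings.append((rec["src"], "known-bad-host", rec["host"]))
        # A successful response labelled as an executable, or a URL with an executable
        # extension, is an "unknown binary downloaded from the Internet".
        if rec["status"] == "200" and (rec["ctype"].lower() in BINARY_TYPES
                                       or rec["path"].endswith(BINARY_EXTS)):
            findings.append((rec["src"], "binary-download", rec["host"]))
    # Beaconing: at least beacon_min connections whose gaps all sit within
    # +/- jitter of the mean gap. Legitimate clients rarely tick this regularly.
    for (src, host), stamps in by_pair.items():
        if len(stamps) < beacon_min:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            findings.append((src, "beaconing", host))
    return findings


if __name__ == "__main__":
    for src, reason, host in triage(SAMPLE_LOG.splitlines()):
        print(f"{src:12} {reason:16} {host}")
```

Each "known-bad-host" hit is reported individually so that an analyst can see the check-in cadence; in a production feed you would deduplicate per source and host and hand the result to the firewall or proxy as a block rule.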
Email & Browser Protection
Email clients and web browsers are the two applications most often used to deliver and trigger the ransomware payload. Getting a handle on that traffic, to block phishing, spear-phishing, and malicious (or compromised) websites, is paramount when dealing with this threat.
“Scan ALL attachments — particularly zip files and documents — for the latest malware variants,” recommends eSentire's Whidden.
“If you have no secure email gateway, get one now and make sure it provides URL filtering,” Sjouwerman says. “Do more than open it up and install it - make sure it is tuned correctly to handle this threat.”
Endpoints: Block & Tackle
As with any malware, effective defense against ransomware requires up-to-date, real-time malware detection/prevention tools coupled with fast-acting remediation capabilities. Don’t ditch your anti-virus software just yet — but don’t rely on virus-scanners as your sole means of protection, either.
“As a starting point, make sure all of your endpoints are patched religiously — including the operating system and your third-party apps,” Sjouwerman says.
“Look for anomalous behavior on the endpoint, such as spikes in file access and CPU utilization,” eSentire's Whidden notes. “These could be signs of the encryption process in action.”
Behavioral analytics and anomaly detection can help in cases where multiple systems may be infected. They can detect things such as unauthorized processes and abnormally high disk writes or file changes, for instance, says Securonix's Baikalov. “If you can identify the so-called exploit kits — aka, the delivery vehicles for ransom-, ad-, and other kinds of malware — then you can prevent a whole lot of malware being delivered to your computer, including ransomware,” he says.
If a machine does become infected, Sjouwerman recommends that companies “wipe the machine and re-image from bare metal.”
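The endpoint signal Whidden and Baikalov describe, a sudden spike in file writes and changes from one process, is simple enough to detect with a sliding window over file-audit events. The code below is an added example written for this page, not code from the article or from eSentire or Securonix. The event format, process names, paths and thresholds are constructed; a real deployment would take events from the EDR agent or the operating system's file-audit facility, and the allowlist exists because legitimate bulk writers (a backup agent, an indexer) would otherwise trip the same rule.

```python
"""Flag processes whose file-modification rate looks like bulk encryption.

Added example for this page, not code from the article or any vendor quoted in it.
Event tuples are (epoch_seconds, process_name, operation, path); the sample data,
process names and thresholds below are constructed for the demonstration.
"""
from collections import defaultdict, deque


def build_sample_events():
    """Construct a mixed event stream: normal editing, a backup job, and an encryptor."""
    events = []
    # Normal user activity: a word processor saves a handful of files over ten minutes.
    for i in range(6):
        events.append((1000 + i * 100, "winword.exe", "write",
                       f"C:/Users/ann/Documents/report{i}.docx"))
    # Nightly backup agent writes 300 files in about six seconds (legitimate bulk writer).
    for i in range(300):
        events.append((2000 + i // 50, "backup-agent.exe", "write",
                       f"D:/Backups/set1/file{i}.bak"))
    # Ransomware-like behaviour: an unknown binary rewrites and renames 200 user
    # documents in about five seconds. The process name is a constructed lookalike.
    for i in range(200):
        events.append((3000 + i // 40, "svch0st.exe", "write",
                       f"C:/Users/ann/Documents/doc{i}.xlsx"))
        events.append((3000 + i // 40, "svch0st.exe", "rename",
                       f"C:/Users/ann/Documents/doc{i}.xlsx.locked"))
    return events


def detect_bursts(events, window=10, threshold=50, allowlist=frozenset()):
    """Return {process: (burst_start_ts, distinct_files)} for each process that
    modifies or renames more than `threshold` distinct files within any
    `window`-second span. A process is reported once, at the moment it crosses
    the threshold, so the caller can act (kill, isolate) immediately.
    """
    recent = defaultdict(deque)  # process -> deque of (ts, path) inside the window
    alerts = {}
    for ts, proc, op, path in sorted(events):
        if op not in ("write", "rename") or proc in allowlist or proc in alerts:
            continue
        q = recent[proc]
        q.append((ts, path))
        # Evict events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > threshold:
            alerts[proc] = (q[0][0], len(distinct))
    return alerts


if __name__ == "__main__":
    events = build_sample_events()
    for proc, (start, count) in detect_bursts(
            events, allowlist=frozenset({"backup-agent.exe"})).items():
        print(f"ALERT {proc}: {count} files changed in a window starting at t={start}")
```

Counting distinct paths rather than raw operations keeps a process that rewrites one log file thousands of times from looking like an encryptor, while an encryptor that touches every document once still trips the rule within seconds.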
User Awareness Training
Phishing has become the #1 malware infection vector, and attacks find their way past existing (or missing) filters all too often, so effective security awareness training for employees and other users is a must, and that training should include simulated phishing attacks. Repeat it until they “get it.”
“Now’s the time to deploy new-school security awareness training, which includes social engineering via multiple channels, not just email," Sjouwerman says.
“Train your users to be suspicious of all attachments and links in external and internal emails by encouraging the simple practice of hovering over a link [prior to clicking it] to confirm whether its actual destination is legitimate,” adds Whidden.
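The hover check Whidden recommends compares what a link says with where it actually goes, and the same comparison can be automated for mail passing through a gateway or for training material. The code below is an added example written for this page, not code from the article or from eSentire or KnowBe4. The sample message and all of its domain names and the IP address are constructed, and the registrable-domain logic is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
"""Find links in an HTML e-mail whose visible text points somewhere other than the href.

Added example for this page, not code from the article or any vendor quoted in it.
The sample message is constructed; its domains and IP address are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: a lookalike login link, a raw-IP download, and one honest link.
SAMPLE_EMAIL = """
<p>Your invoice is ready. Please sign in:
<a href="https://login.example-bank.com.evil.example.net/verify">https://login.example-bank.com</a></p>
<p>Or <a href="http://203.0.113.7/dl/invoice.zip">click here</a> to download it.</p>
<p>Questions? Visit <a href="https://support.example-bank.com/help">support.example-bank.com</a>.</p>
"""

# Visible text that itself looks like a URL or bare domain, e.g. "https://x.example.com".
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (approximation; no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL or bare domain as it appears in link text."""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def suspicious_links(html):
    """Return (href, text, reason) for links a hovering user would find misleading."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        href_host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() not in ("http", "https"):
            findings.append((href, text, "non-web-scheme"))
            continue
        # Visible text that looks like a URL must land on the same registrable domain.
        if URL_LIKE.fullmatch(text):
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                findings.append((href, text, "display-domain-mismatch"))
        # A raw IP address as the destination is rarely legitimate in business mail.
        if href_host.replace(".", "").isdigit():
            findings.append((href, text, "ip-address-host"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason:24} text={text!r} href={href}")
```

The first sample link is the classic trick the hover habit defeats: the text reads as the bank's login page, while the href's registrable domain is the attacker's. The honest third link produces no finding.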
Backup & Recovery
Thus far, criminals are primarily using ransomware to hold data hostage rather than to steal it (although, as Sjouwerman notes above, some strains have started pulling files back to their servers), and they have largely confined it to desktop and notebook computers and servers.
This could change down the road, however (imagine having to pay a ransom to unlock your Tesla). For now, organizations need to focus on backing up their critical business data so they can quickly and fully recover from a ransomware attack without paying a ransom.
“Data integrity and availability are two of the tenets of information security and, like malware protection, don’t need any special treatment for ransomware,” Baikalov says. He suggests the following:
- Schedule backups to no-overwrite media
- Make sure backups are located on segregated network storage, preferably offsite
- Have dedicated backup operator credentials – don’t share or otherwise reuse those credentials for other purposes, and surely don’t reuse the passwords with other accounts
- Audit the integrity of those backups regularly
- Maintain proper access management for these backups
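Baikalov's list comes down to one question a defender must be able to answer after an incident: are the backups still what we wrote? The code below is an added example written for this page, not code from the article or from Securonix. It records a manifest of SHA-256 digests for a backup set, protects the manifest with an HMAC whose key is held by the auditor rather than stored on the backup host (an assumption of this example), and on each audit reports files that were modified, removed or added, which is exactly the footprint ransomware leaves when it reaches a backup share. All paths and file contents are constructed in a temporary directory.

```python
"""Create and verify a keyed integrity manifest for a backup set.

Added example for this page, not code from the article or any vendor quoted in it.
The backup files are constructed in a temporary directory; the HMAC key is a
placeholder that in practice would live with the auditor, not on the backup host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backup images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its digest and size."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": file_digest(full), "size": os.path.getsize(full)}
    return entries


def sign_manifest(entries, key):
    """Attach an HMAC so the manifest cannot be silently rewritten to match tampered files."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(root, signed, key):
    """Audit the backup set against its signed manifest."""
    body = json.dumps(signed["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        return {"manifest_tampered": True}
    current = build_manifest(root)
    recorded = signed["entries"]
    return {
        "manifest_tampered": False,
        "modified": sorted(p for p in recorded
                           if p in current and current[p]["sha256"] != recorded[p]["sha256"]),
        "missing": sorted(p for p in recorded if p not in current),
        "unexpected": sorted(p for p in current if p not in recorded),
    }


def demo():
    """Write a small backup set, audit it clean, then audit it after a simulated attack."""
    key = b"constructed-auditor-key"  # placeholder; keep the real key off the backup host
    with tempfile.TemporaryDirectory() as root:
        sample = {"ledger.csv": b"2016-01,1000\n", "payroll.xlsx": b"PK\x03\x04fake",
                  "notes.txt": b"hello"}
        for name, data in sample.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)
        # Simulated ransomware on the share: one file encrypted in place, one renamed
        # with a new extension, and a ransom note dropped alongside.
        with open(os.path.join(root, "ledger.csv"), "wb") as f:
            f.write(b"\xde\xad" * 16)
        os.rename(os.path.join(root, "notes.txt"), os.path.join(root, "notes.txt.locked"))
        with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "wb") as f:
            f.write(b"pay us")
        after = verify_backup(root, signed, key)
        # An attacker who rewrites the manifest to match the damaged files still fails,
        # because the MAC was computed over the original entries with a key they lack.
        forged = {"entries": build_manifest(root), "mac": signed["mac"]}
        return clean, after, verify_backup(root, forged, key)


if __name__ == "__main__":
    for label, result in zip(("clean", "after attack", "forged manifest"), demo()):
        print(f"{label}: {result}")
```

The manifest and key belong with the "segregated" and "dedicated credentials" items above: if the auditor's key and manifest sit on the same share as the backups, an attacker who encrypts the backups can simply re-sign a new manifest.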
“Create, maintain, and regularly test a cyber-incident response plan that includes ransomware scenarios,” Whidden says.
Business Processes and Policy
Sometimes the weaknesses in a defense have nothing to do with the people or the technology: they lie in how business processes are defined and how risk is mitigated (or ignored), especially where senior executives are concerned.
“Identify users that handle critical business information and enforce some form of higher-trust authentication, such as two-factor authentication,” KnowBe4's Sjouwerman suggests. “Review your internal security policies and procedures, specifically related to financial transactions, as a means to prevent CEO fraud.”
Note: imsmartin would like to thank Chris Whidden, Solution Engineer at eSentire, Stu Sjouwerman, founder and CEO of KnowBe4, and Igor Baikalov, Chief Scientist at Securonix, for their contributions to this slideshow.