NEW FROM CSX
Ransomware 101—What You Really Need to Know About the Latest Trending Threat
By Ed Cabrera, CISA, CISSP
The Nexus | 14 November 2016
With 79 new variants discovered in the first 6 months of 2016 alone, representing a 172% increase over 2015, ransomware has become the type of attack enterprises need to take notice of and work to protect against.1 The sheer number of ransomware attacks is enough to cause concern, but even more disturbing is the impact inflicted upon victims—to their operations, finances and reputation. Despite the hype surrounding this attack method, many enterprise leaders may be left wondering what the real implications are for their organizations and what can be done to protect themselves.
What Is Ransomware?
In a nutshell, traditional ransomware and crypto-ransomware are types of malware that block users from accessing their computer systems and/or encrypt their data until a ransom is paid. Crypto-ransomware, first seen in 2013, is the nastier and newer type of ransomware; it encrypts certain file types on infected systems, forcing users to pay ransom to get a decryption key and regain control of their files. While traditional ransomware renders a computer useless, crypto-ransomware encrypts critical consumer and enterprise file types.
There has been a major shift in the last few years in the ratio between ransomware and crypto-ransomware attacks. In 2014, 80% of attacks used traditional ransomware, while in 2015, it flipped to 80% crypto-ransomware.2 Another ransomware evolution is the transition of its target: from consumers to enterprises. In 2016 alone, a major portion of the new crypto-ransomware families being detected and blocked are targeting more enterprises than ever before.3
To reach a large number of enterprises, threat actors still rely on spam email. However, they are becoming more adept at targeting human resources (HR) and payroll departments with well-crafted emails carrying relevantly titled attachments. While cybercriminals may not know exactly whom they are emailing, the language is designed to lure enterprise employees into clicking on malicious attachments and/or links. Spam is the preferred entry method, but watering hole attacks, which use compromised web servers to deliver malicious code via exploit kits, are also growing in number. A watering hole attack compromises a web server in the expectation that the site's unsuspecting visitors will be infected.
There are two potential causes for the rise of ransomware attacks: They are easy to execute with the right infrastructure, and hackers are able to monetize their attacks in minutes as opposed to the months required by traditional data breach attacks. The Crime as a Service (CaaS) industry has flourished in the Russian underground in the last 10 years and now Ransomware as a Service (RaaS)4 is the latest criminal enterprise to make an impact. Automation and orchestration by RaaS providers has enabled larger groups of unskilled criminals to enter the marketplace and attack a greater number of victims for huge profits.
How Does Ransomware Affect Organizations?
Ransomware attacks can come in many forms, but 71% of attacks in the first 6 months of 2016 gained system access via attachments in spammed emails.5 Downloads from infected web sites or the use of exploit kits make up a good portion of the remaining attacks. Hackers also compromise legitimate web servers, using exploit kits in watering hole attacks.
If that were not enough, new crypto-ransomware families now have worm-like capabilities that can attempt to penetrate the network and servers of an enterprise. The deeper within an enterprise system the attack is initiated, the greater the potential impact to operations. Valuable data is now scattered in more segments of the IT infrastructure, as well, which makes physical and virtual servers high-value targets.
What Can an Organization Do?
Email is an entryway that needs holistic protection, along with the support of a strong employee education program. Email and web gateway protection serves as the first line of defense in a comprehensive approach to ransomware protection. Endpoints, networks and servers should also be monitored and secured to further protect enterprise systems from ransomware and other significant cyber threats. These protections offer benefits which include:
- Email and web gateway protection blocks ransomware attempts via email before they reach the end user by stripping the malicious attachment or link. Beyond email, ransomware can also access systems when users click on web sites that are, intentionally or not, malicious.
- Endpoint protection catches ransomware before an organization is forced to pay to recover its data. It includes behavior monitoring, which watches for rapid file encryption, and application control, which allows only whitelisted applications to run.
- Network-level protection detects and blocks ransomware that attempts to gain access via methods other than email and web gateways. Monitoring all network ports and protocols, plus sandbox analysis and integration with other security solutions, can help lock in the ransomware at a network level to prevent it from spreading to other endpoints and servers.
- Server protection stops ransomware from gaining server-level access, which is where the most valuable data lives. At this layer, ransomware can target known software vulnerabilities to inject itself. Monitoring for suspicious activity, providing virtual patches for known vulnerabilities, and keeping an eye on lateral movement between servers can all help detect malicious activity and prevent its spread.
As mentioned previously, there are 2 points that deserve particular attention to help protect enterprise data from ransomware.
Employee education can have intangible benefits. Understanding what to look for as spam and knowing not to open attachments or click links from unverified sources can save businesses from falling victim to threats that slip through established safeguards. This is especially important for small and medium-sized businesses that may not have thorough security solutions in place, leaving employees as the primary defense against social engineering ploys.
Behavior monitoring provides further protection by identifying rapid encryption of multiple files and stopping the encryption, preventing the ransomware from spreading further and causing greater damage.
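As an added illustration of the behavior-monitoring idea described above (example code written for this article, not Trend Micro's product logic), the following detector consumes file-write telemetry and flags a process that rewrites at least five distinct files with ciphertext-like, high-entropy content inside a ten-second window. The event stream, process names, paths and thresholds are all constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 8.0 for ciphertext, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class RapidEncryptionDetector:
    """Flags a process rewriting many distinct files with ciphertext-like content in a short window."""
    def __init__(self, window_s=10.0, min_files=5, entropy_bits=7.0):
        self.window_s = window_s          # sliding window length in seconds
        self.min_files = min_files        # distinct files needed to trip the rule
        self.entropy_bits = entropy_bits  # writes below this are treated as benign
        self.recent = defaultdict(deque)  # process -> deque of (timestamp, path)

    def observe(self, ts, process, path, data):
        """Feed one file-write event; return True when this process trips the rule."""
        if shannon_entropy(data) < self.entropy_bits:
            return False                  # compressible content, not encryption
        q = self.recent[process]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                   # age out events older than the window
        return len({p for _, p in q}) >= self.min_files

def flagged_processes(events, **kw):
    det = RapidEncryptionDetector(**kw)
    return {proc for ts, proc, path, data in events if det.observe(ts, proc, path, data)}

# Constructed sample telemetry (not real data): SHA-256 output stands in for ciphertext.
def _cipherlike(seed: str) -> bytes:
    return b"".join(hashlib.sha256(f"{seed}{i}".encode()).digest() for i in range(32))

TEXT = b"Payroll summary Q3: employee, department, gross, net, withholding.\n" * 16
SAMPLE_EVENTS = (
    # backup agent touching six documents: many files, but low-entropy content
    [(t, "backup-agent", f"/srv/docs/report{t}.docx", TEXT) for t in range(6)]
    # archiver writing two compressed files: high entropy, but too few files
    + [(1.0, "archiver", "/home/a/q3.zip", _cipherlike("z1")),
       (1.5, "archiver", "/home/a/q4.zip", _cipherlike("z2"))]
    # unknown process rewriting six files with ciphertext within three seconds
    + [(20 + t * 0.5, "unknown-proc", f"/srv/docs/file{t}.xlsx", _cipherlike(f"c{t}"))
       for t in range(6)]
)
```

Only the process that combines high-entropy writes with many distinct files in the window is flagged; the backup agent and the archiver each fail one of the two conditions, which is what keeps the rule from tripping on routine activity.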
To prevent the damage and loss that ransomware can cause, there are a few important precautions to take. First, avoid opening unverified emails or clicking on embedded links within them. Second, back up files using the 3-2-1 system—create 3 backup copies on 2 different media with 1 backup in a separate location. Last, regularly update software, programs and applications so that known vulnerabilities are patched before they can be exploited.
In a global effort to combat this growing and evolving threat, enterprises of all sizes and in all industries should prepare with both security solutions and employee education to thwart potential attacks before reputational damages and financial losses are felt.
Ed Cabrera, CISA, CISSP, is the chief cyber security officer at Trend Micro and is responsible for analyzing emerging cyberthreats to develop innovative and resilient enterprise risk management strategies for Fortune 500 clients and strategic partners. Previously, he served as the chief information security officer of the US Secret Service, with experience leading information security as well as cyber investigative and protective programs.
1 Trend Micro, “2016 Midyear Security Roundup: The Reign of Ransomware,” 23 August 2016
2 Trend Micro, “Crypto-Ransomware, A Growing Threat to Healthcare,” 18 February 2016
4 Trend Micro, “Ransomware-as-a-Service: Ransomware Operators Find Ways to Bring in Business,” 2 September 2016
5 Op cit., “2016 Midyear Security Roundup: The Reign of Ransomware”