[BreachExchange] Why companies shouldn’t feel helpless in the fight against ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 31 19:09:43 EST 2017


https://www.helpnetsecurity.com/2017/01/31/fight-ransomware/

According to recent reports, ransomware is now a billion-dollar business
for cybercriminals. Attackers are homing in on the weak spots of
organisations: human behaviour, exploited through social engineering, and
ineffective cyber protection techniques based on static analysis. They’ll
lure individuals to open phishing emails, or simply wait for users to click
on a compromised website before executing malware that alters data and
corrupts or deletes back-ups.

Certainly, these figures point to the fact that cybercriminals have tapped
into a lucrative form of attack and ransomware has become one of the more
prolific means of targeting organisations. From our own findings, nearly
half of all businesses reported that they had been attacked by ransomware
in the past year, with 81% of companies indicating that they’ve suffered
from three or more attacks. Ransomware, it would appear, is ramping up.

Given the prevalence of ransomware attacks and the impact they can have, it
is perhaps not surprising that organisations now express a sense of
powerlessness and are prepared to accept that cyber criminals are ahead of
the game. In fact, a third of all organisations now report that they feel
helpless in the face of these attacks.

Is this the new reality? Should users feel they’ve been left ‘high and dry’
when it comes to protecting themselves against different variants of
ransomware or is there hope that they can arm themselves and avoid the
operational and financial fall-out that a ransomware attack leaves in its
trail?

Are we resigned to ransomware attacks?

For the victims of ransomware that have had their data and, in effect,
their business held hostage, there can be serious repercussions with
businesses grinding to a halt or forced to put emergency contingency plans
into action. Organisations may suffer the loss of irreplaceable data or the
financial consequences of downtime compounded by the man hours and human
resources which need to be dedicated to decrypting data or restoring it
from backups.

In November, hackers infected and took over more than 2,000 computers used
to operate San Francisco’s public transport system. This resulted in the
Municipal Transportation Agency (MTA) opening its gates and allowing
passengers to travel for free. Ransomware attacks can even put the safety
of individuals at risk, as seen when an attack on the Hollywood
Presbyterian Medical Centre in the US took systems offline for a week and
caused massive disruption to its healthcare systems. In the UK, an attack
on the computer network at Northern Lincolnshire and Goole NHS Trust in
October encrypted a number of the Trust’s servers resulting in the
cancellation of operations and appointments.

It seems there is also a direct impact for security teams in the aftermath
of an attack with not only the reputation of the organisation damaged, but
jobs being put at stake. In our research, nearly a quarter of organisations
which experienced an attack reported that the buck stops squarely with the
Head of Security and that a senior member of security staff had lost their
job in the wake of an attack.

Perhaps, unlike other forms of cyber attack, the very nature of a
ransomware attack can make organisations feel resigned to the fact that the
cyber criminals are winning. Loss of data, revenue, downtime and the
‘human’ impact can be devastating. However, in spite of organisations’
sense of powerlessness, should they feel that the fight against ransomware
is futile? Is ransomware, in any way, less preventable than other forms of
malware?

Fight ransomware

The fact that so many organisations are being attacked, multiple times,
does point to the fact that traditional, signature-based detection methods,
which look at the identifiable characteristics of malware – such as the
servers it’s communicating with – are not adequate to protect against
ransomware.

Examining the characteristics of ransomware, however, we can see that it’s
actually not so different from other forms of malware. What’s different is
the payload and the after effect that this has on a company.

In common with other viruses, ransomware is designed to hide itself from
detection, through encryption or evasion techniques such as wrappers –
which protect executable files – enabling malware to bypass every security
mechanism. Signature-based methods will not identify malware that has been
modified or obfuscated. Nor can they detect malware which has been designed
to recognise when it’s in a virtualised environment, a technique used by
the Cryptowall ransomware. Attackers can quickly adapt and create more
variations on a theme that will render these static techniques redundant.

We must look for different ways of protecting against threats and detecting
new malware variants. Approaches which analyse the malware’s behaviour and
determine a threat’s next action based on attack patterns, techniques and
crowd-sourced threat intelligence, will remove this blind spot in malware
detection and protection. Focussing on the malware’s behaviour means that
we’re not reliant on static indicators that can be easily changed.
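
The contrast drawn above, as an added example that is not part of the
original article: an exact-hash signature misses a sample after a one-byte
change, while a behavioural rule still flags the process that rewrites many
files into high-entropy data. The thresholds, process names, paths and
sample bytes are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_match(sample: bytes, known_bad: set) -> bool:
    """Static check: exact SHA-256 lookup, defeated by changing any byte."""
    return hashlib.sha256(sample).hexdigest() in known_bad

def behaviour_alerts(events, window=10.0, min_files=5, min_entropy=7.0, min_jump=2.0):
    """Flag processes that turn many low-entropy files into high-entropy ones
    within `window` seconds. events: (ts, process, path, before, after), time-ordered."""
    recent = defaultdict(list)   # process -> [(ts, path)] of suspicious rewrites
    alerted = []
    for ts, proc, path, before, after in events:
        after_e = entropy(after)
        if after_e < min_entropy or after_e - entropy(before) < min_jump:
            continue             # ordinary save: content still looks like a document
        recent[proc] = [(t, p) for t, p in recent[proc] if ts - t <= window] + [(ts, path)]
        if len({p for _, p in recent[proc]}) >= min_files and proc not in alerted:
            alerted.append(proc)
    return alerted

def fake_ciphertext(seed: int, blocks: int = 64) -> bytes:
    """Constructed stand-in for encrypted file content (hash output, ~7.9 bits/byte)."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))

# Constructed sample data: placeholder bytes, not real malware or real telemetry.
ORIGINAL = b"constructed-sample-build-1"
REPACKED = ORIGINAL + b"\x00"            # same behaviour, one byte different on disk
KNOWN_BAD = {hashlib.sha256(ORIGINAL).hexdigest()}
DOC = b"Quarterly report draft, figures to follow. " * 50

EVENTS = [(0.5, "editor.exe", "C:/docs/notes.txt", DOC, DOC + b"One more line. ")]
EVENTS += [(1.0 + i, "unknown.exe", f"C:/docs/file{i}.docx", DOC, fake_ciphertext(i))
           for i in range(6)]
EVENTS += [(8.0, "archiver.exe", "C:/docs/backup.zip", b"", fake_ciphertext(99))]
EVENTS.sort(key=lambda e: e[0])

if __name__ == "__main__":
    print("signature hit on original:", signature_match(ORIGINAL, KNOWN_BAD))
    print("signature hit on repacked:", signature_match(REPACKED, KNOWN_BAD))
    print("behaviour alerts:", behaviour_alerts(EVENTS))
```

The single high-entropy write by archiver.exe stays below the file-count
threshold, which is what keeps ordinary compression from raising an alert.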

Ransomware may be on the rise, but there are approaches that can help
organisations in the fight back against this stealthy and burgeoning
threat. Cybercriminals are developing new techniques, but innovative
approaches that can discover and stop this new breed of threats mean the
fight is far from lost.