[BreachExchange] Ransomware on the rise: how to prevent an attack

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 31 21:22:06 EDT 2017


http://www.itsecurityguru.org/2017/07/27/ransomware-rise-prevent-attack/

If the last few months have taught us anything, it’s that enterprises
clearly need to take a long hard look at the cyber security they have in
place.  One thing is clear – cyber threats now present a bigger risk to
organisations than ever before.  Considering the huge growth in the number
of new ransomware families (an increase of 752% since 2015), online
extortion has become a major issue and one that businesses must address.

When it comes to measuring up the countries worst hit by ransomware, the UK
does not appear to be faring well.  According to a recent report by
Malwarebytes, 54% of UK companies have been hit by a ransomware attack
compared to 47% of US companies.  It is a common misconception that hackers
are only targeting financial institutions, but this year’s attacks on UK
parliament and health trusts highlight the reality of the situation – no
business or organisation is safe.

It is becoming increasingly easy for hackers to disrupt business operations
and extort money with the availability of open source ransomware and
ransomware as a service (RaaS).  Organisations are rightly concerned about
the loss of productivity over anything else. It is estimated that it takes
33 man hours (on average) to fix the problem, with the financial impact
potentially much larger than the demanded ransom.

In addition, companies are increasingly concerned about data protection
legislation and the potential for significant fines from governing bodies,
as well as damage to reputation, resulting from data loss. This comes
sharply into focus now with the EU General Data Protection Regulation
coming into force from May 2018.

So what is Ransomware?

In short, it is a type of malicious software that attempts to obtain money
from a computer user or organisation by infecting systems and blocking
access. This is typically done through encryption of the files and
documents on the victim’s machine, then demanding a sum of money to provide
the keys to decrypt the files.

There are a number of ways a hacker can initiate an attack, with the most
common being a phishing email. This is where the victim is tricked into
clicking on a link, or opening an attachment in what appears to be a
legitimate email message.  The malicious software is then covertly
installed on a computer, without the knowledge or intention of the user.  It
can then either stay dormant or spread without user interaction, depending
on the type of attack, until it receives a command from the hackers’ systems
to encrypt the files or lock the computer.  As soon as the data is
encrypted, the user receives the ransom notification and the clock starts
ticking.

Once your data is locked you face a difficult choice, whether to pay or not
to pay. If you pay, will you really receive the key to decrypt and get your
data back?  You are dealing with criminals after all!

How can you prevent an attack?

Unfortunately, there is no silver bullet.  Cyber criminals are constantly
innovating and every cyber-attack is constructed using well-defined phases,
which are completed sequentially.  Rendering a cyber-attack unsuccessful is
all about blocking one or more of these stages.

You therefore need to look at a layered approach to protection. This means:

- Securing your entry points.
- Filtering web traffic and blocking malicious sites.
- Blocking users from websites to which they should have no access.
- Blocking macros and ActiveX, and not allowing external content to run
inside office applications.
- Scanning all emails and attachments for phishing.
- Educating your employees to increase their awareness of phishing
techniques and general vigilance.
- Ensuring USB devices are scanned, or even restricted in some areas, with
autoplay disabled at the very least.
- Locking down users’ own (BYOD) devices on secured networks separate from
production systems.
- Deploying ransomware behavioural tools and scanning your network traffic.

With this layered approach, research has shown that most ransomware attacks
can be stopped at the gateway level, through email and URL blocking. The
last line of defence is endpoint anti-ransomware behavioural monitoring,
designed to proactively detect and block ransomware execution.  However,
you want to stop this at the gateway and so ensure that your intrusion
prevention, email and web scanning solutions are suitably robust to protect
your edge networks.
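The endpoint behavioural monitoring described above works by spotting the file activity pattern of mass encryption rather than a known signature. As an added illustration (not from the original article or any product it mentions), the following detector runs over a constructed set of file events and alerts on a process that modifies many distinct files in a short window and renames them to a new extension; a constructed backup process that writes many files without changing extensions is left alone, showing why both conditions are combined. The event format, process names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath

WINDOW_SECONDS = 10.0    # sliding window of activity examined per process
MIN_FILES = 8            # distinct files written or renamed inside the window
MIN_EXT_CHANGES = 4      # renames that swap the extension (e.g. .docx -> .locked)

# Constructed sample events: (timestamp_s, process, op, src_path, dst_path or None).
# "svchosts.exe" is a made-up look-alike name standing in for an encryptor.
SAMPLE_EVENTS = [
    (0.0, "winword.exe", "write", "/share/finance/q2.docx", None),
    (0.5, "winword.exe", "write", "/share/finance/q2.docx", None),
    (2.0, "excel.exe", "write", "/share/finance/budget.xlsx", None),
] + [
    (3.0 + i * 0.2, "svchosts.exe", "rename",
     f"/share/finance/doc{i}.docx", f"/share/finance/doc{i}.docx.locked")
    for i in range(12)
] + [
    # A legitimate bulk writer: many files, but no extension changes.
    (20.0 + i * 0.1, "backup.exe", "write", f"/share/finance/doc{i}.docx", None)
    for i in range(10)
]


def changes_extension(src, dst):
    """True when a rename leaves the file with a different suffix."""
    return dst is not None and PurePosixPath(src).suffix != PurePosixPath(dst).suffix


def detect_ransomware_behaviour(events, window=WINDOW_SECONDS,
                                min_files=MIN_FILES, min_ext_changes=MIN_EXT_CHANGES):
    """Return one alert per process whose recent file activity looks like mass encryption."""
    recent = defaultdict(deque)   # process -> deque of (ts, src, dst) inside the window
    alerted, alerts = set(), []
    for ts, proc, op, src, dst in sorted(events, key=lambda e: e[0]):
        if op not in ("write", "rename"):
            continue
        q = recent[proc]
        q.append((ts, src, dst))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        files = {s for _, s, _ in q}
        ext_changes = sum(1 for _, s, d in q if changes_extension(s, d))
        if proc not in alerted and len(files) >= min_files and ext_changes >= min_ext_changes:
            alerted.add(proc)
            alerts.append({"process": proc, "first_seen": q[0][0],
                           "files": len(files), "ext_changes": ext_changes})
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware_behaviour(SAMPLE_EVENTS):
        print("ALERT", alert)
```

In production the alert would feed a response action such as suspending the process and isolating the host, and the thresholds would be tuned against a baseline of normal bulk-file tools to keep false positives down.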

Ultimately, you need to improve your security posture, and research and
follow best practices for the technology and solutions you already have in
place.  Where possible, look to complement these with new and improved
technology and services.

But what if it still gets through?

Even with all these tools and techniques in place sophisticated malware can
still get through your defences.  Cyber criminals are evasive and clever
and find new weak points all the time.  If the ransomware gets in, it will
begin infecting disks and mapped network shares.  You therefore need plans
in place to contain and respond to an infection and ultimately restore your
data.  Paying the ransom should not be an option.

Backups are key to protecting your data.  However, for a lot of
organisations, restoring the previous night’s backup to recover from a
ransomware incident is simply not acceptable, due to the data loss and
downtime incurred.  Organisations may leverage snapshots, be they storage
based or at the virtual machine level, to provide more granular restore
capabilities.  But these too will likely mean accepting several hours’
worth of data loss.  This may also not be palatable to some companies, and
thus we need to go further in terms of our restore capabilities.  We need
to look at journaling technologies to be able to quickly roll systems back
to a specific point in time, minutes or even seconds before the infection.

Once recovered, it is key that you conduct root cause analysis to help
prevent reoccurrence.  There are always lessons to be learned and weak
points can then be highlighted and addressed accordingly.  After the issue
is resolved, the question should always be why did this happen?  Management
will want to see a plan detailing how you will stop this in future.

Vigilance is key

Organisations and their employees need to be educated to be vigilant to
avoid losing data and money.  You need to be implementing a multi-layered
approach to cyber security, implementing solutions that utilise behavioural
monitoring and machine learning whilst protecting your gateways, networks,
servers and endpoints to help prevent ransomware infections.  There is no
silver bullet; you need to employ a layered approach – defence in depth.

Prevent, contain and respond – you need plans in place for each. It is time
to beef up your defence and recover options against the ever-increasing
threat of ransomware.