
Addressing Ransomware With a Particular Set of Skills

It’s 1996 and Mel Gibson is refusing to pay ransom to his son’s abductor. His response: “I will get the best group of man hunters in this country and dedicate my life to tracking you down.” While it’s true that life doesn’t always happen as it does in the movies, especially when it comes to ransomware in the business world, we can draw some parallels.

Much has been said about ransomware and other malware attacking organizations. According to the Cisco 2017 Annual Cybersecurity Report, ransomware is growing at the rate of 350% per year. If you are in a hospital in a life-threatening situation, immediate access to patient information is critical, and not far from what Mel was facing. But you need to have proper governance applied to the accounts that hold that access, to protect sensitive data from being held hostage. Here’s how that happens.

Becoming a victim of ransomware unfortunately is easier than you think – it only takes one person to click on the wrong email or open the wrong attachment as phishing remains the #1 cyberattack vector for criminals. Of course, there are other ways to be compromised. Any “backdoor” in the form of a dormant account or permission could be leveraged to penetrate your network. If someone is targeting your organization, chances are they may already be in. What you can do is help prevent them from taking your important data hostage.

Once a worm makes its way into your file system, it initiates a series of events with the goal to encrypt your files. With this access unknowingly (or maybe knowingly) made available by a user, thousands or millions of business-critical files are now rendered inaccessible. This is where the ability to monitor user access can help identify suspicious activity before it’s too late. By monitoring user access to file systems, you would see many events of the type ‘rename’ and ‘move’ as the files are accessed and altered by the ransomware.

In the latest release of IdentityIQ File Access Manager, SailPoint’s identity governance for files solution, a new alert framework provides notifications when these types of attacks are initiated. The system can identify a pattern of events that are initiated by one or more users and are targeting any data source you have. The alert is triggered when a configurable threshold of events is met, so you don’t have to jump every time a user is moving files. You can also exclude certain users or authorized ‘bots’ who perform regular system backups.

A variety of alert rules can be configured to identify specific types of activities as the following examples demonstrate:

  1. Single Activity Alert: Anytime a user deletes a file that has been categorized as GDPR data, except for users from the Legal Dept
  2. Threshold Alert: When more than 500 ‘rename’ events are detected in less than 5 minutes on our ‘/Customer_Data’ folder on the NetApp server
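To make the two rule types concrete, here is a small detection routine written for this post as an added example; it is not File Access Manager code and does not reproduce how SailPoint’s alert framework is implemented. It assumes a stream of file-access events with a user, department, action, path and classification tags, and it models the threshold rule as a sliding time window over one folder that fires once per burst and skips excluded accounts. The event data is constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class FileEvent:
    """One file-system access event (constructed schema, not a product format)."""
    ts: datetime
    user: str
    dept: str
    action: str                 # e.g. 'read', 'rename', 'move', 'delete'
    path: str
    categories: frozenset = frozenset()   # classification tags on the file, e.g. {"GDPR"}


def single_activity_alerts(events: Iterable[FileEvent], action: str = "delete",
                           category: str = "GDPR",
                           exempt_depts: frozenset = frozenset({"Legal"})) -> List[FileEvent]:
    """Rule 1: every deletion of a file tagged with `category`, unless the actor's
    department is exempt. Each matching event is its own alert."""
    return [e for e in events
            if e.action == action and category in e.categories and e.dept not in exempt_depts]


def threshold_alerts(events: Iterable[FileEvent], action: str = "rename",
                     folder: str = "/Customer_Data", threshold: int = 500,
                     window: timedelta = timedelta(minutes=5),
                     excluded_users: frozenset = frozenset()) -> List[Dict]:
    """Rule 2: more than `threshold` matching events inside any `window` on `folder`,
    counted across all users so a burst spread over several accounts still trips it.
    The window is cleared after firing so one burst yields one alert."""
    prefix = folder.rstrip("/") + "/"
    recent: deque = deque()      # matching events inside the current window, oldest first
    alerts: List[Dict] = []
    for e in sorted(events, key=lambda x: x.ts):   # events from different users interleave
        if e.action != action or e.user in excluded_users or not e.path.startswith(prefix):
            continue
        while recent and e.ts - recent[0].ts >= window:   # keep strictly less than `window`
            recent.popleft()
        recent.append(e)
        if len(recent) > threshold:
            alerts.append({
                "ts": e.ts, "folder": folder, "count": len(recent),
                "span": e.ts - recent[0].ts,
                "users": sorted({x.user for x in recent}),
            })
            recent.clear()
    return alerts


def constructed_sample() -> List[FileEvent]:
    """Constructed activity: one authorised backup bot, one mass-renaming account,
    one user doing routine tidying, and a few deletions of tagged files."""
    t0 = datetime(2017, 6, 1, 2, 0, 0)
    ev: List[FileEvent] = []
    # Authorised backup job: 600 renames in two minutes; excluded by the caller.
    ev += [FileEvent(t0 + timedelta(seconds=0.2 * i), "svc_backup", "IT", "rename",
                     f"/Customer_Data/acct_{i}.xlsx") for i in range(600)]
    # Burst from one account: 520 renames in about 2.6 minutes, well inside the window.
    ev += [FileEvent(t0 + timedelta(minutes=10, seconds=0.3 * i), "jdoe", "Sales", "rename",
                     f"/Customer_Data/q2/report_{i}.docx") for i in range(520)]
    # Routine tidying: 50 renames spread over an hour, never near the threshold.
    ev += [FileEvent(t0 + timedelta(minutes=20, seconds=72 * i), "asmith", "Finance", "rename",
                     f"/Customer_Data/archive/f_{i}.pdf") for i in range(50)]
    # Deletions: one GDPR-tagged file by Marketing (alert), one by Legal (exempt),
    # and one untagged file (no rule applies).
    ev.append(FileEvent(t0, "bob", "Marketing", "delete", "/HR/employees.csv", frozenset({"GDPR"})))
    ev.append(FileEvent(t0, "carol", "Legal", "delete", "/HR/retention_expired.csv", frozenset({"GDPR"})))
    ev.append(FileEvent(t0, "bob", "Marketing", "delete", "/Marketing/banner.png"))
    return ev


if __name__ == "__main__":
    events = constructed_sample()
    for e in single_activity_alerts(events):
        print(f"single-activity alert: {e.user} ({e.dept}) deleted GDPR file {e.path}")
    for a in threshold_alerts(events, excluded_users=frozenset({"svc_backup"})):
        print(f"threshold alert on {a['folder']}: {a['count']} renames in {a['span']} by {a['users']}")
```

Running it yields one single-activity alert (bob, Marketing) and one threshold alert (jdoe, 501 renames in 150 seconds); removing the `svc_backup` exclusion produces a second threshold alert for the backup job, which is exactly the false positive the exclusion list exists to suppress.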

Notifications kick off an automatic email to the designated Data Owner of the particular data set. Other messaging, syslog or custom scripting options are available, so you can view the alert in your SOC tooling of choice or even revoke the user account within an identity governance system such as SailPoint IdentityIQ.

Going back to the movies, Liam Neeson probably had the right idea in his “Taken” movie: “If you are looking for ransom, I can tell you I don’t have money, but what I do have are a very particular set of skills,” and now we know what those skills are.
