Ransomware is a very destructive type of malware that makes critical systems and sensitive information inaccessible until a ransom is paid. The ransom is typically demanded in bitcoin, with a 72-hour window to pay before the key is deleted and the data is irreversibly lost.
Some variants have started deleting data before the 72 hours are up, making the crisis even more time sensitive. The impact on an organization can include temporary loss of systems and access to sensitive information, downtime of operations, financial impact or loss, and incalculable reputational damage.
Now, ransomware has upped the ante—it’s gone into stealth mode
The most recent variants of ransomware have gone into stealth mode. This means they are fileless and avoid detection by hiding the payload in memory or the kernel. They move under the radar of traditional anti-malware software that scans the hard drive for malicious software. These sophisticated cyber attacks first surfaced a few years ago when Kaspersky discovered fileless malware that was targeting the financial, government and telecommunications industries. The fileless malware had been used to record administrator credentials and passwords that allowed the attackers to gain access to almost anywhere within the network and infrastructure, and was ultimately used to withdraw money from ATMs.
It is important to note that more than 3 billion user credentials and passwords were stolen in 2016. Now, 8.2 million passwords are being stolen every day, approximately 95 passwords every second. And per the Verizon Data Breach Investigations Report, threat actors, or malicious actors, used stolen passwords 95% of the time in the most common types of attacks.
The destructive nature of Ransomware and the impact it’s had on individuals and organizations globally has prompted the Department of Homeland Security, US-CERT and the FBI to release alerts encouraging organizations to take this threat seriously before it’s too late.
Ransomware has become so effective and efficient that many organizations have simply paid ransom, sometimes to the tune of thousands of dollars. It has been found that it can be more cost effective to pay the ransom—with no guarantee of data recovery—than restore a backup, which in some cases would cost more.
To reduce the risk of ransomware, organizations must implement multiple security controls. This should be a standard best practice for cyber security and will also reduce the risk of other malware threats.
7 THINGS YOU CAN DO TO PROTECT YOUR ORGANIZATION FROM RANSOMWARE ATTACKS
1. Educate employees about your IT security policy and their responsibility in adhering to it.
Statistics indicate that 1 in 5 employees will open and click on emails containing malware.
Educating employees on how to identify phishing emails containing malware mitigates risk to all organizations. Some achieve more than 50% reduction in cyber risks as a result of good training and strong security awareness programs. This can be a very cost-effective solution. It not only protects the employees on corporate systems but also allows them to use that knowledge to protect their own personal systems, information and families from the same threats.
2. Understand how hackers operate. This will give you a cyber advantage.
In advanced threats the attacker will first spend a lot of time researching a list of potential targets; gathering information about the organization’s structure, clients etc.
Social media activity of the people in the target company will be monitored to extract information about the systems and forums favored by the user, and any technology vulnerabilities assessed. Once a weakness is found the attacker will breach the cyber security perimeter or send emails containing malicious software like ransomware to gain access. For most attackers, this is easily done. To protect your organization from this sort of attack you must use similar analysis techniques: identify the vulnerabilities ransomware may target and use that knowledge to deploy appropriate security controls to mitigate the risks.
3. Back up critical and sensitive data online and offline.
For organizations that have a solid online and offline back-up plan in place, critical and sensitive data can be easily restored to get the organization operational again.
Offline backups are vital because some ransomware is able to quickly spread across the network making the online backup system unavailable. A good backup plan can vastly reduce the impact ransomware has on your organization. But—and this is important—while it will provide the ability to restore it is NOT considered a preventive security control. Rather, it is a business continuity measure, and it can also be used in other disaster recovery situations.
4. Implement least privilege and application whitelisting.
Removing administrator privileges or super privileges from users will reduce the possibility of an employee being infected by unknowingly opening or clicking on ransomware.
If an employee visits a supplier website or public website that is infected and is distributing malicious software, least privilege can prevent the software from gaining the privileges required to make the system unavailable, and it can stop the malware in its tracks. This, however, sometimes makes employees unable to perform certain functions required to do their day-to-day tasks. This is where application whitelisting, together with least privilege, enables the employee to continue their tasks with little to no disruption. It also keeps them safe from malicious software.
Application whitelisting enables an organization to analyze software or an executable prior to providing the application with the privileges it needs to perform its task. It checks whether it is coming from a trusted source and whether the current system security controls increase the risk. And it informs a security analyst of the request in case intervention is required. Using least privilege and application control together is one of the most effective ways an organization can reduce the risk against ransomware and other variants of malicious software.
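The decision flow described above, sketched as an added example (it is not code from the original post or from any product). The policy sets, field names and the three outcomes are assumptions made for illustration, and the publisher name is assumed to come from a signature the platform has already verified.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed policy data for this example (not real hashes or publishers).
APPROVED_SHA256 = {hashlib.sha256(b"approved-tool-v1").hexdigest()}
TRUSTED_PUBLISHERS = {"Example Corp"}
TRUSTED_SOURCES = {"internal-share", "software-center"}

@dataclass
class ElevationRequest:
    user: str
    path: str
    content: bytes            # bytes of the executable, hashed before anything runs
    publisher: Optional[str]  # signer name; signature assumed verified by the platform
    source: str               # where the file came from
    host_patched: bool        # state of the host's other security controls

def decide(req: ElevationRequest, review_queue: list) -> str:
    """Return 'allow', 'review' or 'deny'. The user never holds admin rights;
    only an approved application is granted the privileges it needs."""
    digest = hashlib.sha256(req.content).hexdigest()
    if digest in APPROVED_SHA256:
        return "allow"                      # this exact binary was already vetted
    if req.publisher in TRUSTED_PUBLISHERS:
        if req.source in TRUSTED_SOURCES and req.host_patched:
            return "allow"                  # trusted origin on a healthy host
        # Known publisher but risky context: hold it and inform an analyst.
        review_queue.append((req.user, req.path, digest))
        return "review"
    return "deny"                           # unknown binary gets no privileges

def demo():
    """Run four constructed requests through the policy."""
    queue = []
    requests = [
        ElevationRequest("amy", "tool.exe", b"approved-tool-v1", None, "email", False),
        ElevationRequest("ben", "build.exe", b"new-build", "Example Corp", "internal-share", True),
        ElevationRequest("cat", "setup.exe", b"web-build", "Example Corp", "internet", True),
        ElevationRequest("dan", "invoice.exe", b"unknown-bytes", None, "email", True),
    ]
    return [decide(r, queue) for r in requests], queue

if __name__ == "__main__":
    print(demo())
```

The last request is the case that matters for ransomware: an unsigned attachment opened by a standard user is refused elevation instead of inheriting administrator rights.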
5. Prioritize password and privileged account management.
The secure management of passwords and privileged accounts should be a major concern for every organization today. The effectiveness of your security controls can mean the difference between experiencing a simple perimeter breach or a cyber catastrophe.
Companies must provide adequate training for employees on best practices for password choices. When a very complex password is required, employees may resort to writing it down on paper or in a spreadsheet because it’s difficult to remember. Or they might use the same password for corporate and personal social accounts. This leads to an increased risk of external threat, something companies should continuously assess.
If your organization is giving employees local administrator accounts or privileged access, rigid password management practices must be observed to avoid weakening your cyber security. It could mean the difference between a single system and user account being compromised—or your entire computer system! Advanced Persistent Threats that use privileged accounts often result in major data loss, malicious activity, and financial fraud or, worst case, ransomware.
You must continuously audit and discover privileged accounts and applications that require privileged access, remove administrator rights where they are not required and adopt two-factor authentication to prevent user accounts from being compromised.
6. Keep systems patched and up to date.
Most breaches or ransomware attacks have occurred using known vulnerabilities and exploits to expose weaknesses in a system in order to infect it with malicious software. Keeping your system’s security updates current will significantly reduce the risks of malicious software exploiting those vulnerabilities.
7. Finally, keep Anti-Virus software up to date and scan all attachments and downloads prior to executing them.
While Anti-Virus is no longer the only security control required, it is still a basic, essential risk mitigation that should be deployed. It can help detect many of the known malicious software programs that will try to compromise your organization.
The more you know about ransomware the more likely you are to want to protect your critical data immediately. Stay up-to-date with essential cyber security info by following The Lockdown. In cyber security, knowledge is power.
Editor’s Note: This blog was originally published on The Lockdown.