How to avoid an expensive and disruptive ransomware attack

By Simon Howe, Director of Sales ANZ for LogRhythm

Since first appearing in the late 1980s, ransomware has evolved to become a multi-million dollar business. Victims are faced with either paying large sums of money or losing access to crucial data files.

Recently, ransomware criminals have shifted their attention from targeting individuals to businesses and large organisations. The logic is that larger victims have more to lose, and larger resources with which to pay demands.

As a result, ransomware has become one of the top security concerns for many organisations. Senior managers understand the potential disruption it can cause to daily activity and the potentially large financial cost they will face to overcome it.

Types of attack

Ransomware comes in two forms. One uses mass distribution methods to find victims while the other uses targeted attacks. Both involve the distribution of software that encrypts files on target systems and then demands payment for their decryption.

Attackers use mass distribution techniques in an effort to find as many victims as possible. Rather than pinpointing potential targets, they simply unleash their efforts on the internet and see who takes the bait. Victims could become infected through phishing emails, visiting compromised websites or downloading malicious software.

Targeted attacks tend to be aimed at specific potential victims who have more to lose, and more money with which to pay. They tend to be much more customised and driven by people rather than automated tools.

The goal of a targeted attack is to infect an entire business or organisation, rather than an individual user. This makes it more difficult for the victim to avoid paying the ransom as the financial losses resulting from disruption can be very significant.

How ransomware works

Once a system has become infected, ransomware makes its presence felt alarmingly quickly. A target system can have its data totally encrypted within minutes.

An attack starts with delivery of malicious code and initial infection within about five seconds. Next, the code enters a backup spoliation phase which removes any data backups that can be found. This is normally completed within about 10 seconds.

The file encryption process usually starts within two minutes and can be completed in as little as 15 minutes. Even if a system is turned off during this time, the code can continue from where it left off once power is restored.

The final stage is user notification. Some ransomware will change desktop wallpaper or display a message on screens that outlines what has happened and the payment that is required to retrieve access to the encrypted data.

At this point, the ransomware code usually deletes itself from the target system, reducing the likelihood that the perpetrators can be traced.
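The two phases that leave the loudest trace on an endpoint are backup spoliation (a burst of deletions under the backup locations) and the encryption run itself (one process rewriting or renaming many files across many directories within seconds). The following detector is an added example, not code from the article or from LogRhythm: it replays constructed file-activity events and applies a per-process sliding window to each phase. The backup roots, process names, paths and thresholds are all assumptions made up for the illustration.

```python
"""Flag the backup-spoliation and bulk-encryption phases from file-activity telemetry.

Added example: the event tuples, process names, paths and thresholds below are
constructed for illustration, not taken from the article or any product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Where this organisation keeps backups (assumed for the example).
BACKUP_ROOTS = (r"D:\Backups", r"\\nas01\backup")

# Constructed telemetry: (ISO timestamp, process image, action, path).
EVENTS = [
    ("2024-03-04T09:00:00", "winword.exe", "write",  r"C:\Users\alice\Documents\report.docx"),
    # backup spoliation: three backup files deleted within seconds of each other
    ("2024-03-04T09:00:05", "upd_svc.exe", "delete", r"D:\Backups\2024-03-03\full.bak"),
    ("2024-03-04T09:00:07", "upd_svc.exe", "delete", r"D:\Backups\2024-03-02\full.bak"),
    ("2024-03-04T09:00:09", "upd_svc.exe", "delete", r"\\nas01\backup\alice\docs.vbk"),
    # encryption phase: files in several directories renamed in a tight burst
    ("2024-03-04T09:02:00", "upd_svc.exe", "rename", r"C:\Users\alice\Documents\report.docx.locked"),
    ("2024-03-04T09:02:01", "upd_svc.exe", "rename", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    ("2024-03-04T09:02:02", "upd_svc.exe", "rename", r"C:\Users\alice\Pictures\holiday.jpg.locked"),
    ("2024-03-04T09:02:03", "upd_svc.exe", "rename", r"C:\Users\alice\Pictures\cat.png.locked"),
    ("2024-03-04T09:02:04", "upd_svc.exe", "rename", r"S:\Finance\q1.xlsx.locked"),
    ("2024-03-04T09:02:05", "upd_svc.exe", "rename", r"S:\Finance\q2.xlsx.locked"),
]
# Benign burst for contrast: a user copies six photos into one folder.
EVENTS += [
    ("2024-03-04T09:01:0%d" % i, "explorer.exe", "write", r"C:\Users\alice\Downloads\p%d.jpg" % i)
    for i in range(6)
]


def _under(path, roots):
    """Case-insensitive check that path lies below one of the backup roots."""
    p = path.lower()
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def _windowed(events, predicate, window):
    """After each matching event, yield (process, paths still inside the window)."""
    per_proc = defaultdict(deque)
    for ts, proc, action, path in sorted(events, key=lambda e: e[0]):
        if not predicate(action, path):
            continue
        t = datetime.fromisoformat(ts)
        q = per_proc[proc]
        q.append((t, path))
        while t - q[0][0] > window:      # age out events older than the window
            q.popleft()
        yield proc, [p for _, p in q]


def detect_backup_spoliation(events, backup_roots=BACKUP_ROOTS,
                             threshold=2, window=timedelta(seconds=30)):
    """Processes deleting >= threshold files under the backup roots within the window."""
    alerts = {}
    for proc, paths in _windowed(events, lambda a, p: a == "delete" and _under(p, backup_roots), window):
        if len(paths) >= threshold:
            alerts[proc] = max(alerts.get(proc, 0), len(paths))
    return alerts


def detect_encryption_burst(events, min_files=5, min_dirs=3, window=timedelta(seconds=60)):
    """Processes rewriting/renaming >= min_files across >= min_dirs directories within the window."""
    alerts = {}
    for proc, paths in _windowed(events, lambda a, p: a in ("write", "rename"), window):
        dirs = {p.lower().rsplit("\\", 1)[0] for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            alerts[proc] = max(alerts.get(proc, 0), len(paths))
    return alerts


if __name__ == "__main__":
    print("backup spoliation:", detect_backup_spoliation(EVENTS))
    print("encryption burst: ", detect_encryption_burst(EVENTS))
```

The distinct-directory requirement is what keeps the user's photo copy out of the encryption alert while still catching the process that touches Documents, Pictures and a file share in the same minute; the spoliation rule fires first, which matters because it lands before any user file has been encrypted.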

Defending against an attack

The first step in reducing the chance of suffering a ransomware attack is the development of a comprehensive incident response plan. Data stores should be examined and back-up processes tested to ensure critical files are replicated in at least two secure locations.

IT teams should also ensure that security patches are rolled out as soon as they are released. These should be applied to operating systems and applications throughout the organisation as attacks can come from a range of different vectors.

A least-privilege approach should also be taken to file stores. Staff should only have access to the files they need and restricted from others. This tactic can help to slow the progress of ransomware should it successfully infect the infrastructure.
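"Tested" backups means more than confirming that a job ran: each critical file should be shown to exist, byte-for-byte identical, in at least two separate locations. The script below is an added example (not from the article or any backup product) that hashes each critical file at the primary store and counts the replicas whose copy matches. The file list and the directory layout are constructed with tempfile so the check runs offline; in practice the roots would be the real primary and replica mounts.

```python
"""Verify that each critical file is replicated, unchanged, in at least two locations.

Added example: directory layout, file names and contents are constructed here
with tempfile; nothing is taken from the article or from any backup product.
"""
import hashlib
import tempfile
from pathlib import Path

# Files the organisation has classed as critical (assumed list for the example).
CRITICAL_FILES = ["finance/ledger.csv", "hr/payroll.xlsx", "legal/contracts.zip"]


def sha256_of(path):
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_replicas(primary, replicas, critical_files=CRITICAL_FILES, min_copies=2):
    """Return (report, failures).

    report maps each critical file to the number of replicas whose copy hashes
    identically to the primary (None if the primary copy itself is missing);
    failures lists files with fewer than min_copies good replicas.
    """
    report = {}
    for rel in critical_files:
        src = Path(primary) / rel
        if not src.is_file():
            report[rel] = None
            continue
        want = sha256_of(src)
        report[rel] = sum(
            1 for r in replicas
            if (Path(r) / rel).is_file() and sha256_of(Path(r) / rel) == want
        )
    failures = [rel for rel, n in report.items() if n is None or n < min_copies]
    return report, failures


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def build_fixture(base):
    """Constructed layout: primary, replica_a (complete), replica_b (one stale, one missing)."""
    primary, rep_a, rep_b = (Path(base) / n for n in ("primary", "replica_a", "replica_b"))
    for rel in CRITICAL_FILES:
        _write(primary, rel, b"good " + rel.encode())
        _write(rep_a, rel, b"good " + rel.encode())
    _write(rep_b, "finance/ledger.csv", b"good finance/ledger.csv")
    _write(rep_b, "hr/payroll.xlsx", b"stale copy from last month")  # hash mismatch
    # legal/contracts.zip is deliberately absent from replica_b
    return primary, [rep_a, rep_b]


def run_demo():
    with tempfile.TemporaryDirectory() as base:
        primary, replicas = build_fixture(base)
        return verify_replicas(primary, replicas)


if __name__ == "__main__":
    report, failures = run_demo()
    for rel, n in report.items():
        print("%-22s good replicas: %s" % (rel, n))
    print("below policy:", failures)
```

Comparing hashes rather than timestamps or sizes is deliberate: a replica that was silently overwritten with an already-encrypted copy would keep a plausible size and a recent mtime, but its hash would no longer match the known-good primary.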

Detection is critical

The deployment of effective endpoint detection tools within the IT infrastructure is a vital step in combating the ransomware threat. These tools can detect infections early and respond automatically. They can also perform tasks such as monitoring for phishing emails containing malicious attachments.

If a system does become infected, the endpoint protection system should be able to automatically block and kill malicious processes. For example, the tool should check the 'appdata' and 'temp' folders on systems as these are often the locations where the malicious code will run.

The tools should also be able to automatically isolate infected systems from the organisation's network. This can be achieved by disabling all network adapters to stop the code from receiving instructions from the attackers.
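The endpoint rule described in these two paragraphs (flag processes launched from the 'appdata' and 'temp' folders, kill them, and isolate the host) can be expressed as a small triage function. The code below is an added example, not from the article or from any endpoint product: it evaluates constructed process-start events, excludes binaries on a hash allowlist, and returns the kill and isolate decisions per host. Hostnames, PIDs, image paths and hashes are made up, the allowlist entry is a placeholder, and the actual adapter-disabling step is assumed to be carried out by the endpoint agent on the basis of the returned decision.

```python
"""Endpoint triage rule: processes running from AppData or Temp directories.

Added example, not from the article or from any endpoint product. Hostnames,
PIDs, image paths and hashes are constructed; the allowlist hash is a placeholder.
Real isolation (disabling the adapters) is assumed to be done by the agent; this
code only produces the decision record.
"""

# Constructed allowlist of SHA-256 hashes for binaries that legitimately run from
# a profile directory (placeholder value, not a real hash).
ALLOWLIST = {"ab" * 32}

# Constructed process-start events: (host, pid, image path, sha256 of image).
PROCESS_EVENTS = [
    ("WS-042", 4120, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "c1" * 32),
    ("WS-042", 4188, r"C:\Users\alice\AppData\Local\Temp\invoice_2024.pdf.exe", "d3" * 32),
    ("WS-042", 4201, r"C:\Users\alice\AppData\Local\Temp\inv_helper.exe", "e4" * 32),
    ("WS-017", 3004, r"C:\Users\bob\AppData\Local\VendorApp\VendorApp.exe", "ab" * 32),  # allowlisted
    ("WS-017", 3011, r"C:\Windows\Temp\setup_cache.exe", "f5" * 32),
]


def is_suspect_location(image_path):
    """True when any directory component (not the file name) is 'appdata' or 'temp'."""
    dirs = image_path.lower().replace("/", "\\").split("\\")[:-1]
    return "appdata" in dirs or "temp" in dirs


def triage(events, allowlist=ALLOWLIST):
    """Return (findings, actions).

    findings: list of (host, pid, image) that matched the location rule and
              were not on the allowlist.
    actions:  per host, the PIDs to kill and whether to isolate the host.
    """
    findings, actions = [], {}
    for host, pid, image, sha in events:
        if not is_suspect_location(image) or sha in allowlist:
            continue
        findings.append((host, pid, image))
        entry = actions.setdefault(host, {"kill": [], "isolate": False})
        entry["kill"].append(pid)
        entry["isolate"] = True   # one confirmed hit is enough to cut the host off
    return findings, actions


if __name__ == "__main__":
    findings, actions = triage(PROCESS_EVENTS)
    for host, pid, image in findings:
        print("%s pid %d: %s" % (host, pid, image))
    print(actions)
```

The allowlist is the part that makes the rule deployable: plenty of legitimate software installs itself under a user's profile, so matching on location alone produces false kills. Keying the exception on the binary's hash rather than its path prevents an attacker-controlled file from inheriting an exception just by reusing a familiar file name.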

Eradication and recovery

If an attack has been detected and prevented, affected systems will need to be thoroughly checked to ensure the threat has been removed before they are reconnected to the network. If the code has managed to encrypt files, these will need to be replaced with copies from the secure back-up site.

It's then worth investigating what vector was used to infect the system. Was it a web-based attack kit or a phishing email scam? What steps can be taken to ensure this doesn't happen again in the future?

By making effective plans and deploying endpoint detection tools, organisations can significantly reduce the likelihood they will face a ransomware attack. The threats are not going away, but the chances of them resulting in disruption and financial hardship can be greatly reduced.
