​Cyber criminals heading for $1 billion haul from ransomware

By Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black

Ransomware continues to proliferate in complexity, volume and rewards for cyber criminals. Their haul is on track to top $1 billion this year, with more than 4,000 attacks occurring each day, according to the FBI.

Although most organisations believe that paying a ransom means they are in the clear, it often does not prevent future attacks. Worse news is that traditional antivirus protection (AV) is insufficient defence, since ransomware is often file-less and hides in places where AV does not reach. Many organisations are fighting a losing battle against ransomware.

A recent study of 20,000 organisations found that one in 10 educational institutions had been hit by malware, 6 per cent in government, 3.5 per cent in healthcare, 3.4 per cent of energy/utilities, 3.2 per cent of retailers, and 1.5 per cent of financial organisations.

Ransomware has been around for about 30 years. What is new is its sudden escalation as a favoured attack by cyber criminals. Businesses are routinely choosing to pay hefty ransoms rather than lose access to their intellectual property, patient records, credit card information and other valuable data. Targeted businesses are paying up in order to avoid significant disruption to every-day operations.

Cyber criminals are quick learners and eager to make fast money. Whether extorting $300 per user from a small business or $30 million from a multinational enterprise, the level of effort is often similar.

While ransomware is not going away any time soon (if ever), organisations that are properly prepared can defend against it. Next-generation endpoint security (NGES) platforms provide the most comprehensive protection.

Two distinct varieties of ransomware have remained consistent in recent years: Crypto-based and Locker-based. Crypto-ransomware variants encrypt files and folders, hard drives, etc. Locker-ransomware is most often seen on Android systems and simply locks users out of their devices.

New-age ransomware involves a combination of advanced distribution efforts, such as pre-built infrastructures used to easily and widely distribute new strains, as well as various sophisticated development techniques. This combination requires advanced skills on the part of the attacker. But because the return on investment is high, attackers continue to invest in these advanced tools.

Offline encryption methods are also becoming popular. These attacks exploit legitimate system features, such as Microsoft’s CryptoAPI, eliminating the need for command and control (C2) communications.

Defence against ransomware

Even the most educated end users, well versed in security best practices such as never clicking on email attachments, can become victims of ‘drive-by downloads’ when visiting malicious websites and other sophisticated exploit kits that can deliver ransomware.

Traditional, signature-based antivirus can sometimes protect an organisation’s endpoints from known malware. But AV cannot stop new variants of ransomware such as Locky, or advanced attacks that leverage PowerShell, scripts, macros, remote shell attacks and memory-based attacks. These make up more than 50 per cent of the attacks targeting enterprise organisations.

The first step an organisation can take to counter ransomware is to stop relying on traditional AV solutions to defend their endpoints, servers and critical systems.

Certain powerful next-generation antivirus solutions (NGAV) are available. They are combined with endpoint and cloud-based technologies to stop more attacks, see more threats and close more security gaps, by using deep analytics to inspect files and identify malicious behaviour. This comprehensive approach blocks both traditional malware and increasingly common malware-less attacks that exploit memory and scripting languages such as PowerShell.

Defence cheat sheet

Prevention is the most effective defence against ransomware. Deploying a next-generation endpoint security product that can detect and stop ransomware attacks is an obvious first step. Here are 13 additional best practices:

1.Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.

2.Secure offline backups. Backups are essential: for those infected, a backup may be the only way to recover data. Ensure that backups are not connected permanently to the computers and networks they are backing up.

3.Configure firewalls to block access to known malicious IP addresses.

4.Logically separate networks. This will help to prevent the spread of malware. If every user and server is on the same network, newer variants can spread.

5.Patch operating systems, software and firmware on devices. Consider using a centralised patch management system.

6.Implement an awareness and training program. End users are targets, so everyone in the organisation needs to be aware of the threat of ransomware and how it’s delivered.

7.Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

8.Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.

9.Block ads: Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.

10.Use the principle of ‘least privilege’ to manage accounts: No users should be assigned administrative access unless absolutely needed. If a user needs to read only specific files, that user should not have write access to them.

11.Leverage next-generation antivirus technology to inspect files and identify malicious behaviour to block malware and malware-less attacks that exploit memory and scripting languages like PowerShell.

12.Use application whitelisting, which allows systems to execute only those programs known and permitted by security policy.

13.Categorise data based on organisational value and implement physical and logical separation of networks and data for different organisational units.

Join the CSO newsletter!

Error: Please check your email address.

Tags identity managementcyber criminalsNGAVpowershelldata protectionransomwarememory attacksnetwork securityMacrosantivirus softwareback up and recovery

More about C2FBIMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Kane Lightowler

Latest Videos

More videos

Blog Posts