Cyber criminals heading for $1 billion haul from ransomware

By Kane Lightowler, Managing Director Asia Pacific + Japan, Carbon Black

Ransomware continues to proliferate in complexity, volume and rewards for cyber criminals. Their haul is on track to top $1 billion this year, with more than 4,000 attacks occurring each day, according to the FBI.

Although most organisations believe that paying a ransom means they are in the clear, it often does not prevent future attacks. Worse, traditional antivirus protection (AV) is an insufficient defence, since ransomware is often file-less and hides in places where AV does not reach. Many organisations are fighting a losing battle against ransomware.

A recent study of 20,000 organisations found that one in 10 educational institutions had been hit by malware, compared with 6 per cent of government organisations, 3.5 per cent in healthcare, 3.4 per cent in energy/utilities, 3.2 per cent of retailers, and 1.5 per cent of financial organisations.

Ransomware has been around for about 30 years. What is new is its sudden escalation as a favoured attack by cyber criminals. Businesses are routinely choosing to pay hefty ransoms rather than lose access to their intellectual property, patient records, credit card information and other valuable data. Targeted businesses are paying up in order to avoid significant disruption to everyday operations.

Cyber criminals are quick learners and eager to make fast money. Whether extorting $300 per user from a small business or $30 million from a multinational enterprise, the level of effort is often similar.

While ransomware is not going away any time soon (if ever), organisations that are properly prepared can defend against it. Next-generation endpoint security (NGES) platforms provide the most comprehensive protection.

Two distinct varieties of ransomware have remained consistent in recent years: Crypto-based and Locker-based. Crypto-ransomware variants encrypt files and folders, hard drives, etc. Locker-ransomware is most often seen on Android systems and simply locks users out of their devices.

New-age ransomware involves a combination of advanced distribution efforts, such as pre-built infrastructures used to easily and widely distribute new strains, as well as various sophisticated development techniques. This combination requires advanced skills on the part of the attacker. But because the return on investment is high, attackers continue to invest in these advanced tools.

Offline encryption methods are also becoming popular. These attacks exploit legitimate system features, such as Microsoft’s CryptoAPI, eliminating the need for command and control (C2) communications.

Defence against ransomware

Even the most educated end users, well versed in security best practices such as never clicking on email attachments, can become victims of ‘drive-by downloads’ when visiting malicious websites, or of other sophisticated exploit kits that deliver ransomware.

Traditional, signature-based antivirus can sometimes protect an organisation’s endpoints from known malware. But AV cannot stop new variants of ransomware such as Locky, or advanced attacks that leverage PowerShell, scripts, macros, remote shell attacks and memory-based attacks. These make up more than 50 per cent of the attacks targeting enterprise organisations.

The first step an organisation can take to counter ransomware is to stop relying on traditional AV solutions to defend their endpoints, servers and critical systems.

Certain powerful next-generation antivirus solutions (NGAV) are available. They are combined with endpoint and cloud-based technologies to stop more attacks, see more threats and close more security gaps, by using deep analytics to inspect files and identify malicious behaviour. This comprehensive approach blocks both traditional malware and increasingly common malware-less attacks that exploit memory and scripting languages such as PowerShell.

Defence cheat sheet

Prevention is the most effective defence against ransomware. Deploying a next-generation endpoint security product that can detect and stop ransomware attacks is an obvious first step. Here are 13 additional best practices:

1. Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.

2. Secure offline backups. Backups are essential: for those infected, a backup may be the only way to recover data. Ensure that backups are not connected permanently to the computers and networks they are backing up.

3. Configure firewalls to block access to known malicious IP addresses.

4. Logically separate networks. This will help to prevent the spread of malware. If every user and server is on the same network, newer variants can spread.

5. Patch operating systems, software and firmware on devices. Consider using a centralised patch management system.

6. Implement an awareness and training program. End users are targets, so everyone in the organisation needs to be aware of the threat of ransomware and how it’s delivered.

7. Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

8. Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.

9. Block ads: Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.

10. Use the principle of ‘least privilege’ to manage accounts: No users should be assigned administrative access unless absolutely needed. If a user needs to read only specific files, that user should not have write access to them.

11. Leverage next-generation antivirus technology to inspect files and identify malicious behaviour to block malware and malware-less attacks that exploit memory and scripting languages like PowerShell.

12. Use application whitelisting, which allows systems to execute only those programs known and permitted by security policy.

13. Categorise data based on organisational value and implement physical and logical separation of networks and data for different organisational units.
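Point 8 above, the SPF/DMARC part of the cheat sheet, is the one item that can be checked mechanically. The script below is an added example, not code from the article or from Carbon Black: it assesses whether a domain's published SPF and DMARC records actually enforce anti-spoofing, using constructed sample records for two hypothetical domains (`weak.example`, `strong.example`) in place of live DNS lookups.

```python
import re

# Constructed sample TXT records (not real DNS data), keyed by the name they
# would be published at. A live check would query DNS for <domain> and
# _dmarc.<domain>; they are embedded here so the code runs offline.
SAMPLE_RECORDS = {
    "weak.example": {
        "weak.example": "v=spf1 include:_spf.mailhost.example +all",
        "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "strong.example": {
        "strong.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
        "_dmarc.strong.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@strong.example",
    },
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(record):
    """Qualifier on the final 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' is equivalent to '+all'

def assess_domain(domain, records):
    """Return findings for a domain; an empty list means SPF and DMARC both enforce."""
    findings = []
    spf = records.get(domain, "")
    dmarc = records.get("_dmarc." + domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    elif spf_all_qualifier(spf) in (None, "+", "?"):
        findings.append("SPF does not fail unauthorised senders (expected -all or ~all)")
    if not dmarc.startswith("v=DMARC1"):
        findings.append("no DMARC record")
    elif parse_dmarc(dmarc).get("p", "none") not in ("quarantine", "reject"):
        findings.append("DMARC p=none: receivers deliver spoofed mail and only report it")
    return findings

if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        print(name, assess_domain(name, recs) or ["OK"])
```

The weak domain publishes `+all` and `p=none`, so any sender passes SPF and DMARC only reports; the strong domain fails unknown senders with `-all` and asks receivers to reject with `p=reject`.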
