If the last few months have taught us anything, it’s that enterprises clearly need to take a long hard look at the cyber security they have in place. One thing is clear – cyber threats now present a bigger risk to organisations than ever before. Considering the huge growth in the number of new ransomware families (an increase of 752% since 2015), online extortion has become a major issue and one that businesses must address.
When it comes to measuring up the country’s worst hit by ransomware, the UK does not appear to be faring well. According to a recent report by Malwarebytes, 54% of UK companies have been hit by a ransomware attack compared to 47% of US companies. It is a common misconception that hackers are only targeting financial institutions, but this year’s attacks on UK parliament and health trusts highlights the reality of the situation – no business or organisation is safe.
It is becoming increasingly easy for hackers to disrupt business operations and extort money with the availability of open source ransomware and ransomware as a service (RaaS). Organisations are rightly concerned about the loss of productivity over anything else. It is estimated that it takes 33 man hours (on average) to fix the problem, with the financial impact potentially much larger than the demanded ransom.
In addition, companies are increasingly concerned about data protection legislation and the potential for significant fines from governing bodies, as well as damage to reputation, resulting from data loss. This comes sharply in to focus now with the EU General Data Protection Regulation coming into force from May 2018.
So what is Ransomware?
In short, it is a type of malicious software that attempts to obtain money from a computer user or organisation by infecting systems and blocking access. This is typically done through encryption of the files and documents on the victim’s machine, then demanding a sum of money to provide the keys to decrypy the files.
There are a number of ways a hacker can initiate an attack, with the most common being a phishing email. This is where the victim is tricked into clicking on a link, or opening an attachment in what appears to be a legitimate email message. The malicious software is then covertly installed on a computer, without knowledge or intention of the user. It can then either stay dormant or spread without user interaction, depending on the type of attack, until it receives a command from the hackers systems to encrypt the files or lock the computer. As soon as the data is encrypted, the user receives the ransom notification and the clock starts ticking.
Once your data is locked you face a difficult choice, whether to pay or not to pay. If you pay, will you really receive the key to decrypt and get your data back? You are dealing with criminals after all!
How can you prevent an attack?
Unfortunately, there is no silver bullet. Cyber criminals are constantly innovating and every cyber-attack is constructed using well-defined phases, which are completed sequentially. Rendering a cyber-attack unsuccessful is all about blocking one or more of these stages.
You therefore need to look at a layered approach to protection. This means:
- Securing your entry points.
- Filtering web traffic and blocking malicious sites.
- Blocking users from certain websites of which they should have no access.
- Blocking macro’s and ActiveX along with not allowing external content from running inside office applications.
- Scanning all emails and attachments for phishing.
- Educating your employees to increase their awareness of phishing techniques and general vigilance.
- Ensuring USB devices are scanned or even restricted in some parts, with auto play disabled at the very least.
- Locking down users’ own (BYOD) devices on secured separate networks from production systems.
- Deploying ransom behavioural tools and scanning your network traffic.
With this layered approach, research has shown that most ransomware attacks can be stopped at the gateway level, through email and URL blocking. The last line of defence is endpoint anti-ransomware behavioural monitoring, designed to proactively detect and block ransomware execution. However, you want to stop this at the gateway and so ensure that your intrusion prevention, email and web scanning solutions are suitably robust to protect your edge networks.
Ultimately, you need to improve your security posture, research and follow best practices for technology and solutions that you already have in place. Where possible, looking to complement these with new and improved technology and services.
But what if it still gets through?
Even with all these tools and techniques in place sophisticated malware can still get through your defences. Cyber criminals are evasive and clever and find new weak points all the time. If the ransomware gets in, it will begin infecting disks and mapped network shares. You therefore need plans in place to contain and respond to an infection and ultimately restore your data. Paying the ransom should not be an option.
Backups are key to protecting your data. However, for a lot of organisations, restoring the previous night’s backup to recover from a ransomware incident is simply not acceptable, due to the data loss and downtime incurred. Organisations may leverage snapshots, be they storage based or at the virtual machine level, to provide more granular restore capabilities. But these too will likely mean accepting several hours’ worth of data loss. This may also not be palatable to some companies, and thus we need to go further in terms of our restore capabilities. We need to look at journaling technologies to be able to quickly roll systems back to a specific point in time, minutes or even seconds before the infection.
Once recovered, it is key that you conduct root cause analysis to help prevent reoccurrence. There are always lessons to be learned and weak points can then be highlighted and addressed accordingly. After the issue is resolved, the question should always be why did this happen? Management will want to see a plan detailing how you will stop this in future.
Vigilance is key
Organisations and their employees need to be educated to be vigilant to avoid losing data and money. You need to be implementing a multi-layered approach to cyber security, implementing solutions that utilise behavioural monitoring and machine learning whilst protecting your gateways, networks, servers and endpoints to help prevent ransomware infections. There is no silver bullet, you need to employ a layered approach – defence in depth.
Prevent, contain and respond – you need plans in place for each. It is time to beef up your defence and recover options against the ever-increasing threat of ransomware.
By Karl Simpson, CSO at Calligo