If a layman pictures a cyberattack, the likelihood is they picture a ransomware attack: The screens overcome by a malicious message, locking up systems and demanding payment to a shadowy organisation or individual.
This cultural ubiquity does not exist in a vacuum: where other forms of cybercrime have gone in and out of fashion based on new attack techniques or changing defensive landscapes. Below, some of the most respected security professionals working today wax lyrical about ransomware: why it is so popular, the mystery of its longevity, and why it is here to stay.
Richard Bejtlich, Principal Security Strategist at Corelight:
“Ransomware is something which has plagued businesses for years now, but newer variants which aim to completely lock down the network are of particular concern. Encrypting all of the devices associated would make it even more difficult than usual to bypass the ransom and would have a significant impact on business function – potentially even a total shutdown. The advice, however, remains the same – avoid paying the ransom at all costs and speak to a relevant security team. It is also crucial to have full visibility into movement on your network in order to establish the point of entry.”
Bindu Sundaresan, director at AT&T Cybersecurity:
“A ransomware attack can spread rapidly across your systems and quickly render them unusable. Time is of the essence. As soon as ransomware is detected in your environment, you must move swiftly to contain the threat and to prevent it from proliferating across your environment. If done manually or done across many disparate systems, or if the attack happens outside of typical working hours, your response effort may be delayed or too slow to contain the attack.
MSS provides advanced security orchestration and automation capabilities that help you respond quickly and efficiently to threats affecting your environments, including response actions that work in alignment with third-party security tools.”
Tarik Saleh, Senior Security Engineer and Malware Researcher at DomainTools:
“Different forms of cybercrime go in and out of fashion according to how effective they are at any given moment. Recently, ransomware targeting smaller local government entities has proven to be a profitable endeavour, hence the rise in this type of attack. Another element granting popularity to this type of attack is that they are relatively low cost and easy to pull off, especially when the target isn’t a large enterprise with the resources to protect its entry points, patch regularly and train its employees on email hygiene best practices. It is important to use the coverage that these attacks are gaining in the media to promote cybersecurity awareness among local governments and SMEs, which, regardless of their size, should realise that they are still potential targets and should therefore move cybersecurity to the forefront of their agenda; sometimes, even just ensuring that employees are prepared to recognise the signs of a phishing email can be what makes the difference between having to pay a ransom and an averted security incident.”
Felix Rosbach, product manager at comforte AG:
“While a lot of companies are aware of ransomware and develop strategies to prevent attacks and recover quickly, it is still a very effective attack. Even with a sophisticated backup strategy in place, the costs and resources needed to do a complete rollback after a successful ransomware attack can be higher than paying the ransom.
Even though sending payments to attackers is never a good idea, the increase in modifications and ransomware-as-a-service offerings on the dark web shows that there is still a market and some companies are willing to pay to continue their business.”
Martin Jartelius, CSO at Outpost24:
“Ransomware mitigation can be partially achieved by preventing execution from the temporary internet files and temporary mail files folders, and removing excessive user rights. This also correlates well with the fact that most malware depends on user interaction to get the first foothold. Other preventive measures, such as reviewing vulnerabilities on servers, segmentation and reviewing user access rights, are easy to suggest but evidently harder to implement, so endpoint hardening is a cheaper and easier starting point.”
Andrea Carcano, Nozomi Networks Co-founder and CPO:
“Ransomware doesn’t discriminate. It can operate across IT, IoT and operational environments. It’s critical to use tools that work across the technology spectrum to effectively track attacks as they move across heterogeneous environments.”
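Martin Jartelius's endpoint-hardening suggestion above (block execution from the temporary internet files and temporary mail files folders) as an added configuration example: this is an illustration written for this page, not code from the article or from Outpost24, and it assumes default Windows profile paths, an administrative shell, and a host edition on which AppLocker is available with the Application Identity (AppIDSvc) service running.

```powershell
# Added example, not from the article or Outpost24: an AppLocker path policy that
# denies launching executables from the browser cache / Temporary Internet Files
# and Outlook temp folders Martin Jartelius singles out. It starts in AuditOnly
# so the AppLocker event log shows what *would* be blocked before enforcement.
# Assumes default profile paths, an admin shell, and AppIDSvc running.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Once any Exe rule exists, everything not explicitly allowed is blocked,
         so the standard default allows must accompany the deny rules. -->
    <FilePathRule Id="a61c8b20-0000-4000-8000-000000000001" Name="Allow Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b20-0000-4000-8000-000000000002" Name="Allow Windows"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b20-0000-4000-8000-000000000003" Name="Allow Administrators"
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Deny beats allow. INetCache is the modern Temporary Internet Files folder
         and also holds Content.Outlook, where Outlook opens attachments. -->
    <FilePathRule Id="a61c8b20-0000-4000-8000-000000000004" Name="Deny INetCache"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Microsoft\Windows\INetCache\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'deny-temp-exec.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
# Check: copy a benign system binary into a constructed Content.Outlook subfolder,
# ask AppLocker what the policy decides for it (expect Denied), then clean up.
$probeDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache\Content.Outlook\PROBE'
New-Item -ItemType Directory -Path $probeDir -Force | Out-Null
$probe = Join-Path $probeDir 'probe.exe'
try {
    Copy-Item "$env:WINDIR\System32\whoami.exe" $probe
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    Remove-Item $probeDir -Recurse -Force
}
# Merge into the local policy; switch EnforcementMode to "Enabled" only after the
# audit events show no legitimate software launching from these folders.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

While in AuditOnly mode, launches that the policy would have stopped appear in the AppLocker "EXE and DLL" event log as event 8003, which is the record to review before enforcing.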
Sam Curry, chief security officer at Cybereason:
“While the overall number of ransomware attacks globally has been declining over the past five years, there doesn’t seem to be a day that goes by without a company making headlines for the wrong reasons. Diligence is needed and this onslaught of activity gives organisations the opportunity to review their cyber insurance plans. It is important to make sure they are in line with the level of risk the organisation wants from ransomware. To help innovate the industry, organisations should request a ‘ransomware clause’ for cyber extortion that would eliminate the inability to publicly disclose and adjust the unrealistically high deductible to be more in line with current ransom demands.
Organisations need security awareness training plans and incident response and threat hunting teams working constantly to stay ahead of hackers. Suggested remediation measures include:
- Educate employees on how to correctly handle suspicious emails to prevent initial downloading or dropping of malware.
- In order to protect against lateral movement, do not use privileged accounts, avoid RDPs without properly terminating the session, do not store passwords in plain text, deploy good authentication practices, disable unnecessary share folders, and change the names of the default share folders used in your organisation.
- Proactively approach security by performing hunts and searching for suspicious behaviour before an incident starts.”
Jonathan Knudsen, senior security strategist at Synopsys:
“Ransomware continues to be a popular tool for cybercriminals. The diabolical simplicity of ransomware is that the attacker first locks up information, then sells it back to the one organisation where it has the most value–the victim. Several defences reduce the risk and impact of a ransomware attack: Security education can help your firm’s internal users be savvy about the dangers of phishing and other common attacks. If just one user knows better than to click on a bad link in an email, it could make all the difference. Traditional reactive defences such as intrusion prevention systems and antivirus software can block known malware. However, they will be powerless against new types of threats. Keeping operating systems and applications up to date makes it much more difficult for ransomware to take root and spread within your organisation. The knockout punch for ransomware is as plain as dirt–regular backups. If you plan and execute a consistent and comprehensive backup of your data, you can laugh in the face of your ransomware captor, restore from your latest backup, and experience minimal disruption to your business. If you fall victim to a ransomware attack, you must have a plan ready to execute. The plan should include removing infected systems from your network, wiping them and reinstalling the operating system and applications, then restoring data from your backups.”
Tyler Reese, senior product manager, One Identity:
“Although the destructive nature of ransomware attacks has been widely documented by the news coverage of some of the worst, high-profile cases, it is important to remember that this malicious software is only capable of compromising the portion of the network and data that it can gain access to. To put it simply, if privileged credentials are well protected and inaccessible from an end user’s machine, a ransomware infection will remain limited to that single machine, unable to spread to the critical processes that cause operational collapse if halted.”
Stuart Sharp, VP of Solution Engineering, OneLogin:
“The best defence against ransomware is a robust Business Continuity Plan which includes regular backups, version control and thorough testing of disaster recovery procedures. Companies that leverage cloud-based storage and automatic syncing from endpoint devices will be well placed to recover from such attacks but should practise the recovery procedure to minimise downtime if an attack does occur.
Information Technology is now a critical part of every organisation, whether it is state-owned, commercial or non-profit and as a core part of their infrastructure, organisations must treat IT – and therefore IT Security – with the same detailed planning, maintenance and governance as physical buildings, finance and health and safety.”
Saryu Nayyar, CEO of Gurucul:
“Ransomware attacks are so common because they’re often so profitable for the attackers. Ransomware is also one of the most basic cyberattack vectors to defend against. It can be foiled by a couple of tactics that have long been in use – patches and backups. Ransomware usually relies on human errors or known, unpatched vulnerabilities to succeed. When it does succeed, and the victim doesn’t have backups, the attacker’s extortion tactics often work.
Many overburdened IT departments simply don’t have the time or the tools to get the security basics right. Every organisation should use two factor authentication (2FA) to block brute force attacks, perform regular backups of valuable data, deploy patches and updates immediately to stop known threats and provide each critical system with a unique and frequently updated password. From there, organisations should invest in modern cybersecurity technology with machine learning algorithms that can identify anomalous behaviours in real-time, before an attacker can strike.”
Sebastian Bortnik, Director of Research, Onapsis:
“Ransomware has lately become the most prevalent malware, and the combination of probability and impact is risky enough to put it as one of the main concerns for CISOs: having the same massive conditions as any other malware (mostly used for non-targeted attacks), a ransomware infection usually generates critical disruption of business processes and it costs a lot of money for companies, even if they don’t pay the ransom, just because of the cost of getting operations back. It is good to think about how to face it for both prevention (steps to take before…) and response (how you should react…); every CISO should think about both phases. Regarding prevention, ransomware has two main paths to infect companies: exploiting vulnerabilities in public servers or through social engineering for endpoints. So, in summary, I would say that the four key points for ransomware prevention would be:
1. Ensure you have antivirus protection in all your systems, and that it is up to date.
2. Educate your employees to reduce the chance of infection through social engineering. Awareness programs should be an ongoing effort.
3. Keep your servers protected, through efficient risk management and continuous risk assessment. Give priority to any vulnerability that can be exploited remotely and allows remote code execution, since those are the ones that may allow an attacker to install ransomware on the system.
4. Have regular backups of any critical data.
The last item about backups (4) is not really about prevention; you won’t reduce the chance of having a ransomware infection because you have a backup, but that’s something you need to have to reduce the impact if you have an incident later, and having a backup totally changes the picture for a proper response. Going to this phase, what should you do if you get infected by ransomware?
As said before, there are two extremely different scenarios: whether you have a backup or not:
- If you don’t have a backup, the only way to recover the data is to pay for it. Is that recommended? It depends. I always prefer not to pay cybercriminals, but companies need to weigh the cost of losing this data against the ransom value.
- If you do have a backup, that’s the best scenario. Ensure an antivirus or similar tool cleans the system, restore the data and that’s all. In these cases, I would recommend directly not to contact cybercriminals; there’s nothing to talk about. Nevertheless, if you restore the backup but do not fix the infection path, you can have an infection again pretty soon. Take into account that the attacker is probably monitoring and waiting for the contact, and they know how they succeeded the first time, so they will probably try to come back sooner or later, especially if it was an attack on a server, through a vulnerability. A few more comments: sometimes you have a backup, but it is not up to date. That means that there is some loss in restoring it, but sometimes this is recommended over paying for the data.
Of course this will depend on each company and situation. Finally, it is important to mention that even if you don’t have a backup, and recover the data through payment, you also need to do forensic analysis to review how you got infected and fix it before having another infection.”