Dell EMC

Ransomware is on the Rise


Market disruption, it turns out, isn’t just something that happens to legitimate markets. Hackers experience it too.

A few years ago, changes in the regulation and tracking of pharmaceuticals caused a disruption in the spamming market, which relied on low-cost, counterfeit pharmaceutical sales for much of its revenue. Now, before you shed a tear, rest assured that the bad guys didn’t take this lying down. No, they created a new market, one that took advantage of the burgeoning (and wholly unregulated) bitcoin phenomenon. It’s called ransomware and it’s a real problem for many enterprises.

Nearly every conversation I have with CIOs and CSOs (Chief Security Officers) quickly turns to the rising problem of ransomware. In the last few years, anecdotal reports of ransomware incidents have become increasingly common. I write “anecdotal” because recent studies show that nearly half of ransomware victims never report the attack, largely because of the stigma attached to paying a ransom.

Healthcare and public education have recently become favored targets for these attacks, but we can expect the attackers to move on as those sectors shore up their defenses, seeking new targets where slim security budgets are common.

For those fortunate companies not yet familiar with ransomware, its purpose is to take your data hostage by encrypting it with a key that only the attacker holds—ironically, the very technology that would protect your data from exposure in any other form of breach. A ransomware attack often begins like any other malware attack. A weaponized but seemingly innocuous email is opened, for example, and the attachment or link it carries delivers a piece of malware to a client device such as a laptop, tablet or mobile phone.

From there, the malware typically phones home across the Internet to its command and control server to establish a unique cryptographic key (some variants generate the key locally, so they need no network contact before they start) and then begins encrypting every file the compromised device has access to, including files on mapped network shares. Once the encryption is complete, the ransomware displays a ransom note demanding a fee, usually in bitcoin, which is hard (though not impossible) to trace, in exchange for the key that unlocks the data.

The truly insidious side of ransomware is its affordability.

That’s right, ransomware is affordable by design. A typical attack may carry a ransom of several hundred to several thousand dollars, depending on the amount of data encrypted. In the case of personal ransomware—for example, encrypting the data stored on your smartphone—the ransom might be as low as $10. It’s not a case of attackers being compassionate, of course. They simply understand that victims are more likely to pay a small ransom as a nuisance, and have elected to mount more frequent ransomware attacks to make their money in volume.

So what can you do to stop ransomware? Start by doing what you should have been doing all along: practicing good security hygiene. That includes installing the latest security patches, making sure file extensions are displayed rather than hidden (malware loves to pose as a document with a name like invoice.pdf.exe, which a system that hides known extensions shows as invoice.pdf), and never downloading or running executable files from untrusted sources.
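To make the hidden-extension point concrete, here is a small triage routine for attachment names. It is an added example, not code from the original post or from any product it names: it reports what Explorer would display with known extensions hidden, and flags the two common disguises, a decoy double extension (optionally padded with spaces) and a Unicode right-to-left override that reorders how the name renders. The filenames are constructed samples, and the extension lists are illustrative rather than exhaustive.

```python
"""
Spot attachment names that rely on hidden extensions to look harmless.

Added example (not from the original post). With Explorer's default
"hide extensions for known file types", invoice.pdf.exe is shown as
"invoice.pdf"; a right-to-left override (U+202E) in "receipt\u202efdp.exe"
makes the name render as "receiptexe.pdf" although Windows runs it as .exe.
Sample names are constructed; the extension sets are illustrative.
"""
import unicodedata

# Extensions that Windows hands to a loader or script host on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "wsh", "hta", "ps1", "msi", "lnk", "jar"}
# Document and media types commonly used as the decoy half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
              "jpg", "jpeg", "png", "gif", "zip"}
# Unicode bidirectional controls that change how a string is displayed.
BIDI_CONTROLS = {"RLO", "LRO", "RLE", "LRE", "RLI", "LRI", "FSI"}


def real_extension(filename: str) -> str:
    """The extension the OS actually uses: the text after the final dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.strip().lower() if dot else ""


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'hide extensions for known file types' is on."""
    if real_extension(filename) in EXECUTABLE_EXTS | DECOY_EXTS:
        return filename.rpartition(".")[0]
    return filename


def assess(filename: str) -> str:
    """Return 'ok', 'executable', or a 'deceptive:*' verdict for a filename."""
    # Any bidi control in a filename is a display trick; flag it first.
    if any(unicodedata.bidirectional(c) in BIDI_CONTROLS for c in filename):
        return "deceptive:bidi-override"
    ext = real_extension(filename)
    if ext not in EXECUTABLE_EXTS:
        return "ok"
    # Strip padding so "invoice.pdf         .exe" is treated like invoice.pdf.exe.
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "deceptive:double-extension"
    return "executable"


if __name__ == "__main__":
    for name in ["invoice.pdf", "invoice.pdf.exe", "invoice.pdf        .exe",
                 "receipt\u202efdp.exe", "setup.exe"]:
        print(f"{displayed_name(name)!r:32} -> {assess(name)}")
```

The same logic belongs at the mail gateway, where it can quarantine a message before the user ever sees the misleading name; on the desktop it is only a second line of defense behind the Explorer setting itself.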

Next, you need strong protection in place, including up-to-date anti-malware software to block attacks from executing once they have landed. At the endpoint, Palo Alto Networks Traps and RSA NetWitness for Endpoint are two preventive controls that we often recommend to our clients. Varonis DatAdvantage with DatAlert works similarly, disrupting ransomware activity as it happens, but does so at the file access level rather than on the endpoint.

Detective controls are just as important, because they enable a response to a live outbreak. Human-driven response, powered by a traditional Security Information and Event Management (SIEM) system, is useful for cleanup and recovery in the wake of an attack, but on its own it is not enough to contain an active ransomware outbreak. Analytics and machine learning applied at the process and file access levels are key: ransomware can encrypt files far faster than humans can chase it, so detection has to recognize the burst of modifications as it starts and cut off the offending process or account automatically.
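What “detection at the file access level” looks like in practice is shown below. This is an added example, not code from the original post or from any vendor it names. It assumes a constructed one-line-per-event audit format (`<ISO-8601 time> host=<h> user=<u> op=<OP> path=<p> [newpath=<p2>]`) and runs three simple rules over a sliding 60-second window per host/user pair: a burst of modifying operations, many renames that swap the file extension, and the creation of a file whose name looks like a ransom note. The sample log, hostnames, thresholds and the `.encrypted` suffix are all made up for the example.

```python
"""
Detect ransomware-like behaviour from file-access audit events.

Added example; not code from the original post or from any product named in
it. Assumed (constructed) log format, one event per line, in time order:

    <ISO-8601 time> host=<h> user=<u> op=<OP> path=<p> [newpath=<p2>]

with OP in READ, WRITE, CREATE, DELETE, RENAME.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: newpath=(?P<newpath>\S+))?$"
)
MODIFYING_OPS = {"WRITE", "CREATE", "DELETE", "RENAME"}
WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 25        # modifying ops by one host/user inside WINDOW (assumed)
EXT_CHANGE_THRESHOLD = 10   # renames that change the extension inside WINDOW (assumed)
# Ransom-note names: weak signal on its own, strong when paired with a burst.
RANSOM_NOTE_RE = re.compile(r"(decrypt|recover)[^/\\]*\.(txt|html|hta)$", re.I)


def parse(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def _ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return {(host, user): sorted reasons} for every actor that tripped a rule."""
    recent = defaultdict(deque)   # actor -> events inside the sliding window
    alerts = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in MODIFYING_OPS:
            continue
        actor = (ev["host"], ev["user"])
        window = recent[actor]
        window.append((ev["ts"], ev["op"], ev["path"], ev["newpath"]))
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            alerts[actor].add("burst")
        ext_changes = sum(1 for _, op, p, np in window
                          if op == "RENAME" and np and _ext(np) != _ext(p))
        if ext_changes >= EXT_CHANGE_THRESHOLD:
            alerts[actor].add("mass-extension-change")
        target = ev["newpath"] or ev["path"]
        if ev["op"] in ("CREATE", "WRITE") and RANSOM_NOTE_RE.search(target):
            alerts[actor].add("ransom-note")
    return {actor: sorted(reasons) for actor, reasons in alerts.items()}


# --- constructed sample log -------------------------------------------------
_BASE = datetime(2016, 6, 1, 9, 0, 0)


def _ts(secs):
    return (_BASE + timedelta(seconds=secs)).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_LOG = [
    # ordinary activity from an analyst: a few reads and edits
    f"{_ts(0)} host=ws04 user=asmith op=READ path=//fs01/finance/budget.xlsx",
    f"{_ts(12)} host=ws04 user=asmith op=WRITE path=//fs01/finance/budget.xlsx",
    f"{_ts(40)} host=ws04 user=asmith op=CREATE path=//fs01/finance/notes.docx",
]
# infected workstation: 30 files renamed to a new extension in ~45 s, then a note
SAMPLE_LOG += [
    f"{_ts(5 + int(i * 1.5))} host=ws17 user=jdoe op=RENAME "
    f"path=//fs01/shared/doc{i:02d}.docx newpath=//fs01/shared/doc{i:02d}.docx.encrypted"
    for i in range(30)
]
SAMPLE_LOG.append(f"{_ts(52)} host=ws17 user=jdoe op=CREATE "
                  f"path=//fs01/shared/HOW_TO_DECRYPT_FILES.txt")
SAMPLE_LOG.sort()  # ISO timestamps sort lexicographically, so this is time order

if __name__ == "__main__":
    for actor, reasons in detect(SAMPLE_LOG).items():
        print(f"ALERT {actor[0]}/{actor[1]}: {', '.join(reasons)}")
```

Run on the sample, only `ws17/jdoe` is flagged, with all three reasons, while the analyst's handful of edits stays below every threshold. In production the thresholds need tuning against a baseline of normal activity (backup jobs and bulk migrations also rename files in bursts), and the alert should feed an automated response such as disabling the account or killing the process, since by the time a human reads it the encryption run is usually finished.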

In the wake of a ransomware outbreak, recovery is a critical capability, so enterprises need a trusted recovery point for their data. Using tools such as the Dell EMC Data Protection Suite, enterprises can create that recovery point and safely restore the files that were encrypted before the attack was stopped.

As ransomware shows us, encryption can be a double-edged sword. Protecting yourself from attacks like ransomware requires a layered defense to make your organization resilient in the face of attack. Secure your data by locking down and governing access to it. Secure your data on the network and at the endpoint. Secure your data with good security practices that prevent humans from being the weakest link. Even if you haven’t been bitten by ransomware yet, that doesn’t mean it won’t be pointed at your data tomorrow.