In 2016, ransomware caught fire.
Ransomware attacks increased over 6,000% from the previous year, and their victims paid out an estimated $1 billion. This year, ransomware attacks are on pace to break last year’s record-setting numbers.
What can you do if you’re hit with a ransomware attack? If you’re like 70% of enterprises, you pay the ransom. In fact, it’s more and more common for CIOs to include ready access to bitcoin as part of their disaster recovery plan. But let’s face it: you want to be in the 30% of enterprises that have a better plan.
Here’s what that better plan looks like:
1. Identify threats and protect your devices with endpoint protection.
Signature-based anti-malware tools will never be able to protect you from the latest ransomware. There are 90,000 zero-day packages created every day that signature-based software simply can’t catch. That’s why you should take a look at 21st-century endpoint prevention technology like Palo Alto Networks Traps, which can respond to zero-day malware based on its behavior and prevent malicious code from executing.
2. Protect yourself with good security hygiene.
The recent WannaCry ransomware attack could have been stopped if enterprises had simply patched their software. Good security habits such as updating software with the latest security patches and training employees not to open suspicious emails are the security equivalent of eating your spinach and brushing your teeth: it’s not exciting, but it is a simple way to save yourself a lot of trouble later.
3. Detect and respond with UEBA (and Varonis).
Security Information and Event Management (SIEM) technology is designed to aggregate machine data and present alerts to human security analysts. It is not designed to halt the damage that ransomware can cause. For those cases, SIEM is better suited to post-mortem analysis than to live threat response. To handle time-sensitive attacks such as ransomware, an automated approach such as UEBA (User & Entity Behavior Analytics) is needed. UEBA is a new category of security technology; in fact, it didn’t even have a name until recently.
What UEBA does is define “normal” and “abnormal” user and device behavior based on machine learning and real-time network analytics from sensors. This abnormal behavior could be a known signature of malware command-and-control traffic, signs of lateral movement within your systems or unusual file system activity. A similar technology is Varonis DatAlert, which can act as an access sensor to detect and respond to abnormal behavior such as widespread file encryption (a hallmark of ransomware).
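The detection idea described above (learn what is "normal" for a user, then flag departures such as widespread file encryption) is shown below as an added example; it is not Varonis, DatAlert or any UEBA vendor's code. It assumes a constructed audit-log line format ("timestamp user action path"), uses one-hour windows, and the sample log lines are made up for the demonstration.

```python
import os
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed (constructed) audit-log line format; not a Varonis or DatAlert format:
#   "<ISO-8601 timestamp> <user> <READ|WRITE|RENAME> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|RENAME) (\S+)$")
MODIFYING = {"WRITE", "RENAME"}

def parse_log(lines):
    """Turn raw lines into (timestamp, user, action, path); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, action, path = m.groups()
            events.append((datetime.fromisoformat(ts), user, action, path))
    return events

def hourly_features(events):
    """Summarise modifying activity per (user, hour): files changed, directories touched,
    and extensions written. These are the three signals the detector reasons about."""
    windows = defaultdict(lambda: {"mods": 0, "dirs": set(), "exts": set()})
    for ts, user, action, path in events:
        if action in MODIFYING:
            w = windows[(user, ts.replace(minute=0, second=0, microsecond=0))]
            w["mods"] += 1
            w["dirs"].add(os.path.dirname(path))
            w["exts"].add(os.path.splitext(path)[1].lower())
    return windows

def build_baseline(events):
    """Learn each user's 'normal': an upper bound on hourly modifications (mean + 3 sigma),
    the widest directory spread seen in one hour, and the set of extensions ever written."""
    per_user = defaultdict(lambda: {"mods": [], "max_dirs": 0, "exts": set()})
    for (user, _hour), w in hourly_features(events).items():
        p = per_user[user]
        p["mods"].append(w["mods"])
        p["max_dirs"] = max(p["max_dirs"], len(w["dirs"]))
        p["exts"] |= w["exts"]
    baseline = {}
    for user, p in per_user.items():
        sigma = max(pstdev(p["mods"]), 1.0)  # floor: a perfectly flat history still gets a margin
        baseline[user] = {"threshold": mean(p["mods"]) + 3 * sigma,
                          "max_dirs": p["max_dirs"], "exts": p["exts"]}
    return baseline

def detect(baseline, events):
    """Alert only when volume is abnormal AND a second encryption trait is present
    (never-seen extensions or unusual spread); volume alone fires on legitimate bulk edits."""
    alerts = []
    for (user, hour), w in sorted(hourly_features(events).items()):
        b = baseline.get(user)
        if b is None:
            continue  # no history for this user; a real system would fall back to a peer-group baseline
        too_many = w["mods"] > b["threshold"]
        new_exts = sorted(w["exts"] - b["exts"])
        spread = len(w["dirs"]) > b["max_dirs"]
        if too_many and (new_exts or spread):
            reasons = [f"{w['mods']} modifications in one hour (normal limit {b['threshold']:.1f})"]
            if new_exts:
                reasons.append("new extensions: " + ", ".join(new_exts))
            if spread:
                reasons.append(f"{len(w['dirs'])} directories touched (normal max {b['max_dirs']})")
            alerts.append({"user": user, "hour": hour.isoformat(), "reasons": reasons})
    return alerts

# Constructed sample data: one quiet day to learn from, then a day containing an encryption burst.
BASELINE_LOG = [
    "2017-05-12T09:00:00 alice WRITE /share/finance/q1.xlsx",
    "2017-05-12T09:05:00 alice READ /share/finance/q2.xlsx",
    "2017-05-12T09:20:00 alice WRITE /share/finance/q2.xlsx",
    "2017-05-12T10:00:00 alice WRITE /share/finance/notes.docx",
    "2017-05-12T10:30:00 alice WRITE /share/finance/q1.xlsx",
    "2017-05-12T11:00:00 alice WRITE /share/finance/budget.xlsx",
    "2017-05-12T11:20:00 alice WRITE /share/finance/q3.xlsx",
    "2017-05-12T12:00:00 bob WRITE /share/eng/spec.docx",
    "2017-05-12T13:00:00 bob WRITE /share/eng/spec.docx",
    "2017-05-12T13:15:00 bob WRITE /share/eng/README.md",
]
SUSPECT_LOG = [
    "2017-05-13T09:01:00 alice RENAME /share/finance/q1.xlsx.locked",
    "2017-05-13T09:01:05 alice RENAME /share/finance/q2.xlsx.locked",
    "2017-05-13T09:01:10 alice RENAME /share/finance/notes.docx.locked",
    "2017-05-13T09:01:15 alice RENAME /share/finance/budget.xlsx.locked",
    "2017-05-13T09:01:20 alice RENAME /share/finance/q3.xlsx.locked",
    "2017-05-13T09:01:30 alice RENAME /share/hr/salaries.xlsx.locked",
    "2017-05-13T09:01:35 alice RENAME /share/hr/reviews.docx.locked",
    "2017-05-13T09:02:00 alice WRITE /share/finance/HOW_TO_RECOVER.txt",
    "2017-05-13T09:10:00 bob WRITE /share/eng/spec.docx",
    # Busy but legitimate hour: many changes, yet familiar extensions in the usual directory.
    "2017-05-13T14:00:00 alice WRITE /share/finance/jan.xlsx",
    "2017-05-13T14:01:00 alice WRITE /share/finance/feb.xlsx",
    "2017-05-13T14:02:00 alice WRITE /share/finance/mar.xlsx",
    "2017-05-13T14:03:00 alice WRITE /share/finance/apr.xlsx",
    "2017-05-13T14:04:00 alice WRITE /share/finance/may.xlsx",
    "2017-05-13T14:05:00 alice WRITE /share/finance/jun.xlsx",
]

def run_demo():
    return detect(build_baseline(parse_log(BASELINE_LOG)), parse_log(SUSPECT_LOG))

if __name__ == "__main__":
    for alert in run_demo():
        print(alert["user"], alert["hour"], "; ".join(alert["reasons"]))
```

Run as-is, the demo flags only alice's 09:00 burst on the second day: eight renames in a minute to a never-seen extension across two directories. Her equally busy 14:00 hour is not flagged because the extensions and directory match her learned profile, which is the point of requiring a second behavioural signal rather than alerting on volume alone. A production sensor would refine this with shorter windows, an entropy check on file contents, and peer-group baselines for users with no history.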
4. Respond and recover with an airgapped backup system.
Dell EMC IRS is an example of disaster recovery in the post-ransomware world. IRS creates a pristine backup copy that remains airgapped from the main network so that enterprises can recover quickly from a ransomware attack. At the end of the day, one of the best ways to avoid losing access to data is still to make sure you always have a safe copy of it.
Ransomware isn’t going away any time soon. In fact, it’s already been assimilated into the cybercriminal toolkit and is now evolving into a new breed of ransom-based attacks that range from locking hotel guests out of their rooms to illegally uploading upcoming scripts from Game of Thrones. Like Jon Snow, it would seem the notion of trusting our defenses to a single Wall is overly optimistic in a world where advanced persistent threats are on every side.