Pick up any newspaper or log on to your favorite tech news site today and you’re likely to come across a story about ransomware. There aren’t many CISOs or IT managers left in the US who haven’t either become a victim or know an organization that has. Trend Micro alone has blocked over 100 million such threats since last October, and counting.
The best way of tackling ransomware is to take preventative measures built around layered protection. But the first step we need to take is understanding the problem. So let’s take a closer look at exactly what this new malware menace is and the implications for organizations.
The simplest way to describe ransomware is an online threat that can render your organization’s files and/or systems completely useless. The victim is then forced to pay up in order to regain access. The earliest versions of ransomware were designed to lock the victim’s machine until payment was made. More dangerous is the new breed of so-called “crypto-ransomware,” which searches for specific (often common) file extensions like .doc or .pdf and makes those files unusable via strong encryption. This leaves IT bosses with little option but to pay for a decryption key.
A ransom note will be displayed, telling you how much must be paid to regain access to those files/systems. It usually amounts to a few hundred dollars and will be payable in Bitcoin or a similar payment method. Many variants include detailed how-to guides and information designed to walk less tech-savvy victims through the whole process, including chat session options. Once victims have paid, they are required to send the associated Transfer ID to the attacker as proof of payment. If it’s crypto-ransomware, they can then usually expect to be given a decryption key.
Ransomware is most commonly targeted at users, typically using social engineering and email/web channels. This means weaponized attachments in unsolicited emails, or malicious URLs pointing to known-bad or compromised sites, are used to infect the victim. Increasingly, however, ransomware has been crafted to exploit weaknesses at the network or server level. This is why a holistic approach based on the principle of layered protection is vital.
Why should I be worried?
The implications for organizations are obviously pretty serious. At the very least you’ll be forced to pay a ransom to regain access to your files. This could be a few hundred dollars, but some organizations have been extorted for far more. One of the most high-profile victims – the Hollywood Presbyterian Medical Center – ended up paying $17,000 to restore key systems and administrative functions.
Even without counting the ransom fee itself, there’s the cost of lost productivity and worker downtime, damage to brand and reputation, and potential regulatory fines to consider. Some reports claim the FBI has pegged losses in Q1 alone at $209 million – a huge increase on the $24m estimated for the whole of 2015.
As if that weren’t enough to be worried about, new ransomware variants like the latest version of the infamous CryptXXX include additional features, such as functionality to steal corporate data as well as encrypt it.
How do I keep my organization safe?
When it comes to ransomware, the black hats are updating their malware all the time to evade detection and circumvent any attempts to break the encryption. Another challenge is that there’s no guarantee that paying up will result in the hacker giving you access back to those key files.
IT security bosses must therefore focus all their attention on prevention, around a few key areas:
Back up enterprise data. Operate a 3-2-1 system: three backup copies, on two different media, with one of those copies kept in a secure, offline location.
Educate your end users not to click on links or open attachments in unsolicited emails; to verify email sources before opening; and to bookmark frequently visited sites. The latter will help prevent them from accidentally visiting drive-by-download sites laden with malware.
Patch all systems as soon as updates come out and keep security software up to date, minimizing the chances of software vulnerabilities being exploited.
Segment the network to limit how far ransomware can spread through an organization once a single machine is infected.
Deploy layered defense, with advanced security in place at the web/email gateway, endpoint, network, and physical/virtual/cloud server levels.
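Crypto-ransomware, as described above, typically writes to a burst of files sharing a few common extensions. The following added example (not code from the original post or from Trend Micro) is an endpoint-layer heuristic that scans file-access audit lines and flags any process touching many such files within a short window. The log format and the sample lines are constructed for this demo.

```python
"""Heuristic detector for crypto-ransomware file activity (constructed example)."""
import os
from collections import defaultdict, deque
from datetime import datetime

TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}  # commonly targeted types
THRESHOLD = 5   # distinct targeted files modified by one process ...
WINDOW = 60     # ... within this many seconds triggers an alert

# Constructed audit lines: "<ISO timestamp> <pid> <process> <action> <path>"
SAMPLE_LOG = """\
2016-05-10T09:00:01 1204 winword.exe WRITE /share/finance/q1-report.docx
2016-05-10T09:00:03 3310 updater.exe WRITE /share/finance/budget.xlsx
2016-05-10T09:00:04 3310 updater.exe WRITE /share/finance/forecast.xlsx
2016-05-10T09:00:04 3310 updater.exe WRITE /share/hr/contract-smith.pdf
2016-05-10T09:00:05 3310 updater.exe WRITE /share/hr/policy.doc
2016-05-10T09:00:06 3310 updater.exe WRITE /share/legal/nda-acme.docx
2016-05-10T09:00:07 3310 updater.exe WRITE /share/legal/merger.pdf
2016-05-10T09:00:08 3310 updater.exe WRITE /share/README.txt
2016-05-10T09:30:00 1204 winword.exe WRITE /share/finance/q2-report.docx
"""


def parse(line):
    ts, pid, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path


def detect(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return [(pid, process, files_hit, first_ts_iso)] for every process that
    modifies >= threshold distinct targeted files inside a window-second span."""
    recent = defaultdict(deque)  # (pid, proc) -> deque of (ts, path) in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, action, path = parse(line)
        if action not in ("WRITE", "RENAME"):
            continue
        if os.path.splitext(path)[1].lower() not in TARGET_EXTS:
            continue  # README.txt and similar are not counted
        q = recent[(pid, proc)]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window:  # drop stale events
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and (pid, proc) not in alerts:
            alerts[(pid, proc)] = (pid, proc, len(distinct), q[0][0].isoformat())
    return list(alerts.values())


if __name__ == "__main__":
    for pid, proc, n, since in detect(SAMPLE_LOG):
        print("ALERT pid=%d process=%s targeted_files=%d since=%s" % (pid, proc, n, since))
```

On the sample log the normal Word activity (two writes half an hour apart) stays silent, while the process that hits five document types in four seconds is reported once; tune THRESHOLD and WINDOW to the real rate of legitimate bulk jobs such as backups and indexers.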
Check out this ransomware blog series to learn more about how to best protect your organization with layered ransomware protection.