This year we are seeing an unprecedented increase in ransomware attacks on businesses and organisations of all sizes, from universities, hospitals and utility companies to police stations and medical centres. It is an alarming trend, considering that, according to Ponemon Institute’s 2016 State of Endpoint Report, most organisations are not prepared to deal with this threat. Ransomware is not a new concept; it goes back almost 30 years. What has changed is that cybercriminals now have bitcoin as a payment channel that is hard to block or reverse, strong and correctly implemented encryption, and a general lack of vigilance on the part of businesses and institutions, and they have used all three to turn ransomware into today’s cash cow.
1. What is Ransomware?
Essentially, ransomware is a form of data-kidnapping malware that encrypts a victim’s data with the intention of extorting payment for the decryption key. It is constantly evolving, with new malware families emerging nearly every week. The sheer number of variants, together with continuous improvements to the code and the attack vectors, means that defenders are usually reacting to what the criminals did last. In practice this means that once ransomware has encrypted a computer, the encryption usually cannot be broken: where the authors have used standard ciphers correctly, the only way to get the data back without the key is a backup. Free decryptors do exist for some families whose authors made implementation mistakes, so it is worth checking before paying, but nobody should plan on being that lucky. Otherwise the victim is left with two painful choices: pay the attacker for the decryption key or lose the data.
At the moment, all popular operating systems are being targeted by ransomware, including Windows, Mac OS X, Linux and Android. Regardless of the family involved, attacks are carried out in a similar manner each time: the malware arrives via email attachments, exploit kits on compromised or malicious websites, or trojanised programs, and then encrypts whatever the infected user’s account can write to. Most of these infection methods are effective because they work on people rather than on technical flaws. With 81% of respondents in a recent study agreeing that employees were the biggest threat to security, it is not hard to see why cybercriminals choose to exploit the human factor.
2. 2016 – Year of the Ransomware
The increased attacks on corporate entities and other institutions are actually not that surprising, considering that losing corporate data has significantly more severe consequences than losing consumer data, and consequently a higher likelihood of a payout. What is surprising is that these entities are so ill prepared. According to a recent study, 56 percent of companies surveyed said they are not ready to fend off ransomware attacks, and just 38 percent said they have a strategy to deal with destructive software.
These numbers seem a fairly accurate representation, judging by the number of ransomware attacks reported every month. In February, the Hollywood Presbyterian Medical Center in Los Angeles and several police departments in the US paid ransoms after falling prey to ransomware. In March, MedStar Health, a network of 10 hospitals in Washington D.C. and Maryland, and a hospital in Kentucky were hit with similar attacks. More recently, in April, a water and electricity utility in the US state of Michigan needed a week to recover from a ransomware infection that began when an employee opened a malicious email attachment. Reading about these incidents, one might assume that US companies are particularly negligent about cyber security compared with Australian organisations. The more likely explanation is simply that we hear about the US cases: unlike Australia, which is lagging behind the rest of the developed world, most US states have enacted mandatory data security breach notification laws, beginning with California in 2003.
At present, Australian organisations enjoy a measure of anonymity, since they are not legally bound to report security breaches. That may change if the proposed mandatory data breach reporting legislation is passed in the near future. In truth, Australia and the Asia Pacific region make a relatively easy target for cybercriminals because of a lack of security awareness at all levels, underinvestment in security, and skills shortages.
3. How Can Companies Protect Themselves from Ransomware?
Companies are discouraged from paying the ransom, not least because payment funds the next campaign and does not guarantee a working decryption key, but depending on the criticality of the asset and the effect of its loss on the business’ viability, many enterprises may feel they have no choice. Organisations like hospitals store vital patient data, the loss of which may result not just in financial difficulty or loss of reputation but in risk to patients’ lives. To successfully combat ransomware, organisations should employ a layered approach, as no single control is effective on its own. The aim is to have sufficient controls and recovery processes in place that a hostage situation becomes merely an inconvenience rather than a critical business threat.
- Back Up
Daily backup of all critical data is the most important step, as insurance against worst-case scenarios involving not only ransomware and a myriad of other security issues but also natural disasters such as floods and fires. At a minimum, two backup copies should be maintained: one to enable on-site recovery and a second copy vaulted at a secure off-site facility. Two caveats matter specifically for ransomware. First, the malware encrypts everything the infected account can write to, so a backup on a mapped network drive, an attached USB disk or a synced cloud folder will simply be encrypted along with the originals; at least one copy must be offline, or on storage that production accounts cannot modify. Second, a backup nobody has ever restored from is a hope, not a control: restores should be tested regularly, and the integrity of each copy verified against a record taken when the copy was made.
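The integrity check described above, as an added example (this is not code from the original article or from any backup product): a SHA-256 manifest is taken when the backup is made and later compared against a copy, so that a copy silently overwritten by ransomware is reported as changed rather than trusted. The directory layout, file names and the simulated attack in `demo()` are constructed for the illustration.

```python
"""Build a SHA-256 manifest of a backup set and verify a copy against it.

Added example, not from the original article. It assumes the backup set is a
plain directory tree; the paths and file contents in demo() are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files are not loaded into RAM


def sha256_file(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest, copy_root):
    """Compare a backup copy against the manifest recorded when it was taken.

    Returns the files that are missing, changed (digest differs) and unexpected
    (present in the copy but not in the manifest, e.g. a dropped ransom note).
    A ransomware run on a mounted backup drive shows up in all three lists.
    """
    actual = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed scenario: take a backup, then simulate ransomware reaching the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        copy = Path(tmp, "onsite-copy")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2016-04-01,100\n")
        (src / "notes.txt").write_text("constructed sample record\n")

        manifest = build_manifest(src)  # store this with the off-site copy, not on the file server
        shutil.copytree(src, copy)
        assert verify_backup(manifest, copy) == {"missing": [], "changed": [], "unexpected": []}

        # The on-site copy was left mounted read-write on an infected machine:
        # one file is overwritten with "ciphertext", one is renamed with a new
        # extension, and a ransom note appears.
        (copy / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (copy / "notes.txt").rename(copy / "notes.txt.locked")
        (copy / "README_DECRYPT.txt").write_text("pay 1 BTC\n")
        return verify_backup(manifest, copy)


if __name__ == "__main__":
    print(demo())
```

The manifest is only useful if the attacker cannot rewrite it along with the files, so keep it with the off-site or offline copy and regenerate it only from a clean host. A check that passes on a drive that was mounted read-write on a compromised machine tells you that you were lucky, not that the design was sound; the offline copy is what the design relies on.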
- Application whitelisting
Whitelisting may also help reduce risk, as it prevents malicious software and unapproved programs from running on an organisation’s endpoints: a ransomware dropper that is not on the approved list does not run at all. This option may be less appropriate for users like developers, who legitimately need to run new binaries, but the average office worker is well protected by being able to run only known, approved programs.
- Anti-virus and Firewalls
Maintaining up-to-date anti-virus and anti-malware capabilities, as well as appropriate firewall configurations, is simply good practice. It will not catch every new variant, since new families appear weekly and signatures lag behind them, but it removes the known ones, and some variants check for security tools on the compromised machine and terminate themselves if they find any.
- Software and Systems Patches
A large percentage of attacks, including those delivered by exploit kits, target vulnerable applications and operating systems, so keeping the operating system, browsers, browser plugins and other software up to date with the latest patches is crucial.
- Network segmentation and user permissions
Network segmentation is an important step in ensuring that any infection or security breach is contained, limiting the impact of ransomware on the organisation. To further lower the risk, restrict users’ permissions to install and run unwanted software, and apply the principle of least privilege to all systems and services, including write access to file shares: ransomware can only encrypt what the compromised account can write to, so a user with read-only access to most shares cannot take the whole company down with them. Doing so may prevent malware from running at all, or limit its ability to spread through the network.
- Education and awareness
Because staff are often the cause of ransomware infections, user education can go a long way towards improving a company’s resilience. It is important that staff understand the basics about malicious attachments, suspicious links and so on, but unannounced penetration tests with a social engineering component that imitates a ransomware campaign do more: they test whether employees actually do the right thing, and they motivate staff to be more vigilant in the future.
- Email Security and macros
Disabling macros by Group Policy, so that users cannot switch them back on, and adopting an email security gateway that blocks emails carrying malicious attachments and URLs, may be the most effective strategy of all, as it cuts out the human factor and reduces the risk that one user with a twitchy finger renders all the above precautions futile.
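The “can’t switch them back on” part is the one that is easy to get wrong, so here is an added example (not from the original article or from Microsoft) of how to check it. Office reads its macro setting from two registry locations: the per-user key, which the user can change in the Trust Center, and the Policies key, which Group Policy writes and the Trust Center shows greyed out. Only a value under Policies actually stops a user re-enabling macros. The key paths and value names are the ones Office 2016 (16.0) uses; the two registry snapshots are constructed for the demonstration, and `read_live_snapshot()` is an assumed helper for running the same check on a real Windows machine.

```python
"""Check whether Office macros are disabled in a way that users cannot undo.

Added example, not from the original article. Key paths and value names are
those Office 2016 (16.0) uses; the snapshots below are constructed.
"""
import sys

APPS = ("Word", "Excel", "PowerPoint")
USER_KEY = r"Software\Microsoft\Office\16.0\{app}\Security"            # user-changeable
POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\{app}\Security"  # written by GPO, locked

# VBAWarnings values: 1 = enable all, 2 = disable with notification (the default,
# with the one-click "Enable Content" bar), 3 = disable all except digitally
# signed, 4 = disable all without notification.
BLOCKING_VALUES = {3, 4}
DEFAULT_VBAWARNINGS = 2


def assess(snapshot):
    """snapshot: {HKCU-relative key path: {value name: DWORD}}.

    Returns, per application, whether macros are blocked, whether the user can
    re-enable them, and whether macros in files from the internet are blocked
    regardless of the general setting (blockcontentexecutionfrominternet)."""
    report = {}
    for app in APPS:
        policy = snapshot.get(POLICY_KEY.format(app=app), {})
        user = snapshot.get(USER_KEY.format(app=app), {})
        # A policy value overrides the user value; with no policy the user value
        # applies, and with neither Office falls back to its default of 2.
        locked = "VBAWarnings" in policy
        effective = policy.get("VBAWarnings", user.get("VBAWarnings", DEFAULT_VBAWARNINGS))
        report[app] = {
            "macros_blocked": effective in BLOCKING_VALUES,
            "user_can_reenable": not locked,
            "internet_files_blocked": policy.get("blockcontentexecutionfrominternet") == 1,
        }
    return report


def hardened_snapshot():
    """The values a Group Policy object should push to every user (constructed)."""
    return {
        POLICY_KEY.format(app=app): {"VBAWarnings": 4, "blockcontentexecutionfrominternet": 1}
        for app in APPS
    }


# Constructed: a user who dutifully chose "Disable all macros" in Word's Trust
# Center. Nothing stops them, or the next phishing email's instructions, from
# changing it back, and Excel and PowerPoint are still at the default.
WEAK_SNAPSHOT = {USER_KEY.format(app="Word"): {"VBAWarnings": 4}}


def read_live_snapshot():
    """Assumed helper: read the same keys from the real registry (Windows only)
    so assess() can be run against a live machine instead of a snapshot."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read needs Windows; use assess() on a saved snapshot")
    import winreg  # standard library, Windows only
    names = ("VBAWarnings", "blockcontentexecutionfrominternet")
    snapshot = {}
    for app in APPS:
        for template in (USER_KEY, POLICY_KEY):
            path = template.format(app=app)
            try:
                with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
                    values = {}
                    for name in names:
                        try:
                            values[name] = winreg.QueryValueEx(key, name)[0]
                        except FileNotFoundError:
                            pass  # value not set under this key
                    snapshot[path] = values
            except FileNotFoundError:
                pass  # key does not exist at all
    return snapshot


if __name__ == "__main__":
    for label, snap in (("weak", WEAK_SNAPSHOT), ("hardened", hardened_snapshot())):
        print(label, assess(snap))
```

The weak snapshot reports Word as blocked but re-enableable, and the other applications as not blocked at all, which is exactly the state an attacker’s “enable content to view this invoice” instruction relies on. The hardened snapshot reports every application as blocked, locked, and blocking internet-sourced files even if the general setting were later relaxed.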