Ransomware has become a major threat and a high risk to individuals and organizations worldwide. It is a particularly destructive class of malware: when it hits, it makes critical systems and sensitive information inaccessible until a ransom is paid. The ransom is typically demanded in bitcoin within 72 hours, after which the attackers claim the key needed to unlock the data is deleted, making recovery almost impossible. Some variants have also started deleting data during those 72 hours, making the pressure to unlock the systems even more time sensitive. The impact on an organization can include temporary loss of systems and access to sensitive information, downtime of operations, financial loss and reputation damage.
The most recent variants, WannaCry (also known as WannaCrypt and WannaCrypt0r 2.0), are believed to spread using EternalBlue, an exploit developed by the NSA, which means unpatched Windows systems are exposed to them. This variant is known to have infected more than 230,000 systems in more than 150 countries, making it one of the most destructive ransomware outbreaks to date. Microsoft released patches for the underlying vulnerability on March 14th, before the stolen NSA exploits were publicly released, and companies have been rushing to patch since, although unfortunately not fast enough to prevent this attack. Earlier examples of such sophisticated attack techniques surfaced when Kaspersky discovered fileless malware targeting financial, government and telecommunications organizations. That fileless malware was used to record administrator credentials and passwords, which gave the attackers access to almost anywhere within the network and infrastructure and was ultimately used to withdraw money from ATMs.
It is important to note that more than 3 billion user credentials and passwords were stolen in 2016, which works out to roughly 8.2 million passwords a day and approximately 95 every second. And per the Verizon Data Breach Investigations Report, threat actors used stolen passwords 95% of the time in the most common types of attacks.
The destructive nature of ransomware and its impact on individuals and organizations globally has led the Department of Homeland Security, US-CERT and the FBI to release alerts urging organizations to take this threat seriously before it is too late.
Ransomware has become so effective and efficient that many organizations have resorted to paying the ransom, sometimes at a cost of thousands of dollars. Some found it more cost effective to pay (with no guarantee of recovery) than to restore from backup, which in some cases would have cost more.
Organizations should consider multiple security controls to reduce the risk of ransomware. These controls are also cyber security best practices and will reduce the risk from other malware threats as well.
What steps can be taken?
#1 Educate Employees on Their Responsibilities and the IT Policy. Statistics indicate that 1 in 5 employees will open and click on emails containing malware. Educating employees on how to identify phishing emails is a major risk mitigation for any organization, with some achieving more than a 50% reduction in cyber risk as a result of good training and security awareness programs. This can be a very cost-effective solution. It not only protects employees on corporate systems but also lets them use the same knowledge to protect their own personal systems, information and families from the same threats.
#2 Understanding How Hackers Operate Will Give You a Cyber Advantage. In advanced threats, the attacker spends a large amount of time researching a list of potential targets and gathering information about the organization's structure, clients and so on. The social media activity of people in the target company is monitored to learn which systems and forums they favor, and any technology vulnerabilities are assessed. Once a weakness is found, the attacker's next step is to breach the perimeter (often the only security most companies adopt) or to send emails carrying malicious software such as ransomware, and gain access, which for most attackers is easily done. Organizations should use similar analysis techniques to identify which of their assets threats like ransomware will target and use that knowledge to deploy security controls that mitigate the risk.
#3 Back Up Critical and Sensitive Data Online and Offline. If ransomware does impact the organization, it is vital that a recovery plan exists so that critical and sensitive data can be restored quickly and the organization made operational again. Offline backups matter because ransomware that spreads across the network can make the online backup systems unavailable as well, and a backup that has never been test-restored should not be counted on. A good backup plan reduces the impact ransomware has on an organization, but while it provides the ability to restore, it is a business continuity measure rather than a preventive security control, and it serves other disaster recovery situations too.
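One way to make the offline copy and the restore test concrete, as an added example that is not part of the original article: mirror the data to a volume that is attached only while the job runs, write a SHA-256 manifest alongside it, and verify the copy against that manifest. The paths, the volume layout and the Test-Backup function are assumptions for illustration.

```powershell
# Added example (not from the original article): mirror a data set to an offline volume,
# record a SHA-256 manifest, and verify the copy against that manifest before relying on it.
# Paths are assumptions; the backup volume is assumed to be attached only while the job runs.
$source   = 'D:\Data'
$backup   = 'E:\Backups\Data'                 # assumed offline/removable volume
$manifest = 'E:\Backups\Data.manifest.csv'    # kept outside the mirrored tree

# 1. Hash the source first so the manifest describes exactly what was copied.
Get-ChildItem -Path $source -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'RelativePath'; e = { $_.Path.Substring($source.Length).TrimStart('\') } }, Hash |
    Export-Csv -Path $manifest -NoTypeInformation

# 2. Mirror the tree. robocopy exit codes of 8 or above mean something failed to copy.
robocopy $source $backup /MIR /R:1 /W:1 /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. Restore test: every file in the manifest must exist in the backup with the same hash.
#    A ransomware run that reached the backup volume shows up here as missing files or
#    hash mismatches, rather than on the day a restore is actually needed.
function Test-Backup {
    param([string]$BackupRoot, [string]$ManifestPath)
    $problems = foreach ($entry in Import-Csv -Path $ManifestPath) {
        $file = Join-Path -Path $BackupRoot -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file)) { "$($entry.RelativePath): missing"; continue }
        $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($actual -ne $entry.Hash) { "$($entry.RelativePath): hash mismatch" }
    }
    if ($problems) { $problems } else { "Backup verified: all files match $ManifestPath" }
}
Test-Backup -BackupRoot $backup -ManifestPath $manifest
```

Keep the previous run's manifest rather than overwriting it blindly: a run in which most hashes have changed since last time is a sign the source was already encrypted when the job ran, and mirroring it with /MIR would replace the last good copy.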
#4 Least Privilege and Application Whitelisting. Removing Administrator or super-user privileges from users reduces the damage when an employee unknowingly opens or clicks on ransomware, or visits a supplier or public website that is infected and distributing malware: the malicious software never gets the privileges it needs to make the system unavailable and is stopped in its tracks. Least privilege alone, however, sometimes leaves employees unable to perform certain day-to-day tasks. This is where application whitelisting together with least privilege enables employees to keep working with little to no disruption while staying safe from malicious software. Application whitelisting, combined with reputation and threat intelligence, lets an organization analyze a piece of software or an executable before granting it the privileges it needs: it checks whether the file comes from a trusted source or software library, what its reputation is and whether the current system security controls raise the risk, and it can inform a security analyst of the request so they can intervene if required. Using least privilege and application control together is one of the most effective ways an organization can reduce the risk from ransomware and other types of malicious software.
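As an added example (not the article's own material) of what the whitelisting half of this control looks like on a Windows workstation, the AppLocker cmdlets can generate a default-deny allowlist from the software already installed in locations a standard user cannot write to, and test it against a user's profile before enforcing it. The directories, the user name jdoe and the output path are assumptions; AppLocker is available on the Enterprise and Education editions of Windows 10 and on Windows Server.

```powershell
# Added example (not from the original article): build a default-deny AppLocker allowlist
# from trusted install locations, then dry-run it against a user's profile before enforcing.
# Paths and the user name 'jdoe' are assumptions.
Import-Module AppLocker

# The Application Identity service must be running for AppLocker to evaluate rules at all.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory executables, scripts and installers in locations a standard user cannot write to.
$trusted = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$files = foreach ($dir in $trusted) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Prefer publisher rules (they survive updates of signed software); fall back to hash
#    rules for unsigned binaries. Once any rule exists in a collection, AppLocker denies
#    everything else in that collection, so a payload dropped into a user profile has no rule.
$policyXml = 'C:\Temp\applocker-allowlist.xml'
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Trusted' -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Dry run: list what the standard user could still launch from their own profile (where
#    phishing attachments and drive-by downloads land). Anything reported here is a gap to
#    review before enforcement.
Get-ChildItem "$env:SystemDrive\Users\jdoe" -Recurse -Include *.exe, *.js, *.vbs, *.ps1, *.msi -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User 'jdoe' -Filter Allowed

# 4. Roll out in audit mode first: set EnforcementMode="AuditOnly" on each RuleCollection in
#    the XML, apply it, and review the AppLocker event log before switching to "Enabled".
#    -Merge keeps any rules already on the machine; in a domain, use -Ldap with the GPO path.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

The audit-mode step is the practical safeguard: it records what would have been blocked (including line-of-business tools installed outside Program Files) without interrupting anyone, which is what makes least privilege plus whitelisting workable rather than a source of help-desk tickets.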
#5 Password and Privileged Account Management should be a major concern for every organization. Implementing effective security controls here can be the difference between properly containing a simple perimeter breach and experiencing a cyber catastrophe.
Companies should provide suitable training for employees on best practices for choosing passwords. Often, when a very complex password is required, employees revert to writing it down because it is hard to remember, or they reuse the same password for corporate and personal social accounts. This creates an external threat that companies should continuously assess.
If your company gives employees local administrator accounts or privileged access, then this kind of ineffective password management seriously weakens the organization's cyber security. It can mean the difference between a single system and user account being compromised and the compromise of the entire organization's computer systems. Advanced Persistent Threats that use privileged accounts often result in major data loss, malicious activity, financial fraud or, in the worst case, ransomware.
Organizations should move quickly to continuously audit and discover privileged accounts and the applications that require privileged access, remove administrator rights where they are not required, and adopt two-factor authentication so that a stolen password alone is not enough to compromise an account.
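The discovery step above can be scripted. The following is an added example, not part of the original article: it collects the members of the local Administrators group from a set of workstations, flags anyone not on an approved list, and shows how the unexpected entries would be removed. The computer names and the approved principals are assumptions; Get-LocalGroupMember and Remove-LocalGroupMember ship with Windows 10 and Windows Server 2016 or later, and the target hosts need PowerShell remoting enabled.

```powershell
# Added example (not from the original article): find local Administrators members across
# workstations and flag those not on the approved list. Inventory and approved list are assumed.
$computers = 'WS01', 'WS02', 'WS03'                      # assumed inventory
$approved  = 'CORP\Domain Admins', 'CORP\Workstation Admins',   # assumed approved principals
             'Administrator'                             # built-in account, managed separately

# Query each host remotely; strip the "HOSTNAME\" prefix from local accounts so the names
# compare cleanly against the approved list.
$members = Invoke-Command -ComputerName $computers -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      @{ n = 'Member';   e = { $_.Name -replace "^$env:COMPUTERNAME\\", '' } },
                      ObjectClass, PrincipalSource
}

# Anything not explicitly approved is a finding: a user who was made local admin to install
# a printer driver two years ago is exactly the account ransomware runs under.
$unexpected = $members | Where-Object { $_.Member -notin $approved }
$unexpected | Sort-Object Computer, Member | Format-Table Computer, Member, ObjectClass, PrincipalSource -AutoSize

# Remediation, once the findings have been reviewed (uncomment to apply):
# foreach ($m in $unexpected) {
#     Invoke-Command -ComputerName $m.Computer -ScriptBlock {
#         param($name) Remove-LocalGroupMember -Group 'Administrators' -Member $name
#     } -ArgumentList $m.Member
# }
```

Run it on a schedule and diff the output against the last run: a new name appearing in the Administrators group on a single workstation is one of the cheapest indicators of a compromised account being elevated.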
#6 Keeping Systems Patched and Up to Date. Patching is a security control that many organizations apply, yet recent events show it is often not as effective as it should or could be. Most breaches and ransomware infections have used known vulnerabilities and publicly available exploits to get malicious software onto systems; in the WannaCry case, the fix for the vulnerability EternalBlue exploits had been available since the March 14th release described above. Keeping security updates current significantly reduces the risk of malware exploiting those vulnerabilities.
#7 Anti-Virus Should Be Kept Up to Date and Scan All Attachments and Downloads Before They Are Executed. While anti-virus is no longer the only security control required, it remains a basic, essential risk mitigation that should be deployed. It is less effective than it once was against new variants, but it still detects much of the known malicious software that can impact an organization.
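As an added example, not part of the original article, the following script reports two things a practitioner would check on a fleet after an outbreak like WannaCry: whether each host has received any update since the March 14th release the article mentions, and whether SMBv1, the protocol EternalBlue targets, is still enabled. The host names are assumptions, and the date check is a staleness heuristic only; confirming that a specific update is present is a job for WSUS or the patch-management system.

```powershell
# Added example (not from the original article): patch staleness and SMBv1 status per host.
# Host names are assumed; requires PowerShell remoting and admin rights on the targets.
$computers   = 'WS01', 'WS02', 'FS01'        # assumed inventory
$patchCutoff = Get-Date '2017-03-14'          # date of the Microsoft release cited above

$report = foreach ($c in $computers) {
    # Newest installed update as reported by Win32_QuickFixEngineering. Entries without an
    # InstalledOn date are skipped; an absent result means no update was found at all.
    $latest = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue |
              Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending |
              Select-Object -First 1
    $stale = (-not $latest) -or ($latest.InstalledOn -lt $patchCutoff)

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and
    # later; older hosts expose the same switch in the LanmanServer registry key, where an
    # absent SMB1 value means SMBv1 is enabled (the default).
    $smb1 = Invoke-Command -ComputerName $c -ScriptBlock {
        if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            (Get-SmbServerConfiguration).EnableSMB1Protocol
        } else {
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
            if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
        }
    }

    $latestId   = if ($latest) { $latest.HotFixID } else { 'none' }
    $latestDate = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { 'n/a' }
    [pscustomobject]@{
        Computer         = $c
        LatestUpdate     = $latestId
        InstalledOn      = $latestDate
        NoUpdateSince314 = $stale
        SMB1Enabled      = $smb1
    }
}
$report | Format-Table -AutoSize

# Compensating control for a host that cannot be patched immediately: turn SMBv1 off
# (takes effect after a reboot). Uncomment for a specific host once its dependencies are known.
# Invoke-Command -ComputerName FS01 -ScriptBlock { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
```

A host that shows up as both unpatched and with SMBv1 enabled is the priority: it is reachable by the same worm component that spread WannaCry, and disabling SMBv1 buys time until the update can be applied.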