Ransomware remains one of the most damaging cyber crimes committed against organizations and promises to stay that way for some time. It began on a small scale in the consumer realm and is now one of the most significant threats that organizations across industries face.

We experienced two high-profile global attacks that presented as ransomware this year, “WannaCry” and “NotPetya.” However, the actors who executed these campaigns failed miserably at the backend processes that would have allowed them to collect any ransom. The outbreaks were prolific, with WannaCry generating 230,000 infections across 124 countries. NotPetya impacted computers across eastern Europe, as well as Australia and the U.S., and continues to have ripple effects. The advanced tools they leveraged from the Shadow Brokers leak drove the global impact and are a testament to what our future holds should more competent ransomware actors leverage the same tools.

To address ransomware, it’s important to understand its anatomy and origins. With this knowledge in place, enterprises will be in a better position to improve security and adopt the practices that slow its spread.

History

Initially, ransomware targeted consumers with a phishing email that deceived them into clicking a link or opening an attachment, which downloaded malicious code and encrypted data files such as Word, PPT, and Excel documents. For a ransom of a few hundred dollars, threat actors would send victims the keys to unlock the files, a model that yielded dividends for years. However, criminals began pursuing more lucrative victims in the business world, aiming not only to lock a single machine but also to hit file shares and move laterally to other workstations.

Today, with the emergence of WannaCry and NotPetya, it’s clear that ransomware is becoming a go-to tactic for obtaining quick cash at higher volume than identity theft or stealing payment card numbers. It is now big business with a low barrier to entry for relatively unskilled criminals. Some ransomware developers even sell exploit kits complete with customer service to guide perpetrators step by step through the process, as well as to help victims make payments with cryptocurrency.

Process

There are two primary ransomware paths of entry into an enterprise. The first uses remote access to a user’s terminal, typically obtained through a phishing email, as a path to other portions of the network, with the goal of gaining administrator credentials to databases and data stores. Once those credentials are compromised, the attackers pursue the network controls that let them encrypt or wipe data remotely; ransom demands follow closely thereafter.

Another lesser-known yet effective technique is exploitation of public-facing websites through webservers running vulnerable applications that lead into the datacenter. This tactic requires a more sophisticated skill set and indicates that more advanced criminals are increasingly realizing the benefits of executing a ransomware campaign.

Response

With the ease and proliferation of ransomware tools, what can be done to turn the tide? Primarily, there must be an organizational commitment to protect one basic element – data. This starts with a diligent patching program for applications, comprehensive data backups, and potentially engaging security experts to help guard against vulnerabilities and mitigate those that arise. Important safeguards include:

  • Establish an “incident response playbook” that focuses on ransomware
  • Utilize antivirus software to guard against most known ransomware
  • Implement a backup strategy for critical data and user workstations
  • Monitor the network vulnerabilities targeted by ransomware and prioritize patching accordingly
  • Block connections to known ransomware command and control nodes
  • Segment webservers from database servers and file shares so a compromised webserver cannot reach them
  • Engage a threat intelligence team that analyzes attacks against your infrastructure
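Several of the safeguards above (the incident response playbook, workstation backups, and monitoring) depend on noticing the mass-encryption behaviour described in the History section before it finishes. The following is an added example, not code from the original article, of the kind of heuristic an endpoint monitor can apply to a stream of file-write events: it flags a process only when at least two independent signals agree (a burst of writes to user documents, content that has become high-entropy as encrypted data is, and renames to an unfamiliar extension). The event format, the document extension set, the thresholds and all sample events are constructed assumptions for the demonstration.

```python
"""Heuristic detector for ransomware-like file activity (added example).

Scores a list of file-write events per process. A process is flagged when
at least two of three signals fire, which keeps legitimate tools that
produce high-entropy output (archivers, backup agents) from being reported.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass

# Assumed set of user-document extensions worth protecting.
DOCUMENT_EXTS = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx", ".pdf", ".txt"}


@dataclass
class FileEvent:
    ts: float        # seconds since monitoring started (constructed)
    pid: int         # writing process
    original: str    # path of the file before the write
    path: str        # path after the write (differs on a rename)
    content: bytes   # sample of the bytes written


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for ciphertext, ~4-5 for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_document(path: str) -> bool:
    return os.path.splitext(path)[1].lower() in DOCUMENT_EXTS


def extension_changed(ev: FileEvent) -> bool:
    """A document rewritten under a non-document extension (e.g. .locked)."""
    return is_document(ev.original) and not is_document(ev.path)


def score_events(events, window=10.0, burst=5, entropy_threshold=7.0):
    """Return {pid: [reasons]} for processes showing >= 2 ransomware signals."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    flagged = {}
    for pid, evs in by_pid.items():
        reasons = []

        # Signal 1: many document writes inside any sliding time window.
        doc_ts = [e.ts for e in evs if is_document(e.original)]
        max_burst, j = 0, 0
        for i, t in enumerate(doc_ts):
            while doc_ts[j] < t - window:
                j += 1
            max_burst = max(max_burst, i - j + 1)
        if max_burst >= burst:
            reasons.append(f"{max_burst} document writes within {window}s")

        # Signal 2: written content looks encrypted.
        high_entropy = sum(1 for e in evs if shannon_entropy(e.content) >= entropy_threshold)
        if high_entropy >= burst:
            reasons.append(f"{high_entropy} high-entropy writes")

        # Signal 3: documents renamed to an unfamiliar extension.
        renamed = sum(1 for e in evs if extension_changed(e))
        if renamed >= burst:
            reasons.append(f"{renamed} documents renamed to a non-document extension")

        if len(reasons) >= 2:
            flagged[pid] = reasons
    return flagged


def sample_events():
    """Constructed events: a user editing notes, a backup tool, and an encryptor."""
    text = b"Quarterly report draft: revenue up, costs flat, headcount steady. " * 8
    ciphertext = bytes(range(256)) * 4   # stand-in for encrypted output (entropy 8.0)
    events = []
    for i in range(3):                   # pid 100: ordinary editing, no rename
        events.append(FileEvent(i * 30.0, 100, "/home/u/notes.txt", "/home/u/notes.txt", text))
    for i in range(6):                   # pid 300: archiver writing compressed chunks
        events.append(FileEvent(5.0 + i, 300, "/backup/docs.zip", "/backup/docs.zip", ciphertext))
    for i in range(8):                   # pid 200: encrypts and renames documents rapidly
        src = f"/home/u/docs/report{i}.docx"
        events.append(FileEvent(1.0 + i * 0.5, 200, src, src + ".locked", ciphertext))
    return events


if __name__ == "__main__":
    for pid, why in score_events(sample_events()).items():
        print(f"pid {pid}: " + "; ".join(why))
```

Run as-is, only the encrypting process (pid 200) is reported; the archiver trips the entropy signal alone and the editor trips nothing, which is the point of requiring two signals. In a real deployment the events would come from a file-system audit source and a hit would trigger the playbook step the list above calls for (isolate the host, then restore from the workstation backups).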

While ransomware puts a new spin on cyber attacks that organizations are still grappling with, the attackers’ ultimate objectives remain unchanged. A back-to-basics mentality focused on data protection can offer a significant edge in thwarting this metastasizing challenge.