Ransomware and response: Combating the latest cyber threat

It can happen in a second – someone accidentally opens an e-mail attachment or clicks a seemingly harmless link, and launches a ransomware infection that encrypts data and locks users out of the network.

Ransomware has been around for decades, but “improvements” in how the malware works and changes in the underground economy have put ransomware squarely at the center of the cyber security fight.

What is ransomware and why is it so pervasive now?
Plainly put, ransomware is a type of computer virus designed to block access to computer systems and/or data, demanding an extortion payment in exchange for the keys to “unlock” access.

In its simplest form, ransomware merely prohibits users from logging into their computers, leaving the data itself largely untouched. Unfortunately, these locker-type attacks have given way to much more malicious strains of the malware known as crypto-ransomware. These newer variations are capable of deploying powerful encryption that renders files, folders and hard drives permanently inaccessible. Thanks in part to the effectiveness of crypto-ransomware attacks, the infection rate for ransomware has exploded in the past 18 months.

According to a Symantec report released in mid-2016, ransomware infections spiked in the fall of 2015, hitting a rate of nearly 150,000 infections in the month of October alone. After a brief decline, the infection rate spiked again this past spring, with more than 120,000 infections detected in March.

New and more potent varieties of ransomware help to explain why so many infections are taking place, but innovation alone doesn’t tell the whole story.

Three key factors have come together in recent years to create an ideal environment for cyber extortion. First, alternative “virtual” currencies like Bitcoin have become widely accessible. Unlike more traditional payment methods that can be traced by law enforcement, digital currencies give cyber-extortionists a reliable yet mostly anonymous platform for receiving ransom payments.

Second, it is no longer necessary for extortionists to develop their own malware. Cyber crime has diversified, with specialized groups creating and essentially “licensing” their ransomware variants to lesser skilled attackers in exchange for a percentage of the proceeds.

Lastly, many organizations are still working with fragmented information security practices, which can allow infections to take hold or offer limited ability to recover from a ransomware infection, often leaving organizations with little choice but to pay the extortion demand.

Combating Ransomware
Although there are some publicized examples of sophisticated, targeted ransomware attacks, most infections are opportunistic. Currently, the most popular method for distributing ransomware is through the use of phishing e-mails.

Large networks of compromised computers, known as botnets, pump out millions of spam messages that contain either malicious attachments capable of launching the infection, or malicious links that deliver the malware through the use of an exploit kit. Attackers have become especially skilled at evading e-mail filtering systems and disguising attachments as legitimate files. Exploit kits take advantage of unpatched software vulnerabilities in order to install the ransomware.

Given the incredible pace of innovation around ransomware attacks, relying solely on anti-virus and e-mail filtering for protection can leave the door open to unwelcome consequences. When it comes to quickly evolving malware threats like ransomware, it is important to keep up with fundamental good security practices and be prepared for recovery if needed.

What does that mean in practical terms?

It means that phishing education, consistent and timely application patching and the ability to restore data and systems from backups all play important roles in preventing ransomware incidents and minimizing the damage from the infection.

With the majority of ransomware spread through phishing e-mails, the end user is the last line of defense should an e-mail bypass the spam filter and the antivirus fail to detect the latest malware strain. Helping users to understand that everyone can be a target and training staff to be on the lookout for suspicious e-mails can make the difference between a successful attack and safely jettisoning phishing e-mails with the rest of the trash.

Next is the application patching process. Exploit kits are specifically designed to take advantage of certain software weaknesses. Similar to the targeted ransomware attack, there are some advanced kits that take advantage of “zero-day” vulnerabilities (i.e., previously unknown security holes), but most kits leverage vulnerabilities that have been known for months or even years.

A consistent and methodical patch management process can go a long way toward eliminating the security holes attackers need in order to launch the ransomware. Lastly, should all else fail, being able to restore data and systems from backups can turn an otherwise crippling attack into an inconvenient bump in operations.

Best practices recommend every organization have a routine procedure for:

  • regularly backing up data and systems;
  • testing backups, to ensure reliability; and
  • testing the restoration process, to ensure it can be done when needed.
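
One way to script the three routine steps listed above (back up, test the backup, test the restore), as an added example that is not from the original article or from YourCISO. It assumes GNU tar and sha256sum on Linux; the function names and the manifest file layout are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: the three routine steps as shell functions.
# Assumes GNU tar and sha256sum; function names and file layout are hypothetical.
# Pass absolute paths; DEST_DIR must live outside SRC_DIR (ideally offline or off-site).

# make_backup SRC_DIR DEST_DIR: write archive + integrity records, print archive path.
make_backup() {
    mb_src=$1
    mb_archive="$2/backup-$(date +%Y%m%dT%H%M%S).tar.gz"
    # Per-file hashes of the live data, used later to judge a test restore.
    (cd "$mb_src" && find . -type f -exec sha256sum {} +) > "$mb_archive.manifest" || return 1
    tar -C "$mb_src" -czf "$mb_archive" . || return 1
    # Hash of the archive itself, to detect corruption or tampering at rest.
    sha256sum "$mb_archive" | cut -d' ' -f1 > "$mb_archive.sha256" || return 1
    printf '%s\n' "$mb_archive"
}

# verify_backup ARCHIVE: succeed only if the archive still matches its recorded
# hash and tar can read every entry in it.
verify_backup() {
    vb_expected=$(cat "$1.sha256") || return 1
    vb_actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$vb_expected" = "$vb_actual" ] || return 1
    tar -tzf "$1" > /dev/null 2>&1
}

# test_restore ARCHIVE: restore into a scratch directory and succeed only if every
# file named in the manifest comes back with the hash recorded at backup time.
test_restore() {
    tr_scratch=$(mktemp -d) || return 1
    tr_rc=0
    { tar -C "$tr_scratch" -xzf "$1" &&
      (cd "$tr_scratch" && sha256sum --quiet -c "$1.manifest"); } > /dev/null 2>&1 || tr_rc=1
    rm -rf "$tr_scratch"
    return "$tr_rc"
}
```
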

Unfortunately, the threat of ransomware isn’t likely to fade anytime soon. It’s a profitable extortion scheme easily perpetrated by criminals that are unlikely to be caught.

YourCISO can help
That said, following tried and true security best practices has proven effective time and again when it comes to combating threats like ransomware. The tools found in YourCISO – the information security practice management service offered by VML Insurance Programs (VMLIP) and Risk Based Security – can help your organization stay on track and in alignment with security best practices.

YourCISO includes access to the security health check, which measures current performance in areas like backup and patch management procedures, as well as training tools for raising staff security awareness and incident response planning materials to help prepare for a cyber attack.

Sign up today and start the process of transforming ransomware from an imminent threat to a manageable nuisance.