Protecting Versus Ransomware

By Gordon Mackay, CTO & EVP, Digital Defense

Internet crime has existed since the beginning of the internet. Many forms of internet crime involve hackers compromising systems and stealing valuable data, such as credit cards or health-care records, and subsequently selling this data on the underground electronic market in order to realize a profit. In contrast to these forms of internet crime, there has been a re-emergence and growth of a form of attack called “ransomware,” where the hackers steal your data by encrypting it with a strong secret key that only they have. Consequently, you can no longer access your valuable data. Instead of selling your data on the underground market, as in credit-card-theft scenarios, hackers sell the data back to the one who values it the most: you.

 

Modern ransomware incidents came to the forefront back in 2005 with the emergence of a malware Trojan referred to as GPCoder. It encrypted the infected computer’s files with strong encryption (1024-bit RSA) and requested that payment be sent in order for them to be recovered. Back then, these incidents were somewhat rare and mainly impacted the home PC user. Recently, ransomware incidents have exploded in occurrence and have impacted many large corporations. Even within the past 4 months, several hospitals, such as Kentucky-based Methodist Hospital and California Desert Valley Hospital, have fallen victim. Once an organization has fallen victim, if there are no offsite backups available and assuming there is no master key or backdoor, the only way to retrieve the data is by paying a ransom to the perpetrators, who then decrypt the data and remove the malware.

 

There are many different defenses against this type of attack, all of which should be used, but in this article I share 3 top effective defenses organizations should employ within their information security programs to protect themselves.

 

1- Security Awareness Training

The majority of ransomware infections are initiated by way of phishing attacks against the users (employees). The attacker includes a link or an attachment within the email, and if the user follows the link or opens the attachment, and if their system is vulnerable to the given attack, the ransomware installs itself on the user’s system and infects it. Further, if that system has access to other parts of the information network, the ransomware may spread. Therefore, one way to protect against ransomware is to train your employees on an ongoing basis on the dangers of clicking on links and opening attachments within emails. Effective training comes in various forms, such as security awareness training programs and phishing behavioral training. An effective security awareness training program raises employee security awareness throughout your organization and dramatically reduces the likelihood of ransomware infection. In addition to security awareness training, many organizations are using free or paid email phishing simulation systems. These systems send your employees fake phishing emails and measure and track which employees fall for the bait and which do not. They give feedback to the employees on their behavior and help keep the employees’ awareness continuously at a high level, thus greatly reducing real phishing incidents.

 

2- Patch Adobe and Windows Vulnerabilities

Ransomware can only infect your organization if one or more of your network computers have security vulnerabilities which are specifically vulnerable to this kind of attack. As mentioned above, the majority of ransomware attacks originate by way of phishing attacks against the employee base. A recent study by Recorded Future shows that most recent ransomware cases take advantage of one of the following 4 vulnerabilities, all of which have available patches: Adobe Flash Player’s CVE-2015-7645, CVE-2015-8446 and CVE-2015-8651, and Microsoft Silverlight’s CVE-2016-0034. With this in mind, organizations should employ an ongoing vulnerability management program which includes assessing for these vulnerabilities on the employees’ systems (laptops, desktops), as well as patching them. Because these applications do not open ports and connect to the internet, the vulnerability management technology must be able to assess for them either by way of authenticated (credential-based) scanning or agent-based technology. Most vulnerability management and scanning solutions on the market offer this capability.

 

3- Backups

Organizations that fell victim and had no choice but to pay the ransom either did not have a system backup strategy, or had one in place that was not immune to ransomware, so that the ransomware, in addition to encrypting their data, also encrypted their backups. Backing up workstations and servers is an important component of any recovery effort associated with ransomware. Companies should complete full backups at least weekly and then do incremental / differential backups on a daily basis to ensure that any files that are created or modified on the system are backed up. It is important to note that these backups should be “air gapped”. In other words, do not back up to a file share that may also be attacked.
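The backup schedule described above can be checked mechanically. The following is an added example, not code from the article or from Digital Defense: it audits a backup catalogue for a full backup in the last week, no gap longer than a day since that full, and no run written to a file share. The record fields, the sample catalogue and the share-prefix heuristic are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample catalogue (not from the article); field names are hypothetical.
SAMPLE_CATALOGUE = [
    {"kind": "full", "finished": "2016-05-01T02:00", "target": "tape://vault/weekly-18"},
    {"kind": "incremental", "finished": "2016-05-02T02:00", "target": "tape://vault/daily-1"},
    {"kind": "incremental", "finished": "2016-05-03T02:00", "target": r"\\fileserver\backups\ws01"},
    {"kind": "differential", "finished": "2016-05-05T02:00", "target": "tape://vault/daily-4"},
]

# Assumption: a target starting with one of these is a share the backed-up
# machine can write to, so ransomware running on that machine can reach it too.
SHARE_PREFIXES = ("\\\\", "//", "smb://", "nfs://")


def audit_backups(catalogue, now, full_max_age=timedelta(days=7), max_gap=timedelta(days=1)):
    """Return findings against: weekly full, daily incremental/differential, no file shares."""
    findings = []
    runs = sorted((datetime.fromisoformat(r["finished"]), r["kind"], r["target"]) for r in catalogue)
    fulls = [t for t, kind, _ in runs if kind == "full"]

    if not fulls or now - fulls[-1] > full_max_age:
        findings.append(f"no full backup within the last {full_max_age.days} days")

    if fulls:
        # Walk the chain from the latest full to now; each step must be a day or less.
        times = [t for t, _, _ in runs if t >= fulls[-1]] + [now]
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                findings.append(f"no backup between {earlier:%Y-%m-%d} and {later:%Y-%m-%d}")

    for t, kind, target in runs:
        if target.lower().startswith(SHARE_PREFIXES):
            findings.append(f"{kind} backup of {t:%Y-%m-%d} written to a file share: {target}")
    return findings


if __name__ == "__main__":
    for finding in audit_backups(SAMPLE_CATALOGUE, datetime(2016, 5, 5, 12, 0)):
        print(finding)
```

A target string cannot prove that a backup is air gapped; the prefix check only flags the destinations that clearly are not.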

 

Per the recently released 2016 Verizon DBIR, ransomware is the most rapidly growing type of crimeware. As a result, organizations should understand this type of threat and take appropriate protective action. Although there are additional ways to protect against ransomware, the above three protection mechanisms should be part of every organization’s information security program.