EXECUTIVE SUMMARY:
Last year, researchers caught cyber criminals shifting from complex banking attacks to simple ransomware attacks that extort money by encrypting businesses’ files. Following that upswing came the WannaCry ransomware outbreak, which taught some key lessons. First among these is that paying a ransom does not guarantee that criminals will restore access to encrypted files; cyber defense is the only option. The best practice is to use purpose-built protection against ransomware that prevents new and known ransomware from entering users’ computers (endpoints); removes any ransomware that does get in; and instantly restores files that become encrypted from an integrated backup, to ensure uninterrupted business continuity.
A Quick Primer on the Birth of Ransomware
Cyber security researchers noticed something odd in 2016. Banking-Trojan attacks that steal victims’ bank usernames and passwords suddenly decreased. Instead, ransomware attacks were on the rise.
Criminals were discovering that ransomware is simpler to use than Trojan attacks, which require writing malware and creating counterfeit bank websites to harvest user login credentials. Then, along came ransomware, a new arrow in the attacker’s quiver. Now, criminals could attack more broadly, not just one bank’s customers. On top of that, ransomware let them evade banking safeguards that trace or block cyber criminals’ transactions—instead, payments are made in bitcoin, which can’t be stopped or traced. With its simplicity, broad targeting, and improved payment methods, ransomware attacks against businesses have escalated 300 percent since January 2016; add to that, a new attack is recorded every 40 seconds, according to Kaspersky Lab.
Fast-Forward to the Present
That brings us to WannaCry, the global ransomware attack that recently spread to more than 200,000 computers in 160 countries. Using stolen NSA hacking tools, courtesy of a group called “Shadow Brokers,” attackers exploited a vulnerability in Microsoft software. WannaCry initially enters the “victim zero” computer when a user clicks on an email attachment or visits an infected website. Once inside a computer, WannaCry rapidly spreads to other computers using the Microsoft software flaw. It is an example of expertly crafted ransomware, designed to evade detection by standard cyber security measures. That’s what they got right. And then….
Normally, “professional” ransomware restores the victim’s access to files after the ransom is paid, although restoration is never certain. WannaCry ransomware, though, was unable to track if a victim had paid the bitcoin ransom, which led to reports of victims not regaining access to their files despite paying the ransom. As word of this spread, victims were cautioned against paying. As a result, attackers did not make as much money as more sophisticated cybercriminals have with other ransomware. Kansas Heart Hospital, which was hit with a different attack in May 2016, learned that hard lesson when it paid the ransom but didn’t get all its data back. Without any guarantee of being able to conduct business even after paying a ransom, protecting your organization against such attacks is your only viable option.
Executive Takeaways: Ransomware Defense
To avoid lose/lose ransomware situations, make sure your cyber-security team implements these key practices:
Educate employees not to click on unknown email attachments and web links. Expert criminals usually trick a few employees into downloading ransomware that can spread through the network. The WannaCry outbreak likely started with users opening email attachments or clicking web links. Learning how to recognize suspicious attachments or links can help.
Regularly patch software and update antivirus with new malware signatures. Patching closes known vulnerabilities before they can be exploited. And up-to-date signature-based security like antivirus programs catches malware that researchers have already identified and given a signature. But remember, antivirus does not catch newly minted or modified malware that has no signature yet.
Use deep OS- and CPU-level sandboxing capabilities to keep ransomware out of networks. With the right type of sandboxing technology, you’re able to trigger malware in a safe environment to prevent it from entering your network. This deeper-level sandboxing helps you identify malicious activities at the OS level and exploits at the CPU level, preventing attacks before they occur. When your protection is limited to run-of-the-mill, signature-based sandboxes, your system can be fooled by evasion techniques, letting ransomware and other malware in. Plus, network sandboxes do not protect users’ laptops when they are off the network.
Protect endpoints. In addition to having sensitive files that ransomware can encrypt, users’ computers are also entryways for ransomware to spread to other computers as happened in the WannaCry malware outbreak. Be sure your ransomware protection works effectively whether users’ computers are connected to the corporate network or not. Using endpoint protection solutions can protect your data, whether it’s in use, at rest, or in transit.
Remediate attacks. If ransomware should get through, be sure to use protection that can instantly quarantine and remove the malware.
Restore encrypted files from regular data backups. Every enterprise must back up files for business continuity on a regular basis. But don’t wait until the last minute: restoring files from backup tapes stored offsite can take days and even weeks. Even the best disk-to-disk data backup systems can take an hour or longer to restore files needed for critical services, leaving you vulnerable. Use ransomware protection that can rapidly restore encrypted files without resorting to backup tapes and disks.
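The integrated-backup idea behind the last three practices (snapshot protected files, recognise when one has been rewritten as ciphertext, put the clean copy back in seconds rather than hours) as an added Python illustration; this is not code from the original article or from any vendor product. The ShadowStore class, the entropy threshold and the constructed sample document are assumptions made for the demo.

```python
import math
import os
import shutil
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits per byte; ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for documents, near 8 for ciphertext."""
    n = len(data)
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class ShadowStore:
    """Integrated backup: pristine copies of protected files, used to spot and undo encryption."""
    def __init__(self, shadow_dir: Path) -> None:
        self.shadow_dir = shadow_dir
        shadow_dir.mkdir(parents=True, exist_ok=True)

    def protect(self, path: Path) -> None:
        shutil.copy2(path, self.shadow_dir / path.name)  # snapshot before any later write

    def looks_encrypted(self, path: Path) -> bool:
        """A rewrite that turned readable content into ciphertext-like data."""
        before = shannon_entropy((self.shadow_dir / path.name).read_bytes())
        after = shannon_entropy(path.read_bytes())
        return after > ENTROPY_THRESHOLD > before

    def scan_and_restore(self, folder: Path) -> list[str]:
        restored = []  # names of files put back from the shadow copy
        for path in sorted(folder.iterdir()):
            if (self.shadow_dir / path.name).exists() and self.looks_encrypted(path):
                shutil.copy2(self.shadow_dir / path.name, path)
                restored.append(path.name)
        return restored

def demo() -> tuple[list[str], bool]:
    """Constructed scenario: protect a document, overwrite it with random bytes, check the restore."""
    original = b"Quarterly report: revenue up, costs flat.\n" * 100
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as shadow:
        target = Path(docs) / "report.txt"
        target.write_bytes(original)
        store = ShadowStore(Path(shadow))
        store.protect(target)
        target.write_bytes(os.urandom(len(original)))  # simulated encryption only
        restored = store.scan_and_restore(Path(docs))
        return restored, target.read_bytes() == original
```

Real products compare many more signals than byte entropy (write rate, extension changes, process lineage), but the restore path is the same: a copy the ransomware never touched is already on the endpoint.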
Ransomware is here to stay. To turn a serious threat into a manageable issue, executives should understand ransomware and work with their cyber security teams to develop effective policies and practices.
To recap, here are the key lessons from WannaCry:
- Ransomware attacks are growing in frequency
- Ransomware can spread globally in a few hours
- If you pay the ransom, criminals might still not restore access to your files
- Purpose-built protection against ransomware should protect endpoint computers, stop new and known malware, remove ransomware, and restore encrypted files from its own integrated backup