Ransomware: What Organizations Need to Know & How to Avoid It

To continue our series on National Cyber Security Awareness Month, we turn our attention this week to a troublesome trend which has emerged as the “It” threat of the moment: ransomware.

Once considered as an attack technique primarily targeting consumers, ransomware adversaries are now aggressively going after government agencies and commercial companies. With the surge in activity, the FBI expects ransomware extortion losses to total $1 billion this year.

As the author of a recent white paper, titled “Are You Prepared for Ransomware?,” I have immersed myself into this topic and I'd like to take the opportunity to provide a summary of what ransomware is, and what we can do about it. First, we should define the term: Simply stated, ransomware is the type of malware that blocks access to data and/or devices and demands payment for “a service” that will restore access. Until the ransom is paid, the data and/or devices will remain blocked.

Given the stakes, here are two other facts about ransomware that government agencies and private enterprises need to know – especially when it comes to preventing/avoiding the threats:

Ransomware comes in three main forms.

- Scareware. This is a demand for payment based upon the threat of a future action. For now, the victim’s files and system aren’t affected.

- Lockers. In this case, the affected user’s screen/system is blocked off, with the attacker indicating it will stay that way until the ransom is paid.

- Crypto-ransomware. With the victim’s files encrypted, the cyber crook offers to “sell” a decryption key for, of course, a fee. Crypto-ransomware can impact local files and those hosted on network shares. Encrypted files which cannot be retrieved result in a “data destruction” incident – which would be devastating.

To effectively respond to an attack, it’s key to recognize these forms. Once identified, your organization will inevitably debate the following, tough question: Do we pay or not? Unfortunately, there are no clear-cut right or wrong answers here. To make the decision even more complex, ransomware actors often keep demands relatively affordable and easy to pay. They’re intent on collecting money quickly and moving on to the next target.

We at Forcepoint™ can provide the following guidance: Making the payment is always an option, but it does not guarantee the successful return of encrypted files or device/computer usage. It’s also quite possible that the adversary will come back again with more threats and demands. Before agreeing to the terms, leadership must assess the availability of command and control servers on which the decryption key is hosted (will you get what you pay for?); the absence or presence of mistakes in the decryption routine (it might be possible to decrypt without the “official” key); and how “trustworthy” the cyber criminals appear with respect to actually making good on the terms (have your peers had success in retrieving their data and device/computer access?).

Ransomware thrives upon email, internet activity and social engineering.

Ransomware is more than just a piece of malware. Attacks often start with a phishing email and through a "drive-by" infection on a suspect web page. The first signs of malicious code are often infected programs that entice victims to download and execute them or delivered through email attachments (especially Microsoft Office-created ones). It applies constantly evolving, and often targeted, social engineering tactics to trick users into running, downloading or clicking on malicious content. With this, ransomware immediately starts enumerating all of the compromised system’s drives to search for target file types, and then proceeds to swiftly encrypt those files.

With the right monitoring and reporting tools, you can detect and defend your network from such attacks – before they have a chance to interrupt operations and squeeze you for money. A continuous user-education program will go far here too; inform employees about the dangers of ransomware, provide phishing education, and encourage them to report suspicious emails or incidents through an easy to use security incident program. Today’s workforce is increasingly cyber-savvy, and can be trained to identify potential social engineering schemes, check suspicious hyper-links, and understand the risks of opening unexpected or unfamiliar attachments in email.

While ransomware appears to dominate the current cybersecurity conversation, it really isn’t new. Its core components are based upon the same “penetrate and do bad things” principles that have driven hackers for decades. So defenses designed to cover the full threat lifecycle (aka Kill Chain) are particularly useful to defend against ransomware … detecting lures (phishing emails and drive-by web sites), identifying detection evasion tactics, recognizing exploits, and blocking malware.  User Behavior Analytics (UBA) are also powerful at the later stages of the attack with the ability to identify excessive file activity and alerting IT or proactively shutting down the activity.  More granular assignment of user access rights can limit the access of the ransomware to a smaller attack surface within the network, minimizing its impact.  A reliable backup program can dramatically reduce the overall impact and recovery time.  There are even economical backup options for road warriors and remote workers.

Subsequently, you will position your organization as highly guarded against ransomware threats. These crooks aren’t known for their patience, after all, as the classic “time is money” mantra usually dictates their MO. If you make it difficult enough for them to make a quick “sale,” they will move on. With the proper malware defense tools, procedures and awareness efforts in place, they will do just that.

Carl Leonard is Principal Security Analyst, Forcepoint Security Labs™