By Kyle Bubp
Ransomware is big money. In fact, according to the Federal Bureau of Investigation, ransomware attackers collected more than $209 million from victims in the first three months of 2016 alone. This is up dramatically [Note: Opens PDF] from $24 million for all of 2015. And if there is one thing history can teach us, it’s that big money drives innovation. So, it’s logical to predict that as ransomware evolves, so too will its sophistication.
Proof of this is already showing. Traditionally, ransomware attacks have been extremely opportunistic; mass-mailed across the Internet hoping to infect as many victims as possible. Now, trends show that ransomware authors and distributors are getting more targeted and almost more entrepreneurial with their attacks, targeting specific verticals and data types with greater precision. For example, instead of emailing a huge distribution list, a malicious actor may take time to do research on a healthcare organization to craft a believable phishing email. Or, ransomware may be programmed to match patterns that look like social security numbers, addresses, or patient records in an attempt to encrypt patient data instead of simply encrypting alphabetically throughout a filesystem.
Even more scary is the speed at which these new families of ransomware can be created. According to Proofpoint [Note: Opens PDF], there’s been a 600% growth in new ransomware families since December 2015. Further, many experts believe there is a true criminal-to-criminal infrastructure behind ransomware development with potentially off-the shelf malware that can be used to speed new ransomware development. The result? New families of ransomware will be knocking on our doors faster than ever.
The best defense against growing waves of more intelligent ransomware is an aggressive offense. To ensure your enterprise is ready, consider these five tips.
- Think Like Your Adversary. The best way to identify where to focus your security efforts is to first understand how attackers can break in to your environment. For this you need to put on your own black hat. Hackers don’t play by the rules. They don’t care about your corporate policies or procedures, and they are looking for specific misconfigurations and bugs they can exploit. As an example, when you visit an online marketplace and see a search field, you likely type in what you’re shopping for. An attacker, on the other hand, tests it to see if it’s vulnerable to SQL Injection. This difference in thinking can lull us into a sense of false safety. It’s important to remember how hackers think and to stay up to date on hacking techniques so that you can continue to protect yourself as hackers evolve and their methods mature.
- Educate Your Users. You’ve heard it before. Often your greatest vulnerability is your users. Phishing is a multi-billion-dollar cost, year-over-year. The interesting thing about this security issue is that most times, a technology control will not stop it. Cyber criminals know this and prey on users because of it. Therefore, the only way to really safeguard against phishing attacks is to keep your user population informed and educated on how to identify social engineering, phishing, and vishing attacks. Every user should know the risk of email attachments and not to open anything that isn’t from a known sender or trusted source. They should also be informed not to execute software that has been downloaded from the internet, unless it’s first been approved by internal IT processes. Further, they should always be extra cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends.
- Know Where Your Sensitive Data Lives. To protect your most sensitive data, you need to know exactly where it resides in your network, in all forms and all places. Sensitive data should include everything that is valued by your organization, from trade secrets and proprietary information to PII and credit card numbers. You should first discover the data, then classify it based on type, value and data loss risk. Only then can you properly protect it and wrap controls around it to ensure that only the right people are accessing it.
- Wrap Sensitive Data in Advanced Controls. Once the data has been identified, the organization can then begin with a strong access control policy, such as Role Based Access Control (RBAC) and the idea of least privilege and “need to know” practices. Restrict access to those who absolutely need it for their job function. Then embed rigorous monitoring and alerting to provide visibility and response in case something does go wrong.
- Strategically Employ Data Protection. Data protection can be a vital component of your security strategy. According to the Center for Internet Security (CIS) [Note: Opens XLS], Critical Security Control (CSC) for ransomware protection it’s important to “ensure that key systems have at least one backup destination that is not continuously addressable through operating system calls. This will mitigate the risk of attacks like CryptoLocker which seek to encrypt or damage data on all addressable data shares, including backup destinations.” If the hackers can’t find an access path to online backup sets, they can’t break through to delete the attached backup pool preventing stored data from being corrupted.
Just as the intelligence of ransomware continues to grow, so too should our ability to thwart its impact on our environments. Don’t put your data at risk. The more we can foil hackers’ success the less money they will make and perhaps, in time, new ransomware innovation will slow as a result.
About Kyle Bubp
Kyle Bubp is the Security Practice Lead at VeriStor, an advanced IT solutions provider specializing in virtual infrastructure, security and enterprise private, public and hybrid cloud services and solutions.