Ransomware: Will You Be A Victim or Survivor?
Are you prepared for a ransomware attack? Rarely a day goes by when I'm not asked about ransomware or don't end up in a conversation about it. Questions range from “What is ransomware?” to “How can ransomware be avoided?”, and everything in between.
Depending on which study or report you read, ransomware has maintained the first or second position in cybersecurity threat lists for several years.
Here are a few of the healthcare ransomware incidents so far in 2019.
Ransomware attacks are on the rise: according to a recent Malwarebytes report, they increased 195% in the first quarter of 2019 compared to the fourth quarter of 2018.
So, what is ransomware and how does it work?
Ransomware is malicious software that is installed without the user's knowledge, encrypts the user's files, and holds the user’s data for ransom. Encrypting data is the process of converting readable data into unreadable code using a software key that is kept secret. The software key is required to encrypt the data and to decrypt it back into a readable format. The attacker demands that the user pay a fee in exchange for the secret software key. Most often, attackers demand payment in Bitcoin, a cryptocurrency (a digital asset designed to work as a medium of barter or exchange) whose transactions are nearly untraceable. The presence of the malware is usually revealed either by a screen banner informing users of their current condition or by a significant computer/network slowdown. Ransomware causes immediate fear and panic once users realize what has happened. Victims often fear not only losing data but also not knowing how to pay with Bitcoin. One of the main reasons ransomware is so effective is that the encryption is nearly impossible to unlock without paying for the software key.
Is ransomware new and why can’t we stop it?
Ransomware is not new. The first documented ransomware attack, according to Becker's Hospital Review, took place in 1989 and was unleashed by an AIDS researcher named Joseph Popp, PhD. The attack targeted the healthcare space and was named the AIDS Trojan or PC Cyborg. Ransomware became much more sophisticated and common around the mid-2000s. Since that time, it has remained one of the top threats to individuals and organizations alike. Ransomware's longevity is due to the number of its variants. A malware variant is a new or modified version of an existing strain. Endpoint protection is updated constantly to recognize new malware. Variants allow malware authors to keep using the basics of a malware strain while making slight changes to avoid detection.
How do I end up as a victim of ransomware?
An attack vector is a way by which an attacker gains access to a computing device in order to deliver a malicious payload or outcome.
The most common attack vectors used to spread and infect devices with ransomware are:
· Phishing Emails: unsuspecting victims receive a well-crafted email and are tricked into opening an attachment or clicking on a link that delivers a malicious file. Once files on one machine have been encrypted, the more sophisticated strains will move on to other devices on the network.
· Remote Desktop Protocol (RDP): machines running RDP have port 3389 open, and attackers look for these machines. After they find one, they attempt to brute force the password using popular password cracking tools and gain entry to the machine as an administrator. As an administrator, attackers encrypt the device and often disable any endpoint protection software they find.
· Malvertising (a term created by combining malware and advertising, not to be confused with adware): occurs when an attacker purchases legitimate advertising space and embeds malicious code in the ad, or redirects users to malicious sites that aim to exploit vulnerabilities and deploy ransomware.
· Removable Media (USB drives): even though plugging a "found" USB drive into your computer has become the punch line for the worst security screw-ups, it never fails to catch folks. In Pakenham, Australia (near Melbourne), unmarked USB drives were placed in residents’ mailboxes. After plugging in the USB drives, users were encouraged to install an alleged Netflix promotion, but instead received ransomware that encrypted their machines. It worked well enough that police issued a warning to residents not to plug in found USB drives.
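The RDP vector above is one of the easier ones to spot from the defender's side, because every failed guess leaves a Windows Security event behind (Event ID 4625 with Logon Type 10, which is RemoteInteractive). The following script is an added example, not code from the original article, that runs a simple sliding-window count over a few constructed log lines and raises an alert when one source address racks up too many failed RDP logons in a short period; it also records whether a successful logon from that address followed, which is the case that needs an immediate response. The tab-separated export format and the field order are assumptions; a real export will need its own parse_event().

```python
"""Flag password guessing against RDP from Windows Security log events.

Added example (not from the original article). Assumes events exported as
tab-separated lines: timestamp, event id, logon type, account, source IP
(constructed format). Event ID 4625 = failed logon, 4624 = successful
logon, Logon Type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a burst of failures from one address that ends in
# a successful logon, and one ordinary typo from an internal user.
SAMPLE_LOG = """\
2019-05-01T02:00:01\t4625\t10\tadministrator\t203.0.113.45
2019-05-01T02:00:03\t4625\t10\tadministrator\t203.0.113.45
2019-05-01T02:00:05\t4625\t10\tadmin\t203.0.113.45
2019-05-01T02:00:07\t4625\t10\tadministrator\t203.0.113.45
2019-05-01T02:00:09\t4625\t10\tadministrator\t203.0.113.45
2019-05-01T02:00:11\t4625\t10\tadministrator\t203.0.113.45
2019-05-01T02:00:14\t4624\t10\tadministrator\t203.0.113.45
2019-05-01T08:15:00\t4625\t10\tjsmith\t192.168.1.20
2019-05-01T08:15:40\t4624\t10\tjsmith\t192.168.1.20
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Split one exported line into a dict with a real datetime."""
    ts, event_id, logon_type, account, src_ip = line.split("\t")
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "account": account, "src_ip": src_ip}


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP whose failed RDP logons reach
    `threshold` inside any `window`-long span; each alert notes whether a
    successful RDP logon from that IP followed the first failure."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    rdp = [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]

    failures = defaultdict(list)  # src_ip -> timestamps of failed logons
    for e in rdp:
        if e["event_id"] == FAILED_LOGON:
            failures[e["src_ip"]].append(e["ts"])

    alerts = []
    for ip, times in failures.items():
        times.sort()
        # Sliding window: largest number of failures inside `window`.
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        accounts = sorted({e["account"] for e in rdp
                           if e["src_ip"] == ip and e["event_id"] == FAILED_LOGON})
        success_after = any(e["src_ip"] == ip and e["event_id"] == SUCCESS_LOGON
                            and e["ts"] >= times[0] for e in rdp)
        alerts.append({"src_ip": ip, "failures": best, "accounts": accounts,
                       "first": times[0], "last": times[-1],
                       "success_after": success_after})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are deliberately tunable: a handful of failures from an internal address over a working day is normal, whereas several failures per second from a single external address against an administrator account is not, and a success following that burst should page someone.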
To be a survivor, use a layered approach to your security
Figure 1. Layered Cybersecurity. Adapted from "Layering network security has become necessity for businesses," by Rob Swenson, 2016, September 21, SDN Blog, Cybersecurity. Copyright 2016 by SDN
The best way to protect yourself from becoming a victim is to utilize a layered approach to your security practices. A layered approach involves employing multiple mechanisms to defend your machine and/or your network.
Here are a few strategies to include in a layered approach:
- Backups: develop a backup strategy that calls for storage offsite or implement a complete cloud strategy. Whichever method is used, backup files/media should be effectively isolated from machines or networks except during backups. Backups should be tested regularly to ensure completeness and integrity.
- Patching / Updates: all software receives updates and/or patches at some point. A well thought out strategy for testing patches and updates, as well as a deployment strategy, is critical to ensuring software is up to date against known vulnerabilities.
- Security Awareness Training: the adage “you are only as strong as your weakest link” certainly applies regarding ransomware. Email phishing campaigns and regular security awareness training are a great way to get a feel for how well your people understand ransomware and the threat it poses.
- Antivirus / Anti-Malware: antivirus generally deals with more established threats such as trojans, viruses, and worms, whereas anti-malware focuses on more advanced threats such as zero-day and polymorphic malware. The takeaway here is that it’s recommended to have both running side by side as part of a layered approach.
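The backup item above says backups should be tested regularly for completeness and integrity, and that is the check that decides whether you restore or pay. The script below is an added example, not code from the original article: it records a SHA-256 manifest when a backup is taken, and a later verification reports files that are missing, files whose contents no longer match (what an encrypted backup share looks like), files that appeared without being in the manifest, and a backup that is older than the allowed age. The directory layout, file names and the 24-hour age limit are constructed for the demo.

```python
"""Verify a backup set for completeness, integrity and freshness.

Added example (not from the original article). Assumes a backup is a
directory tree and that a manifest mapping relative path -> SHA-256 was
written when the backup was taken. All files here are constructed in a
temporary directory so the demo runs offline.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _list_files(root):
    return {p.relative_to(root).as_posix(): p
            for p in Path(root).rglob("*") if p.is_file()}


def build_manifest(backup_dir):
    """Record the hash of every file under backup_dir plus the creation time.
    Store the result somewhere the backup host cannot overwrite it."""
    files = {name: sha256_file(p) for name, p in _list_files(backup_dir).items()}
    return {"created": time.time(), "files": files}


def verify_backup(backup_dir, manifest, max_age_seconds):
    """Compare the directory against the manifest. 'ok' is True only when
    nothing is missing, corrupt or unexpected and the backup is fresh."""
    present = _list_files(backup_dir)
    expected = manifest["files"]
    missing = sorted(set(expected) - set(present))
    extra = sorted(set(present) - set(expected))  # files nobody backed up on purpose
    corrupt = sorted(name for name in expected if name in present
                     and sha256_file(present[name]) != expected[name])
    stale = (time.time() - manifest["created"]) > max_age_seconds
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "stale": stale, "ok": not (missing or corrupt or extra or stale)}


def demo():
    """Build a constructed backup, verify it, tamper with it, verify again,
    and finally check an out-of-date manifest. Returns the three reports."""
    day = 24 * 3600
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "patients.sql").write_bytes(b"-- constructed sample dump\n")
        (root / "notes.txt").write_bytes(b"constructed sample file\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest, max_age_seconds=day)

        # Simulate damage: one file rewritten, one deleted, one that appeared.
        (root / "notes.txt").write_bytes(b"constructed garbage")
        (root / "db" / "patients.sql").unlink()
        (root / "unexpected.txt").write_bytes(b"constructed stray file\n")
        tampered = verify_backup(root, manifest, max_age_seconds=day)

        # A manifest two days old fails the freshness check regardless of content.
        old_manifest = dict(manifest, created=manifest["created"] - 2 * day)
        stale = verify_backup(root, old_manifest, max_age_seconds=day)
    return clean, tampered, stale


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "stale"), demo()):
        print(label, report)
```

Run it on a schedule against the offline or cloud copy, not from the production host, and keep the manifest with the backup media rather than on a share the infected machine can reach; a manifest that ransomware can rewrite verifies nothing.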
If the worst happens and you find your machine or network infected with ransomware, it’s important to be prepared. Depending on your business, critical questions, such as whether manual recovery is feasible given the time it would take, should be answered ahead of time. Ensure backups are reliable and recent. This is where partnerships between Cybersecurity and Business Continuity can pay significant dividends.
When you realize you’ve become a victim of ransomware, the question you need to immediately ask yourself is “Should I pay, or should I try to restore and recover?”
In the next article in this series, we will address that question and the factors to consider before making that decision.
If you have questions or comments, feel free to reach out to me via the contact information below.
About the Author
Mike has over 30 years of IT experience with the last 15 focused exclusively on information and cyber security. During that time, Mike has served in organizational leadership roles as a Chief Information Security Officer (CISO) and as a cybersecurity consultant.
Regardless of the role, Mike enjoys helping organizations develop effective cybersecurity programs by addressing risk and creating a cybersecurity conscious culture.