Ransomware's reach expands

According to Mark Thomas, group CTO Cybersecurity at Dimension Data, Ransomware is a different kind of threat that could have serious implications for organisations.

Johannesburg, 22 Jun 2018
Ransomware's reach expands.
Ransomware's reach expands.

Ransomware is a different kind of threat that could have serious implications for organisations. The goal of such an attack is very simple: lock down company data through encryption and demand a ransom to grant access again. It can stop a company's business operations in its tracks and is unnervingly simple to deploy. Fortunately, the threat of ransomware is also reasonably easy to remedy but it starts by being proactive, says Mark Thomas, group CTO Cybersecurity at Dimension Data.

Understanding ransomware

Ransomware started making news headlines in 2014. It often targets people using social engineering methods such as phishing to have them unknowingly deploy a ransomware payload on their machine, usually as an e-mail attachment. The payload then encrypts files on the machine and demands a ransom, often asked for in a crypto-currency such as Bitcoin, to unlock the files. These demands are usually time-sensitive with a deadline, after which the data is permanently deleted. Paying the ransom is no guarantee, though, that the files will be activated again.

In 2016, this method took on a new dimension. Ransomware would not only infect the first machine, but then look to propagate itself across the network. A single attack becomes a raging infection. Adding to the devastation is the choice of target: adversaries using ransomware often go after companies with highly sensitive business process-relevant information, such as health records or manufacturing data. This raises the odds that the victims will pay.

350% increase in ransomware attacks in 2017

The world saw an explosion in ransomware attacks in 2016, in part because attackers used exploits allegedly stolen from the NSA and released online. The vulnerabilities that these exploits target can be patched, yet from Dimension Data's analysis, ransomware attacks actually rose in 2017, from 1% of malware attacks to 7%, an increase of 350% from the previous year. There's growing evidence that attackers are also using ransomware to expand their control, downloading additional payloads once an infection is active. But unlike long-term breaches, which might siphon valuable company data over time and be even more devastating, ransomware attacks work best on shock-and-awe tactics: pay the money or lose your data.

Growing security maturity among certain sectors has tangibly reduced ransomware attacks. Business and professional services used to be the most popular target because they have access to and hold records on many customers (and thus many potential targets). Security investments have reduced their ransomware threat. We found a reduction from 28% in 2016 to 17% in 2017. Adversaries are now focusing on new targets to catch less security-mature companies and countries.

The change has been offset by a heightened focus on casinos and other gaming companies, which now top the list as the most target sectors. These are financially lucrative organisations but they may not have the security pedigree to match. Attackers are also paying more attention to supply chains.

Ransomware is still a serious threat for all sectors and shouldn't be ignored. Future surges in ransomware attacks are very likely.

Fighting ransomware

There are strategies organisations can follow to reduce their threat profile and risk. It requires investment and executive-level buy-in but it can be accomplished. The financial services industry (FSI) has demonstrated as much.

In 2016 FSI companies ranked very high for ransomware attacks. This forced a flurry of security-related upgrades and investments, and in 2017 FSI wasn't even in the top five of most-attacked sectors. Their strategies included three vital components: people, patches, and backups.

Let's start with the last point: backups are a natural remedy to ransomware, as the data that's been compromised is available elsewhere. FSI companies adhere to compliance dictating backup and recovery, which has greatly reduced the reward for successful attacks. This still causes a disruption to operations but it leaves a bad taste in the mouths of adversaries, who prefer maximum reward for the effort. At this stage many FSI companies can even respond internally to a ransomware breach. So a good data backup/recovery strategy is critical.

Patches are just as crucial: many ransomware attacks exploit known flaws in operating systems. Yet patching can be challenging to implement. This depends on the sector and company but suffice to say it's not always practical to take down systems and patch, as this can interrupt business operations. Yet, on the other hand, it's crucial, so a risk-based patch strategy must be in place. Even in 2017, after the attack methods became known, many companies were still caught unaware. A healthy patching strategy is a critical element of a mature security culture.

Cyber awareness culture critical

Finally, people may be the weakest link in implementing strategies to combat ransomware. Attackers are skilled at duping people into malicious actions. They could chance it by hitting various people or finely hone an attack to focus on a specific individual. A vigilant workforce is invaluable to security. Humans are the best at spotting curious activities and reporting them. Cloud technologies are helping here: for example, an attachment could be detonated in an online sandbox to test for any red flags.

The people element includes the executive: it's important for them to know that ransomware goes straight for the business' throat. It will target and compromise the very process-related data and workloads that executives and departments need to execute their mandates. Security, in general, is a business problem but ransomware brings this home acutely.

More and more companies are using simulated attacks to test their employees' actions, giving additional training to those who don't spot threats. Even experienced security operators have been caught out by clever cyber subterfuge: failing such a test is not a mark but a victory. It helps get the workforce one step closer to being the vanguard of the company's frontline. Adequate investment in endpoint security also bolsters this area but is not a substitute for cyber aware employees.

Prevention or cure?

There's another choice: pay the ransom. Some companies even stockpile crypto-currencies such as Bitcoin for this purpose. But this should be avoided: there's no guarantee that the files will be unlocked, plus it enables and encourages attackers to do the same again. In the case of ransomware, prevention is far better than cure, because there is no real cure.

The lack of an effective security culture, especially relating to people and endpoints, attracts adversaries. This trend is currently evident in the EMEA region, the only global region where ransomware attacks ranked in the top three malware types. Malware activity is also rising in the APAC region, where endpoint security and user education remain low priorities. But ransomware, as with all malware, is an evolving threat. It's simply too easy and rewarding for criminals to ignore.

In summary

Ransomware is one of the easiest ways for adversaries to bring a company to its knees. Without the right precautions, there's little that can be done to recover compromised data. But it's very possible to build defences against it: despite a rise in global malware attacks from 1% to 7%, ransomware-related incident response engagements dropped from 22% in 2016 to 5% in 2017. This indicates that companies are improving their capabilities to deal with such threats internally. Here's how they accomplished it:

Assess the threat to the organisation: what would stop the business in its tracks?

* Ensure sufficient investment in security.
* Gain the understanding, buy-in, and support of executives.
* Put a backup/recovery strategy in place.
* Have a system patching strategy in place.
* Secure the endpoint.
* Invest in user education and training.