Dealing with ransomware the intelligent way

Ansie Vicente asked Jeremy Matthews, country manager for Panda Security, about the role extortion is playing in IT security.

Johannesburg, 12 May 2016

Jeremy Matthews, country manager for Panda Security.

What are the challenges businesses face around ransomware?

The primary challenges are business disruption and loss of productivity; financial loss without any guarantee that the data will be restored; and a possible compromise of company intellectual property, customer data and confidential information.

How are businesses currently dealing with ransomware attacks?

We have found that companies, for the most part, either pay the ransom or try to restore from whatever backups they have available and just try and cope with the loss of data. We do not advocate the payment of the ransom, as this only creates more incentive for criminals to continue these malware campaigns.

Do you have an idea of the level of attack businesses in SA are facing?

Unfortunately, there are very few reliable statistics regarding ransomware attacks in SA. This is partly because companies are quite unwilling to admit that they have fallen victim to ransomware, or unwilling to admit how many times they have fallen victim. However, anecdotal evidence points to a very high prevalence of attacks in South Africa. These attacks come in waves, with the release of each new strain of ransomware. In the USA, the departments of justice and homeland security believe victims paid over $24 million in 2015 to criminals to have their systems restored. Aside from Trojans, ransomware was the most common form of cyber attack throughout 2015.

The problem has gone way beyond how many people/businesses are infected with ransomware. We are now talking about how many people/businesses in the last x amount of time have been hit by which family of ransomware.

How does a victim actually pay the ransom?

The victim is usually prompted via a text file or message (it is common for the wallpaper to be changed to display the message) to pay the ransom. Ransom demands range from 0.5 BTC (Bitcoin) to 2 BTC on average, which is equivalent to between R3 500 and R14 000 per encrypted machine. Bitcoin is the currency of choice, because of the anonymous nature of transactions. Unfortunately, Bitcoin can be difficult to buy quickly in South Africa, often due to banking regulations requiring a new exchange account to be verified. This can be quite a big problem if the victim intends to pay, as some ransomware imposes a time limit on the payment, either with a hard deadline or with a deadline after which the ransom demand increases.

What are the blind spots that companies with existing security solutions have? What are they not realising about the security they have?

There are a few important "blind spots" to be aware of:

  • The users themselves are often unknowingly responsible for the initial infection. General security education is the first step to ensure your company remains safe and secure.
  • Almost all traditional security solutions work in much the same way. They rely on the malware either matching a sample (malware signature) that they have taken previously or triggering some kind of heuristic or behavioural rule. This creates a window for what are called zero-day threats. A zero-day threat is simply a threat that has never been seen before in the 'wild' and thus has never been seen by an anti-virus. We refer to this as the malware window of opportunity.
  • Cyber criminals are also constantly searching for and finding new and ingenious ways to infiltrate our networks.

What level of employee is likely to be targeted?

No employee or individual is immune to these attacks. Hackers will use a specific individual's endpoint - such as their Android device - to access the organisation's network and encrypt data on that network. Ransomware as a malware category is normally very broadly targeted, going after anyone the criminals can get infected. However, criminals are always looking to optimise their return and will target high-profile individuals or institutions where possible. One example is the recent targeted ransomware attacks on hospitals around the world.

What is best practice in terms of dealing with ransomware?

Once you are infected, it is generally already too late. By then you only have three options: restore from any backups you may have, lose the data or pay the ransom. If you are not using an advanced security solution, the best way to prepare yourself would be to ensure you do regular backups (ideally off-site), filter mail and URLs for dangerous file types, ensure systems are patched and up to date, and educate your users about the dangers of ransomware and ensure they are aware of suspicious e-mails and attachments.
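The "filter mail for dangerous file types" advice above is easy to state and easy to get wrong: a filter that only looks at the visible extension misses double extensions such as `invoice.pdf.exe`, names with a trailing space that Windows silently strips, and script files delivered inside a zip. The following is an added example written for this article, not Panda's code or any product's filter; the blocked-extension list and the sample attachments are constructed for illustration, and a real deployment would tune its own list.

```python
"""Mail attachment filter illustrating the 'dangerous file types' advice.
Added example for this article; the policy list below is constructed, not a
vendor list."""
import io
import posixpath
import zipfile

# Extensions that commonly carry executable or script content in ransomware
# campaigns. Constructed policy for the example; tune per environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
    ".bat", ".cmd", ".ps1", ".jar", ".lnk", ".docm", ".xlsm",
}


def extension_chain(filename):
    """All extensions of a name, lowercase: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    base = posixpath.basename(filename).lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def last_extension(filename):
    """The extension the OS will act on. Trailing spaces and dots are stripped
    first, because Windows drops them when the file is saved."""
    chain = extension_chain(filename.rstrip(" ."))
    return chain[-1] if chain else ""


def is_blocked_name(filename):
    """True when the effective (last) extension is on the block list. A double
    extension such as invoice.pdf.exe is caught because .exe is last."""
    return last_extension(filename) in BLOCKED_EXTENSIONS


def scan_attachment(filename, data):
    """Return (allowed, reason) for one attachment. Zip archives are inspected
    by member name without extraction; members that cannot be inspected
    (encrypted) are treated as blocked."""
    if is_blocked_name(filename):
        return False, f"blocked extension on {filename!r}"
    if last_extension(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 = member is encrypted
                        return False, f"encrypted member {info.filename!r} cannot be inspected"
                    if is_blocked_name(info.filename):
                        return False, f"blocked extension inside archive: {info.filename!r}"
        except zipfile.BadZipFile:
            return False, f"{filename!r} is not a valid zip archive"
    return True, "ok"


def make_zip(members):
    """Build an in-memory zip from {name: content} (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments: a clean PDF, a double extension, a
    # trailing-space name, a zip hiding a script, and a clean zip.
    samples = [
        ("invoice.pdf", b"%PDF-1.4 ..."),
        ("Invoice.PDF.exe", b"MZ..."),
        ("report.exe ", b"MZ..."),
        ("docs.zip", make_zip({"invoice.pdf.js": "..."})),
        ("docs.zip", make_zip({"notes.txt": "hi", "sub/readme.md": "..."})),
    ]
    for name, data in samples:
        allowed, reason = scan_attachment(name, data)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {name!r}: {reason}")
```

The filter is deliberately name-based: it is the cheap first layer the interview describes, and it should sit in front of, not replace, content inspection and the backups and patching mentioned alongside it.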

Panda suggests its Adaptive Defense (AD) solution to prevent ransomware infections. How does it work?

Adaptive Defense is a managed cloud-based solution that will monitor all actions on the endpoint and classify them as either malware or goodware. If a new program tries to run and has not already been automatically classified as goodware, the program will be blocked until it can be classified by Panda Labs. This approach closes the window of opportunity on zero-day threats (including ransomware) and provides superior protection against other pervasive malware, such as advanced persistent threats (APTs).
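The two detection models contrasted in the interview (the signature/heuristic approach with its "window of opportunity" for never-seen files, and the block-until-classified approach described for Adaptive Defense) can be modelled in a few lines. The following toy is an added example for this article, not Panda code and not a description of how Adaptive Defense is implemented internally; it assumes a SHA-256 of the file contents is the identity a classification service works from, and the sample "programs" are constructed byte strings standing in for executables.

```python
"""Toy comparison of allow-by-default signature scanning with a
default-deny, classify-before-run policy. Added example; it assumes a
SHA-256 fingerprint is the identity used for classification."""
import hashlib
from enum import Enum


class Verdict(Enum):
    GOODWARE = "goodware"
    MALWARE = "malware"
    UNKNOWN = "unknown"


def fingerprint(content: bytes) -> str:
    """Identity of a program for classification purposes (assumed SHA-256)."""
    return hashlib.sha256(content).hexdigest()


class SignatureScanner:
    """Traditional model: everything runs unless its hash is known bad."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)

    def allow(self, content: bytes) -> bool:
        return fingerprint(content) not in self.known_bad


class DefaultDenyPolicy:
    """Only programs already classified as goodware may run; anything unknown
    is blocked and queued for classification, closing the zero-day window."""

    def __init__(self, classifications):
        self.classifications = dict(classifications)  # hash -> Verdict
        self.pending = []  # hashes awaiting a verdict from the analysis service

    def allow(self, content: bytes) -> bool:
        h = fingerprint(content)
        verdict = self.classifications.get(h, Verdict.UNKNOWN)
        if verdict is Verdict.UNKNOWN and h not in self.pending:
            self.pending.append(h)
        return verdict is Verdict.GOODWARE

    def classify(self, h: str, verdict: Verdict) -> None:
        """Record the verdict returned by the analysis service."""
        self.classifications[h] = verdict
        if h in self.pending:
            self.pending.remove(h)


# Constructed samples standing in for executables.
KNOWN_GOOD = b"notepad build 1"
KNOWN_BAD = b"ransomware strain A"
NEW_VARIANT = b"ransomware strain A, repacked"  # never seen before
NEW_TOOL = b"new internal tool v1"              # also never seen, but benign


def run_scenario():
    """Return {name: (signature_allows, default_deny_allows)} before any
    classification, plus the default-deny decisions after the service has
    classified the two unknown files."""
    scanner = SignatureScanner(known_bad=[fingerprint(KNOWN_BAD)])
    policy = DefaultDenyPolicy({
        fingerprint(KNOWN_GOOD): Verdict.GOODWARE,
        fingerprint(KNOWN_BAD): Verdict.MALWARE,
    })
    samples = {"known_good": KNOWN_GOOD, "known_bad": KNOWN_BAD,
               "new_variant": NEW_VARIANT, "new_tool": NEW_TOOL}
    before = {name: (scanner.allow(p), policy.allow(p)) for name, p in samples.items()}
    pending_count = len(policy.pending)  # both unknowns are queued

    # The analysis service returns verdicts; the benign tool is released,
    # the repacked variant stays blocked.
    policy.classify(fingerprint(NEW_VARIANT), Verdict.MALWARE)
    policy.classify(fingerprint(NEW_TOOL), Verdict.GOODWARE)
    after = {"new_variant": policy.allow(NEW_VARIANT), "new_tool": policy.allow(NEW_TOOL)}
    return {"before": before, "pending_while_unknown": pending_count,
            "after": after, "pending_now": len(policy.pending)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point the toy makes is the trade-off the interview glosses over: the repacked variant slips past the signature scanner (`new_variant` is allowed) but is blocked by the default-deny policy, while a genuinely new benign tool is also blocked until it has been classified. Operationally that means the quality and turnaround time of the classification service, not the endpoint agent, determines how much friction users experience.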

The product falls into a new category of security solution called Endpoint Detection and Response (EDR) and has been made possible by advances in big data and cloud computing. The product is available in two versions: Adaptive Defense and Adaptive Defense 360. AD360 is the first of its kind using traditional endpoint protection (EPP) and EDR to monitor and protect individual endpoints.

How does rolling out Panda AD work in the corporate environment?

It is a cloud-based technology, with a range of deployment options based on Panda's proven cloud platform. Deployment is rapid and straightforward.

What do the IT guys have to do to make the line-of-business people feel comfortable about security with Panda AD?

Adaptive Defense is non-intrusive and can be implemented alongside the organisation's current anti-virus solutions, adding an extra layer of protection while leaving all existing security measures in place. AD gives full network visibility, which improves the organisation's ability to manage risk and better meet governance and regulatory requirements. With the use of graphical dashboard tools, such as Logtrust, this visibility and insight are highly demonstrable, making it easy for IT people to show value to business.

Is there any training required for the IT guys?

IT guys who are familiar with traditional security solutions should have no problem with Adaptive Defense.

Adaptive Defense 360 integrates with security information and event management (SIEM) solutions to provide detailed data on the activity of all applications run on your systems. This gives you access to information like network load, software usage, data flow, data loss detection and much more. For those without SIEM, we have partnered with a company called Logtrust to offer our own security event management and storage system for real-time analysis of all the collected data.

Some training in data analysis and visualisation could be required for admins who want to make the most of the SIEM integration available in the product. The more skilled the user, the more insight they will be able to derive from the data provided and available reports.

Where can readers learn more?

We have made a white paper about ransomware and how to deal with it available here.

Editorial contacts
Panda Ansie Vicente