The popularity and use of ransomware appear to be spreading at record pace in 2016 as cybercriminals are actively using ransomware to hold businesses, institutions and even individuals hostage. No one is immune to this sort of attack. If you’ve been following the news, you’re probably aware that authorities and security experts are calling this the new crisis in cybercrime today.
The rise of ransomware within the hacking economy can be attributed to how simply and quickly attackers can monetize thousands or even millions of victims in a short period of time, as opposed to a targeted attack, which requires far more work and time to monetize a single data breach. To date, the SonicWall Threat Research Team has observed a 78% growth in ransomware variants over 2015. With the recent discovery of the new “DMA Locker” in the wild earlier this month, the team found that organizations are being hit by a range of highly active ransomware, including:
- CryptoWall (considered the most dangerous and most widely used so far)
- DMA Locker
Below is a visual sample of DMA Locker to give you an idea of what an infected system looks like. A quick search for the bitcoin address “1C8yA7wJuKD4D2giTEpUNcdd7UNExEJ45r” on the www.blockchain.info website shows that the same bitcoin address has been used in multiple transactions. This indicates that thousands of dollars have already been paid out by victims since its introduction.
With thousands of ransomware attacks every day, maintaining normal operations is paramount to achieving your business objectives. So it’s best to conduct routine security reviews and take any and all necessary steps to improve your cyber-defenses and prevent ransomware from spreading across your networks. This is a risk that can easily be mitigated by following these seven recommendations:
1. Training and awareness
It’s imperative to put a governance policy in place to make certain everyone in your organization is educated about the dangers of ransomware and trained to recognize the methods cyber-criminals use to compromise devices: social media, social engineering, suspicious websites and downloads, and various spam and phishing scams.
2. Email security
Since phishing emails are predominantly used by attackers to distribute ransomware, you want to deploy a capable email security solution that can scan all attachments for malicious content and isolate all files embedded with ransomware.
3. Use a multi-layered approach to network security
Cyber-criminals are very good at using the latest exploit kits and web vulnerabilities to infect systems and devices with ransomware. Enhance your security posture by eliminating siloed security architecture. A more effective way is to employ an adaptive cyber defense platform that leverages multiple integrated threat prevention capabilities, giving you many different ways to break the malware infection cycle, including advanced threat protection, gateway anti-malware, intrusion prevention and other available network-based security services.
4. Secure the endpoints
Mobile devices are particularly targeted, as reported in the 2016 SonicWall Security Annual Threat Report, with emerging ransomware threats on the Android platform. So do everything possible to make sure all your mobile endpoints are as secure as they can be, because devices of this sort are frequently outside your network and beyond the protection of your firewall. There are many good endpoint security options to satisfy your risk tolerance. At a minimum, you would want to consider layering your protection with patch management, web content filtering and signature-less anti-virus (AV) software that uses advanced machine learning and artificial intelligence to detect advanced threats, on top of your traditional signature-based AV solution.
5. Network segmentation
Ransomware attacks always look for opportunities to spread from the endpoint to the server/storage, where valuable primary and secondary data are stored. Imagine the potential harm done to an organization if cyber-criminals were able to gain unauthorized and unchallenged network access and move laterally at will within its unsegmented networks. To contain and mitigate threat propagation during an attack, it’s essential that you keep your critical applications, data and devices isolated on separate networks or virtual LANs to prevent the spread of an attack.
6. Backup and recovery
A California-based hospital recently paid approximately $17,000 to recover its data from a ransomware attack, obtaining the decryption key so it could quickly return its administrative functions to normal capacity. This unfortunate incident gives the rest of us an opportunity to learn from someone else’s misfortune. Another safeguard against having to pay the ransom is a speedy, reliable backup and disaster recovery (DR) strategy that allows you to restore full operation with minimal disruption. Make sure the solution allows you to automatically perform testing and verification to ensure data is restorable and the recovery service level is met.
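As an added illustration of the “testing and verification” point above (example code written for this post, not part of any SonicWall product), the script below backs up a directory, records a hash manifest at backup time, restores the archive into scratch space, checks every file against that manifest, and checks the restore against a recovery time objective. The file names, the manifest format and the 60-second RTO are assumptions chosen for the demonstration; the sample data is constructed inline.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive_path):
    """Archive a directory tree; return a {relative_path: sha256} manifest
    taken at backup time (store it separately from the archive)."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest

def verify_restore(archive_path, manifest, rto_seconds):
    """Restore to scratch space, check each file against the manifest and the RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch)
        mismatched = [rel for rel, digest in manifest.items()
                      if not (Path(scratch) / rel).is_file()
                      or sha256_file(Path(scratch) / rel) != digest]
    elapsed = time.monotonic() - start
    return {"restorable": not mismatched, "mismatched": mismatched,
            "seconds": elapsed, "within_rto": elapsed <= rto_seconds}

def demo():
    """Constructed sample: a known-good backup verifies; a later backup fails."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (data / "readme.txt").write_text("constructed sample data\n")
        manifest = make_backup(data, Path(work) / "good.tgz")
        good = verify_restore(Path(work) / "good.tgz", manifest, 60)
        # Simulate the ledger being encrypted in place before the next backup ran
        (data / "finance" / "ledger.csv").write_bytes(b"\x00\x13\x37garbage")
        make_backup(data, Path(work) / "bad.tgz")
        bad = verify_restore(Path(work) / "bad.tgz", manifest, 60)
    return good, bad
```

The second result shows why the manifest must be kept from a known-good state: a backup job that faithfully copies already-encrypted files reports success on its own, and only a comparison against earlier hashes reveals that the data is not restorable.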
7. Encrypted attacks
Not long ago, Yahoo users were the targets of one of the largest malvertising campaigns to date, after a criminal entity bought ad space on Yahoo’s website in order to plant malicious ads with the purpose of installing ransomware on the computers of users visiting the site. The redirection code planted in the malicious advertisements used SSL/TLS encryption, which made it difficult for traditional defense systems to detect.
If you’re currently not inspecting HTTPS traffic, then you are effectively blind to any attacks utilizing SSL/TLS. Therefore, it is absolutely essential that you deploy a next-generation firewall with a high-performance SSL inspection engine that can rapidly decrypt and inspect all internet traffic coming from or going to clients for threats hidden within those SSL sessions.
For more detailed information, I recommend reading our technical brief: “How to protect against ransomware.”