The recent WannaCry attack shows why ransomware is one of the top-of-mind issues for executive boards, security operations centers, and incident response and forensics teams. The attacks seem to have high success rates despite being relatively simple. It's a threat that's both pervasive as well as extremely disruptive to not only technical operations, but in many cases, customer-facing services and business operations.
In contrast to other threats that may be based on diverse motivations and factors, ransomware targets business assets and makes itself clearly visible. An example is the recent third-party breach of Netflix, in which hackers didn't target customer details like credit card information, but yet-to-be-released TV content. It's critical for enterprise security operations teams to monitor and track ransomware as cybercriminals test new approaches to target vulnerable organizations.
Ransomware was expected to be a $1 billion source of income for cybercriminals in 2016, according to the FBI, compared to just $24 million paid in 2015—a whopping 4,000 percent increase in just one year. According to a recent survey by IBM, 70 percent of businesses hit by ransomware have paid to get their data back, with US hospitals, educational institutions and utility companies paying between $20,000 and $40,000 on average. This ratio makes ransomware a no-brainer for hackers looking for a quick paycheck.
Part of the reason for this explosion in ransomware attacks is the commoditization of malware. Ransomware is packaged for launch with the intent to monetize a breach quickly. It's getting more attention because it causes immediate disruption to operations. For some ransomware threats in the wild, real-time detection technologies can be configured to block or quarantine the threat. Security teams can use the alerts from those technologies to review and triage threats. Prevention can include endpoint detection technologies as well as network-based technologies.
Among commoditized ransomware, Locky (widespread last year) and CryptoLocker (from several years ago) seem to be fading, only to be overshadowed by Cerber and Spora. But no ransomware attack has gained the same notoriety as WannaCry – it disrupted hospitals and mass transit as well as logistics operations.
Companies must take a broader view of the problem rather than addressing one threat at a time. It is important that organizations have end-to-end visibility across the environment – not just security technologies but across critical applications and services. Organizations must also create processes that enable security and IT teams to work together. So, when there is an attack, the teams can work collectively to address the threat quickly, and get the business back online. A recent Ponemon Institute study found that the average cost of downtime in a data center was nearly $9,000 per minute.
There is sophistication in the “delivery” of new ransomware as well – these are not only new variants, they also incorporate new techniques to ensure maximum disruption. Many security researchers agree that ransomware is often spread via email, like most forms of malware. Yet its presence is growing within compromised or malicious websites, malicious files within mobile apps, or links to ads. Ransomware is peculiar in contrast to other threats because in order to be effective, it doesn't need to remain undetected. In fact, ransomware announces itself once the attack is successful.
To expedite success and financial gain, ransomware authors have used local dialect and language, and ensured that disruptions occur during normal business hours for a particular geography. To improve their chances, ransomware authors may draw recipient addresses from data dumps of previous attacks, so that their emails reach legitimate, active mailboxes.
So how can organizations prepare for this growing threat?
Identify organizational risk tolerance: Sophisticated businesses operate from a perspective that hackers are going to get in. The critical next step for the CISO and CIO is to figure out which data and assets to place the highest security around. For example, retailers may place the highest value around customer credit card information, but manufacturers may want the highest security around systems that control automated machinery. For government organizations, critical infrastructure or public services require the strongest posture.
Account for ransomware defense as part of your risk model: Ransomware is likely to continue as a threat to businesses for some time. To ensure it is being accounted for, IT operations and security teams should budget accordingly to implement the appropriate solutions for ransomware, and create appropriate response plans in the event that there is a ransomware attack. The response preparation should include establishing relationships with law enforcement agencies.
Do the basics and test the basics: One of the best ways to ensure essential IT infrastructure and mission-critical operations are not taken hostage in any attack, including ransomware, is by keeping your security systems up to date. Use the latest signatures from security technology providers. Establish a strong backup strategy for your organization, and test the backups on a regular basis. Deploy patches as quickly as is reasonable. If you cannot patch systems, know which systems cannot be patched, and implement compensating controls – including increased monitoring and network segmentation. If ransomware is part of your threat model, test a ransomware attack scenario. Even a tabletop exercise is better than having no test at all.
Make the best use of technology you already have: Your organization has likely invested in a number of security and IT technologies. Ensure that you are taking full advantage of your investment in accordance with your risk model. While some technologies are better suited than others, do not chase bright, shiny security or IT toys that overstate their capabilities. Take an analytics-driven approach with your technology stack. Ensure that you are getting visibility from the technologies, and explore whether you can automate the interaction between them – for evidence preservation, context development and configuration management. Take these actions in accordance with your risk posture.
Get smarter on best practices to combat ransomware
Digital transformation is changing the IT world – with technology footprints expanding into the cloud and to interconnected devices. This transformation brings about complexity. For attackers, this transformation brings in new opportunities to profit from disrupting your business or mission.
If we accept that more attacks like WannaCry are extremely likely, and that ransomware is becoming smarter by mutating and penetrating enterprise networks in more innovative ways, the onus falls to CIOs and CISOs. Combatting threats in today's digital business is going to require strong collaboration between IT and security. CIOs and CISOs will have to work together to break down the process and organizational barriers in the interest of the business. Organizations will have to take a risk-based approach to security – driven by a focus on the business.
A simple but scary truth we face with ransomware is that any business at any time represents a potential target. Attacks have been disruptive, even when they lack sophistication.