Ransomware: Prevention vs Cure

Cyber extortion has become a prevalent threat to companies in recent years, chiefly in the form of Ransomware, which accounted for 42% of security breaches in 2015. Just in the last few weeks alone we’ve seen high-profile Ransomware attacks on hospitals, local Councils and WordPress

You can see the appeal to an attacker. It is a quick, easy way for hackers to target an organization of their choosing, lock down their data and request a hefty sum of money (often by Bitcoin) before they have it on their toes, with no guarantee that the company’s information will actually be released even if they pay up.

It gives the cyber-criminals immense power – some small- to medium-sized companies can face closure if they cannot access their vital data, it’s that serious.

It’s another example of hackers continually evolving their techniques to exploit the weak, or even as we saw throughout 2015, the strong.

“Ransomware is just the latest iteration of payloads that enable the generation of revenue in the face of much better controls over financial crime within the banking infrastructure.” Jay Abbott, Security Expert and Founder of JustASC told Infosecurity.

“If you are in the business of making money through fraud then it’s getting harder to do using a banking trojan on someone’s computer. Multi-factor transaction verification is making that game less effective, so the only real option is to diversify.”

“Ransomware is that diversification. Tied to the growth in consumer-led technology and the digitization of our lives it’s an obvious choice to extort money rather than steal it. The growth of digital currencies has significantly helped with the money side of the scam and it’s become the perfect storm that puts all data at risk.”

There are several different ways that cyber extortion can manifest, but in the main it occurs via insecure/fraudulent websites, downloaded programs or infected emails.

So, with predictions suggesting 2016 will bring the highest levels of cyber-attacks ever, how can companies arm themselves against cyber extortion?

Panda Security claims to have provided the five-step answer in its ‘Practical Security Guide for avoiding Cyber Extortion’, but does this really get to the heart of what it takes to deal with a Ransomware attack or is it simply too focused on prevention, overlooking remediation?

Let’s start by taking a look at the steps themselves.

Step one – Empower your users. Panda Security says advising users is, first and foremost, of chief importance. They must be kept up-to-date with good practice, in tune with security risks and have knowledge of the techniques the ‘con’ artists use.

Step two – Rules are rules. Internet use at work needs to be controlled, so it’s important there are strict rules in place that govern which sites are safe for users to access, and which aren’t.

Step three – Know your business. Companies need a security solution that suits their infrastructure and requirements.

Step four – Establish protocols. The installation and running of software needs to be monitored, as do applications which have been installed on a regular basis.

Step five – Lastly, but by no means least, stay up-to-date. An application update policy should be set out and stuck to, with certain apps blocked.

Plenty to keep businesses busy then, but it does feel as though Panda Labs are slightly ‘skimming the water’ here.

Whilst I believe their insistence that the education of users is vital in having good security is wise advice indeed, and businesses should enforce rules that prevent the unsolicited use of the internet, as Jay Abbott explains, suggesting it’s possible to actually see or avoid Ransomware by being vigilant “is a seriously ludicrous proposition.”

Instead, he argues that “these infections will get in regardless of your level of vigilance/paranoia on the internet,” and so he outlines five steps of his own that focus on recovery rather than prevention.

1) Make sure you have a backup
2) Did you get round to that backup yet?
3) How did last night’s backup look?
4) Is the backup still going?
5) Have you tried to restore from that backup yet?

“Ransomware is the one attack that unfortunately highlights the failings of IT quite visually. Ransomware's ‘kryptonite’ is a simple backup, but more often than not they go unchecked in organizations and as such, when the attack lands, the issue becomes a burning platform.”

He concluded by discussing what he refers to as the “overlooked” benefit of monitoring stating that whilst most companies don’t do it, they should.

“If you have a good monitoring service in place, configured well and baselined, the second a ransomware trojan drops they will see a significant increase in activity on the file servers that will follow a detectable pattern. With this simple piece of intel they can alert you and this speed of detection is often the difference between recovering in a few hours versus a few days, or even weeks.”

What’s Hot on Infosecurity Magazine?