A lot has been written about ransomware, with even committed technophobes now able to discuss it at company meet-and-greets. Given all the press, is there anything more to be said? As it turns out, ransomware is surprisingly similar to daytime soap operas: the plot evolves from one day to the next, with evil villains launching new schemes at every turn. If you think you know everything about ransomware and how to fight back, you may want to keep reading: this pernicious form of malware just evolved while you were sleeping.
Just the Facts, Ma’am
For the uninitiated, ransomware is a type of malware attack that prevents organizations from accessing their own data or systems until they pay a ransom to obtain a decryption key. In addition to paying ransom, victims may also suffer steep IT costs, fines, business downtime and brand damage. Worse, paying up provides no guarantee that victims will recover their data.
Instead of politely going away, ransomware is a growing problem for organizations large and small. CNN recently reported that ransomware events are expected to collect $1 billion in 2016, with researchers seeing a 3,500% increase in the criminal use of net infrastructure to run ransomware campaigns.
Spreading the Love
Ransomware often spreads via e-mail messages or drive-bys, programs downloaded to computers upon visiting an infected website. It’s also disseminated through spearphishing campaigns, infected advertisements and “crypters” and “packers” that make files look benign. Once users click on something containing ransomware, it can migrate from that person’s browser into their entire file system and access cookies, data, networks, and hardware.
Mouse – 1, Cat – 0
For some hackers, ransomware has eclipsed credit card theft as the preferred cyber-racket. Why? Perhaps the biggest cause is that chips, sign-in and other improvements in credit card infrastructure have decreased the value of credit card data. Instead of breaking into an individual device to see what they can steal, hackers can simply lock everything up and let the victim decide what’s valuable. This shotgun approach is easy and low-risk, enabling hackers to directly monetize every attack without incurring additional time and risk to actually steal data.
Other forces have also shifted the balance of power between attackers and victims. William Largent, security researcher with Cisco Talos Groups, notes, “The problem we face is that every single business that pays to recover their files, is directly funding the development of the next generation of ransomware.”
Darwin Would be Proud
According to the BBC, experts have now identified more than 120 separate families of ransomware. Although each family reuses existing capabilities, ransomware is continuously evolving and becoming increasingly sophisticated over time.
Over the last year, hackers have started adopting varied approaches to plying their trade, with combinations of new techniques almost certainly on the horizon. Not only are hackers getting good at cryptography, but they’re now returning only partial datasets to victims, prolonging ransom demands long-term. They’ve also figured out how to attack “connected shares” and spread ransomware through traditional office documents. Another major change is that attacks have moved to machine time scale. In the next phase of ransomware, we’ll see hackers hit individual endpoints with crypto-based tags, then use wormlike capabilities to move laterally across the enterprise.
“Detect to Protect” a Misnomer
Like sitting ducks, some organizations do nothing to address ransomware whereas others spend big bucks on traditional front-end protection, a wholly failed approach. Protecting the perimeter doesn’t work if you don’t know where the holes are or what you’re looking for, and monitoring doesn’t work if you don’t know what you’re seeing. With the routine use of mobile devices and unsecured networks, there’s an enormous number of vulnerable endpoints. It only takes one compromised device to threaten an entire organization.
Traditional anti-malware tools designed to detect compromised software are fruitless since malware doesn’t compromise operating systems, with anti-virus sweeps unable to keep up from a signature perspective. Likewise, relying on hashes to identify ransomware is useless as well since most malware quickly mutates into some new undetectable form. Moving data to the cloud won’t solve the problem either since cloud services typically offer minimal backup and are subject to ransomware too.
Users Muck Up the Works
Given the failure of other approaches, educating end-users to avoid suspicious links and attachments seems like a good idea. Who would argue with that?
Safe browsing habits are good but far from a surefire prevention strategy. Not everyone understands attack vectors and there will always be people who click on something they shouldn’t. Users steeped in guilt over their careless online habits often try to resolve ransomware attacks on their own, leaving enterprise IT none the wiser and data potentially still at large. Worse yet, hackers may still maintain presence on the compromised device.
Glimmers of Hope
If ransomware can evolve, why can’t the enterprise? As discussed in a recent SOCK(net) podcast, there are promising new approaches to combatting ransomware.
Drawing on the notion of least privilege, hardware features built into CPUs are now being used to hardware-isolate individual tasks in the operating system, segmenting infected endpoints and preventing access to other hardware, data, and networks. There are also efforts underway to provide post-breach forensics and use endpoint collaboration to identify and isolate attacks on machine-time scale.
Data Backup Sidesteps Attacks
It’s not all bad news on the ransomware front. There’s a streamlined, elegant way to protect data: it’s called backup. By automating time-indexed snapshot backups of data across servers, laptops, and cloud apps, organizations can quickly restore data back to any point in time prior to the attack. Yes, go ahead and educate users about safe browsing. Yes, do your darndest to protect the perimeter. And by all means, keep abreast of new technologies. But at the end of the day, you have to do comprehensive data backup if you want to definitively reduce the impact of ransomware. Do this and you won’t be waiting around, wringing your hands, while hackers perfect their game. Most importantly, think of the satisfaction you’ll get when you can tell a hacker where to stick his ransom demand.
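To make "restore to any point in time prior to the attack" concrete, here is an added example (not from the original article or any backup product) that replays a time-indexed catalog of incremental snapshots and builds a per-source restore plan. The catalog layout, source names, digests and attack time are all constructed assumptions.

```python
from datetime import datetime

def t(s):
    return datetime.fromisoformat(s)  # all times are UTC in this example

# Constructed catalog of incremental snapshots: (source, taken_at, changes).
# changes maps path -> content digest, or None when the path was deleted.
CATALOG = [
    ("laptop-17", t("2016-09-01T02:00"), {"docs/plan.docx": "a1f3", "docs/budget.xlsx": "77c0"}),
    ("laptop-17", t("2016-09-02T02:00"), {"docs/plan.docx": "b2e4"}),
    ("laptop-17", t("2016-09-03T02:00"), {"docs/plan.docx": None, "docs/budget.xlsx": None,
        "docs/plan.docx.locked": "ffff", "docs/budget.xlsx.locked": "eeee",
        "HOW_TO_DECRYPT.txt": "0000"}),
    ("cloud-drive", t("2016-09-01T02:00"), {"shared/q3.pptx": "c9d1"}),
    ("cloud-drive", t("2016-09-03T02:00"), {"shared/q3.pptx": "5e5e"}),  # overwritten in place
    ("kiosk-02", t("2016-09-03T02:00"), {"notes.txt": "1234"}),  # first backed up after the attack
]
ATTACK_START = t("2016-09-02T14:30")  # constructed time of first encryption activity

def state_at(catalog, source, cutoff=None):
    """Replay one source's increments taken strictly before cutoff (None = all)."""
    last, state = None, {}
    for src, taken, changes in sorted(catalog, key=lambda s: s[1]):
        if src != source or (cutoff is not None and taken >= cutoff):
            continue
        for path, digest in changes.items():
            if digest is None:
                state.pop(path, None)   # deletion recorded in this increment
            else:
                state[path] = digest    # new or modified file
        last = taken
    return last, state

def restore_plan(catalog, attack_start):
    """Per source: last clean restore point, files to roll back, files with no clean copy."""
    plan = {}
    for source in sorted({s[0] for s in catalog}):
        restore_point, clean = state_at(catalog, source, attack_start)
        _, current = state_at(catalog, source)
        plan[source] = {
            "restore_point": restore_point,  # None means no snapshot predates the attack
            "restore": sorted(p for p, d in clean.items() if current.get(p) != d),
            "no_clean_version": sorted(p for p in current if p not in clean),
        }
    return plan

if __name__ == "__main__":
    for source, entry in restore_plan(CATALOG, ATTACK_START).items():
        print(source, entry)
```

The kiosk-02 entry shows the failure mode: a source whose first snapshot postdates the attack has no restore point, so backup coverage has to exist before the incident.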