by Dr. Grigorios Fragkos, VP Cybersecurity
At the beginning of 2016 we warned our readers about the increasing threat of ransomware and provided advice on having an incident response plan that is ready to face this emerging threat. Our article focused on tips related to prevention, response and evading extortion. If you did not have a chance to read our article from January, we recommend that you read it as soon as possible.
Now, at the end of the first quarter of 2016, it is evident that ransomware has become a headache for those who did not take all the necessary precautions to avoid being the next target. Recently, the FBI released a statement to The Wall Street Journal that ransomware is a prevalent and increasing threat.
As this recent article describes, attackers are trying new approaches to infection, such as ransomware ‘malvertising’, and have succeeded in creating the first Mac OS X ransomware.
Have a plan, Be Prepared
Due to the fact that it is not easy to deal with the situation after an organisation is hit by ransomware, the best course of action is to ensure there is a backup plan in place.
It might come as a surprise but in order to understand the seriousness of the situation, consider that an official in the FBI’s Boston field office went against normal FBI policy and suggested to a conference audience that often the only solution is to pay the ransom.
Sysnet wants to make sure you do not have to face that moral dilemma and for that reason we are trying to inform you about the increasing threat and ensure you have taken all the necessary steps towards prevention.
Many cyber criminals have shifted their focus to ransomware as it has become the easiest way to target organisations and individuals. The primary reason for this is that it has become time-consuming and difficult to generate income by other means while infecting systems for ransom has become more profitable for them.
One of the main attractions of using ransomware instead of stealing card data is that ransomware skips the step of having to resell the data on the black market, and instead allows profit to be generated directly via a paid ransom. Additionally, the ransom is often required to be paid in Bitcoin and therefore there is a lower risk of getting caught due to the fact Bitcoin transactions are untraceable.
The common ransom demand is usually up to one Bitcoin equivalent to about $425/£300/€370.
The spam campaigns and spoofed emails used to distribute ransomware have become even more sophisticated in the last few months and the quality of the emails has improved making ransomware difficult to detect, even for the trained eye.
Cyber criminals have translated the content of these emails into different languages, and it is no longer obvious that the emails come from an automated translation engine. Additionally, once a system is infected, the ransomware propagates by sending itself to the contacts found on the compromised machine’s address book, exploiting a potential trusted relationship between the sender and the recipient.
Ransomware has recently gone a step further with the CTB-Locker variant attacking websites. When it has compromised a website, CTB-Locker encrypts all files in the repositories and usually installs a password-protected shell to serve as a backdoor.
The hidden costs
Ransomware goes beyond just infecting a computer host; the downtime caused by the infection is what costs more to the organisation than the actual ransom. Losing the ability to have access to important and sensitive data can have not only devastating consequences to organisations and business but also to the wellbeing of individuals.
Only a few of weeks ago, ransomware infected two German hospitals and the US Hollywood Presbyterian Medical Center, and managed to paralyse the hospitals’ computing infrastructure.
Paying the ransom does not guarantee that you will regain access to your data. Criminals carrying out these types of attacks cannot be trusted and supporting their actions by paying the ransom only encourages them to continue investing in such criminal activities. Consider investing in cloud storage or cloud based services which can act as a risk mitigation tactic.
Actions to be taken
Understanding why these types of attacks are so successful and the action that needs to be taken is very important. Only with an understanding of the threat can you avoid infection and the risk of someone holding your data for ransom.
- Lack of proper security training is one of the main reasons why spam campaigns and spoofed emails delivering ransomware are successful. Employees need to be made aware of the threat and how it spreads. Most companies have a Bring Your Own Device (BYOD) policy in place meaning it is important that employees understand that, along with company data, their own data is at stake here as well.
- In most cases, ransomware attacks are successful not because the cyber criminals managed to breach a company’s cyber defences by exploiting a zero-day vulnerability, but because the company had an inadequate backup strategy in place. Good security practice dictates that updates and patches to address vulnerabilities must be implemented swiftly but one must not forget that the worst can happen and good security practice also expects that you have backup and recovery plans prepared. Preparation can ensure that it is only takes a matter of minutes to remove the infected systems from the network and be up and running using the most recent backup.
- Poorly segmented or flat networks not only allow ransomware but also other types of malicious files to spread across the computer infrastructure. Consider isolating critical business systems or segmenting your network to minimise the impact in the event of an infection.
- Downtime as a result of ransomware can be most costly to the organisation than the ransom. There have been cases where the IT security department failed to understand and respond in time which resulted in valuable time being lost that exponentially increased the downtime. Your organisation’s IT security team need to take steps towards improving their understanding of ransomware and have an up to date incident response plan in place.
- The threat landscape is constantly changing. Frequently evaluating the changing malware threat landscape (per PCI DSS, requirement 5.1.2) will assist in ensuring that the antivirus/antimalware tools in place are sufficient to address any threat. Part of that evaluation should be to determine whether systems not yet protected by antivirus software now need protection. For example, as threats develop smartphones or tablets not previously considered to need antivirus may be at risk.
- Business changes may increase exposure to the ransomware threat. You should assess the impact of business changes in your organisation on your exposure to malicious software such as ransomware. Technology, operational or process changes may increase your exposure; changing business dependencies on at-risk systems or data may require updated prevention and response approaches.
Finally, you should assess the effectiveness of your cybersecurity awareness training and more particularly your measures to protect against the threat of a ransomware infection across all business, by including this scenario in the testing of your incident response plan, which should be undertaken at least annually.
If you are targeted, report the threat to the relevant e-crime unit (in Ireland – An Garda Siochana; In the UK – National Fraud & Cyber Crime Reporting Centre; in the US – the FBI Internet Crime Complaint Centre – or local law enforcement).
If you are a merchant that requires technical or PCI DSS help, please click here