More targeted, sophisticated and costly: Why ransomware might be your biggest threat

Ransomware has matured and its threat level is now on par with APTs as attackers use better tools and learn from past mistakes.


"Our theory as to why that is, is because there have been a lot of vulnerabilities discovered over the last couple of years," Kujawa says. "There's an expected focus on the Chromium engine that's used to run Chrome and will eventually run Microsoft's new browser. So, trying to exploit that browser will be very important to cybercriminals and exploit kits because a lot of people use that platform."

Harder-to-crack encryption

Security companies are always trying to find vulnerabilities in the file encryption implementation of ransomware programs to help victims recover their files without paying. The decryption tools created as a result of those efforts are typically released for free and made available on the No More Ransom website maintained by Europol and its partners.

However, the ransomware programs used by the more sophisticated groups are quite mature. Attackers have learned from their past mistakes or the mistakes of other ransomware developers and have corrected implementation errors.

The code of some ransomware programs has been leaked online and is available to copy and improve. Operating systems also provide cryptography APIs, and there are well-scrutinized open-source crypto frameworks and libraries. All this means that the most widespread ransomware programs are also the most dangerous: they use strong encryption algorithms implemented correctly, and no free decryptor exists for them.
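The point about implementation errors is easiest to see in code. The following is an added example written for this article, not code from the page or from any real ransomware family. A toy file locker encrypts files with a stream cipher built from SHA-256 in counter mode (a stand-in for a real cipher). The flawed variant derives one keystream from a per-victim key and reuses it for every file, which turns the scheme into a many-time pad: because most file formats start with a known header, a defender can recover the keystream prefix from one file and strip it from every other file without ever learning the key, which is the kind of mistake that free decryptors are built on. The corrected variant draws a fresh random key per file, so known plaintext in one file says nothing about the others. File names, file contents and the magic values used as known headers are assumptions for the example.

```python
"""Toy file locker: shared-keystream flaw vs. per-file keys (added example)."""
import hashlib
import os


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stream cipher used only for illustration."""
    blocks = []
    counter = 0
    while 32 * len(blocks) < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Leading bytes of common formats (PNG signature, PDF header), used as known plaintext.
KNOWN_HEADERS = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-1."}

# Constructed sample "victim" files; the contents are invented.
SAMPLE_FILES = {
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00",
    "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>",
    "notes.txt": b"Q3 budget: payroll 1.2M, cloud 340k, travel 55k",
}


# --- flawed locker: one keystream shared by every file ---------------------
def encrypt_flawed(victim_key: bytes, files: dict) -> dict:
    return {name: xor(data, keystream(victim_key, len(data)))
            for name, data in files.items()}


# --- corrected locker: fresh random key per file ---------------------------
def encrypt_per_file(files: dict) -> tuple:
    """Returns (ciphertexts, file_keys). A real locker would wrap each file key
    with the attacker's public key instead of keeping it in memory."""
    cts, keys = {}, {}
    for name, data in files.items():
        keys[name] = os.urandom(32)
        cts[name] = xor(data, keystream(keys[name], len(data)))
    return cts, keys


def decrypt_per_file(cts: dict, keys: dict) -> dict:
    return {name: xor(ct, keystream(keys[name], len(ct))) for name, ct in cts.items()}


# --- defender side: known-plaintext recovery of the keystream prefix -------
def recover_keystream_prefix(cts: dict) -> bytes:
    """Take the file whose extension has the longest known header and XOR the
    header against its ciphertext: ciphertext ^ plaintext = keystream."""
    best = b""
    for name, ct in cts.items():
        hdr = KNOWN_HEADERS.get(os.path.splitext(name)[1], b"")
        if len(hdr) > len(best):
            best = xor(ct[:len(hdr)], hdr)
    return best


def strip_prefix(cts: dict, ks_prefix: bytes) -> dict:
    """Apply the recovered keystream prefix to the start of every file."""
    return {name: xor(ct[:len(ks_prefix)], ks_prefix) for name, ct in cts.items()}


def recover_from_flawed() -> dict:
    """Leading bytes of every file come back in the clear, key never needed."""
    cts = encrypt_flawed(os.urandom(32), SAMPLE_FILES)
    return strip_prefix(cts, recover_keystream_prefix(cts))


def recover_from_per_file() -> dict:
    """Same attack against per-file keys yields garbage for the other files."""
    cts, _keys = encrypt_per_file(SAMPLE_FILES)
    return strip_prefix(cts, recover_keystream_prefix(cts))


if __name__ == "__main__":
    print("flawed  :", recover_from_flawed()["notes.txt"])
    print("per-file:", recover_from_per_file()["notes.txt"])
```

In the flawed scheme the defender only gets as many bytes of keystream as the longest known header, but real files carry far more predictable structure (format tables, padding, repeated fields), and researchers have recovered much longer keystreams from a single unencrypted original paired with its encrypted copy. The corrected scheme removes that foothold entirely, which is why a properly implemented locker leaves backups as the only recovery path.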

It's critical for organizations to have backup plans in place and a data restoration plan that is tested periodically. Backups should also be kept offline, offsite, or otherwise unreachable from the production network to prevent attackers from deleting or encrypting them as well. In some documented cases, organizations decided or were forced to pay the ransom because their backups were corrupted or the restoration process would have taken too long compared to just buying the decryptor.

Ransomware defenses 

First and foremost, organizations should take themselves off the easy target list by performing internal and external penetration tests and identifying any potentially vulnerable systems or servers exposed to the internet. Remote connections into the network such as VPN or RDP should require strong and unique credentials, as well as two-factor authentication (2FA).

Inside the network, companies should ensure that endpoints and servers are up to date with patches for their operating systems and the software they run. The networks should be segmented based on the principle of least privilege so that a compromise of a workstation in one department can't easily lead to a full network takeover. On Windows networks, domain controllers should be carefully monitored for unusual access.

Organizations that rely on managed service providers (MSPs) or managed security service providers (MSSPs) should make sure the connections from those third parties are monitored and logged and that the software they use also has 2FA turned on. The network and systems access provided to third parties should be restricted to only what is needed to perform their job.
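The monitoring advice in the last few paragraphs (RDP exposure, unusual access to domain controllers, third-party connections) can be turned into concrete detection logic. The following is an added example, not code from the page: it runs three rules over Windows Security log events 4624 (logon success) and 4625 (logon failure), where LogonType 10 means a RemoteInteractive (RDP) logon. It flags RDP logons to a domain controller from anything other than an approved admin jump host, a third-party service account used from outside its allowed source range, and a burst of failed RDP logons from one source against one host. The host names, account names, address ranges, thresholds and the JSON sample lines are all constructed for the example; the field names mirror the Windows event fields but the log format is assumed.

```python
"""Three ransomware-precursor detections over constructed Windows logon events."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Environment-specific allowlists (assumed values for this example).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_JUMP_HOSTS = {ipaddress.ip_address("10.0.5.10")}
THIRD_PARTY_ACCOUNTS = {"svc_msp": ipaddress.ip_network("203.0.113.0/24")}
BRUTE_FORCE_THRESHOLD = 5                  # failures from one source against one host ...
BRUTE_FORCE_WINDOW = timedelta(minutes=2)  # ... within this window
RDP = 10                                   # LogonType 10 = RemoteInteractive

# Constructed sample log lines (one JSON event per line), not real telemetry.
SAMPLE_LOG = """\
{"time":"2020-02-10T02:10:00","EventID":4624,"LogonType":10,"Computer":"DC01","TargetUserName":"itadmin","IpAddress":"10.0.5.10"}
{"time":"2020-02-10T02:14:05","EventID":4624,"LogonType":10,"Computer":"DC01","TargetUserName":"jsmith","IpAddress":"10.0.23.44"}
{"time":"2020-02-10T02:15:00","EventID":4624,"LogonType":10,"Computer":"FS01","TargetUserName":"svc_msp","IpAddress":"203.0.113.7"}
{"time":"2020-02-10T02:16:30","EventID":4624,"LogonType":10,"Computer":"FS01","TargetUserName":"svc_msp","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:20:01","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"administrator","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:20:07","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"admin","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:20:15","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"backup","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:20:22","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"scanner","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:20:31","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"sql","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:20:40","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"test","IpAddress":"198.51.100.9"}
{"time":"2020-02-10T02:25:00","EventID":4625,"LogonType":10,"Computer":"RDP01","TargetUserName":"jsmith","IpAddress":"192.0.2.5"}
{"time":"2020-02-10T03:00:00","EventID":4624,"LogonType":2,"Computer":"DC01","TargetUserName":"itadmin","IpAddress":"-"}
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        try:
            ev["ip"] = ipaddress.ip_address(ev["IpAddress"])
        except ValueError:  # console/local logons log "-" instead of an address
            ev["ip"] = None
        events.append(ev)
    return events


def _alert(rule: str, ev: dict) -> dict:
    return {"rule": rule, "user": ev["TargetUserName"], "ip": str(ev["ip"]),
            "computer": ev["Computer"], "time": ev["time"].isoformat()}


def detect(text: str) -> list:
    """Return alert dicts (rule, user, ip, computer, time) for the three rules."""
    alerts = []
    failures = defaultdict(list)  # (source ip, target host) -> failure timestamps

    for ev in parse_events(text):
        user, host, ip = ev["TargetUserName"], ev["Computer"], ev["ip"]
        if ip is None or ev["LogonType"] != RDP:
            continue
        if ev["EventID"] == 4624:
            # Rule 1: RDP into a DC from anything but the approved jump hosts.
            if host in DOMAIN_CONTROLLERS and ip not in ADMIN_JUMP_HOSTS:
                alerts.append(_alert("rdp_to_dc_from_unapproved_host", ev))
            # Rule 2: a third-party account used from outside its allowed range.
            allowed = THIRD_PARTY_ACCOUNTS.get(user)
            if allowed is not None and ip not in allowed:
                alerts.append(_alert("third_party_account_unexpected_source", ev))
        elif ev["EventID"] == 4625:
            failures[(ip, host)].append(ev["time"])

    # Rule 3: sliding window over failed RDP logons; one alert per (source, host).
    for (ip, host), times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BRUTE_FORCE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                alerts.append({"rule": "rdp_brute_force", "user": None, "ip": str(ip),
                               "computer": host, "time": t.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the rules produce exactly three alerts: the jsmith RDP logon to DC01 from a workstation subnet, the svc_msp logon from an address outside the MSP's range, and the failed-logon burst from 198.51.100.9 against RDP01 (the single failure from 192.0.2.5 stays below the threshold). In production the allowlists would come from the asset inventory and the MSP contract rather than constants, but the logic is the same.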

Organizations should have a clear inventory of the data that's critical for their business operations. The systems storing it should be strictly controlled.

Since many ransomware infections start with an infected workstation, the use of endpoint anti-malware software is important. So is removing unneeded plug-ins and extensions from browsers, keeping the software up to date and making sure employee accounts have limited privileges.

Train employees on how to spot phishing emails and question unsolicited messages that ask them to open files or click on links. Create a special email address monitored by the security team where employees can forward emails they believe are suspicious.

Finally, draft an incident response plan and make sure everyone involved knows their role and what they need to do if a compromise does happen, including communicating with your security vendor or MSSP and law enforcement. Don't treat commodity malware infections lightly; investigate them thoroughly, as they could be, and often are, an intrusion vector for more serious threats.

The FBI's Internet Crime Complaint Center (IC3) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) both have recommendations for preventing or responding to ransomware attacks. In February 2020, the National Institute of Standards and Technology (NIST) released two draft practice guides on dealing with ransomware: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (SP 1800-25) and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events (SP 1800-26). NIST is accepting comments on them until February 26 and expects to issue final guidance later in 2020.

Copyright © 2020 IDG Communications, Inc.
