Ransomware: Epidemic or Natural Selection?
With the seemingly explosive increase of ransomware hits in the news, one would think we're doomed to a future fraught with extortion through denial of resources. The fact of the matter is that the criminals have the upper hand and are successfully taking advantage of advanced malware to prey on less-than-prepared organizations. Guns have been brought to the veritable knife fight and, sadly, some companies don't have many options other than biting the bullet and paying up.
But why now? With the uptick in advanced threats and emphasis on cybersecurity initiatives, you'd think corporate America (or anyone) would be better prepared - maybe you'd even expect to see a decline in compromises. It's actually partly because of these advanced threats that ransomware has gone through such a resurgence.
Today's ransomware uses very similar tools, tactics, and protocols that the bad guys have employed for the big-ticket breaches. The use of stealthy infection and injection methods, command and control servers, and credential harvesting are now available to the non-State-sponsored adversary. Heck, you can buy ransomware-as-a-service if you look hard enough. The proliferation of hacktools has basically made them available to the mainstream criminal and these evildoers are cashing in.
But as stated, advances in and availability of malware are part of the issue - the other part, unsurprisingly, is lack of proper defenses. The way we deal with advanced threats is by monitoring for odd behavior that indicates a compromise, then we call in the reserves to kick the threat agents out. The over-simplified contemporary security mantra is 'we know the bad guys will get in, we just need to be prepared to evict them when they do'. Not knocking this way of thinking by any means, as it is very effective at dealing with people trying to steal your data, but this offensively defensive technique is not as effective when it comes to preventing people from holding your data for ransom. The infection and subsequent hostage situation is the 'odd behavior', so your security alerts start blaring only after an asset has been locked up.
So where does that leave us? Squarely in the midst of evolution. Artificial intelligence and machine learning are gaining momentum as viable solutions to identify (and, more importantly, prevent) weird stuff from happening but they're not fully accepted as proven technology by the masses. So while we're waiting for The Oracle to lead us into enlightenment and stop ransomware in its tracks, we need to rely on good old-fashioned security - and it starts with awareness, patching, and backups.
Awareness is a two-way street: your end users need to know how to react to questionable situations AND your security staff needs to know the latest trends in what those hackers are up to. A good threat intelligence program is critical in keeping security awareness training relevant and dust-free. Did you know that ransomware can infect you by clicking a seemingly clean ad? Yep, whitelisted adspace can be spoofed and will deliver a sheep in wolf's clothing (wait, reverse that). Threat intelligence will also help your security team tweak spam and phishing filters to quarantine the right things and ignore irrelevant triggers (we don't want to bog down critical systems here).
Patching seems almost too obvious to even bring up here so if you can tell me that 100% of your enterprise is patched to the latest version of whatever and all of your virus definitions were updated sometime between yesterday at this time and now, then move along little doggy and go play some Candy Crush. Otherwise, you've got some work to do. Go run a scan for unpatched servers on your network and realize that intruders can too. It's not that hard to locate prime targets and it only takes one to tango in this case.
In a perfect world, we wouldn't need backups (I suppose that depends on your definition, though). But, imperfect as it is, we're here and we sometimes face situations where complete reimaging is the best way to get back online. Ransomware is such a situation because the other two options are: pay the ransom or hire a really good forensics team to get your data back. Paying the ransom doesn't guarantee anything, so that's out. Forensicating requires a lot of time and that means a lot of money, so that's out. The old adage of ounces of prevention saving gallons of strife (or something like that) is true here and, by investing in a robust backup plan so that compromised resources can be quickly rebuilt in the face of ransomware, you'll be ahead of the curve. The operative word here is 'robust' - put some thought into your backup program to ensure #1 - backups are known-good and #2 - backups are frequent enough so you won't lose data by restoring.
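As an added example (not from the original post), here is a small check that turns the two 'robust' criteria above into something a backup job can actually assert: a backup is known-good only if the file on disk still hashes to the digest recorded when it was taken, and the newest known-good backup must be no older than your recovery point objective (RPO). The manifest format, file names and timestamps are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_of(path):
    """Stream the file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backups(manifest, rpo, now=None):
    """manifest: list of {'path', 'sha256', 'taken_at'} dicts (assumed format); rpo: timedelta.
    Returns (known_good_entries, within_rpo).
    #1: an entry counts only if the file still matches the digest recorded at backup time.
    #2: the newest known-good backup must be no older than the RPO, otherwise a restore
    loses more data than the plan allows."""
    now = now or datetime.now(timezone.utc)
    good = [e for e in manifest
            if os.path.isfile(e["path"]) and sha256_of(e["path"]) == e["sha256"]]
    if not good:
        return good, False
    newest = max(e["taken_at"] for e in good)
    return good, (now - newest) <= rpo


def demo():
    """Constructed sample: an intact backup from 2 h ago and a newer one whose bytes
    changed after the manifest was written (silent corruption, or a backup that was
    itself encrypted by ransomware)."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    d = tempfile.mkdtemp()
    older, newer = os.path.join(d, "db-10h.bak"), os.path.join(d, "db-12h.bak")
    with open(older, "wb") as f:
        f.write(b"customer table snapshot\n" * 100)
    with open(newer, "wb") as f:
        f.write(b"customer table snapshot\n" * 120)
    manifest = [
        {"path": older, "sha256": sha256_of(older), "taken_at": now - timedelta(hours=2)},
        {"path": newer, "sha256": sha256_of(newer), "taken_at": now - timedelta(minutes=10)},
    ]
    with open(newer, "wb") as f:  # tamper with the newest file after it was hashed
        f.write(b"\x00" * 64)
    good24, fresh24 = check_backups(manifest, timedelta(hours=24), now)
    _, fresh1 = check_backups(manifest, timedelta(hours=1), now)
    return {"good": [os.path.basename(e["path"]) for e in good24],
            "fresh_24h": fresh24, "fresh_1h": fresh1}
```

With a 24-hour RPO the surviving 2-hour-old backup is fresh enough; with a 1-hour RPO the only known-good copy is too old, which is exactly the gap criterion #2 is meant to catch.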
Obviously, there are more in-depth things to prevent ransomware and other malware from pwning your network but for blog's sake, I'm only covering the basics here. Reach out if you want to discuss more.