The ransomware epidemic shows firms are failing the security basics
Its not just anti-malware, but a holistic security review including policies and processes that's needed to minimise the risk of ransomware says Raimund Genes - with basics such as data segmentation being ignored.
Raimund Genes, CTO, Trend Micro
It seems like every other IT story in the news these days is about yet another ransomware outbreak. In the past few months we've seen it lock down hospitals, universities, businesses and others as greater numbers of hackers seek to cash in on this relatively quick and easy way to make a buck. The bad news is that as long as it remains this profitable for the black hats, these attacks will continue. We need to focus more of our efforts on prevention – and in many cases this means going back to basics with some simple best practice security steps.
Although ransomware volumes have soared over the past year, it isn't a particularly new concept. Back in 1989, the AIDS trojan was pre-loaded onto around 20,000 floppy discs and handed out to attendees of the World Health Organisation's AIDS conference. Labelled as “AIDS Information – Introductory Diskettes” they socially engineered the victims into opening them up on their machines. The trojan itself hid the victim's directories and encrypted the names of files on the C drive, with users told to pay US$ 189 (£132) to get access back.
Fast forward 27 years and more sophisticated ransomware is being spammed out at an astonishing rate, with the same kind of social engineering techniques tricking users into opening malicious attachments or clicking on malicious links. In fact, Trend Micro discovered more than twice as many UK enterprise infections in February than in the entire first three months of 2015. And there were more UK SMB ransomware infections in February this year than in the first three quarters of 2015 combined.
But with the malware authors innovating all the time to stay one step ahead of the white hats, even advanced anti-malware may not detect and block all the many strains of ransomware out there. Instead, IT security bosses should use this opportunity to revisit their policies and processes as part of a more holistic response to help minimise the risk of infection.
Back to basics
The truth is that organisations should not be suffering to the extent they are. If a user is able to open ransomware on their machine due to the permissions given, then the ransomware shouldn't be able to encrypt files across the network and cause an enterprise-wide IT shutdown. The fact that this has clearly happened to so many firms is an indication that their baseline security is not working.
Network segmentation is the first step I'd recommend to ensure any infection is contained. It's a basic security principle, which will limit the effect of ransomware inside an organisation. Then there's backing-up: again organisations are getting the basics wrong. They must ensure at least one back-up media is always offline, so that if ransomware hits an IT system, it doesn't also encrypt the backed-up files.
Whitelisting is another option to help reduce risk. This means only trusted programmes will be allowed to run on your network – so any ransomware will effectively be blocked at the front door. The technology is now good enough to make this a genuinely effective alternative to blacklisting, especially as new variants are sometimes not picked up by anti-malware tools. Of course, it can't be utilised for all users like developers, but the average office worker is protected by having access only to known good files.
Other time-honoured best-practice security steps include disabling macros and ensuring users can't switch them back on – this really should be a no brainer by now. User Rights Management and access controls (UAC) also need to be tweaked to further lower the risk of infection. Users should never be given admin rights, and if UAC is properly configured it will stop ransomware before it has a chance to wreak havoc.
One final piece of advice that could go a long way to improving your resilience to ransomware is user education. But I don't just mean telling your staff how to spot suspicious activity, and not to click on malicious attachments or follow dubious-looking links. This approach won't resonate enough with them to yield the best results. Instead, IT leaders need to hire pen testers to fire fake ransomware attacks at employee inboxes every six months. By releasing the results of these tests, IT departments can motivate staff more successfully to be careful in the future.
Some organisations balk at the price of pen testers, but really they will end up paying for themselves if it prevents a ransomware attack. Aside from the cost of the ransom itself, there's a potentially huge hit to the organisation's bottom line if IT systems are out of action for a matter of hours or even days. A one-off bill of £10,000, for example, might seem a lot initially, but in this context it really isn't.
The FBI raised a lot of eyebrows in security circles when reports emerged suggesting it had recommended some firms pay their ransom if they were unable to crack the encryption. But the truth is that some of the better-designed ransomware variants will make it impossible to recover data otherwise. Some argue that this is fuelling cyber-crime, but in reality you were already doing that before, by failing to adequately secure your systems.
So let's look at the ransomware epidemic as an opportunity for IT security teams to revisit their strategies and get those all-important basics right. It might even make user access control sexy again.
Contributed by Raimund Genes, CTO, Trend Micro