Over the past year, 36 percent of organisations have admitted to being victims of ransomware. In addition, there has been more than a 100 percent increase in the volume of named ransomware variants, from 90 in 2016 to nearly 200 in 2017. Ransomware activity has exploded across the world as cyber-criminals have realised its relative simplicity of use and virtual untraceability. That, combined with the fact that ransom payments can be made in cryptocurrencies like Bitcoin more easily than ever, obfuscating 'clean' funds with dirty money through services like tumbling, mixing and coin laundering, is the reason why many cyber-criminals are turning to ransomware as their weapon of choice.
Mobile devices have also not been immune to the growing risk of ransomware. Secureworks' recent State of Cybercrime report identifies several instances of malware for sale on Russian-speaking forums that are advertised as being capable of spying on all functions of an Android phone, encrypting files on the device and demanding payment. Whilst at present this is a less-targeted and smaller-value approach than targeting companies with ransomware, it is actually more likely to succeed. This is because individuals are unlikely to have the security knowledge and resources that organisations have to defend against these threats.
Large-scale 'scale over substance' ransomware attacks in 2017 devastated individual and corporate communications. However, some of the most infamous strains, WannaCry and NotPetya for example, were relatively poorly designed. WannaCry, which leveraged an exploit disclosed by the Shadow Brokers group and spread via a Windows Server Message Block (SMB) worm to vulnerable systems across the world, was designed with a kill switch and unsavvy handling of bitcoin payments. NotPetya overlooked the extortion element common to other ransomware campaigns, yet showed just how vulnerable organisations continue to be to such attacks.
But what happens when we begin to see well-designed operators establish reliable distribution methods regularly, for example utilising spam or exploit kits and/or vibrant affiliate programs? Unlike poorly designed and under-resourced operators that are unable to establish long-term distribution, well-designed operators will leverage legitimate software and pass the ransomware through multiple release iterations to make them much harder to stop and protect against.
Attacks like WannaCry and NotPetya are the beginning, and organisations need to be prepared for what's next in order to survive and thrive in an era where threat actors are becoming more commonplace, more intelligent and better resourced.
Be responsible, use protection
WannaCry spread across corporate networks seven weeks after Microsoft Windows patches were made available, six weeks after the patch warnings started to appear, and four weeks after the Shadow Brokers group released the working exploits – so organisations had ample time and information available to ready themselves for such an attack.
Cyber-security is everyone's responsibility and is not just a technology discussion, but a cultural one. Protection starts with the training and educating of all staff and those with access to corporate networks, including outsourcing companies and affiliates, to ensure that they are completely aware of the cyber-security risks and how to respond in the event of an attack. Making sure that the operating system, antivirus, and malware detection software is patched and up-to-date, and applying patches as they become available, is of paramount importance.
Being properly prepared for a ransomware attack is also critical to business longevity. Organisations need to have a backup and recovery strategy for all critical files. This means backing up data on a regular basis, and having more than one method. So, if you use the cloud or remote services, have a copy that is not connected to the infected systems. Also make sure to:
- Exercise caution when it comes to links and attachments in emails or sent through social media sites. Even if it comes from someone you trust, if it looks suspicious, don't open it.
- Familiarise yourself with known ransomware file extensions and get alerts regarding them.
- Establish a back-up strategy that will allow you to recover quickly and prevent the backup data from being encrypted.
- Create an incident response (IR) plan that includes a scenario for being targeted with ransomware, and rehearse it annually.
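One way to act on the file-extension alerting item above, shown as an added example that is not part of the original article. The watchlist entries, thresholds, event format and host names are assumptions made for illustration; a real list would be fed from threat intelligence and is far longer.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Illustrative, incomplete watchlist (assumption): extension -> family name.
WATCHLIST = {".wncry": "WannaCry", ".locky": "Locky", ".cerber": "Cerber"}
BURST_THRESHOLD = 3   # assumption: hits per host inside one window
WINDOW_SECONDS = 60   # assumption: window length

# Constructed sample file-write events: (epoch_seconds, host, path)
SAMPLE_EVENTS = [
    (1000, "fs01", r"D:\shares\finance\q1.xlsx"),
    (1005, "ws17", r"C:\Users\amy\Documents\plan.docx.WNCRY"),
    (1010, "ws17", r"C:\Users\amy\Documents\budget.xlsx.WNCRY"),
    (1012, "ws17", r"C:\Users\amy\Pictures\team.jpg.WNCRY"),
    (1020, "ws22", r"C:\Users\bob\Downloads\notes.locky"),
    (1500, "ws22", r"C:\Users\bob\Downloads\old.locky"),
]

def classify(path):
    """Return the family name if the final extension is on the watchlist."""
    return WATCHLIST.get(PureWindowsPath(path).suffix.lower())

def find_alerts(events):
    """Group watchlist hits by host and grade each host.

    'high'   = a burst of hits inside one window (mass encryption pattern)
    'review' = isolated hits (could be a stray sample or a false positive)
    """
    hits = defaultdict(list)
    for ts, host, path in sorted(events):
        family = classify(path)
        if family:
            hits[host].append((ts, family))
    alerts = {}
    for host, rows in hits.items():
        times = [ts for ts, _ in rows]
        burst = any(
            sum(1 for t in times if start <= t < start + WINDOW_SECONDS)
            >= BURST_THRESHOLD
            for start in times
        )
        alerts[host] = {
            "severity": "high" if burst else "review",
            "families": sorted({family for _, family in rows}),
            "count": len(rows),
        }
    return alerts

if __name__ == "__main__":
    for host, alert in find_alerts(SAMPLE_EVENTS).items():
        print(host, alert)
```

Extension matching only catches families that use a fixed, known suffix, so it complements rather than replaces the patching and backup measures listed above.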
Cyber-criminals are becoming more goal-driven and patient, with more time, and increased access to vast, modern technical resources. Both organised and forum-based criminals are working constantly to find innovative and efficient ways to steal information and money with the lowest risk to their personal freedom, and ransomware looks set to be the battering ram they call on to smash corporate networks wide open. If we wish to stay one step ahead, combining the use of Artificial Intelligence with Human Intelligence to develop an acute awareness of the online criminal threats, techniques, and markets is our best defence. Either way, organisations must choose to embrace the challenge of cyber-security, leveraging the right tools and alliances that can enable them to see more, know more, and defend faster.
Contributed by Ian Bancroft, Vice President & General Manager EMEA at Secureworks
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.