Carbon Black data shows that ransomware instances grew by more than 50 percent in 2016 compared to 2015. In fact, ransomware emerged as the fastest-growing malware across all industries in 2016, with major increases seen at technology companies, energy and utility companies and banking organisations. As a result, we do not expect ransomware to slow down anytime soon, and seeing as its on track to be a £800 million crime in 2017, it is still paying significant dividends for attackers.
Not only this, but ransomware is quickly evolving in sophistication as well. Payloads are increasingly infecting hundreds of machines at once. This was witnessed just last month when a string of ransomware attacks on MongoDB databases left roughly 27,000 servers compromised, with the attackers demanding significant financial reward in exchange for the stolen data.
Cyber-security news was dominated in 2016 by the go-to ransomware family for attackers, Locky. Only released last year, Locky ransomware is typically delivered via a phishing email that prompts a targeted victim to enable malicious macros via Microsoft Word. These macros then run a file that delivers an encryption Trojan, preventing the victim from accessing their files. Following the file encryption, the victim receives a message with instructions on how to pay a Bitcoin ransom to decrypt the files.
Having gained notoriety in February 2016, data shows that Locky was used in one out of four ransomware-based attacks last year and has evolved several times since then. Most recently, attackers have been using Facebook instant messaging to spread Locky ransomware.
When it comes to ransomware, prevention is the most effective defence. So how can organisations protect themselves against ransomware?
1. Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure its working. In addition to this, secure your offline backups. If you're infected a backup may be the only way to recover your data. Ensure backups are not connected permanently to the computers and networks they are backing up.
2. Block access. Configure firewalls to block access to known malicious IP addresses and logically separate networks. This will help prevent the spread of malware. If every user and server is on the same network, newer variants can spread.
3. Train your employees. Implement an awareness and training programme. End-users are targets, so everyone in your organisation must be aware of the threat of ransomware and how it's delivered.
4. Scan all incoming and outgoing emails. Scanning ensures threats are detected and executable files are prevented from reaching end users. Furthermore, enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.
5. Block ads. Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.
6. Only assign administrative access unless needed. If a user only needs to read specific files, the user should not have write access to them.
7. Leverage next-generation antivirus (NGAV) technology to inspect files and identify malicious behaviour to block malware and malware-less attacks that exploit memory and scripting languages.
8. Categorise data based on organisational value and implement physical and logical separation of networks and data for different organisational units.
While ransomware continues to generate headlines, it is still only a piece of the overall malware scope. Even with its rapid growth, ransomware still only accounts for two percent of total malware seen in 2016.
With ransomware attacks not showing any sign of depleting, it is also essential that organisations looking to defend against ransomware in 2017 are well versed in the prevention methods presented above.
Contributed by Eric O'Neill, national security strategist, Carbon Black