Brian Vecci, technology evangelist, Varonis
Brian Vecci, technology evangelist, Varonis

Organisations in all industries, from healthcare to government and financial services to manufacturing are getting attacked daily by new and more insidious flavours of ransomware. For organisations with legal obligations to prevent data from improper alteration or destruction, such attacks can cause all manner of issues. In May a new strain of ransomware called “Jigsaw” was making good on threats to delete files of itsvictims every hour, with all files deleted if the ransom wasn't paid within 72 hours.

Ransomware developers are continuously adding more deadly functions to their creations, with examples such as Cerber adding DDoS capabilities, and Microsoft reporting a new ransomware variant that has the power to spread like a worm. Even Mac users are no longer safe, with cyber-criminals who have previously only targeted Windows operating systems having expanded their customer base to include Mac OS with a strain known as KeRanger. Although we are now seeing many different strains of ransomware, they all have one thing in common – they have become very profitable for cyber-criminals.

Right now, many perceive ransomware to be a sophisticated and hard-to-prevent attack. People notice it because ransomware isn't subtle at all – you get a very clear pop-up on your screen and when you do the first questions IT administrators will ask themselves are; which users have been infected? What else got encrypted? When did it start?

For many years a common paradigm in IT has been to keep user data on network drives–departmental shares, home folders, etc. Not only do network drives make sharing files possible, but they minimise the amount of data stored on endpoints. If nothing of importance is kept on local hard drives, a single machine can be lost or destroyed and it has minimal impact on business continuity.

Unfortunately, storing files on network drives won't necessarily keep them safe from ransomware because the OS treats mapped network drives just like local folders. Some strains of ransomware, such as Locky, will even encrypt files on un-mapped network drives.

When attempting to avoid ransomware, prevention, detection and mitigation form the cornerstones of recovery from these kinds of attacks. What makes ransomware so insidious is that it so easily exploits vulnerabilities on the inside of the security perimeter, a weak spot for so many organisations.

Here are three reasons ransomware is so dangerous:

1. Many organisations aren't monitoring how employees use file shares at all — the huge repository of files that newer ransomware strains target. You can't catch what you can't see, so it's extremely difficult to catch ransomware without monitoring file share use.

2. What's worse is that users typically have access to far more files than they need, and a lot of files are accessible to any employee. This means that once ransomware gets in it can wreak all kinds of havoc. Even a single compromised user can lock up huge amounts of data.

3. Finally, since most have no record of who modified (or encrypted) which files when, huge recovery exercises are needed to make sure that nothing was missed. Recovery from these attacks can often mean bringing entire file shares down while backups are restored.

Best three ways to combat ransomware:

1.   1.   The best way to combat ransomware is to ensure that all user file system activities are monitored and analysed. By doing so you can detect ransomware and other insider threats through any significant changes that may occur in the file system, ie a large number of deletions. By closely monitoring the file system logs and configuring your monitoring solution to trigger an alert when this behaviour is observed, you can detect the creation, encryption, or deletion of files.

2.    If endpoint security tools won't help prevent ransomware, what will? User Behavioural Analytics (UBA). UBA  compares what users on a system are normally doing — their activities and file access patterns – against the  non-normal activities of an attacker who's stolen internal credentials. By monitoring normal user behaviour  and logging each individual user's actions, UBA is able to derive a profile that describes what it means to be  that user, making it easier to spot anomalous behaviour.

3.  Finally, operating off a least privilege model is a great way to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups such as “Everyone,” and “Domain Users” when used on data containers (like folders and SharePoint sites) can expose entire hierarchies to all users in a company.  By removing them and operating on a least privilege model, it makes it that much harder for attackers to encrypt all your files.

Contributed by Brian Vecci, technology evangelist, Varonis