Pulse Secure expert on the mutation of ransomware

Ransomware attacks have brought entire cities to a crippling halt this year, and attackers' methods are constantly evolving. Scott Gordon, InfoSec Evangelist, Pulse Secure, discusses how enterprises and organisations can fortify their networks by implementing layered defences and applying secure access solutions.

In the last few months, ransomware gangs have hit a broad range of targets, sending aftershocks through the commercial world.

In April, ransomware shut down the website of Ukraine's Energy Ministry. Also this year, an Indiana hospital paid over US$50,000 to free itself from the grip of a ransomware attack. The Leominster, Massachusetts school district caved in to the demands of a cybercriminal and paid US$10,000. Police declined to investigate, labelling the effort 'impossible', and later told reporters that the school district did the right thing by paying off its attackers.

But among the most significant ransomware attacks so far in 2018 is the attack on the city infrastructure of Atlanta. The attack hit the city's computer systems and online portals: the police lost surveillance footage, city attorneys lost years of documents including criminal evidence, job applications were suspended, court dates were postponed and city services, in large part, ground to a halt. Atlanta was still picking up the pieces weeks later. The attackers demanded a comparatively meagre US$50,000 or so in bitcoin; the city did not pay the ransom, but recovery has already cost it more than US$2.5 million, and the final bill looks like it may come to well over US$11 million.

The ransomware landscape has undergone some changes in the last year. Malwarebytes highlighted a 90% increase in detected ransomware attacks in 2017, while noting that the number of new ransomware families held largely steady, which suggests that activity is concentrated in a few dominant families. An F-Secure report noted that ransomware operators were moving to more targeted tactics: instead of casting wide nets to catch as many victims as possible, they were honing their sights on high-value targets.

Increasingly, ransomware is moving away from individual consumers and narrowing its focus on businesses, which have deeper cash reserves (and, increasingly, cyber insurance) and more to lose, whether in IT recovery costs or hours of business paralysis. Symantec's 2017 Internet Security Threat Report revealed that 42% of ransomware attacks were focused on business targets.

That preference for victims who cannot tolerate downtime has put healthcare squarely in the crosshairs. A 2018 report from Cylance listed healthcare as the top target for ransomware families in 2017. Most recently a Wisconsin-based medical facility was infected with RISE ransomware, putting the data of thousands of patients at risk. Earlier in the year, a Chicago-based healthcare records provider found its services paralysed by a ransomware attack. That attack trickled down to hundreds of its customers, medical practices that were left unable to access their patients' medical records.

Such attacks can pay twice. Not only can the hospital be extorted for thousands, but any patient data stolen along the way can be sold for far more than a comparable tranche of breached data from another sector would fetch.

Ransomware families are also being reengineered to suit the needs of the modern cybercriminal.

SamSam, for example, the source of Atlanta's woes, requires the operator to supply a password before its payload will run, so the malware executes only where and when the attacker intends rather than spreading indiscriminately. Xiaoba ransomware has been retooled to keep up with the times and mine cryptocurrency, an ever more popular activity for cybercriminals, while still destroying its victims' files.

Data Keeper, a ransomware-as-a-service offering, is free to sign up for and lets its users customise their own builds. Once a build has been generated, Data Keeper's operators take a share of the profits every time that user's ransomware successfully claims a victim.

These developments are striking, and ransomware gangs are likely to refine their tactics and technology in the years to come. These illicit innovations notwithstanding, the defensive fundamentals that worked in 2016 still work in 2018.

Any strategy to deal with ransomware must extend to every level of your environment, from your endpoints, IoT devices and email gateways right through to your data centres and cloud resources. A layered approach, combining secure access, active endpoint security and network visibility, reduces the exposure of endpoints and improves the fidelity with which malware activity is discovered and contained.

If a user has inadvertently disabled their endpoint security, such as their personal firewall, or if their anti-malware protection is out of date, a secure access solution can detect the non-compliant posture before the device is admitted to the network. If that user then clicks on a phishing link and infects their company-owned laptop with SamSam, a Network Access Control solution can keep that infection off the company network and away from other endpoints. And a network monitoring, firewall or web proxy solution can identify command-and-control communications to known malicious sites directing the ransomware.
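As an added illustration, and not code from the article or from any Pulse Secure product, the Python below sketches the admission decision a NAC or secure-access gateway makes from exactly these signals: it fails closed when the host firewall is off or the anti-malware agent is silent or stale, and it sends a host that has already talked to a known malicious domain straight to quarantine rather than to remediation, because that is an active infection, not a hygiene lapse. The signature-age threshold, VLAN names, hostnames and the blocklisted domain are constructed assumptions.

```python
"""Posture-based admission control as a NAC or secure-access gateway
would apply it. Added example; thresholds, VLAN names, hostnames and
the blocklisted domain are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

MAX_SIGNATURE_AGE_DAYS = 3                        # assumed policy threshold
KNOWN_BAD_DOMAINS = {"update-svc.example.net"}    # constructed blocklist entry


@dataclass
class PostureReport:
    host: str
    firewall_enabled: bool
    av_running: bool
    av_signature_date: Optional[date]            # None if the agent reports nothing
    recent_domains: List[str] = field(default_factory=list)   # from proxy / DNS logs


@dataclass
class Decision:
    host: str
    vlan: str                                    # "corp", "remediation" or "quarantine"
    reasons: List[str] = field(default_factory=list)


def evaluate(report: PostureReport, today: date) -> Decision:
    """Fail closed: anything that cannot be verified counts against the host."""
    # Network signal first: a host already beaconing to a known malicious site
    # is an active infection to contain, not a hygiene problem to remediate.
    c2 = sorted(set(report.recent_domains) & KNOWN_BAD_DOMAINS)
    if c2:
        return Decision(report.host, "quarantine",
                        [f"contacted known malicious site {d}" for d in c2])

    reasons = []
    if not report.firewall_enabled:
        reasons.append("host firewall disabled")
    if not report.av_running or report.av_signature_date is None:
        reasons.append("anti-malware agent not running or not reporting")
    else:
        age = (today - report.av_signature_date).days
        if age > MAX_SIGNATURE_AGE_DAYS:
            reasons.append(f"anti-malware signatures {age} days old")
    return Decision(report.host, "remediation" if reasons else "corp", reasons)


def admit(reports: List[PostureReport], today: date) -> dict:
    """Map each host to the VLAN it is placed on."""
    return {d.host: d.vlan for d in (evaluate(r, today) for r in reports)}


# Constructed sample posture reports for one morning's connection attempts.
TODAY = date(2018, 6, 1)
SAMPLE_REPORTS = [
    PostureReport("lt-alice", True, True, date(2018, 5, 31)),              # compliant
    PostureReport("lt-bob", False, True, date(2018, 5, 31)),               # firewall off
    PostureReport("lt-carol", True, True, date(2018, 5, 20)),              # stale signatures
    PostureReport("lt-dave", True, False, None),                           # agent not running
    PostureReport("lt-erin", True, True, date(2018, 5, 31),
                  ["update-svc.example.net"]),                             # beaconing to C2
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        d = evaluate(r, TODAY)
        print(f"{d.host:9} -> {d.vlan:12} {'; '.join(d.reasons)}")
```

The ordering matters: the C2 check runs before the hygiene checks, so a compromised laptop with a perfectly patched agent still lands in quarantine, and a missing or silent agent is treated the same as a failed check rather than as "no data".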

When ransomware hits your network, it will try to identify as many systems as it can, exploit their vulnerabilities, gain control of them, and encrypt and exfiltrate as much data as possible. A layered approach lets you isolate infected systems more efficiently, ideally tracing the outbreak back to its patient zero, quarantining the compromised endpoints and stopping the malware before it can materially spread or do damage.
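The triage described above, as an added example that is not from the article: over a constructed set of flow records it finds the first internal host that contacted a known command-and-control address (the likely patient zero) and then flags any host that sweeps many SMB peers within a short window, which is how a SamSam-style operator or a worm hunts for its next victims. The log format, addresses (RFC 5737 test ranges), thresholds and the C2 list are assumptions.

```python
"""Patient-zero and lateral-movement triage over connection logs.
Added example; the flow format, addresses, thresholds and the C2 list
are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<timestamp> <src> <dst> <dst_port>", '#' comments ignored.
FLOW_LOG = """
2018-06-01T09:00:02 10.1.4.50 10.1.4.99 445       # workstation -> file server: normal
2018-06-01T09:00:03 10.1.4.23 198.51.100.7 443    # beacon to a known C2 address
2018-06-01T09:00:05 10.1.4.23 10.1.4.40 445       # same host starts sweeping SMB peers
2018-06-01T09:00:06 10.1.4.23 10.1.4.41 445
2018-06-01T09:00:07 10.1.4.23 10.1.4.42 445
2018-06-01T09:00:08 10.1.4.23 10.1.4.43 445
2018-06-01T09:00:09 10.1.4.23 10.1.4.44 445
2018-06-01T09:00:10 10.1.4.23 10.1.4.45 445
2018-06-01T09:00:30 10.1.4.51 10.1.4.99 445       # another workstation -> file server
2018-06-01T09:00:31 10.1.4.51 203.0.113.10 443    # ordinary web traffic
2018-06-01T09:01:10 10.1.4.40 198.51.100.7 443    # a swept host now beacons too
2018-06-01T09:01:12 10.1.4.40 10.1.4.60 445
2018-06-01T09:01:13 10.1.4.40 10.1.4.61 445
2018-06-01T09:01:14 10.1.4.40 10.1.4.62 445
2018-06-01T09:01:15 10.1.4.40 10.1.4.63 445
2018-06-01T09:01:16 10.1.4.40 10.1.4.64 445
"""
KNOWN_C2 = {"198.51.100.7"}   # constructed blocklist entry
SMB_PORT = 445
FANOUT_THRESHOLD = 5          # distinct SMB peers from one source ...
WINDOW_SECONDS = 60           # ... within this many seconds


def parse_flows(text):
    """Parse the flow text into sorted (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4:
            continue
        ts, src, dst, port = fields
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(flows)


def patient_zero(flows):
    """Earliest internal source seen talking to a known C2 address, or None."""
    for _, src, dst, _ in flows:
        if dst in KNOWN_C2:
            return src
    return None


def smb_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: first_ts} for sources reaching >= threshold distinct SMB
    peers inside any window-second span. Many clients talking to one file
    server is normal and is not flagged; one source sweeping many peers is."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = set()
            for ts, dst in events[i:]:
                if (ts - start).total_seconds() > window:
                    break
                peers.add(dst)
            if len(peers) >= threshold:
                flagged[src] = start
                break
    return flagged


def quarantine_list(flows):
    """Hosts to isolate, ordered by when each first looked suspicious, with reasons."""
    suspicious = {}   # host -> (first_ts, [reasons])

    def note(host, ts, reason):
        first, reasons = suspicious.get(host, (ts, []))
        suspicious[host] = (min(first, ts), reasons + [reason])

    for ts, src, dst, _ in flows:
        if dst in KNOWN_C2:
            note(src, ts, f"contacted known C2 {dst}")
    for src, ts in smb_fanout(flows).items():
        note(src, ts, f"reached >= {FANOUT_THRESHOLD} SMB peers within {WINDOW_SECONDS}s")
    ordered = sorted(suspicious.items(), key=lambda kv: kv[1][0])
    return [(host, reasons) for host, (_, reasons) in ordered]


FLOWS = parse_flows(FLOW_LOG)

if __name__ == "__main__":
    print("patient zero:", patient_zero(FLOWS))
    for host, reasons in quarantine_list(FLOWS):
        print(f"isolate {host}: " + "; ".join(reasons))
```

The two signals are complementary: the C2 match is high confidence but depends on the blocklist being current, while the fan-out heuristic catches a sample whose infrastructure is not yet known, at the cost of needing a threshold tuned so that legitimate scanners and management hosts are excluded.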

Better yet, it makes an attacker's job that much harder. While ransomware authors are always finding ways around individual security products, hardening different areas of your environment presents a ransomware group with more obstacles than its tooling can handle.

However, security must still support the smooth operation of a network and its constituents, so any layered security solution will have to allow seamless accessibility, protection and resource availability for users.

Layered defences, including the application of secure access solutions, can help fortify your network against ransomware threats, automatically containing its propagation and killing malicious activity quickly, before it can infect the whole network and wreak damage.

Intelligent CISO