Hackers have found a new drug: ransomware. Ransomware encrypts data and then holds your files hostage until a ransom is paid. Like all addictive drugs, ransomware provides hackers with instant gratification, and it is also bringing them hefty profits.
One of the great advantages of cloud computing is the ability to aggregate and anonymously share information among users for the benefit of all. At SlashNext we use cloud computing to track cyber threats as they emerge and share that threat intelligence with the entire cloud in real time. If we detect that one customer gets attacked with a particular malware, we will automatically inoculate all other cloud connected participants against that infection before the malware progresses to their business. This greatly limits the spread of known malware and zero day infections.
Observing from cloud level gives us a global perspective on the spread of specific malware. In the last two weeks for example, we have seen a four-fold increase in ransomware – a particular type of malware that encrypts a user’s data until a ransom is paid. If the infected machine is connected to a corporate network and accesses a shared company file server, those files may also be encrypted.
When the encryption process completes, the ransomware posts a banner on the infected machine’s screen letting the user know what has happened and offering to sell a program to decrypt the data. Hackers “generously” offer a discount for immediate purchase and state that the price of the decryption program will increase within a short time; and that after a given period, the decryption program will no longer be available and the data will be “lost forever”.
The damage from a ransomware infection can be irreparable and catastrophic. For many companies, it is often more cost effective to pay the ransom than to attempt to reconstruct the encrypted data from scratch. This makes ransomware very lucrative for hackers and therefore very dangerous. Hackers are incentivized to launch worldwide ransomware campaigns against enterprises of any size.
Many of the “hacks” reported in the press involve attacks that may take many months to complete. For example, it is estimated that hackers spent over 20 months inside Excellus’ network before finally extracting patient data.
By contrast, ransomware provides hackers with instant gratification. Because victims can be infected within hours of releasing ransomware into the wild, hackers start seeing ransom payments within days – no need to wait 20 months for a payoff – and the profits can be significant. The Cyber Threat Alliance estimates that just one ransomware variant has netted its creators over US$325 million.
We believe that the current spread of ransomware and quick increase in the number of infections is driven by its lucrative nature and the “high” that hackers get by watching their bitcoin accounts grow hour by hour.
The Wolf Pack
Malware operates like a wolf pack; it seldom arrives alone. Typically, once a piece of malware is installed, its first job is to reach back out to the internet to download additional malware. For example, we have seen that Locky (the ransomware that infected Hollywood Presbyterian Hospital) is dropped by another, seemingly unrelated malware called Symmi. To avoid a ransomware infection, it’s important to remediate *any* malware found within your network.
Protecting Your Business
Businesses should deploy active cyber defense systems, but should also take some practical precautionary steps to minimize the likelihood of being infected by ransomware (or any type of malware):
- Daily Backups – A current backup is the best defense against a ransomware attack. If you have a backup of your data, no one can hold you hostage. An infected machine can simply be re-imaged and data re-loaded from the backup with no loss of business continuity. Ransomware is successful because few organizations keep current backups.
- Education – Your entire employee population needs to understand how phishing campaigns work and which email attachments are likely to be malicious. In particular, they should be trained to maintain awareness of:
- Who is sending the email – especially those with attachments.
- URLs that have been subtly modified to redirect them to a hacker’s site (www.wellsfargo.com is not the same as www.wellsfrago.com)
- Common social engineering tricks which can be used to dupe people into clicking on something they shouldn’t.
- Regular employee training sessions are a vital part of your security portfolio.
- Current software – Make sure that operating system patches and application patches are up to date.
- Show extensions – By default, Windows hides file extensions. Change that setting to show file extensions and educate your work force on which file extensions are used by hackers. Everyone should understand that .COM, .EXE, .SCR, .VBS and .ZIP files are high risk.
- Disable Macros – Turn off macros in Word, Excel, PowerPoint, etc. Instruct users how to explicitly allow a macro to run, but only when necessary.
- Disable browser plug-ins – Disable ActiveX, Java, Flash, Silverlight, Acrobat, and other browser plug-ins. Instruct users how to explicitly allow a plug-in to run but only when necessary and only when they trust a web site.
- Limit access to shared file servers – Not all users need access to every file server in the company.
- Password Authentication – Force password authentication to access servers *each* time a user accesses the server.
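Two of the checks the education bullets ask employees to make by eye, a subtly altered sender domain and a high-risk attachment extension, can also be done mechanically at the mail gateway. The following is an added example written for this post, not SlashNext code; the trusted-domain list, the sample message and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Extensions the post calls high risk
HIGH_RISK_EXT = {"com", "exe", "scr", "vbs", "zip"}
# Constructed sample list of domains employees legitimately receive mail from
TRUSTED_DOMAINS = {"wellsfargo.com", "slashnext.com"}

def damerau_levenshtein(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap,
    so 'wellsfrago' is one edit from 'wellsfargo'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_domain(domain, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if damerau_levenshtein(domain, trusted) <= max_distance:
            return trusted
    return None

def risky_attachment(filename):
    """True if the *final* extension is high risk; with extensions hidden,
    'statement.pdf.scr' displays as 'statement.pdf', so only the last part counts."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in HIGH_RISK_EXT

def triage(sender, attachments):
    """Return the warnings a user (or gateway) should see for one message."""
    warnings = []
    _, addr = parseaddr(sender)
    domain = addr.rpartition("@")[2]
    imitated = lookalike_domain(domain)
    if imitated:
        warnings.append(f"sender domain {domain} looks like {imitated}")
    warnings += [f"high-risk attachment {n}" for n in attachments if risky_attachment(n)]
    return warnings

# Constructed sample message, not a real capture
SAMPLE = {"sender": "Wells Fargo <alerts@wellsfrago.com>", "attachments": ["statement.pdf.scr"]}
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE["sender"], SAMPLE["attachments"])))
```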
While Windows machines are most commonly attacked, Linux, OSX and Android devices are also targeted. Don’t forget to secure those devices as part of your comprehensive plan.
These precautions will dramatically reduce a network’s attack surface by closing many popular attack vectors and should be common practice in your company.