Ransomware: this is what you need to know and what you can do!
Ransomware has become a major threat and a high risk to many individuals and organisations worldwide. It is a highly destructive form of malware that impacts systems and makes critical files and sensitive information inaccessible until a ransom is paid. The ransom is typically demanded in bitcoin and, if it is not paid within 72 hours, the key to unlocking the data is deleted, making recovery almost impossible. Previous variants have also started deleting data within those 72 hours, making the urgency to unlock the systems even more time sensitive. The impact on organisations includes temporary loss of systems and access to sensitive information, downtime of operations, financial impact or loss, and reputational damage.
The most recent variants, #Ransomware #WannaCry #WannaCrypt and #WannaCrypt0r 2.0, are believed to have been exploiting the vulnerability targeted by EternalBlue, an exploit developed by the NSA, meaning unpatched Windows systems are exposed to this latest variant. This variant of Ransomware is known to have infected more than 230,000 systems in more than 150 countries, making it one of the most destructive ransomware outbreaks to date. Following the recent revelations of the stolen NSA exploits, Microsoft released patches as recently as March 14th to mitigate these risks, and companies have been rushing to patch their systems, unfortunately not fast enough to prevent this attack. Some of the first techniques behind these sophisticated cyber-attacks surfaced a few years ago when Kaspersky Lab discovered fileless malware that was targeting financial, government and telecommunications organisations. This fileless malware had been used to record administrator credentials and passwords that allowed the attackers to gain access to almost anywhere within the network and infrastructure, and it was ultimately used to withdraw money from ATMs.
It is important to note that more than 3 billion user credentials and passwords were stolen in 2016: 8.2 million passwords every day, or approximately 95 passwords every second. And per the Verizon Data Breach Investigations Report, threat actors used stolen passwords 95% of the time in the most common types of attacks.
The destructive nature of Ransomware and the impact it has had on individuals and organisations globally has led the Department of Homeland Security, US-CERT and the FBI to release alerts to help organisations take this threat more seriously before it is too late.
Ransomware has become so effective and efficient that many organisations have ended up paying the ransom, sometimes costing thousands of dollars. Some found it more cost effective to pay the ransom (with no guarantee of recovery, however) than to restore from a backup.
Organisations should consider multiple security controls to reduce the risk of Ransomware. These controls are also considered best practices for cyber security and will reduce the risk of other malware threats as well.
What steps can be taken? What can you do?
- Educate employees on their responsibilities and the IT policy. Statistics indicate that 1 in 5 employees will open and click on emails containing malware. Educating employees on how to identify targeted phishing emails containing malware is a major risk mitigation for all organisations, with some achieving more than a 50% reduction in cyber risk as a result of good training and security awareness programs, and it can be a very cost effective solution. This not only protects employees on corporate systems but also allows them to use the same knowledge to protect their own personal systems, information and families from the same threats.
- UNDERSTANDING HOW HACKERS OPERATE WILL GIVE YOU A CYBER ADVANTAGE. In advanced threats, the attacker will spend a large amount of time researching a list of potential targets and gathering information about the organisation's structure, clients, etc. The social media activity of people in the target company will be monitored to extract information about the systems and forums favoured by each user, and any technology vulnerabilities will be assessed. Once a weakness is found, the attacker's next step is to breach the cyber security perimeter (the basic security most companies adopt) or send emails containing malicious software like Ransomware, and so gain access, which, for most attackers, is easily done. Organisations should use similar analysis techniques to identify what threats like Ransomware are likely to target, and use that knowledge to deploy security controls to mitigate the risks.
- Back up critical and sensitive data online and offline. If Ransomware has impacted the organisation, it is vital that a recovery plan is in place so that critical and sensitive data can be easily restored to get the organisation operational again. Offline backups are important in case the Ransomware is able to spread across the network and make the online backup systems unavailable as well. A good backup plan can reduce the impact that Ransomware has on an organisation; while it provides the ability to restore, it is not a preventive security control but a business continuity measure, and it can also be used for other types of disaster recovery.
- Least privilege and application whitelisting. Removing administrator or super-user privileges from users reduces the chance that an employee unknowingly opening or clicking on Ransomware, or visiting an infected supplier or public website that is distributing the malicious software, gives the malware the privileges it needs to make the system unavailable, stopping the malware in its tracks. This, however, sometimes leaves employees unable to perform certain functions needed for their day to day tasks, and this is where application whitelisting together with least privilege enables and empowers the employee to keep working with little to no disruption while staying safe from malicious software. Application whitelisting, reputation and intelligence allow an organisation to analyse software or an executable before granting the application the privileges it needs to perform the required tasks: it checks whether the software comes from a trusted source or software library, what its reputation is, and whether the current system security controls increase the risk, and it can inform a security analyst of the request so they can intervene if required. Using least privilege and application control together is one of the most effective ways an organisation can reduce the risk from Ransomware and other variants of malicious software.
- Password and privileged account management should be a major concern for every organisation. Implementing effective security controls can be the difference between properly defending yourself against a simple perimeter breach and experiencing a cyber catastrophe. Companies should provide suitable training for employees on best practices for password choices. Often, when a very complex password is required, many employees revert to writing passwords down because they are difficult to remember. Or they might use the same password for corporate and personal social accounts. This creates a possible external threat, which companies should continuously assess. If your company gives employees local administrator accounts or privileged access, then this type of ineffective password management seriously weakens the organisation's cyber security. It could mean the difference between a single system and user account being compromised and the compromise of the entire organisation's computer systems. Advanced Persistent Threats that use privileged accounts often result in major data loss, malicious activity and financial fraud or, in the worst case, Ransomware. Organisations should quickly ensure that they continuously audit and discover privileged accounts and applications that require privileged access, remove administrator rights where they are not required, and adopt two-factor authentication to reduce the risk of user accounts being easily compromised.
- Keep systems patched and up to date. This is another security control that, as recent events have shown, many organisations apply less effectively than they should or could, even though they continue to patch systems. Most breaches and Ransomware impacts have used known vulnerabilities and exploits to take advantage of weaknesses in systems in order to infect them with malicious software. Keeping system security updates current will significantly reduce the risk of malicious software exploiting those vulnerabilities.
- Anti-Virus should be kept up to date and should scan all attachments and downloads before they are executed. While Anti-Virus is no longer the only security control required, it is still a basic, essential risk mitigation that should be deployed. It is not as effective as it once was, but it can still help detect much of the known malicious software that can impact an organisation.
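To make the least privilege and application whitelisting decision flow above concrete, here is an added example in Python (not code from the original article or from Thycotic): a simplified application-control check that combines an allowlist of approved executable hashes with a least-privilege rule, so unknown software never receives administrator rights automatically and is instead queued for a security analyst. The allowlist, file paths, reputation scores and executable bytes are constructed for illustration and a real deployment would feed them from its software library and reputation service.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW_ELEVATED = "run with the elevated rights it asked for"
    ALLOW_STANDARD = "run with standard user rights only"
    BLOCK_AND_ALERT = "block and queue for security analyst review"

@dataclass
class LaunchRequest:
    path: str          # where the executable sits on disk
    content: bytes     # bytes of the executable, hashed below
    wants_admin: bool  # does it ask for administrator privileges?
    reputation: int    # 0-100 score from a hypothetical reputation feed

TRUSTED_DIRS = ("C:\\Program Files\\", "C:\\Windows\\")  # constructed trusted install locations

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evaluate(req: LaunchRequest, allowlist: dict, analyst_queue: list) -> Verdict:
    """Application control plus least privilege: only executables in the approved
    software library (allowlist) get admin rights without a human in the loop;
    everything else is either run unprivileged or blocked and queued for review."""
    digest = sha256_hex(req.content)
    if digest in allowlist:
        # Known-good entry: grant exactly the privilege level it asked for.
        return Verdict.ALLOW_ELEVATED if req.wants_admin else Verdict.ALLOW_STANDARD
    if not req.wants_admin and req.path.startswith(TRUSTED_DIRS) and req.reputation >= 70:
        # Unknown but reputable, in a trusted location, and not asking to elevate.
        return Verdict.ALLOW_STANDARD
    # Unknown executable asking for admin, or low reputation / untrusted path
    # (typical of a malicious e-mail attachment): block and let an analyst decide.
    analyst_queue.append({"path": req.path, "sha256": digest,
                          "wants_admin": req.wants_admin, "reputation": req.reputation})
    return Verdict.BLOCK_AND_ALERT

# Constructed sample data; the hash is of made-up bytes, not of real software.
APPROVED_INSTALLER = b"constructed bytes of an approved installer"
ALLOWLIST = {sha256_hex(APPROVED_INSTALLER): "Example Software Ltd"}

def demo():
    queue = []
    requests = [
        LaunchRequest("C:\\Program Files\\Example\\setup.exe", APPROVED_INSTALLER, True, 90),
        LaunchRequest("C:\\Users\\alice\\Downloads\\invoice.pdf.exe", b"constructed unknown payload", True, 5),
        LaunchRequest("C:\\Program Files\\Vendor\\tool.exe", b"constructed unknown but reputable tool", False, 85),
    ]
    return [evaluate(r, ALLOWLIST, queue) for r in requests], queue
```

Running `demo()` returns the three verdicts (elevated, blocked, standard) together with the single queued request an analyst would see for the unknown attachment that asked for admin rights.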
Originally written by Joe Carson CISSP, EMEA, Product Marketing and Global Strategic Alliances, Thycotic.
Joseph Carson is a cyber security professional and ethical hacker with more than 25 years' experience in enterprise security, specialising in blockchain, endpoint security, network security, application security and virtualisation, access controls and privileged account management. Joseph is a Certified Information Systems Security Professional (CISSP) and an active member of the cyber security community, frequently speaking at cyber security conferences globally and often being quoted in and contributing to global cyber security publications. He is a cyber security advisor to several governments and to the critical infrastructure, financial, transportation and maritime industries. Joseph regularly shares his knowledge and experience by giving workshops on vulnerability assessments, patch management best practices, the evolving cyber security perimeter and the EU General Data Protection Regulation. Joseph serves as Chief Security Scientist at Thycotic and on the Advisory Board of CyberRescue.