Organizations, small and large, are struggling to address the influx of ransomware attacks, and threat actors continue their campaigns, attacking the most vulnerable industries and organizations.
In the last decade, ransomware attacks against end-users and endpoints have increased significantly, and defending against them continues to plague security professionals. Threat actors have set about perfecting their tools, not only to achieve maximum effect but also to leverage cutting-edge technology that forces their victims to pay on almost every occasion.
Among the cutting-edge technologies in play, AI is at the forefront of improving the effectiveness of malware defenses. In the same breath, however, the evidence shows that threat actors have begun to use AI to weaponize ransomware and to plot efficient, well-thought-out attacks.
With that said, Microsoft is currently using monotonic models, a class of hardened machine-learning malware detection model added to its antivirus product, Microsoft Defender ATP. The approach was developed by researchers from UC Berkeley to make detection models robust against adversaries.
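What "monotonic" buys a defender, as an added illustration (this is not Microsoft's or UC Berkeley's code, and every feature name and training sample in it is constructed): a monotonic classifier's maliciousness score can never go down when features are added to a file, so the classic evasion of padding a malicious sample with benign-looking attributes (a valid code signature, a help menu) does not work. The block trains two tiny logistic-regression detectors on the same constructed data, one unconstrained and one with its weights projected onto the non-negative range after every gradient step, and compares how each scores a malicious sample before and after padding.

```python
"""
Added example (not Microsoft's or UC Berkeley's code): a toy monotonic
malware classifier beside an unconstrained one, showing why an attacker
cannot lower a monotonic model's score by adding benign-looking features.

All feature names and samples below are constructed for illustration.
"""
import math

# Constructed feature layout: hypothetical static features of a sample.
FEATURES = [
    "calls_file_encryption_api",    # 0
    "deletes_volume_shadow_copies", # 1
    "has_valid_code_signature",     # 2
    "has_gui_help_menu",            # 3
]

# Constructed training set: (feature vector, label), 1 = malicious, 0 = benign.
TRAINING_SET = [
    ([1, 1, 0, 0], 1),
    ([1, 0, 0, 0], 1),
    ([0, 1, 0, 0], 1),
    ([0, 0, 1, 1], 0),
    ([0, 0, 1, 0], 0),
    ([0, 0, 0, 1], 0),
    ([1, 0, 1, 1], 0),  # e.g. a signed backup tool that also encrypts files
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(samples, monotonic, lr=0.5, epochs=500):
    """Batch gradient descent for logistic regression.

    With monotonic=True the weights are projected onto w >= 0 after every
    step, so the predicted maliciousness can only rise when a feature is
    added. The bias stays unconstrained in both variants.
    """
    n_feat = len(samples[0][0])
    w = [0.0] * n_feat
    b = 0.0
    m = len(samples)
    for _ in range(epochs):
        grad_w = [0.0] * n_feat
        grad_b = 0.0
        for x, y in samples:
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            for j in range(n_feat):
                grad_w[j] += err * x[j]
            grad_b += err
        w = [wj - lr * gj / m for wj, gj in zip(w, grad_w)]
        b -= lr * grad_b / m
        if monotonic:
            w = [max(0.0, wj) for wj in w]  # projection onto the feasible set
    return w, b


def score(model, x):
    """Probability that sample x is malicious under the trained model."""
    w, b = model
    return sigmoid(b + sum(wi * xi for wi, xi in zip(w, x)))


def evasion_attempt():
    """Score a malicious sample before and after the attacker pads it with
    benign-only features, for both model types."""
    plain = [1, 1, 0, 0]
    padded = [1, 1, 1, 1]  # same malicious behaviour plus a signature and a help menu
    unconstrained = train_logistic(TRAINING_SET, monotonic=False)
    monotonic = train_logistic(TRAINING_SET, monotonic=True)
    return {
        "unconstrained": (score(unconstrained, plain), score(unconstrained, padded)),
        "monotonic": (score(monotonic, plain), score(monotonic, padded)),
        "weights": {"unconstrained": unconstrained[0], "monotonic": monotonic[0]},
    }


if __name__ == "__main__":
    result = evasion_attempt()
    for name in ("unconstrained", "monotonic"):
        before, after = result[name]
        print(f"{name:13s} plain={before:.3f} padded={after:.3f}")
    print("weights:", result["weights"])
```

The unconstrained model learns negative weights for the signature and help-menu features because they appear only in benign training samples, so padding a malicious file with them lowers its score; the monotonic model's projection pins those weights at zero, and the padded sample scores exactly as high as the unpadded one. The price is that the monotonic model cannot use benign-only features to clear false positives such as the signed backup tool, which is the trade-off a defender accepts for the robustness guarantee.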
What is Ransomware?
Ransomware is a type of “malware that requires the victim to pay a ransom to access encrypted files”, according to Merriam-Webster. It prevents, or in some cases limits, users from accessing their systems or files, locking system screens or users’ files and demanding that they pay a ransom online in a currency of the attacker’s choosing. Upon payment, the attacker is supposed to provide the victim with a decryption key to regain access to the system or files.
A brief history
Ransomware should not be new to us. Between 2005 and 2006, we saw the first case of ransomware infection in Russia. Trend Micro published a report documenting a variant known as TROJ_CRYZIP.A. Not only did it zip certain file types and leave the password-protected zip file on the user’s system, it also created a ransom note in the form of a text file, demanding the user pay $300 in exchange for retrieving the files.
In 2011, Trend Micro published another report involving the SMS ransomware threat known as TROJ_RANSOM.QOWA. This variant asked its victims to dial a premium SMS number and continued to display the ransom page until the user dialed the premium number and paid the ransom.
In 2012, ransomware began to spread outside of Russia and made it to Europe; from there we saw the dawn of the Reveton ransomware, which impersonated law enforcement agencies. Known to many as Police Ransomware or Police Trojans, it posed as the police and informed victims that they had been caught doing an illegal activity online.
However, in 2013, we saw more advanced and sophisticated ransomware; crypto-ransomware and CryptoLocker demonstrated behaviors that security experts had never seen before. The malware encrypted files and locked systems, forcing users to pay the ransom even after the malware itself had been removed.
In fact, some of the most egregious attacks were shaped by crypto-ransomware and CryptoLocker. Fast-forward to 2017, and we saw the WannaCry/Wcry ransomware attack, which was downloaded from Dropbox URLs; this malware went on to exploit an SMB vulnerability that had only recently been patched, making it the largest ransomware attack to date.
In addition, a bit closer to home, in 2019, the RobbinHood ransomware variant struck the Baltimore city government system. This attack disrupted water bills, property purchases, and other city charges. The threat actors were demanding 13 bitcoins (roughly $96,151.00 USD at the time).
In a recent survey, 67% of infections came through spam/phishing emails, 36% were attributed to a lack of cybersecurity training, and 30% of the infections were due to weak passwords and access management policies. Moreover, these numbers are predicted to rise significantly if organizations don’t take the appropriate steps to combat the inherent vulnerabilities and, most importantly, take further steps to address poor user practices, clickbait, and malicious websites and web ads.
In most cases, and because of the anonymity of cryptocurrencies, attackers demand payment in bitcoin. However, as we’ve seen over the last few months, alternatives such as iTunes and Amazon gift cards have appeared as viable payment options. With that in mind, there is no guarantee that paying the ransom will ensure the victim gets the key to the kingdom.
Which industries are most vulnerable?
All industries are vulnerable to ransomware attacks, but some have been more susceptible than others. They all share the same weaknesses that lead to ransomware attacks: end-users, endpoints, spam/phishing emails, lack of cybersecurity training, weak passwords and access management policies, and poor user practices.
Listed below are some of the most vulnerable industries that have been susceptible to ransomware attacks:
- Businesses – Small, Medium, and Large (Catch-All)
- Government and Law
- Banking/Credit, and Financial
- Energy & Utilities
Steps to protect your organization
To protect organizations from ransomware attacks, organizations must embark on long-term protective measures that would safeguard data, end-users, and endpoints. As such, the following measures should be taken:
- Conduct quarterly Security Awareness Training: Educate users on how to avoid phishing and social engineering attacks, report security threats, spot potential malware, follow industry best practices and internal IT policies, and adhere to compliance regulations (PCI DSS, HIPAA, GDPR) and applicable data privacy law.
- Carry out vulnerability scanning: To identify potential risk exposure in applications, software, and your organization while prioritizing key issues.
- Implement a vigorous backup and disaster recovery plan: The plan should also be tested on a regular basis as deemed necessary based on your organization’s financial health.
- Disable unused and nonessential services: This will help prevent the malware from spreading to the corporate network.
- Install the latest updates: It’s imperative that security vulnerabilities identified by vendors or other security professionals are remedied quickly to address high-profile threats that were released out of sync from the anticipated patch schedule.
- Restrict user and local accounts: This is a very crucial step; implement privileged access management solutions and restrict admin access where appropriate.
Key recommendations for CIOs and security professionals
Ransomware attacks have changed the security landscape for all organizations; threat actors are at the precipice of cutting-edge and bleeding-edge technology, crafting their next move and looking for their next victim. As such, it’s important that organizations, small and large, thwart ransomware attacks as quickly as possible and implement stringent, planned steps to stop the next attack on the most vulnerable.
As such, I recommend that CIOs and security professionals take the following defense-in-depth approach to help safeguard their organizations from further attacks. Remember, it’s not if your organization will be attacked, but when.
- Design and employ a robust end-user education solution; it is critical to every aspect of a defensive approach to securing your organization.
- Protect Endpoints with reputable antivirus and continuous patch management, immediately remediating critical and high vulnerabilities. Patch, block and defend against suspicious emails, links, and attachments.
- Implement a comprehensive and robust Backup and Disaster Recovery solution. This will aid in recovering your files when your systems are compromised.
- Implement a comprehensive access management solution that involves the separation of duties, and strong password policies.
- If you get infected, disconnect infected systems from the network but DO NOT shut them down, because your forensic teams will lose critical volatile forensic data.
Now you are in the know!
Do you have recommendations you would like to add to this list? Comment below.