Tim Simons, UK Security Product Manager

What is ransomware?

Ransomware is a piece of malicious software designed to encrypt data on a target system, rendering it inaccessible without a secret key that was used to encrypt it. Encryption is a mathematical process designed to hide information from being seen by anybody other than the holder of the key used to encrypt it.

This provides whoever has that key the facility to extort the original data owner (individual or business) into paying a recovery fee, or the data will be lost permanently – hence, the name ‘ransom’.

Why does the problem exist?

Simply put, it is a very lucrative business.

Whilst sophisticated criminal enterprises exist entirely modelled on the end to end delivery of ransomware and execution of extortion (including customer support lines to help you understand how to make payments using crypto currency and apply the keys to get your data back), it is also relatively easy to execute for amateur and opportunist hackers.

Should you be concerned for your organisation?

Frankly, yes. Given the overwhelming majority of cybercrime is now financially orientated, it can certainly be assumed that you have data you wish to keep and continue to operate the business. Therefore, if faced with no other option, you are likely to pay the ransom.

Even if this is financially viable, which is likely as the ransom is often ‘tailored’ to an organisation’s means and cost of disruption, the process of paying it in itself presents a risk. The hackers may not actually unlock the data after payment, and it puts businesses in a position of having to deal with shadowy criminals.

Last year, the US even took steps to add sanctions to a group of individuals known to be members of a hacking group called ‘Evil Corp’. Effectively, this made any transaction with them and paying the ransom an illegal act in itself.

How do you get infected?

The typical approach is to send phishing emails, encouraging people to click on links or open documents containing malicious code that will execute and infect the computer. The software may then use other software vulnerabilities to propagate elsewhere on encrypt, and destroy files and other systems that the originally infected computer can see. These often include collaboration areas where users store files.

A more sophisticated attack may target an organisation with a more in-depth social engineering campaign, targeting individuals to get a foot hold into the systems first. Once access is gained, they may spend time performing reconnaissance to understand a bit about the target systems and organisations, which data is sensitive, where the backups are stored and, perhaps importantly, how much can they charge for the ransom.

In other cases they may simply come straight through the front door using unpatched vulnerable system.

Needless to say, there are many approaches that can be taken.

How can you stop it?

It is not possible to guarantee prevention entirely. However, there are steps organisations can take to limit the risk, as well as ensuring they have a way to recover.

• Email is the most common vector exploited by ransomware gangs. A combination of staff security awareness training and good email protection is the best place to start. Secure email gateways in combination with anti-phishing tooling to quarantine malicious attachments, and alert the end user to social engineering attempts or fake login pages masquerading as enterprise services.

Look for malicious activity on networks, end points and authentication systems using a SIEM platform. Hackers will often use compromised credentials to gain access and snoop around an organisation’s network before the strike. Unusual network traffic internally or leaving the organisation, or suspicious user activity can be a sign of a comprised system.

Apply governance and a least privilege approach. Control your permissions and access to systems and data physical and logical. Use strong passwords and authentication mechanisms, like Multi-Factor Authentication (MFA), and maintain an account management platform to protect privileged account information.

Run good end point protection platforms and anti-virus/anti-malware tools on all end points, and apply application whitelisting on managed devices. Where possible, limit local permissions and capabilities to users so they cannot install software and block removable storage devices.

Segregate networks and filter traffic through firewalls internally and externally. Only allow ports and services that are required between platforms to function. Use network traffic inspection to look for anomalies and threats.

Keep security up to date. Security vulnerabilities on your network are visible to the outside world, and can be exploited easily if they are left open. Run regular vulnerability assessment scanning and patch, or remediate quickly focusing on critical vulnerabilities first.

Proxy your web traffic. Internet proxies provide a centralised way of providing safer access to the web, detecting and blocking malicious websites. Consider a cloud based service to provide this for users in any location.

Finally, plan for the worst, backup your data and have it somewhere else! This may sound obvious but there are some important points to consider. Ransomware gangs know that removing your ability to recover from backups leaves you in a much weaker position. After all, if you still have them you have a route to recovery so their leverage is less. There is no point having your backups in an offsite cloud platform if the hackers can gain access to those too once they have enough control of your on premise platform. Use a third-party provider who applies the governance on your behalf to the change, modification and retention of backup data through a separate set of authentication and authorisation mechanisms.

How Proact can help

Our team of experts can help you with all of the above to mitigate cyber threats. Proact’s Security Operations Centre works 24/7 to help keep our customers’ most important asset safe and secure. Speak to our team