In recent months, ransomware campaign activity has increased exponentially. Over 27,000 incidents surged on the scene in early 2017 when a commonly misconfigured setting on open source database called MongoDB made hundreds of thousands of databases vulnerable to ransom. Threat actors logged on to victims' databases, backed up data offsite, deleted it, and offered to return it for .2 Bitcoins, which translates to $200. 

More on Security
Live at Interop ITX

While this might seem like a minuscule amount, there is logic behind it. If too much is asked, the propensity to pay declines. Plus, the volume of the attack yields serious dividends. Regardless, for those afflicted, losing access to important information to operate a business is extremely disconcerting, creating desperation and making them prone to pay up.

The Mechanics
There are two primary vectors into a commercial IT environment. The first is to assume remote access to a user's computer and traverse the network until administrator credentials to databases and data stores are gained. This is accomplished by sending an employee a phishing email that entices them to open an attachment or visit a compromised website that loads malicious code on their computer terminal. Once the computer is compromised, threat actors scan the environment and try to find a computer terminal used to access network data. After a foothold on an administrator’s computer is established, they can remotely encrypt or wipe data and then issue ransom demands. 

The second method is more of a frontal assault on the database servers. Most companies have public-facing websites and, as a result, threat actors will find a server with a vulnerable application, then exploit it to get a foothold in the data center. If an IT staff has not properly separated public-facing websites from database servers and file shares -  a common mistake with small staffs -  a threat actor can use that access to pursue the database. While this vector requires more sophistication, ransomware actors are increasingly pivoting in this direction, implying that more skilled actors are getting into the game.

The Response
With all of these new techniques in play, what can security teams do to mitigate the threat? The good news is that your IT staff is probably already doing many of the things needed to protect your environment. Here are a few best practices to help lower the risk further:

User Vector:

Website Vector:

Advanced Planning & Outside Resources:

At the end of the day, the decision will come down to the impact of the attack on your company's business. While ransomware actors in many cases return the data as promised, they may leave backdoors to return for more money, time and time again, or may not return data at all.

These present very unattractive options, so it is best to avoid falling prey in the first place. To be successful, advance preparation and applying proven best practices will be the most effective way to avoid a ransomware scenario completely. Having an entire organization aligned on how to avoid being a victim, from the IT staff to executive management, is essential to maintain the sanctity of data.

Related Content: