Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/24/2017
10:30 AM
Dan Larson
Dan Larson
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Reasons Why You Should Take Ransomware Seriously

The threats keep getting more sophisticated and the stakes keep getting higher. Is your organization ready to meet the challenge?

According to a recent ransomware report from the Institute for Critical Infrastructure Technology (ICIT), 2016 saw a wave of ransomware attacks that were increasingly sophisticated and stealthy. The FBI forecast that the haul from ransomware would reach a billion dollars last year, and it seems as if no industry is safe from being targeted. As ICIT reports, even critical infrastructure entities such as healthcare organizations have become prime targets, with hospitals in the US and Germany paying ransoms rather than risk their patients’ lives.

Why is this alarming increase occurring? ICIT argues that it's due to the highly profitable nature of ransomware attacks coupled with inadequate enterprise defenses. Combined, these two factors are attracting a more advanced breed of cybercriminal  who is motivated by the potential of a bigger payout, faster and more anonymous — and thus less risky — than the advanced persistent threat exploits often used to steal credit card numbers and other sensitive data.

Compounding these challenges is the fact that law enforcement agencies have not provided a unified response to the ransomware threat, in some cases advising victim organizations to pay the ransom to retrieve their data. At the same time, criminal hackers have developed ways to circumvent standard security measures such as sandboxing and intrusion prevention systems. 

If that's not enough to convince you, here are four more reasons to take ransomware seriously: 

  1. Ransomware continues to evolve. Whether your organization is the victim of a ransomware exploit that encrypts files or a type that encrypts the master boot record and blocks access to an entire system, the standard solutions you have in place may not be enough to protect you. New variants of ransomware are continually being developed. They employ an array of techniques aimed at circumventing your security, including deleting Volume Shadow Copies, making it impossible to restore from backup files or avoiding detection by hiding in Microsoft macros or JavaScript files. The criminals who develop ransomware have become so sophisticated that many are offering ransomware as a service, widening the pool of potential victims.
  2. Standard security solutions may not protect you. Ransomware's ability to quickly change and mutate utilizing polymorphic or fileless malware has exponentially increased opportunities for ransomware to find its way into your organization. Conventional endpoint protection that relies on signature-based detection isn't up to the task of finding ransomware before it strikes. Adding solutions such as whitelisting, the ability to detect indicators of compromise, or machine learning can increase your protection, but in some cases will be unable to prevent an attack. And unlike malware infections that slowly exfiltrate your data so that postinfection detection may minimize loss, in the case of ransomware, prevention is often your only recourse. Once ransomware enters undetected, your data is immediately encrypted and inaccessible, or your systems are locked down.
  3. Compliance may be at stake. Most organizations retain sensitive data that is subject to regulatory legislation mandating its protection. When a breach happens and data is exposed, the victim organization must inform its customers and partners, and can incur substantial fines if regulations are affected. Ransomware attacks may not result in protected data being stolen, but organizations are still responsible for alerting all their constituents if an attack occurs. This can cause significant damage to an organization's brand. As Dark Reading reports, the Federal Trade Commission (FTC) has come down hard on companies that fail to protect their customers’ data. FTC Chairperson Edith Ramirez recently suggested that a company's failure to take action to prevent a ransomware attack could result in enforcement action — even if the company hasn't been the victim of an attack.
  4. Data recovery can be complex and costly. The cost and complexity of recovering files after a ransomware attack are why many companies, particularly smaller organizations, choose to pay the ransom. Even with a comprehensive backup system, in today's widely distributed organizations, files can be located across hundreds of devices. Though the attack may begin on one laptop, the ransomware could have access to other systems connected to the laptop, resulting in a costly drain on IT resources as they struggle to map and contain the damage. Even worse, if you’re the victim of a new ransomware variant that’s able to delete your backup files, recovery won’t be an option.

The Best Defense Against Ransomware
To combat the escalating level of ransomware sophistication, organizations need a multifaceted approach with complementary prevention and detection methods. One important method is to focus on indicators of attack (IoAs), a form of behavior-based detection that looks at the underlying actions taken by the threat rather than trying to pattern-match a new file to a signature. An IoA can prevent multiple variants and versions of ransomware families, including new ones not detectable by known signatures or features. Coupled with endpoint detection and response, machine learning, and proactive threat hunting by security experts, organizations can ensure that they have the prevention capabilities in place to alert teams of ransomware attempts before encryption can be initiated.

Related Content:

Dan Larson is Technical Director at CrowdStrike. He's a 10-year veteran of the information security industry with expertise in endpoint protection, encryption, embedded security, endpoint detection and response, as well as security management and advanced threat protection. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7981
PUBLISHED: 2020-01-25
sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
CVE-2019-0141
PUBLISHED: 2020-01-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-7596
PUBLISHED: 2020-01-25
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
CVE-2020-7980
PUBLISHED: 2020-01-25
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
CVE-2012-6613
PUBLISHED: 2020-01-25
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.