Endpoint

1/24/2017
10:30 AM
Dan Larson
Dan Larson
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Reasons Why You Should Take Ransomware Seriously

The threats keep getting more sophisticated and the stakes keep getting higher. Is your organization ready to meet the challenge?

According to a recent ransomware report from the Institute for Critical Infrastructure Technology (ICIT), 2016 saw a wave of ransomware attacks that were increasingly sophisticated and stealthy. The FBI forecast that the haul from ransomware would reach a billion dollars last year, and it seems as if no industry is safe from being targeted. As ICIT reports, even critical infrastructure entities such as healthcare organizations have become prime targets, with hospitals in the US and Germany paying ransoms rather than risk their patients’ lives.

Why is this alarming increase occurring? ICIT argues that it's due to the highly profitable nature of ransomware attacks coupled with inadequate enterprise defenses. Combined, these two factors are attracting a more advanced breed of cybercriminal  who is motivated by the potential of a bigger payout, faster and more anonymous — and thus less risky — than the advanced persistent threat exploits often used to steal credit card numbers and other sensitive data.

Compounding these challenges is the fact that law enforcement agencies have not provided a unified response to the ransomware threat, in some cases advising victim organizations to pay the ransom to retrieve their data. At the same time, criminal hackers have developed ways to circumvent standard security measures such as sandboxing and intrusion prevention systems. 

If that's not enough to convince you, here are four more reasons to take ransomware seriously: 

  1. Ransomware continues to evolve. Whether your organization is the victim of a ransomware exploit that encrypts files or a type that encrypts the master boot record and blocks access to an entire system, the standard solutions you have in place may not be enough to protect you. New variants of ransomware are continually being developed. They employ an array of techniques aimed at circumventing your security, including deleting Volume Shadow Copies, making it impossible to restore from backup files or avoiding detection by hiding in Microsoft macros or JavaScript files. The criminals who develop ransomware have become so sophisticated that many are offering ransomware as a service, widening the pool of potential victims.
  2. Standard security solutions may not protect you. Ransomware's ability to quickly change and mutate utilizing polymorphic or fileless malware has exponentially increased opportunities for ransomware to find its way into your organization. Conventional endpoint protection that relies on signature-based detection isn't up to the task of finding ransomware before it strikes. Adding solutions such as whitelisting, the ability to detect indicators of compromise, or machine learning can increase your protection, but in some cases will be unable to prevent an attack. And unlike malware infections that slowly exfiltrate your data so that postinfection detection may minimize loss, in the case of ransomware, prevention is often your only recourse. Once ransomware enters undetected, your data is immediately encrypted and inaccessible, or your systems are locked down.
  3. Compliance may be at stake. Most organizations retain sensitive data that is subject to regulatory legislation mandating its protection. When a breach happens and data is exposed, the victim organization must inform its customers and partners, and can incur substantial fines if regulations are affected. Ransomware attacks may not result in protected data being stolen, but organizations are still responsible for alerting all their constituents if an attack occurs. This can cause significant damage to an organization's brand. As Dark Reading reports, the Federal Trade Commission (FTC) has come down hard on companies that fail to protect their customers’ data. FTC Chairperson Edith Ramirez recently suggested that a company's failure to take action to prevent a ransomware attack could result in enforcement action — even if the company hasn't been the victim of an attack.
  4. Data recovery can be complex and costly. The cost and complexity of recovering files after a ransomware attack are why many companies, particularly smaller organizations, choose to pay the ransom. Even with a comprehensive backup system, in today's widely distributed organizations, files can be located across hundreds of devices. Though the attack may begin on one laptop, the ransomware could have access to other systems connected to the laptop, resulting in a costly drain on IT resources as they struggle to map and contain the damage. Even worse, if you’re the victim of a new ransomware variant that’s able to delete your backup files, recovery won’t be an option.

The Best Defense Against Ransomware
To combat the escalating level of ransomware sophistication, organizations need a multifaceted approach with complementary prevention and detection methods. One important method is to focus on indicators of attack (IoAs), a form of behavior-based detection that looks at the underlying actions taken by the threat rather than trying to pattern-match a new file to a signature. An IoA can prevent multiple variants and versions of ransomware families, including new ones not detectable by known signatures or features. Coupled with endpoint detection and response, machine learning, and proactive threat hunting by security experts, organizations can ensure that they have the prevention capabilities in place to alert teams of ransomware attempts before encryption can be initiated.

Related Content:

Dan Larson is Technical Director at CrowdStrike. He's a 10-year veteran of the information security industry with expertise in endpoint protection, encryption, embedded security, endpoint detection and response, as well as security management and advanced threat protection. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.