Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/22/2016
02:10 PM
Sean Martin
Sean Martin
Slideshows
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

How To Lock Down So Ransomware Doesn't Lock You Out

Ransomware has mutated into many different forms - and it's not always easy to catch them all, but here are some things you can do.
Previous
1 of 7
Next

Image Source: imsmartin/eSentire/KnowBe4/Securonix

Image Source: imsmartin/eSentire/KnowBe4/Securonix

With the introduction of the CryptoLocker Trojan in September 2013, the cyber-plague we now know as ransomware was unleashed on the Internet. From its simple beginnings, ransomware has mutated into many different forms — and it’s not always easy to catch them all.

“There are now well over one hundred different strains, and the end is nowhere in sight,” says Stu Sjouwerman, founder and CEO of KnowBe4.

The sheer number of malware variants demonstrates ransomware’s strong appeal, where many aspiring cybercriminals — big and small — are trying to muscle their way onto the scene with increasingly sophisticated digital tools.

“It is only a matter of time before one of these guys gets smart and starts analyzing the files on disk or file server to see which are recent and/or shared, or sit in a directory that indicates high value like accounting, design, or software development,” Sjouwerman predicts.

To date, traditional signature-based computer security products have been unable to effectively combat ransomware. And the problems are getting worse, because there’s so much for the bad actors to gain, and nothing for them to lose.

Igor Baikalov, chief scientist at Securonix, explains ransomware's allure this way: "...the barriers to entry are low, the payoffs are high, operations are scalable, and risk is negligible compared to the physical hold-up in a dark alley.”

Meanwhile, ransomware continues to evolve and competition amongst the criminals is fierce — and it spans the globe. 

“These mostly Eastern European cyber mafias are investing a lot of money in ‘new feature’ development such as new strains that function as a worm, strains that obtain admin privileges, a strain that adds a DDoS bot to the machine, and others that literally pull some encrypted files off the victim machine up into their control and command server — this bring us into data breach territory,” Sjouwerman says.

Criminals are moving quickly. The industry must move faster to combat these threats, experts say.

“Within the year, we will see fully-automated ransomware targeting all machines on a company’s network, using multiple methods of attack and delivering multiple types of payloads,” Sjouwerman says.

Here's how to build a defense-in-depth strategy to help you prepare for a ransomware attack — with the goal of not having to pay the ransom.

Note: imsmartin would like to thank Chris Whidden, Solution Engineer at eSentire, Stu Sjouwerman, founder and CEO of KnowBe4, and Igor Baikalov, Chief Scientist at Securonix, for their contributions to this slideshow.

Related Content:

 

 

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as ... View Full Bio
 

Recommended Reading:

Previous
1 of 7
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NisosGroup
50%
50%
NisosGroup,
User Rank: Apprentice
6/26/2016 | 10:49:03 AM
Re: Mapped Drives versus Collaboration platforms
Terry,

 

I was intrigued by your question. I queried my team who responded as follows. If that's not a robust enough answer or you need actual technical assistance with the issue, do let me know.

"It's a short hop for sharepoint library- stored files to be accessed by WebDAV UNC paths.  Windows internally will do the file get/put for an attacker of the file path.  If ransomware used MRUs, it could grab the paths as start points for attacking sharepoint libraries and files stored within. The best part about Windows being "smart" regarding file path interpretation is that it makes the issue trivial."
TerryB
50%
50%
TerryB,
User Rank: Ninja
6/23/2016 | 12:42:09 PM
Mapped Drives versus Collaboration platforms
It's well known now that legacy mapped network drives from servers can be encrypted by a ransomware attack. I've yet to see an article that discusses whether that ability exists to attack Sharepoint database server from a compromised client. 

It seems like the Web Front End of Sharepoint would protect the database server. But I've noticed the "Recent Documents" ability in things like Excel shows links to documents in Sharepoint Doc libraries. Can ransomware traverse those links and encrypt either the web front end or database server of Sharepoint?

I've struggled to motivate the biz unit I work at to move the majority of documents from legacy mapped drives into our Sharepoint install. I'm very curious if this a benefit I can use to increase the priority of that.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
6/23/2016 | 7:22:41 AM
Some great advice
Some good advice in this piece. Don't be the lowest hanging fruit, make sure security is as high as you can make it and educate the users.

I'd also recommend finding a different way to share files and folders among workers other than email attachments, that way you can just assume all email attachments are malicious and delete them. It's often not worth the risk.

There are many better ways to share data now any way. 
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32598
PUBLISHED: 2021-08-05
An improper neutralization of CRLF sequences in HTTP headers ('HTTP Response Splitting') vulnerability In FortiManager and FortiAnalyzer GUI 7.0.0, 6.4.6 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow an authenticated and remote attacker to perform an HTTP request splitting...
CVE-2021-32603
PUBLISHED: 2021-08-05
A server-side request forgery (SSRF) (CWE-918) vulnerability in FortiManager and FortiAnalyser GUI 7.0.0, 6.4.5 and below, 6.2.7 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker to access unauthorized files and services on the system via specifically crafte...
CVE-2021-3539
PUBLISHED: 2021-08-04
EspoCRM 6.1.6 and prior suffers from a persistent (type II) cross-site scripting (XSS) vulnerability in processing user-supplied avatar images. This issue was fixed in version 6.1.7 of the product.
CVE-2021-36801
PUBLISHED: 2021-08-04
Akaunting version 2.1.12 and earlier suffers from an authentication bypass issue in the user-controllable field, companies[0]. This issue was fixed in version 2.1.13 of the product.
CVE-2021-36802
PUBLISHED: 2021-08-04
Akaunting version 2.1.12 and earlier suffers from a denial-of-service issue that is triggered by setting a malformed 'locale' variable and sending it in an otherwise normal HTTP POST request. This issue was fixed in version 2.1.13 of the product.