As with other paradigms in the field of IT security, ransomware is one of a number of methods chosen by attackers to attain financial gain by capitalising on weaknesses in company policies and infrastructure.
Ransomware is a well-known type of malware amongst consumers and businesses alike, due to the significant increase in successful ransom campaigns over the last few years. At its core, ransomware is an effective form of cyber-extortion, whereby upon successful infection, corporate and personal data is encrypted and rendered unusable, and may only be recovered by paying a ransom to the attacker (usually in the form of crypto-currencies), or by recovering the original copies of the encrypted data from backups. The biggest contributor to the continued success and growth of ransomware is undoubtedly the revenue-generating capabilities of this type of cyber-crime.
Ransomware attacks are primarily conducted through increasingly sophisticated and believable phishing campaigns in which users are fooled into clicking on links to websites hosting malicious content, or into opening attached Microsoft Office documents loaded with macro-based malware.
An effective ransomware campaign may be defined by the amount of revenue generated through ransom payments made by its victims. This figure may be correlated with the infection statistics of an individual campaign to generate an infection-to-payment ratio. The recent WannaCry outbreak had a surprisingly low ratio, which indicates that although the number of infected PCs topped the scale in terms of sheer numbers, not many victims actually had to resort to paying the ransom. This would indicate that the majority of affected systems had resilient backup systems in place, and were able to restore data. As a result, attackers would most likely change tactics in order to cater for increased user awareness, and countermeasures employed to mitigate ransomware risks.
Emerging ransomware tactics include ‘Doxing’, where attackers capture corporate data and threaten to release it publicly rather than destroying it, forcing companies to pay a ransom to prevent disclosure of sensitive information. Another form of data theft perpetrated through ransomware infection is the active searching and theft of user credentials, to be used in a secondary attack to coerce a victim into paying a ransom. Another effect directly attributed to a low infection-to-payment ratio, is an increase in the damage caused by a ransomware attack to reduce the chances of successful recovery.
The risks faced by victims of a successful ransomware attack are not industry-specific, although certain risk-types may have higher impacts on certain industries.
The key risks associated with a typical ransomware attack are primarily data-centric, and include data loss, data theft, and doxing.
Other ancillary risks attributed to a ransomware attack include company reputation and credibility, loss of customer trust, and brand damage. New generations of ransomware may also introduce FUD elements (Fear, Uncertainty and Doubt) in the form of extortion through doxing and the implementation of undetectable Advanced Persistent Threats within a company's network. These may be triggered at will by attackers, or programmed to trigger automatically.
The following mitigation techniques for ransomware provide some useful strategies in order to curb the risk of falling victim to these attacks:
Since the majority of ransomware is spread via phishing campaigns, the weakest link is usually the employee who unwittingly clicks on a phishing link or malicious attachment within an email, and initiates the ransomware infection. Security awareness training, showing users how to recognise phishing attempts and adopt safe online browsing practices, is a must for any organisation.
Having a properly tested and robust backup strategy can be the solution to many ransomware related problems, since the objective of a typical ransomware attack focuses on rendering data indecipherable. An effective backup strategy to adopt is the 3-2-1 rule: have at least 3 full copies of data, using 2 different mediums (disk / tape), and keeping at least 1 copy offsite.
Patch management strategies
Having a proper patch management strategy in place can reduce the risk of vulnerabilities on any device connected to a network being exploited. Third party tools are available to allow companies to define, control and implement patch management strategies across enterprises.
Segregation and isolation of environments
The Wannacry ransomware variant, which demonstrated worm-like traits and spread itself over networks, illustrates the importance of never keeping all resources on one network. Rather, companies should introduce segregation and the isolation of resources within their networks, and complement this with coherent network access controls to resources and users within a company network.
Network access controls should complement segregation and network isolation policies. These restrict access to data and resources based on roles (RBAC or Role Based Access Control), and normally work hand in hand with BYOD (Bring Your Own Device) and Mobile Device Management policies, allowing or preventing the use of personal devices within a company's network.
Encrypting company data using secure and centrally controlled methods, prevents attackers from effecting data theft with the intent of coercing a company into paying a ransom, by threatening to release the stolen data publicly. Encrypting financial information, personally identifiable information, and other sensitive forms of company data, can substantially increase confidentiality, and reduce the risk of doxing attacks actually being effective.
Avoid paying the ransom. This solution will make a difference in the long term, and if adopted by the majority of ransomware victims, will curb the popularity of ransomware by reducing the overall revenue generated by ransoms. One should keep in mind that although instances exist whereby the ransom is paid, the decrypt key may not always be retrieved.
As with other paradigms in the field of IT security, ransomware is one of a number of methods chosen by attackers to attain financial gain by capitalising on weaknesses in company policies and infrastructure; once the effectiveness of typical ransomware attacks is reduced through the proper implementation of information security policies, attackers will always seek (and will usually manage) to find other methods of obtaining wide-scale illicit funds.
Vigilance by IT security professionals, staff, and management, is therefore essential in contributing to the mitigation of malware related risks to organisations.