As ransomware rapidly evolves, cybersecurity must focus on prevention AND practical mitigation strategies. Enterprise C-suites must acknowledge they are at risk, transfer as much risk as possible and, most importantly, be ready to recover from ransomware when it occurs.
By Rick Orloff
Executives want to understand which security spending gives the best return on investment (ROI) relative to real-world threats against enterprise data. As ransomware rapidly evolves, offering an ROI of as much as 1425 percent to its perpetrators, cybersecurity must focus on prevention AND practical mitigation strategies. Enterprise C-suites must acknowledge they are at risk, transfer as much risk as possible and, most importantly, be ready to recover from ransomware when it occurs.
Ransomware looks better and better
Ransomware delivered by email arrives either as a link to an attacker-controlled site or as a Trojan attachment that looks like a perfectly ordinary file, e.g., a résumé for HR, an invoice for A/P, an RFP for Sales. When it is opened, it drops "extortion malware" that demands a ransom before the victim can recover his or her data. Drive-by ransomware, like a tick or flea, jumps into the bloodstream of a prospective host (your network of connected computers) when a user simply visits a compromised website or is served a malicious file; no attachment needs to be opened.
Once installed, ransomware encrypts and renames files as fast as it can walk the directory tree, often (and unfortunately) deleting Volume Shadow Copies first so that Windows' own previous-version recovery is gone. Where backup drives are mounted and writable, ransomware moves on to every accessible drive, including mapped network shares. Where employees use sync-and-share services like Dropbox or OneDrive, the infected files, now encrypted, sync to their mirror images and overwrite the clean copies there.
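The two behaviours just described, recovery tampering followed by a rename sweep, are exactly what an endpoint detection rule keys on. Below is an added example (not Code42 code, and not tied to any product) that runs both checks over constructed telemetry: process-creation command lines are matched against the well-documented shadow-copy and recovery-tampering commands, and file renames are grouped per process to find a burst that lands on one new extension. The thresholds, the host name, the PIDs and the `.locked` extension are all assumptions for the sample, not observations from any real incident.

```python
"""Behavioural ransomware detection over constructed endpoint telemetry.

Added example for illustration; the event tuples below are constructed,
not captured from a real host.
"""
import re
from collections import Counter, defaultdict

# Recovery-tampering command lines commonly run right before encryption starts.
TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RENAME_THRESHOLD = 20   # renames by one process (assumed; tune per environment) ...
WINDOW_SECONDS = 60     # ... inside this sliding window
SAME_EXT_RATIO = 0.8    # share of those renames that end on a single new extension


def constructed_events():
    """Constructed sample telemetry: (timestamp, host, pid, kind, detail)."""
    ev = [(100.0, "ws01", 4242, "proc",
           r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet")]
    # Hypothetical ransomware process renaming 25 documents in about five seconds.
    for i in range(25):
        ev.append((100.5 + i * 0.2, "ws01", 4242, "rename",
                   rf"C:\Users\a\Docs\report{i}.docx -> C:\Users\a\Docs\report{i}.docx.locked"))
    # A benign editor doing a single save-via-rename: must not alert.
    ev.append((101.0, "ws01", 1337, "proc", r"C:\Program Files\Editor\editor.exe budget.xlsx"))
    ev.append((101.2, "ws01", 1337, "rename",
               r"C:\Users\a\Docs\~budget.tmp -> C:\Users\a\Docs\budget.xlsx"))
    return ev


def ext_of(path):
    """Lower-cased final extension of a Windows path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(events):
    """Return alert dicts: one per tampering command, one per mass-rename process."""
    alerts = []
    renames = defaultdict(list)  # (host, pid) -> [(ts, new_ext), ...]
    for ts, host, pid, kind, detail in events:
        if kind == "proc" and any(p.search(detail) for p in TAMPER_PATTERNS):
            alerts.append({"type": "recovery_tampering", "host": host,
                           "pid": pid, "cmd": detail})
        elif kind == "rename":
            _old, _, new = detail.partition(" -> ")
            renames[(host, pid)].append((ts, ext_of(new)))

    for (host, pid), items in renames.items():
        items.sort()
        j = 0
        for i in range(len(items)):
            # Advance j to the first rename outside the window that starts at i.
            while j < len(items) and items[j][0] - items[i][0] <= WINDOW_SECONDS:
                j += 1
            window = items[i:j]
            if len(window) < RENAME_THRESHOLD:
                continue
            ext, n = Counter(e for _, e in window).most_common(1)[0]
            if n / len(window) >= SAME_EXT_RATIO:
                alerts.append({"type": "mass_rename", "host": host, "pid": pid,
                               "new_ext": ext, "count": len(window)})
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

Backup agents, archivers and bulk file-conversion jobs also rename many files quickly, so the rename rule is a trigger for investigation (or for isolating the host) rather than proof on its own; the tampering rule has far fewer legitimate matches and is the one to page on.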
High ROI, faster and better delivery
Cyber attackers are rapidly evolving and diversifying the ransomware arsenal to keep the cash flowing, with more complex ransomware strains and more creative infection strategies. From personalized landing pages to tampering with a device's boot process, stopping these techniques is much more complicated than training employees to avoid suspicious links.
Increasingly, attackers skip the phishing lure altogether and brute-force credentials on internet-exposed remote-access services. For a skilled attacker this is more reliable than phishing, and it immediately lands them much deeper inside the enterprise network, allowing them to compromise more devices and ransom more data.
If you can’t do it yourself, ransomware is easy to come by
Much as eBay acts as the middleman for sellers of all sizes, several web-based "businesses" popped up in early 2016 to act as proxies for data extortionists. These sites offer cyber thieves three options: lock up the victim's data and use the site as a payment proxy for the ransom; "dox" the victim, posting the stolen, sensitive information on the site to add extra urgency to the payment demands; or sell the stolen data to a third party and let it handle the extortion or otherwise monetize the data. These web vendors provide an easy Bitcoin-based payment interface and take a cut of every payment. It's a Business 101 approach for attackers.
The business of ransomware
Stealing or locking up data isn't the tough part of the ransomware business (flawed systems and manipulated users make that far too easy). It's the payment side, making direct contact with a victim and exchanging currency, that poses the highest risk for the attacker. To avoid getting caught during the payment process, some ransom vendors specialize in streamlining payment processing between the criminals and their victims.
Comparisons to eBay, Uber or Airbnb are apt (and alarming) in this context. Those disruptive innovations made it easy for the little guy to go into business for himself with little risk. Online vendors specializing in criminal services, like payment processing, lower the barrier to entry into the ransomware business in the same way.
As ransomware continues to hit businesses around the globe, it carries almost no downside for its perpetrators. When they infect a system, they have an opportunity to make money. If the infection fails, there are no associated risks or costs, so failure is not much of a deterrent.
The ROI of recovery
A very simple strategy, continuous, automatic endpoint backup, gives the enterprise the ability to recover quickly without paying a ransom. Ever.
No matter how complex and advanced the ransomware, continuous, automatic backup and recovery, at a cost of about $100 per device per year, takes the leverage out of the attack. Think of it this way: if every company were diligent about effective and meaningful endpoint backup and recovery, the ransom business would dry up. Take these to heart:
- When employees are phished, visit poisoned websites, or are otherwise infected by ransomware, real-time recovery from endpoint backup can roll every file, including system files, back to its last clean version.
- While File Sync and Share (FSS), born to synchronize, dutifully copies the encrypted files to their mirror mates and overwrites the clean ones, endpoint backup keeps every version of every file and can roll any of them back.
- When a device is stolen, drowned, wiped clean by an employee on his last day, or its hard drive fails, real-time recovery can roll it back word for word, digit for digit, byte for byte.
- When an employee or partner exfiltrates data that exposes intellectual property, customer, or patient data, real-time recovery technology can identify who did what, and when.
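The difference between the sync-and-share mirror in the second bullet and a versioned backup comes down to restore-point selection: a mirror holds one copy, so once the encrypted file syncs the clean one is gone, while a versioned store can hand back the last version written before the encryption started. The example below is an added illustration, not Code42's product or any vendor's code. It models both stores in a few lines, takes a cutoff timestamp (the kind a detector would supply), and picks the latest pre-cutoff version whose byte entropy still looks like a real document, so a mis-estimated cutoff does not silently restore ciphertext. The file names, timestamps and contents are constructed; the entropy threshold is an assumption.

```python
"""Versioned-backup rollback versus a sync-and-share mirror (added example).

All paths, timestamps and file contents are constructed for the demonstration.
"""
import math
from collections import Counter, defaultdict

# Bits per byte above which a version is treated as probably encrypted.
# Compressed formats (zip, jpeg, pdf streams) also score high, so in practice
# pair this with known-good magic bytes; here it is an assumed hint value.
MAX_CLEAN_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class SyncMirror:
    """Sync-and-share semantics: the newest write is the only copy kept."""

    def __init__(self):
        self.files = {}

    def put(self, ts, path, data):
        self.files[path] = data

    def latest(self):
        return dict(self.files)


class VersionedBackup:
    """Endpoint backup semantics: every write is retained with its timestamp."""

    def __init__(self):
        self.versions = defaultdict(list)  # path -> [(ts, data), ...]

    def put(self, ts, path, data):
        self.versions[path].append((ts, data))

    def restore_before(self, cutoff, max_entropy=MAX_CLEAN_ENTROPY):
        """Latest version per file written before `cutoff` that still looks clean.

        Returns (restored, unrecoverable): a path->bytes map and the list of
        paths with no acceptable pre-cutoff version (e.g. files that only ever
        existed after the infection, such as the ransom note).
        """
        restored, unrecoverable = {}, []
        for path, vers in self.versions.items():
            clean = [(ts, d) for ts, d in vers
                     if ts < cutoff and shannon_entropy(d) <= max_entropy]
            if clean:
                restored[path] = max(clean)[1]
            else:
                unrecoverable.append(path)
        return restored, sorted(unrecoverable)


def demo():
    """Write the same constructed history to both stores; encryption starts at t=200."""
    plain_a = b"Quarterly report: revenue grew four percent on stable margins. " * 16
    plain_b = b"Invoice 2231 - 40 units, net 30, ship to warehouse 7.\n" * 12
    # Stand-in for ciphertext: every byte value appears equally often (entropy 8.0).
    ciphertext = bytes((i * 7919) % 256 for i in range(1024))

    backup, mirror = VersionedBackup(), SyncMirror()
    for store in (backup, mirror):
        store.put(10.0, "docs/report.docx", plain_a)
        store.put(20.0, "docs/invoice.pdf", plain_b)
        store.put(30.0, "docs/report.docx", plain_a + b"Addendum.\n")  # legit edit
        store.put(201.0, "docs/report.docx", ciphertext)               # encrypted
        store.put(201.5, "docs/invoice.pdf", ciphertext)               # encrypted
        store.put(202.0, "docs/ransom_note.txt", b"Your files are encrypted. Pay 1 BTC.")
    restored, unrecoverable = backup.restore_before(200.0)
    return restored, unrecoverable, mirror.latest()


if __name__ == "__main__":
    restored, unrecoverable, mirrored = demo()
    for path, data in restored.items():
        print(f"restored {path}: {data[:40]!r}...")
    print("no clean version:", unrecoverable)
    for path, data in mirrored.items():
        print(f"mirror {path}: entropy {shannon_entropy(data):.2f}")
```

The cutoff is the single most important input: too early and you lose legitimate edits (here the 30.0 addendum), too late and you restore encrypted versions, which is why the entropy guard is there as a second check rather than trusting the timestamp alone.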
For more information, please visit http://www.code42.com/neverpay/
About Rick Orloff:
Rick brings to Code42 more than 20 years of deep information security experience. Prior to joining Code42, Rick was vice president and chief information security officer at eBay, led and built a variety of global security programs at Apple (AAPL), and directed global security at Lam Research (LRCX). Rick is currently an active member of several advisory boards focused on new and emerging security technology companies.
Throughout his career, Rick has driven meaningful and actionable results across a range of security areas, including global threat management, cyber intelligence, geospatial correlation of data and security operations centers.