Ransomware
by Amy Weiss, The Imaging Channel

A quick disclaimer to start things off: ransomware is a topic that is almost impossible to keep current on. Just like a new car loses value as soon as it’s driven off the lot, by the time ink meets paper on a magazine’s pages the ransomware field will have changed. This article was started just before the WannaCry ransomware outbreak hit the British National Health Service (NHS), eventually infecting (as of this writing) more than 75,000 users in 99 countries. Think technology changes fast? Market leadership in ransomware changes faster than you can say “cybersecurity.” So what facts can we count on to remain relatively solid? Let’s take a look.

What is Ransomware?

Put simply, ransomware is a type of malware that prevents access to computers, files or systems. The two common types are lockers and encryptors, names that are fairly self-explanatory. Lockers lock users out of their operating systems or keyboards, or in some cases out of their mobile phones. Encryptors, commonly known as cryptware or crypto-ransomware, encrypt the contents of a system or computer using a private key that only the attacker possesses — until the ransom is paid. The recent WannaCry variant was the latter; the NHS experienced hospital computers showing ransom messages demanding $300 worth of bitcoin — an online currency favored by hackers for ransomware payments because of its ability to operate outside standard financial systems.

Perhaps one of the most disturbing elements of ransomware is its method of distribution. Like most other software, ransomware is a business. A ZDNet article describes variants of ransomware with analysis of market share and methods of distribution that include ransomware-as-a-service (RaaS) — yes, just like almost everything else these days, ransomware is available in an as-a-service model, typically from an underground market on the Dark Web. And that ease of access to software and models is one of the things that has enabled its propagation.

“The use of ransomware has been around a long time but really started to rise in 2012 from a variant known as Reveton,” said William MacArthur, threat researcher for RiskIQ, a digital threat management firm. “Since then, it has skyrocketed in use by threat actors of every skill level. First of all, it’s as easy to use as downloading it off the internet and getting started, and spinning up entire campaigns is simple and efficient. Once someone comes up with something that works, a ton of actors hop on the bandwagon so to speak and start using it, which makes it hard for good guys to defend against.”

Typical ransomware attacks come in the form of phishing emails or popup ads on websites. Unsuspecting users click seemingly harmless and necessary files — fake invoices, or files that look like common attachment types such as .pdf, .jpg or .doc files — that contain the infection. Often the messages are personalized — known as “spear phishing” — offering a more powerful incentive for unsuspecting users. A Trend Micro report from back in 2012 showed that at that time, more than 90 percent of cyberattacks began with a spear phishing email. Common subject lines contain language like “Attn: Invoice” that looks like a common scan-to-email attachment.
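As an added illustration (not code from the article), the following Python screen applies the checks a mail gateway can run against exactly the disguises just described: whether the bytes really match the declared .pdf, .jpg or .doc type, whether the name carries a double extension such as "Invoice.pdf.exe", and whether the file is an executable or script type at all. The attachment names and contents are constructed samples.

```python
"""Screen e-mail attachments for the disguises the article describes.

Added example, not code from the article: an attachment is flagged when
its declared extension does not match the file's real type (magic
bytes), when it carries a double extension such as "Invoice.pdf.exe",
or when it is an executable or script type that should never arrive
by mail. The sample attachments below are constructed.
"""
from dataclasses import dataclass

# Leading bytes that genuine files of each declared type start with.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".doc": (b"\xd0\xcf\x11\xe0",),   # OLE2 compound document (legacy Office)
    ".docx": (b"PK\x03\x04",),        # ZIP container (Office Open XML)
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")   # Windows PE, Linux ELF
# Extensions a mail gateway should block outright.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1", ".jar"}


@dataclass
class Attachment:
    filename: str
    content: bytes


def extensions(filename):
    """All dotted suffixes, lowercased: 'Invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def screen(att):
    """Return the list of reasons to block the attachment (empty list = allow)."""
    reasons = []
    exts = extensions(att.filename)
    last = exts[-1] if exts else ""
    if last in BLOCKED_EXT:
        reasons.append(f"blocked extension {last}")
    if len(exts) > 1 and exts[-2] in MAGIC:
        reasons.append(f"double extension {''.join(exts[-2:])}")
    if att.content.startswith(EXECUTABLE_MAGIC):
        reasons.append("content is a native executable")
    if last in MAGIC and not att.content.startswith(MAGIC[last]):
        reasons.append(f"content does not match declared type {last}")
    return reasons


# Constructed samples: a genuine invoice, two disguised executables, a real .doc.
SAMPLES = [
    Attachment("invoice_2017-06.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj"),
    Attachment("Attn_Invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    Attachment("scan_0042.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    Attachment("contract.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
]


def screen_all(attachments=SAMPLES):
    """Map each filename to its block reasons."""
    return {a.filename: screen(a) for a in attachments}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(f"{'BLOCK' if reasons else 'ALLOW'}  {name}  {'; '.join(reasons)}")
```

The magic-byte check is what catches the "scan_0042.jpg" case that a filename filter alone would pass; the extension rules catch the rest. A real gateway goes further (macro-bearing Office documents, archives, URLs in the body), but these three checks already remove the cheapest disguises the article lists.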

“Ransomware is so dangerous because your defenses against it are often only as strong as your least cautious employee — when one person clicks on an email … the entire network is compromised,” noted MacArthur.

How to Prevent Ransomware, or (Worst Case) Fight It

An intrusion protection system (IPS) — network security and threat prevention technology that monitors network traffic flows — is critical to your network security. A good IPS will detect and prevent ransomware activity on the network.

“The best way to protect against malware is to have a strong security solution in place, and that means a strong network security policy for the IT team and a strong end-user policy,” said Barry Weiss, network architect at the University of Central Florida. “Backup is important, but it’s an after-the-fact repair. Prevention should be your top priority. Once you’re already compromised, someone else is in control of your data, so a strong security strategy to prevent the exploit is the most important thing.”

Security software should also do posture assessments — evaluations of system security based on the settings of your specific system — checking to make sure you have the latest antivirus updates and code, and ensuring all necessary updates are in place, plugging potential security holes. Your VPN or security software vendors will frequently include posture assessments with their offerings.

“For a company with a lot at stake, a posture assessment is one of the best investments for end-user computers,” says Weiss. “It ensures the most up-to-date security settings, antivirus definitions and Windows patches are on each user’s computer, saving the IT team the time and effort of doing it manually.”

Because end users are such a point of vulnerability when it comes to attacks, user education is also key. It’s more than just awareness though, and in fact, “unsuspecting” isn’t always even the right term for the users who click on malicious links. A study done by researchers at Germany’s Friedrich-Alexander University (FAU) showed more than half of email recipients and 40 percent of Facebook users clicked on links from unknown senders, and most of these users were not unaware of the potential consequences of their actions; 78 percent had answered a questionnaire prior to the study saying they were aware of the risks of unknown links. When asked why they clicked, most said it was due to curiosity. “I think that, with careful planning and execution, anyone can be made to click on this type of link, even if it’s just out of curiosity,” said FAU’s Dr. Zinaida Benenson in the report on the findings. “I don’t think 100 percent security is possible. Nevertheless, further research is required to develop ways of making users, such as employees in companies, more aware of such attacks.”

If ransomware does make it past your defenses, however, being able to wipe and rebuild the system is the best way to avoid being held hostage, and that requires a solid backup policy. But even backups aren’t as simple as they once were.

John Christly, Global CISO, Netsurion, a provider of remotely managed security services for multi-location businesses, said that “… even cloud-based backups can fail in your time of need if all you chose to back up was the data from your PC or server. What is needed is a full backup of your system, also called a ‘bare metal’ backup, which includes a backup of not only the data, but also of the boot volume, system state, applications, and system data, which combined, makes it easier to restore when needed. If you take the time to get a full backup like this in place and saved to a secure cloud vaulting system, then restoring a PC or server once ransomware has taken up residence on a system and locked you out becomes a manageable and possible event in most cases.”
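An added example, not code from the article or from Netsurion, that makes one point of the backup discussion concrete: a backup is only worth something if it restores, and a backup taken after the infection has started may contain nothing but ciphertext. The Python below writes an archive together with a manifest of SHA-256 hashes, restores the archive to a scratch directory and re-hashes every file, and compares two manifests to flag files that changed and now look like random bytes. The files and the simulated infection in demo() are constructed.

```python
"""Check that a backup is complete, restorable, and not already poisoned.

Added example, not code from the article or from Netsurion: make_backup()
writes a tar archive plus a manifest of SHA-256 hashes; verify_backup()
restores the archive to a scratch directory and re-checks every file;
encrypted_suspects() compares two manifests and reports files whose
content changed and now looks like random bytes, which is what a backup
taken after a ransomware infection contains. demo() builds sample files.
"""
import hashlib
import json
import math
import os
import tarfile
import tempfile
from collections import Counter


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_backup(src_dir, archive_path):
    """Archive src_dir; save and return a manifest of relative path -> hash/entropy."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                with open(full, "rb") as fh:
                    data = fh.read()
                manifest[rel] = {"sha256": sha256(data), "entropy": round(entropy(data), 3)}
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=1)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore into a scratch directory and re-hash; return problems (empty = OK)."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuses path traversal
            except TypeError:  # Python versions without the filter argument
                tar.extractall(restore_dir)
        for rel, info in manifest.items():
            path = os.path.join(restore_dir, rel)
            if not os.path.isfile(path):
                problems.append(f"missing after restore: {rel}")
                continue
            with open(path, "rb") as fh:
                if sha256(fh.read()) != info["sha256"]:
                    problems.append(f"hash mismatch: {rel}")
    return problems


def encrypted_suspects(baseline, current, threshold=7.5):
    """Files changed since the baseline whose new content is near-random."""
    return sorted(rel for rel, info in current.items()
                  if rel in baseline
                  and baseline[rel]["sha256"] != info["sha256"]
                  and info["entropy"] >= threshold)


def demo():
    """Back up two constructed files, verify, then simulate an infection."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "server")
        os.makedirs(src)
        with open(os.path.join(src, "notes.txt"), "w") as fh:
            fh.write("Quarterly invoice notes, nothing unusual.\n" * 50)
        with open(os.path.join(src, "contract.doc"), "wb") as fh:
            fh.write(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 500)
        archive = os.path.join(work, "backup-1.tgz")
        first = make_backup(src, archive)
        results["first_verify"] = verify_backup(archive, first)
        # A manifest that lies about a hash must be caught by the restore test.
        tampered = dict(first, **{"notes.txt": {"sha256": "0" * 64, "entropy": 0.0}})
        results["tampered_verify"] = verify_backup(archive, tampered)
        # Simulated infection: notes.txt replaced by deterministic pseudo-random bytes.
        noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        with open(os.path.join(src, "notes.txt"), "wb") as fh:
            fh.write(noise)
        second = make_backup(src, os.path.join(work, "backup-2.tgz"))
        results["suspects"] = encrypted_suspects(first, second)
    return results
```

A restore test like verify_backup() belongs in the backup schedule itself, not in the incident; a backup that has never been restored is an assumption, not a plan. The entropy comparison is a heuristic (compressed archives and media files are naturally high-entropy), so a hit is a reason to look at a backup before trusting it, not proof of infection.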

How Susceptible are You?

Obviously, anyone can be the target of a ransomware attack, but certain industries make better targets than others. The WannaCry attack focused on healthcare, which is a prime target because of the sensitive nature of the information it is protecting — hospitals have a lot to lose. MacArthur notes that “Hospitals and healthcare networks are particularly vulnerable because updating their networks is disruptive to the crucial day-to-day operations, and their operating systems are very specifically designed.”

Healthcare is far from alone as a target, though. A Symantec report titled “Ransomware and Businesses 2016” noted the services sector (which includes healthcare) was the most affected business sector between January 2015 and April 2016, with 38 percent of organizational infections. Manufacturing was next at 17 percent; following behind were finance, insurance and real estate and public administration. “As yet, it is unclear why some sectors are more affected than others,” the report notes. “One possible explanation is that organizations with a higher level of integration with different internet services tend to have a higher exposure to infection risks, hence the large number of services sector infections.”

Consequences

In a Wired article titled “Why Hospitals are the Perfect Target for Ransomware,” Kim Zetter notes, “Hospitals are the perfect mark for this kind of extortion because they provide critical care and rely on up-to-date information from patient records. Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.” Additionally, the potential fines levied against organizations that are out of compliance with regulations such as HIPAA are far greater than the amount of ransom demanded, often creating a scenario where it is cheaper and less damaging to simply pay the ransom.

It seems clear that ransomware isn’t going away anytime soon. As long as there is money to be made and IT targets to attack, ransomware will remain a very real threat. “It is designed to prey upon the unsuspecting, but rather than suck data out of a network, it cuts to the chase and asks for the cash up front,” said Christly. “The fact that NHS’s electronic systems — and now other companies’ systems globally — were so drastically affected by a ransomware outbreak should send alarm bells throughout all industries.”

The alarm bells are ringing, we’re sure, but what’s the next step? We write often about the continuing growth of the Internet of Things, and typically we view it as a positive, but the IoT and its wealth of connected devices are only increasing security risks for their users. As noted previously, end-user education is critical — and by this we mean the “pound it into their heads until you can’t pound any more, and then do it some more” type of education. And when that isn’t enough — because it’s not — good IT practices are essential. Systems that restrict access based on job type and level are important here, keeping access on a need-to-know basis. And of course, backups can be lifesavers. Expanded backups, multiple copies and the previously mentioned “bare metal” backup that is then backed up to a secure vault in the cloud make a good start.

It’s a common saying that the best defense is a good offense, and that definitely applies to the threat of ransomware. It is critical to have in place a solid network security plan and a strong IT security policy for your company. This means making investments in security software and creating solid end-user policies that keep users from unintentionally infecting their machines, and eventually the network. Often, the cost of these investments feels prohibitive up front — but think of the alternative.

If those lines of offense don’t stop the threat, you’ll need multiple lines of defense to back up your offense. Even then, it may not be enough, but being prepared is the most important step. Are you ready?

Resources:

Cisco: Ransomware Defense - http://www.cisco.com/c/en/us/solutions/enterprise-networks/ransomware-defense/index.html
Microsoft Malware Protection Center - https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
Palo Alto Networks: Cybersecurity - https://www.paloaltonetworks.com/cyberpedia/cyber-security
Trend Micro: Ransomware - https://www.trendmicro.com/vinfo/us/security/definition/ransomware

This article originally appeared in the June 2017 issue of The Imaging Channel