Despite rumours of the demise of ransomware, it is still very much alive and kicking. A Sophos survey of 3 100 organisations found that 30% of cyberattack victims had been hit by ransomware. Additionally, and of concern, nine in 10 respondents said their organisation was running up to date cybersecurity protection at the time of the attack.
“Most organisations have at least some form of IT security in place. So why are ransomware attacks slipping through the net? Hacking is becoming easier while attackers are becoming more sophisticated in their approach and ‘Exploit as a Service’ (EaaS) programs that take advantage of vulnerabilities in existing software products are increasingly accessible. These kits make it simple for less tech-savvy criminals to initiate, complete, and benefit from a ransomware attack,” says Ross Anderson, Sophos Product Development Manager at Duxbury Networking.
Criminals use skillful social engineering to prompt users to run the ransomware’s installation routine. They try to trick users into activating the ransomware with emails that encourage the recipient to click on a link or open a file. In addition, producers of ransomware operate in a highly organised fashion. This includes providing a working decryption tool after the ransom has been paid, although this is by no means guaranteed.
There are multiple ways that a ransomware attack starts. Common techniques include:
Malicious emails
Poisoned websites redirecting you to exploit kits
Remote Desktop Protocol (RDP) and other remote access holes.
How do ransomware attacks unfold?
After initial exposure, attacks typically fall into two different categories:
‘Fire and forget’. These types of automated attacks target multiple organisations with the hope of securing a high quantity of smaller ransoms. A good example is WannaCry. Thousands of organisations were hit by WannaCry at the same time. These hackers use automated, ‘fire and forget’ techniques, where the attack is launched and spread to as many computers as possible. Due to the automation and number of attacks, the attacker is oblivious to the stages of the attack.
Targeted ransomware. This is a very manual attack, typically focuses on one victim at a time and often demands much higher ransom fees. The attackers gain access to the network and move laterally; identifying high-value systems in the process. Strains of this type of ransomware, overcome challenges as they arise, making them particularly deadly.
Staying secure against ransomware is not just about having the latest security solutions. Good IT security practices, including regular training for employees, are essential components of every single security setup. Anderson suggests applying these 10 best security practices to mitigate the effects of ransomware:
Patch early, patch often. Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash, and more. The sooner you patch, the fewer holes there are to be exploited.
Backup regularly and keep a recent backup copy off-line and off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop, or even an accidental delete. Encrypt your backup and you will not have to worry about the backup device falling into the wrong hands. Furthermore, a disaster recovery plan that covers the restoration of data and whole systems.
Enable file extensions. The default Windows setting is to have file extensions disabled, meaning you have to rely on the file thumbnail to identify it. Enabling extensions makes it much easier to spot file types that would not commonly be sent to you and your users, such as JavaScript.
Open JavaScript (.JS) files in Notepad. Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows you to examine the file contents.
Do not enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so do not do it.
Be cautious about unsolicited attachments. The crooks are relying on the dilemma you face knowing that you should not open a document until you are sure it is one you want, but you cannot tell if it is one you want until you open it. If in doubt leave it out.
Monitor administrator rights. Constantly review admin and domain admin rights. Know who has them and remove those who do not need them. Do not stay logged in as an administrator any longer than is strictly necessary and avoid browsing, opening documents, or other regular work activities while you have administrator rights.
Stay up to date with new security features in your business applications. For example, Office 2016 now includes a control called ‘Block macros from running in Office files from the internet’, which helps protect against external malicious content without stopping you from using macros internally
Regulate external network access. Do not leave ports exposed to the world. Lock down your organisation’s RDP access and other management protocols. Furthermore, use two-factor authentication and ensure remote users authenticate against a VPN.
Use strong passwords. It sounds trivial, but it really is not. A weak and predictable password can give hackers access to your entire network in a matter of seconds. Make them impersonal, at least 12 characters long, using a mix of upper and lower case and adding a sprinkle of random punctuation Ju5t.LiKETh1s!