Ransomware is “a type of malware that prevents users from accessing their system or personal files and demands payment in order to regain access.” The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card.
Ransomware is a severe threat not only for individual users but also for corporate network environments because it allows cyber criminals to gain a lot of money in a short amount of time. While some ransomware strains demonstrate strong coding skills and great sophistication, ransomware distribution platforms allow conducting a ransomware campaign without needing to have a developer background. When browsing the dark web, it is not uncommon to find shady websites promoting ransomware-as-a-service platforms. These malicious actors offer, for a fee, the same services a legit cloud provider would, such as development, tech support, customized dashboards, etc., without any need for the attacker to know any programming languages. The cybercriminals running it offer the attackers all they need, including binaries, documentation, detailed instructions and tech support.
Ransomware attacks are often successful because corporate organizations have security gaps with their patch and configuration management policies. Most organizations apply updates and patches only after testing them in a demo environment, which might create a window of opportunity for attackers to successfully exploit a vulnerability that the latest patches would have remediated.
Recent ransomware strains like Ryuk, often delivered through large botnets such as Emotet or TrickBot, have become more sophisticated and lethal. The city of New Orleans was recently forced to declare a state of emergency after a Ryuk ransomware attack took place on December 13, 2019. The infection spread so fast and dramatically that the city was forced to order all employees to power down computers and disconnect from Wi-Fi.
Another recent ransomware attack took down a US Coast Guard base for around 30 hours and was reportedly triggered by an employee who opened an infected email.
Many surely remember the WannaCry ransomware outbreak, which successfully compromised a very large number of computers over a short time frame in May 2017. Not everyone knows, though, that Microsoft had released a patch to fix the underlying SMB vulnerability some months before this widespread infection started occurring, but most individual and corporate users had not applied this patch yet.
Had most Windows users applied the patch earlier, the WannaCry outbreak would have likely been much more contained than it actually was.
Source: https://www.cyber.nj.gov/threat-profiles/ransomware-variants/ryuk
Should You Pay the Ransom?
This is a very controversial topic. Government and law enforcement agencies mostly recommend not to pay.
An efficient and secure backup policy can minimize the risks related to a ransomware infection. If backup copies are created regularly and stored securely (including offline), the victim user/organization can have a much better chance to resolve this situation without suffering excessive damages.
However, sometimes the answer to this question cannot be so clear-cut. Much depends on how valuable the information being held for ransom is for the organization and on how much downtime an organization can afford. Even with an efficient and secure backup policy in place (and tested regularly!), there may be situations when an organization cannot afford to lose data or having its servers and workstations down, even for a limited time.
Backups are normally performed on a fixed schedule. A company having a large website, forming the bulk of its business, cannot afford to lose, for example, the transactions finalized over the day, or even over the last hour because it could mean losing millions of dollars. Additionally, if an organization’s business relies on proprietary information and said information is being held for ransom, the organization may seemingly have no other choice but to pay.
However, paying the ransom does not always guarantee that the files held for ransom will actually be decrypted.
Many ransomware attackers will provide the decryption key after receiving the related Bitcoin payment, while others do not. Sometimes a bug or some other technical issue prevents the provided decryption key from working to successfully decrypt all ransomed files. Often the decryption process, even if works, is extremely slow and unreliable.
Whether the attackers and their decryption tools release your files or not, this is definitely a situation your organization does not want to be in.
What Enterprises Can Do to Stop Future Attacks
Use Prevention vs. Detect & Respond Solutions
What good is a cybersecurity solution that detects attacks after they have happened? Or worse, misses the threat completely, like the Dominion
National or AMCA attacks. Utilizing prevention methods that can stop zeroday and other known and unknown advanced attacks is crucial for a robust security framework. A preventative approach will also take the
pressure off IT/Sec-Ops and minimize attacks due to human error.
Arm Employees with Training and the Right Set of Tools
As you noticed from the list of attacks, most attacks occur through online social engineering schemes that manipulate users to open the doors
for hackers. One of the most common examples of this is a fileless attack.
The bottom line is employees can be the first line of defense against such threats. They must learn how to spot phishing schemes, not download
attachments without context, even when sent from an existing contact.
Don’t Assume Your System is Secure; Perform Continuous Threat Monitoring
Develop an understanding of the current threat environment and take appropriate measures to protect yourself from attacks. Evaluate your
existing security solution stack and practices and periodically employ third-party pen testers to do in-depth vulnerability testing. Gain visibility across your environment, so you know what software and systems have weaknesses. Once identified, prioritize the most critical vulnerabilities so you can mitigate those first.
An average organization has more than 200 apps: there are ample opportunities for bad actors to find weaknesses, and that is just the apps IT knows about—shadow IT increases the risk. Gartner estimates a third of successful attacks next year will involve shadow IT. No organization can address all vulnerabilities, even with the best IT teams and technology in place—therefore, a preventive solution is key.
Manage Third-Party Risks
Most companies rely on a variety of vendors, suppliers, and partners—and those relationships bring unwanted exposure to the business. Even with a strong security posture, attackers can simply find the weakest link in the supply chain and use it to gain access. Segment your network and limit third party access to critical infrastructure. Establish security checks and
thresholds for partners and vendors.
Cybersecurity Should Be a Culture, Not a Practice
A strong cybersecurity culture goes beyond employee training and awareness. Everyone in the company—from the board of directors
and C-suite executive leadership to every line employee—should view themselves as a critical part of strong security defense. Board and senior leadership should make cybersecurity a priority. Executive leaders should emphasize a cybersecurity culture of “no-fear” where an employee can raise appropriate alarms if they make a mistake, instead of sweeping it under the rug from the fear of getting fired.
Devise Comprehensive Incident Response Plans
Incident response (IR) should never be treated as an ad-hoc process. Assume that your security parameters are already compromised. Your security team should already have a well-defined methodology and IR playbook that is updated continuously based on new attack vectors that can be quickly implemented to quarantine, block, or eliminate malicious network traffic.
How AppGuard Can Help
Every cybersecurity company talks about how great their products are — that’s how marketing works. But business leaders have noticed that for all the talk about how effective today’s malware detection and response software is, hackers keep finding new ways to breach the data repositories companies spend so much time and effort to protect.
AppGuard is different because our patented technology guards and isolates processes that start from an application, no matter how trustworthy they look. That’s a radically different approach than “detect and respond” cybersecurity strategies. It doesn’t rely on alerting IT or security operations teams so they can check out suspicious activities. AppGuard stops the processes before they can cause harm.
Since we don’t operate in a “detect and respond” model, AppGuard doesn’t require extensive whitelisting, updates or connection to a central server. That means human error and overworked IT/security operations teams don’t contribute to risks for AppGuard users. AppGuard delivers complete endpoint protection on a zero-trust basis.
We’re the only solution that prevents breaches from both known and unknown cyber threats, and in our nine-year history, users have never reported a breach.
AppGuard has endpoint security locked down with products designed for a range of use cases, including:
- AppGuard Enterprise, a centrally managed, host-based endpoint protection solution that prevents malware and all advanced attacks from harming the system.
- AppGuard Server, a zero-trust, host-based endpoint protection agent for Windows and Linux servers, centrally managed from the same system as agents for laptops and desktops.
- AppGuard Solo, a self-managed, zero-trust, host-based endpoint protection agent for laptops and desktops that is ideal for small businesses and non-technical users.
- AppGuard TRUSTICA Mobile & IoT, a centrally managed, host-based solution for making employee mobile devices safe to use for the enterprise without intrusive co-administration.
So, if you’re looking for an edge over competitors, take a look at AppGuard’s products. With AppGuard, you can prevent breaches from occurring while focusing on your core strengths. There’s a cybersecurity crisis — let’s not waste it. Use AppGuard to create a safer connected world.