The ABCs of fighting back against ransomware
By Raj Samani
After slowing slightly in mid-2015, ransomware has regained its rapid growth rate overall. According to the June 2016 McAfee Labs Threats Report, total ransomware grew 116 percent year-over-year for the period ending March 31. Total ransomware rose 26 percent from Q4 2015 to Q1 2016 as lucrative returns continued to draw relatively low-skilled criminals. An October 2015 Cyber Threat Alliance analysis of the CryptoWall V3 ransomware hinted at the financial scale of such campaigns. The researchers linked just one campaign’s operations to $325 million in victims’ ransom payments.
This spurt in ransomware attacks can be attributed to three key drivers. The first is the syndication of the activity into ransomware as a service, with revenue-sharing offers to the operatives who deliver the malware to its targets. The second is the use of polymorphism in ransomware, which generates a unique signature for each attack and defeats static detection. The third is the increasing sophistication of the malware itself, which widens the scope of the damage it can do.
With Middle East organizations becoming a target for ransomware attacks, it is incumbent on every company to take action and ensure that its data and operations are not held to ransom. The following are ways to prevent systems from becoming infected:
Protecting Devices from Malware
Using best-in-class endpoint anti-malware products, which are updated regularly and recognize changing ransomware, is an important step in protecting systems. Professional vendors work hard to keep their products current, resistant to new variants, and able to protect the data residing on devices. Repelling malware also prevents compromised systems from being used to attack other devices or to penetrate deeper into an organization.
Secure Communication Networks
Another important step in protecting systems is to install network filters, firewalls, and application gateways that block both the ingress of ransomware (malicious sites, files, exploit payload droppers, etc.) and the outbound requests that installed ransomware makes to reach its command-and-control services. Many ransomware families attempt to connect to external destinations to receive instructions, download tools, or report back to the attackers. Blocking such connections can be of great benefit to potential victims, because it disrupts the infection cycle.
Keep Software Current
Patching and updating software is important in reducing the risk of exploits. This is a basic practice, but it is still under-practiced in the industry. Many older malware variants are still successful because victims have not applied the available software updates that close the holes being exploited.
Using security sandbox technology to test suspicious software and files is an important step in safeguarding devices. The most comprehensive security solutions leverage miniature test environments where suspicious files can be allowed to run. This offers a safe zone to watch for malicious activity and determine if the files represent a significant risk.
Having good backups, offline if possible, and the processes to quickly restore files if needed is a safety net. If all else fails, important data can be restored to clean devices.
It is important to verify that all critical data is being saved and to test the backup/restore process regularly.
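The backup-verification step above, as an added Python example that is not from the article: it records a SHA-256 manifest of critical files at backup time and checks a restored copy against it, reporting anything missing or altered (the sample files and directory names are constructed).

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time.
    Reports missing and altered files; ok is True only on a byte-for-byte match."""
    found = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in found)
    changed = sorted(k for k in manifest if k in found and found[k] != manifest[k])
    return {"missing": missing, "changed": changed, "ok": not (missing or changed)}


def demo() -> dict:
    """Constructed sample data: back up two files, restore them, then damage the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(src)
        stored = json.loads(json.dumps(manifest))  # manifest kept with the offline backup
        for name in manifest:  # simulate restoring the backup to a clean device
            (dst / name).write_bytes((src / name).read_bytes())
        clean = verify_restore(stored, dst)
        (dst / "ledger.csv").write_bytes(b"\x00encrypted\x00")  # content replaced
        (dst / "notes.txt").unlink()  # file never made it into the restore
        damaged = verify_restore(stored, dst)
        return {"clean": clean, "damaged": damaged}
```

Run the manifest build against the live data at each backup and the verification against a test restore on a schedule; a sudden wave of changed files on the live side is also a useful early signal that encryption is under way.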
Proper user training to avoid mistakenly opening infected files, weakening security defenses, or being lured to malicious sites is an important preventative measure. Most security controls can be bypassed by trusted users. It is therefore essential to educate users about the risks, the importance of security policies, and good security practices.
Limiting user and client access permissions to reduce the impact of a ransomware infection is essential. Restricting privileges to only what each user needs is a good start to building strong defenses against ransomware and minimizing the damage an infection can do.
Ensuring your organization’s data is not ripe for the taking is a daunting task, especially with the steady rise of ransomware as an attack vector. By adopting a planned approach involving both end users and IT administrators, and implementing integrated security solutions that protect, detect and correct, businesses can avoid the unplanned downtimes and losses associated with such malware attacks.
Raj Samani is the VP and CTO of EMEA, Intel Security.