Ransomware Strikes Again
Ransomware Strikes Again
Another major cyberattack is crippling computers and operating systems across the globe through the spread of malicious software. Known as Petya, this Ransomware attack is spreading rapidly through networks like the recent WannaCry or WannaCrypt attacks that infected more than 300,000 computers in 150 countries. While it’s too early to know the true backdrop of this attack, it appears to be linked to the same exploits used in the WannaCry attack.
What is Ransomware:
Ransomware is a type of malicious software that holds data hostage for financial gain. Historically, these attacks are carried out through the encryption of files, or threats to publish or delete files until a ransom is paid. These attacks are usually carried out by exploiting system vulnerabilities, typically initiated by a user being tricked into accessing a link or file. Once infected, the ransomware encrypts important files and documents on the device, until the ransom is paid. The payment demands are usually required to be made in the form of digital currency.
Should companies pay the ransom?
This is the basis of regular debate amongst security professionals. While some companies take the bait, and pay the ransom in hopes of having access to their files and systems, there is no guarantee that you will receive the decryption key to access your files. Additionally, by paying the ransom companies and individuals are funding the cyber criminals and cyberwarfare to create more attacks. As it relates to the most recent Petya attack, initial research shows that the email address associated with the ransom have been restricted, limiting the ability to communicate the decryption key. Although, the email address was shut down, this attack appears to have netted the criminals more than $7,000, which had been deposited to their bitcoin wallet.
How to protect your organization:
As with any information security related attack, one tool or layer of defense will not protect an organization. The attack vectors and tools have grown in sophistication and require a multi prong approach to combat.
- Risk Assessment – Understanding your organization’s environment and risks are critical to building a defense strategy. Without accessing the environment, systems and threats, environment mitigation strategies are unable to be implemented.
- Training – End users are the organization’s last line of defense in almost every attack. While they are the last line of defense, they are also the weakest link for every organization. Consistent and relevant training can save an organization from an attack. One effective means of training that we have seen to resonate with individuals is to not only focus on the threats to the organization, but also focus on personal level threats. Users are more likely to have a vested interest in items that will affect their personal life then an organization. That being said, by getting them to “think” will provide a strong layer of defense.
- End User Controls – Employees are typically the last layer of defense so maintaining strong controls around their functionality and protection is vital. While one control or solution will not protect against all attacks, maintaining several layers will greatly assist in the added protection to the global controls, such as firewalls, IDS, IPS, etc. When examining how to protect the users, administrators and management should look at tools and solutions that both detect and prevent a malicious event. Detective and preventive measures should include, but are not limited to, virus and malware protection, content filtering, email filtering, attachment blocking, restriction of administrative rights, etc. Additionally, where possible, a whitelisting approach should be implemented, in addition to the other controls.
- Vulnerability Management – Maintaining on-going vulnerability management programs can assist in keeping systems secure and protected from published known vulnerabilities, like those which were used in the Petya and WannaCry attacks. A vulnerability management program should include regular system patching, monitoring, scanning, and remediation. Those vulnerabilities which can’t be remediated should be mediated with additional controls.
- Data Backup – Knowing your data and backing up data is also a vital in recovering from such an attack. Without data backups, any encrypted data is typically lost and unrecoverable. Maintaining a backup schedule in accordance with an organization’s business continuity plan and recover point objectives will assist in limiting the potential loss data and ease in the recoverability.
While any one control or solution will never prevent an attack, having multiple layers to prevent and stop an attack is key and those layers need to be properly configured and monitored. Any organization can implement solutions and controls; however, if those solutions and controls are not properly configured and monitored, those solutions and controls will lack the protection needed.
Ransomware is only going to continue to raise an attack vector as it’s a quick, easy, and cost-effective means for cyber criminals to make money. The tools being used for such attacks are easily obtainable for even the novice criminal and require very limited sophistication or knowledge. In addition to the attacks affecting computers, mobile devices are likely to be the next node to be widely targeted. These devices are carried around by everyone and exploits can be initiated directly through an SMS message or a fake app. Organizations need to be vigilant and constantly enhancing their control and monitoring environments to keep pace with the cyber criminals!
Written by Jeffrey Johns.