Ninety-six percent of organizations suffered an email attack in the second half of 2017, according to email security vendor Agari. Attacks aren’t just aimed at big business – small businesses are equally vulnerable: ThreatMetrix states that 60 percent of small U.S. companies suffered some form of cyberattack in 2016.
The recently identified Annabelle attack was remarkable in its multiple modes of proliferation, while Qkg tried to undermine behavioral security algorithms by only infecting newly-created files. Fortinet’s FortiGuard Labs warns, “Ransomware continues to morph and leverage new delivery channels such as social engineering (e.g., crypto-mining).”
Ransomware-as-a-service is also proliferating. One security firm recently identified a variety of ransomware that is being distributed to criminals for free on the Dark Web. The people behind these attacks aren’t playing games. Typically, they demand payment using digital currency to return access to your data to you. On average, attackers demand at least $1,000 to give you back control.
What happens when you’re hit?
The first signal that something has happened may be a warning sign on your enterprise notebook screen when you try to log on in the morning. In the background, the ransomware will have contacted its command and control server to report that a system has been subverted, and a set of digital encryption keys (controlled by the attacker) will have been created. Then you will be asked for money to free your machines.
What happens next is one or more of the following costly consequences:
- Accept the data is gone and start over
- Hire security experts to attempt to rescue systems
- Purchase new systems
- Delete old systems and restore from backup
- Pay the ransom
Ironically, the last choice does not guarantee a successful recovery. One recent study claimed ransomware victims have paid over $25 million over the last two years. Was it worth it? CyberEdge surveyed over 1,000 worldwide businesses that had been hit by such an attack to find that half of those who paid a ransom never regained access to their files. They lost their data and they lost their money.
As digital transformation brings essential business systems online, criminals and hackers are more determined than ever to exploit enterprise IT. In this ever-changing threat landscape, enterprises must ensure detection systems are flexible enough to spot newly emerging threats. They also need to ensure their IT systems are sufficiently resilient to survive any attacks that do get through.
What’s a good strategy to minimize damage?
Prevention is much better than cure. Ideally, it involves three complementary strategies working together: People, Processes and Protection.
Your employees are both your greatest security weakness and your biggest security asset. It makes sense to empower them with knowledge of how to spot and avoid attacks (particularly phishing), and they should have access to antispam, phishing, and web protection tools. It’s also important to ensure there’s no blame culture – your people need to feel they can admit to a security error if they make one – it’s so much better to learn of a problem early than for it to nest deep inside your systems, preparing the way for a ransomware attack. Criminals will exploit social conditioning to target specific users and imitate colleagues in malware-laden emails.
Don’t assume existing security systems will be enough. Enterprise users must ensure security patches are installed and employees are in line with any existing security protocols, but to survive a ransomware attack the best mitigation is always going to be effective system sandboxing and regular (protected) backups. “Segregating networks and leveraging backups can help organizations limit damage and be resilient in the event of a ransomware attack,” says Michael Daniel, President and CEO of the Cyber Threat Alliance. That way, if your systems are seized in a ransomware attack you can ignore the ransom demand and reinstall your machines from your backup. This single step hugely reduces your vulnerability to such attacks. “Cybercriminals can’t hold your data hostage and extort you for ransom if you have another copy of it,” warns Forrester’s recent Ransomware Protection report.
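A backup only counts as "protected" if you can prove the copy you restore from is still the copy you made. The following script is an added example, not code from the article or from any vendor quoted in it: it records a SHA-256 manifest of a source tree at backup time and later checks a backup copy against that manifest, reporting intact, missing, changed and unexpected files. The directory layout, file names and the "offline" versus "online" copies in `demo()` are constructed for the demonstration; the tampering step just overwrites and deletes files to stand in for what a ransomware run leaves behind on a backup it could reach.

```python
"""Verify that a backup copy still matches a hash manifest taken at backup time.

Added example, not from the article. It assumes a simple layout: a source tree,
a manifest (relative path -> SHA-256) written when the backup was made, and a
backup copy that must be checked before it is trusted for a restore. Paths and
sample file contents below are constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against the manifest captured when it was written.

    Returns the relative paths that are intact, missing, changed, or present
    without being in the manifest. Any 'missing' or 'modified' entry means this
    copy must not be used for a restore without investigation: ransomware that
    reached the backup location typically shows up as most files 'modified'.
    """
    result = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        candidate = backup_root / rel_path
        if not candidate.is_file():
            result["missing"].append(rel_path)
        elif sha256_file(candidate) != expected:
            result["modified"].append(rel_path)
        else:
            result["ok"].append(rel_path)
    # Files in the backup that the manifest never listed (e.g. a dropped ransom note).
    for path in backup_root.rglob("*"):
        rel = path.relative_to(backup_root).as_posix()
        if path.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: take a backup, tamper with one copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("quarterly plan v3\n")
        (src / "ledger.csv").write_text("date,amount\n2018-01-02,100\n")

        manifest = build_manifest(src)
        # Offline copy: written at backup time, then unreachable from production.
        offline = Path(tmp) / "offline_copy"
        shutil.copytree(src, offline)
        # Online copy: reachable from a workstation, so malware on it could reach this too.
        online = Path(tmp) / "online_copy"
        shutil.copytree(src, online)
        # Stand-in for damage to the reachable copy: one file overwritten with
        # random bytes, one deleted, one unexpected note added (all constructed).
        (online / "ledger.csv").write_bytes(os.urandom(64))
        (online / "docs" / "plan.txt").unlink()
        (online / "README_TO_RECOVER.txt").write_text("constructed note\n")

        return {
            "offline": verify_backup(manifest, offline),
            "online": verify_backup(manifest, online),
        }


if __name__ == "__main__":
    for name, report in demo().items():
        usable = not (report["missing"] or report["modified"])
        print(f"{name}: {'USABLE' if usable else 'DO NOT RESTORE'} "
              f"ok={len(report['ok'])} missing={report['missing']} "
              f"modified={report['modified']} unexpected={report['unexpected']}")
```

The design point is that the manifest must be stored with the offline copy (or signed) rather than beside the online one, otherwise whatever rewrites the files can rewrite the hashes as well; the check is cheap enough to run as part of every scheduled restore test.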
Malware continues to evolve. Some attacks use a multi-vector swarm of different vulnerabilities to undermine protection. Such threats must be met with “integrated, collaborative, and automated security approaches that can pit swarm versus swarm,” Fortinet states, observing that good threat intelligence systems can share attack data and orchestrate effective responses from beyond proprietary enterprise infrastructure. Such systems deploy an array of protective technologies:
- Anti-exploit technologies identify executables that may have infected your systems and monitor for usage patterns that may warn an attack is taking place.
- Endpoint security systems, network protection, firewalls and email virus checkers also play their part, and all known ransomware variants should be picked up by your existing systems.
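The "usage patterns that may warn an attack is taking place" are, for ransomware, usually a single process rewriting many files with random-looking content in a short time. The script below is an added example, not code from the article or from Fortinet: it applies a sliding-window rule over file-event telemetry and raises one alert per process that crosses the threshold. The log format, the `entropy` field, the window and the thresholds are assumptions chosen for the demo, and every sample line is constructed. It also shows the classic false positive the rule must survive: a backup job writing one large archive is high-entropy too, but it touches one file in an expected compressed format.

```python
"""Flag processes whose file activity looks like bulk encryption.

Added example, not from the article or Fortinet. The endpoint-agent log format,
the per-write entropy field, and the tuning values are assumptions; the sample
lines in SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\w+) "
    r"path=(?P<path>\S+) entropy=(?P<entropy>[\d.]+)$"
)

# Tuning knobs (assumed values): alert once a process has written this many
# distinct random-looking files inside the window.
WINDOW_SECONDS = 60
MIN_FILES = 5
HIGH_ENTROPY = 7.5  # bits per byte; random data approaches 8.0

# Formats that are high-entropy by nature; not a sign of encryption on their own.
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".png", ".jpg", ".mp4", ".pdf"}

SAMPLE_LOG = [
    # Constructed: nightly backup writing one archive (high entropy, expected format).
    r"2018-03-01T09:00:00Z pid=2210 proc=backup.exe op=WRITE path=D:\backups\nightly.zip entropy=7.99",
    # Constructed: a text editor saving a plain file (low entropy).
    r"2018-03-01T09:05:10Z pid=3012 proc=notepad.exe op=WRITE path=C:\Users\ann\notes.txt entropy=4.80",
    # Constructed: one earlier random-looking write, too old to count toward the burst below.
    r"2018-03-01T09:10:00Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\a.xlsx.locked entropy=7.96",
    # Constructed: the burst; five distinct files rewritten in nine seconds.
    r"2018-03-01T09:14:02Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\q1.xlsx.locked entropy=7.97",
    r"2018-03-01T09:14:03Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\q2.xlsx.locked entropy=7.98",
    r"2018-03-01T09:14:05Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\memo.docx.locked entropy=7.95",
    r"2018-03-01T09:14:08Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\budget.csv.locked entropy=7.99",
    r"2018-03-01T09:14:11Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\photo.jpg.locked entropy=7.99",
    # Constructed: further writes after the alert must not produce a duplicate alert.
    r"2018-03-01T09:14:15Z pid=4120 proc=updater.exe op=WRITE path=C:\Users\ann\docs\more.txt.locked entropy=7.98",
    "not a log line at all",
]


def parse_event(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["entropy"] = float(ev["entropy"])
    ev["pid"] = int(ev["pid"])
    return ev


def suspicious_write(ev) -> bool:
    """A write is suspicious when its content looks random and its name does not explain that."""
    if ev["op"] != "WRITE" or ev["entropy"] < HIGH_ENTROPY:
        return False
    name = ev["path"].rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext not in COMPRESSED_EXTS


def detect(lines):
    """Return alerts as (pid, proc, window_start, sorted distinct paths).

    Per process, keep a deque of (timestamp, path) for suspicious writes, drop
    entries older than WINDOW_SECONDS, and alert once when the number of
    distinct paths in the window reaches MIN_FILES.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not suspicious_write(ev):
            continue
        key = (ev["pid"], ev["proc"])
        win = windows[key]
        win.append((ev["ts"], ev["path"]))
        while (ev["ts"] - win[0][0]).total_seconds() > WINDOW_SECONDS:
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) >= MIN_FILES and key not in alerted:
            alerted.add(key)
            alerts.append((ev["pid"], ev["proc"], win[0][0], sorted(distinct)))
    return alerts


if __name__ == "__main__":
    for pid, proc, start, paths in detect(SAMPLE_LOG):
        print(f"ALERT pid={pid} proc={proc} since={start.isoformat()} files={len(paths)}")
```

In production the response to such an alert (suspending the process, isolating the host) belongs to the endpoint platform; the value of the rule is that it keys on behaviour rather than on a known sample, which is what lets it see a variant no signature has yet been written for.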
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for the men's interest magazine Calibre Quarterly, and news editor for MacFormat magazine, the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.