RANSOM EVERY WHERE

The increased sophistication and attack velocity of ransomware has grown at an alarming rate over the last couple of years to the point where it represents the most immediate and potentially debilitating threat for organisations (and individuals). For the security sector it’s been known about for a decade or more, but given its increased availability, use and effectiveness at bypassing existing security protocols the need to take action is now. Richard Foulkes, cybersecurity consultant, suggests that, given the raised profile of the threat, education is the key factor in winning the war, against this opportunistic criminal enterprise.

Fanning the Flames
In the past ransomware was more like a DDOS attack where there may have been a particular target in mind, and if it was a more scattergun approach its effectiveness was compromised. More nuisance value, not particularly widespread and a general warning about ignoring dodgy sites and emails was often the only advice given (if any) within most organisations. In essence threat presentation and perception was way ahead of an ability to execute. What’s changed is the technology used and the attacker’s ability to be anonymously rewarded.

  • The arrival of CryptoLocker (and new age variants) brought encryption to the game and raised the stakes to devastating effect for some.
  • The appropriation of Tor (The Onion Router), originally developed for covert intelligence use and the evolution of Bitcoin has given the one thing criminals prize most – anonymity. The ability to operate and be rewarded anonymously has had the effect of pouring petrol on the fire.
  • As there is no honour among thieves, the spread of ransomware has accelerated through the sharing of technology – for a flat fee a non-hacker can have the tools to set off attacks (exploit kits, spear phishing, pen testing and sinister brute force attacks), a minimum return guarantee, often service level agreements and some form of support. It really is an ‘as a service’ operation and all enabled through the ability to remain anonymous of course.

These three accelerants have turned what was a smouldering problem into today’s raging inferno now threatening organisations and individuals creating a situation likely to become more serious unless action is taken now.

BORROW A CUE FROM NELSON MANDELA
While the headlines about compromises dominate – the recent NHS and medical sector vulnerability being a case in point – the realities are that all organisations are potentially affected and many have been and paid up, although the number taken down is rare. However, whilst the numbers who become disabled are very small, the number paying up is growing so complacency becomes a real danger here. SMB, multi-national or individual is irrelevant, attacks are indiscriminate and whilst most organisations know how attacks get in it only needs one chink in the armour to succeed – an untrained temp receptionist? It’s been seen many times before. No doubt some organisations will have robust defences and be aware of the dangers; a couple of factors need to be borne in mind:

The potential threat is huge and many may be very vulnerable given that new attackers (but growing rapidly) have immense reach and pay no heed to the ‘normal’ attack mode of entry, research, planning, they just hit out and hope to get lucky due to a minimal time to attack and execute. So, if the ability of the ‘attack force’ to grow is now cheaper and easier than ever, it may just be that, as an analogy, more crocodiles are heading to meet the wildebeests.

According to the FBI a significant minority (over 40%) of organisations affected pay up – fuelling the whole criminal endeavour. Incidentally, and this is never something we condone, but one line of thought suggests that paying is the best policy in a peculiar example of basic economics, more paying a small amount to get their business back benefits all. If pickings are many and easy, the attackers tend to be true to their word and release decryption keys, keeping the potential ransom costs low! It’s easy because they want it to be easy. Make it difficult and they’ll pluck a weaker wildebeest with little extra effort.

To fight back against this increasingly pervasive, demanding and unprincipled industry, requires a change in behaviour. A change in security behaviour and user behaviour. Perhaps the SMB sector is most vulnerable in this whole affair as they are the least likely to have up to the minute security profiles, capabilities, expertise and knowledge in house to realise the dangers and be able to know how to respond. To change behaviour do as Nelson Mandela said

“EDUCATION IS THE MOST POWERFUL WEAPON YOU CAN USE TO CHANGE THE WORLD”. BEING EDUCATED IS BEING SAFE
Education – the single most important, yet overlooked, factor in the fight against the attackers. Only by understanding the true nature of what they’re dealing with, how to combat it technologically and behaviourally within the business, and what to do once an attack occurs, an organisation be prepared and able to withstand an assault. A co-ordinated, comprehensive education programme is a must because ransomware is largely opportunistic. Denying the opportunity moves the threat elsewhere and doing it collectively diminishes the global effectiveness. The crocs start to go hungry if the wildebeest find a new, dry bed, crossing. There are several aspects to education that need to be considered for any organisations to be repellent to attackers and make their life more difficult:

  • Education of business owners about the realities of what’s coming down the line and the need to empower the security team to based on agreed plans and policies without seeking unnecessary approvals or permissions
  • Education of the security team about next generation security and why multi-layered strategies are now a reality. It’s the ‘when rather than if’ mind-set and where to go to report attacks
  • Education of users about staying vigilant, being aware and conscious of the role they play in protecting the organisation. It’s time for proper employee education programmes about what phishing email looks like for example. No longer is it good enough for a bit of general ‘water cooler’ advice to be given

Raise understanding and education and deploy an appropriate solution to raise defence levels and the resilience and security of all organisations becomes much greater. With the Things in the IoT proliferating and mobile endpoints multiplying next generation malware is only going to be more advanced and if no action is taken, far more effective initiatives like our CARM framework, allow partners to establish security need and recommend the appropriate solution to meet this, and allow for customer security to grow in line with changing needs. The CARM Framework gives customers the ability to protect, defend and react to attacks and feature solutions from vendors at the forefront of the fight against ransomware, like

SENTINEL ONE FORTINET PALO ALTO NETWORKS
CARM ensures there is the right solution for all organisations of all sizes, budgets and situations. It’s time to starve the crocodiles.
We’re all ransomware savvy at Exclusive Networks and we’ve a wealth of resources and knowledge ready to share to help make all customers aware of, resilient to, and safe from, ransomware attacks.