Carbon Black’s data shows that ransomware instances grew by more than 50% in 2016 compared to 2015. In fact, ransomware emerged as the fastest-growing malware across all industries in 2016, with major increases seen at technology companies, energy and utility companies and banking organisations, writes Eric O’Neill. As a result, we don’t expect ransomware to slow down anytime soon, and seeing as it’s on track to be a $1 billion crime in 2017, it’s still paying significant dividends for attackers.
Not only this, but ransomware is quickly evolving in terms of its sophistication as well. Payloads are increasingly infecting hundreds of machines at once. This was witnessed just last month when a string of ransomware attacks on MongoDB databases left roughly 27,000 servers compromised, with the attackers demanding significant financial reward in exchange for the stolen data.
Cyber security news was dominated in 2016 by the go-to ransomware family for attackers, namely Locky. Only released last year, Locky ransomware is typically delivered via a phishing e-mail that prompts a targeted victim to enable malicious macros via Microsoft Word. These macros then run a file that delivers an encryption Trojan, preventing the victim from accessing their files.
Following on from the file encryption, the victim receives a message with instructions on how to pay a Bitcoin ransom before they’re able to decrypt their files.
Having gained notoriety in February 2016, data shows that Locky was used in one out of every four ransomware-based attacks last year and has evolved several times since then. Most recently, attackers have been using Facebook instant messaging to spread Locky ransomware.
Prevention is the best defence
When it comes to ransomware, prevention is the most effective defence. How, then, can organisations protect themselves against ransomware?
*Back-up data regularly
Verify the integrity of those back-ups and test the restoration process to ensure it’s working. In addition to this, secure your offline back-ups. If you’re infected, a back-up may be the only way to recover your data. Ensure back-ups are not connected permanently to the computers and networks they’re backing up
Configure firewalls to block access to known malicious IP addresses and logically separate networks. This will help in preventing the spread of malware. If every user and server is on the same network, newer variants can spread
*Train your employees
Implement an awareness and training programme. End users are targets, so everyone in your organisation must be aware of the threat of ransomware and how it’s delivered
*Scan all incoming and outgoing e-mails
Scanning ensures threats are detected and executable files are prevented from reaching end users. Furthermore, enable strong spam filters to prevent phishing e-mails from reaching end users and authenticate inbound e-mail using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) to prevent spoofing
Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk
*Only assign administrative access when needed
If an end user only needs to read specific files, the user should not have write access to them
*Leverage next generation antivirus (NGAV) technology
This will actively inspect files and identify malicious behaviour to block malware and malware-less attacks that exploit memory and scripting languages
*Categorise data based on organisational value
Implement physical and logical separation of networks and data for different organisational units
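The e-mail scanning and authentication steps in the list above can be combined into one gateway-side triage check. The Python sketch below is an added example, not code from Carbon Black or the article: it reads SPF, DKIM and DMARC verdicts from the Authentication-Results header and checks attachment extensions. The gateway identifier `mx.example.org`, the extension blocklist and the sample messages are assumptions constructed for illustration.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id stamped by your own gateway
RISKY_EXT = {".exe", ".js", ".vbs", ".wsf", ".hta", ".scr", ".docm", ".xlsm"}  # assumed blocklist
VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def triage(raw: bytes) -> dict:
    """Return authentication verdicts, risky attachment names and a suggested action."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        value = str(header)
        # A sender can forge this header, so only read the copy added by our gateway.
        if value.split(";", 1)[0].strip().lower() != TRUSTED_AUTHSERV:
            continue
        for method, verdict in VERDICT_RE.findall(value):
            auth[method.lower()] = verdict.lower()
    # splitext() looks at the final extension, so "report.pdf.exe" is caught as ".exe".
    risky = [
        name for part in msg.iter_attachments()
        if (name := part.get_filename() or "")
        and os.path.splitext(name.lower())[1] in RISKY_EXT
    ]
    if risky or auth["dmarc"] == "fail":
        action = "quarantine"
    elif "pass" not in (auth["spf"], auth["dkim"]):
        action = "flag"  # no trusted evidence that the sender is genuine
    else:
        action = "deliver"
    return {"auth": auth, "risky": risky, "action": action}

def sample(auth_results: str, attachment: str = "") -> bytes:
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["Authentication-Results"] = auth_results
    m["From"] = "Accounts <accounts@billing.example.net>"
    m["To"] = "user@example.org"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("mx.example.org; spf=fail; dkim=none; dmarc=fail", "invoice.docm")))
    print(triage(sample("untrusted.example.net; spf=pass; dkim=pass; dmarc=pass")))
```

The second sample carries a header claiming a pass from a server other than the trusted gateway, so its verdicts are ignored and the message is flagged rather than delivered.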
While ransomware continues to generate headlines, it’s still only a piece of the overall malware picture. Even with its rapid growth, ransomware only accounts for 2% of total malware seen in 2016.
With ransomware attacks showing no sign of abating, it’s also essential that organisations looking to defend against ransomware in 2017 are well versed in the prevention methods presented here.
Eric O’Neill is National Security Strategist at Carbon Black