Ransomware first emerged in 2012, but variants of the idea have been around in one form or another for much longer.
Ransomware is a type of malicious software that typically displays a pop-up of some kind on the victim's computer and blocks access until a payment, or “ransom”, is made.
A lot of ransomware can be dismissed without too much trouble, but more advanced forms can encrypt individual files on a victim’s computer, making them inaccessible.
Generally speaking, ransomware seems to trouble victims more than other types of malware: where other malware causes indiscriminate disruption, ransomware feels highly personal because it directly threatens the user and plays out like a hold-up.
It can be infuriating for that reason alone, but the destruction that ransomware causes can cost a lot of money to deal with.
The largest ransomware attack of 2017 was said to be NotPetya. The US blames Russia for almost everything these days so it was not surprising that they blamed Russia for NotPetya too.
Whoever was the culprit, White House spokeswoman Sarah Sanders said NotPetya had “spread worldwide, causing billions of dollars in damage across Europe, Asia and the Americas”, according to Reuters.
Sanders laid into Russia a bit more: “It was part of the Kremlin’s ongoing effort to destabilise Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.
“This was also a reckless and indiscriminate cyber attack that will be met with international consequences.”
It may well have been Russia, or it could have been the US, or China, or some country in Europe, or even the stone-faced hackers of Easter Island. We have no idea.
But NotPetya wasn’t the only large-scale ransomware attack in 2017. Others were WannaCry, Locky, CrySis, Nemucod, Jaff, Spora, Cerber, Cryptonix, and Jigsaw.
Those are plucked from a list of top 10 “nastiest” ransomware attacks of last year, as compiled by WebRoot.com.
But rather than worry about where the ransomware originated, what’s probably much more important to the average enterprise is how to deal with ransomware with the minimum amount of disruption to everyday business activities.
To try and help in this area, EM360º has put together a list of companies you could turn to for advice and practical solutions.
Most IT companies can probably help with ransomware, but below are those who have made supporting companies with ransomware problems a special priority.
For Barracuda Networks’ SVP, International, Chris Ross, being proactive is essential. “By being proactive and preparing for every eventuality, businesses can decrease the likelihood of a successful and costly attack,” says Ross.
And while Barracuda can certainly help, Ross also suggests contacting a group called No More Ransom, which is a partnership initiative between international police and the enterprise community.
Barracuda protects the online portal of No More Ransom.
“Businesses using these initiatives have the benefit of multiple toolkits and a range of experts,” says Ross.
Matt Middleton-Leal, general manager, EMEA of Netwrix could be said to have an uncompromising attitude towards ransomware.
“Never pay the ransom,” is one of the best practices Middleton-Leal urges enterprises to consider. Other suggestions include limiting user privileges, segmenting the network, and backing up in read-only mode.
The last three are probably proactive or preventative measures, but Middleton-Leal acknowledges that: “The growing sophistication of ransomware attacks combined with new evasion techniques makes them extremely challenging to detect.”
He adds: “Withstanding a ransomware attack requires a coherent strategy focused on two objectives: firstly, speedy discovery of attacks in progress and secondly, prompt action to minimize the impact on systems, operations and data.”
Because it’s such a subtle and complex type of attack to deal with, Middleton-Leal says early identification is “critical to stopping a ransomware attack”, and he therefore advises gaining visibility into user activity in order to detect an attack in progress, where possible.
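The speedy discovery Middleton-Leal describes depends on watching user file activity for the burst pattern crypto-ransomware produces: one account rewriting or renaming many files in a short window, most of them ending up with an extension nobody uses. As an added example (not Netwrix's code or anyone else's product), here is a hypothetical Python detector run over constructed file-event records; the event format, thresholds and baseline extension set are all assumptions.

```python
"""Hypothetical detection logic: flag a user whose file writes/renames in a
short window are numerous and mostly produce a previously unseen extension."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed sample events: (ISO timestamp, user, host, action, path).
SAMPLE_EVENTS = [
    ("2018-03-01T09:00:01", "alice", "ws-17", "modify", r"C:\Users\alice\Documents\q1.xlsx"),
    ("2018-03-01T09:00:03", "alice", "ws-17", "modify", r"C:\Users\alice\Documents\notes.docx"),
]
# Constructed burst: "bob" renames 120 files to a new extension within 30 seconds.
SAMPLE_EVENTS += [
    ("2018-03-01T09:05:%02d" % (i // 4), "bob", "ws-42", "rename",
     r"\\fileserver\finance\invoice_%03d.pdf.locked" % i)
    for i in range(120)
]

# Assumed baseline of extensions normally written in this environment.
BASELINE_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt", ".pptx", ".jpg"}


def detect_outbreaks(events, window=timedelta(seconds=60),
                     min_events=50, min_new_ext_ratio=0.8):
    """Return one alert per user whose write/rename count inside `window`
    reaches min_events and whose share of non-baseline extensions reaches
    min_new_ext_ratio. Events are processed in timestamp order."""
    alerts = {}
    recent = defaultdict(deque)  # user -> deque of (timestamp, is_new_extension)
    for ts_str, user, host, action, path in sorted(events):
        if action not in ("modify", "rename", "create"):
            continue
        ts = datetime.fromisoformat(ts_str)
        ext = os.path.splitext(path)[1].lower()
        q = recent[user]
        q.append((ts, ext not in BASELINE_EXTENSIONS))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= min_events and user not in alerts:
            ratio = sum(flag for _, flag in q) / len(q)
            if ratio >= min_new_ext_ratio:
                alerts[user] = {"user": user, "host": host,
                                "first_seen": q[0][0].isoformat(),
                                "events": len(q), "new_ext_ratio": round(ratio, 2)}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_outbreaks(SAMPLE_EVENTS):
        print("ALERT", alert)
```

A rate heuristic like this also fires on legitimate bulk jobs (archiving, backup agents, migrations), so in practice the thresholds are tuned per environment and known service accounts are excluded before alerts drive an automated response.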
Trend Micro is another one of the superlarge cybersecurity companies, with a market capitalisation of around $8 billion.
And like Netwrix and many other cybersecurity companies, Trend Micro emphasises prevention as a way to deal with what it sees as a “dramatic rise of ransomware-related issues, especially the sophisticated crypto-ransomware”.
Ransomware has become more complex over time and can affect home users as well as commercial organisations, and protection has become more challenging as a result.
Trend Micro says that ransomware enters the computer or network through such things as email spam, phishing attacks, or malicious web downloads.
Trend Micro suggests that, for the highest level of protection, organizations should deploy multiple layers of protection on endpoint, gateway, and mail servers.
Check Point Software Technologies is one of the largest cybersecurity companies in the world, with a market capitalisation of around $17 billion.
The company also sets up and runs incident response teams for companies which have mission-critical operations.
Last year, its incident response teams were in the right place at the right time – or the wrong place at the wrong time, depending on your point of view – to help the UK National Health Service deal with the WannaCry and NotPetya attacks. In fact, the Check Point incident response team had set up new cybersecurity measures to deal with an attack months before WannaCry hit, and those measures prevented WannaCry from affecting the NHS computer systems Check Point was protecting.
Inevitably, your business will be affected by ransomware or malware of some type – it’s basically impossible to protect all of your systems all of the time.
Which is why getting some insurance makes sense. Finding out what can and can’t be covered by insurance would be a good start. Blending insurance with cybersecurity measures would seem to be the best way to ensure business continuity from a financial standpoint.
James Burns, cyber product leader at CFC Underwriting, says: “It’s important to note that the impact of a cyber-incident extends far beyond the initial financial loss, to the long-tail of systems repair and reputational damage.
“Although ransom fees are generally higher for larger businesses with more valuable data, smaller companies can find it just as hard to get back on their feet or simply stay in business following a similar attack.
“With any organisation affected by an attack, the priority is to be able to get back to business as quick as possible. The cost of business interruption is steep, and the insurance industry has a vital role to play, serving as a lifeline to get a business back on its feet by avoiding, or limiting the impact of, a total knockout.”
Carbon Black offers a preventative ransomware solution it calls Cb Defense, which is said to have been tested against a set of fresh and prevalent commodity, master-boot infector, file-less and other types of samples from 42 crypto-ransomware families collected in the wild.
Rick McElroy, security strategist at Carbon Black, whose background includes the US Department of Defence, says Cb Defense “stopped every sample” in those tests, which were conducted by an independent security company called MRG.
Ransomware is not your average malware, says McElroy. To protect against this ever-changing threat, Cb Defense monitors the stream of events that lead to a ransomware outbreak, uncovering it no matter what variant comes your way.
Like the rest of the companies on this list, Timico says one of the most important things to put in place in dealing with ransomware is bringing senior stakeholders onboard.
Without support from senior colleagues, some of the preventative measures may not be possible to implement.
Timico is also one of the companies which says, “Don’t pay the ransom.”
The company says, even if you do pay the ransom, it’s still highly unlikely you will get your data back, or if you do it will be in an unreadable format.
“It’s not just a case of the data loss and financial cost to the business,” says Nabeil Samara, chief digital officer at Timico.
“A ransomware attack can have a debilitating effect, with long-term consequences across the business, with the company even breaching terms of any regulatory bodies that the business holds themselves accountable to.”
Wombat Security Technologies
A cybersecurity specialist, Wombat grew out of what was claimed to be the largest national research project in the US on combating phishing attacks at the world-renowned Carnegie Mellon University in 2008.
Alan Levine, security advisor to Wombat, says that while it might be tempting to pay the ransom when confronted by ransomware, it is not advisable.
“Paying a ransom is a slippery slope,” says Levine. “After all, you can’t count on honour amongst thieves.”
He provides the example of Kansas Heart Hospital, which was hit by ransomware a couple of years ago. The hospital decided to pay the ransom, but then another payment demand was made by the same ransomware.
“It’s essential to plan ahead,” says Levine. “Data loss is too critical for an ad hoc response. Ensure that your most important data is backed up and isolated – ransomware can extend past a single machine to move laterally inside your network and compromise servers and backups, on-premise and in the cloud.
“Cold storage of mission-critical information can offer a failsafe in the face of an extreme attack. And, to stop ransomware from getting into your system in the first place, you need to actively address known vulnerabilities.
“If patching has become a pain point for your organisation, you absolutely need to figure out the source of that pain and work to ease it — no excuses.
“You should also assess your end users’ tendency to fall for a ransomware attack, because each instance is a failure of your cyber defence program. Phishing simulation tools can allow you to do this without exposing your network.”
Ivanti describes itself as a unified IT and security company, and ransomware has, understandably, been one of its main concerns, especially over the past year or so.
Simon Townsend, CTO, Ivanti, says the company has noticed that ransomware attacks follow similar patterns every time: phish user, exploit and infect the system, propagate to more systems, encrypt data on local system, post ransom and get paid.
Townsend says the answer is “layered security”, or “defence in depth”, as he calls it.
“This approach ensures that no single security control is a point of failure,” says Townsend.
“Primarily, patching is the fundamental way to reduce cyber risk because it reduces the attack surface. If your antivirus has to defend against 1,000 vulnerabilities, it will be harder-pressed than if it has to defend against 10.”
Norton is one of the largest and most well-known antivirus and cybersecurity software applications.
We could have picked any of them, and here Norton – which is owned by Symantec – sort of represents all of them. The other well-known ones are Kaspersky, BitDefender, Webroot, FireEye, and so on.
Most cybersecurity-oriented companies and applications like these tend to diligently track threats such as ransomware, providing information as well as software updates, all of which would be useful if you are intent on keeping malware out.