In acknowledgment of National Cyber Security Awareness Month (NCSAM) 2016, we at The State of Security weighed in on how organizations can leverage the right people, processes and technology to defend themselves against common IT security threats. We covered a variety of risks, including POS malware, browser vulnerabilities and stolen IT assets. Noticeably absent from our discussion was ransomware. That's because encryptors, locker malware and the like are in a whole class of their own. Not much of a surprise when you consider how prevalent ransomware infections are these days.
To illustrate, security firm Malwarebytes commissioned Osterman Research to conduct 540 surveys with organizations based in the US, Canada, Germany and the UK, and ask them about how ransomware has affected their business. More than one-third (39 percent) of organizations told Osterman they had experienced an infection between 2015 and 2016. Of those that experienced an attack, nearly an equal percentage (37 percent) decided to pay the ransom. Many more didn't, which caused anywhere from 11 percent to 82 percent of non-paying organizations to lose critical data, depending on their country of origin.
Ransomware clearly poses a threat to corporate data, which is why organizations need to invest in defending themselves against a crypto-malware infection. Here's a three-pronged approach that can help most organizations prevent a ransomware attack.
Foiling the Phish with Email Filters
To protect against ransomware, organizations must invest in anti-phishing tools. That's because ransomware often piggybacks off of phishing attacks and spam email attachments. Computer security researcher David Balaban understands the close relationship between ransomware and phishing, which is why he recommends organizations instruct their employees to avoid falling for phishing scams:
"Most ransomware infections come from spam and malicious attachments. So an ad hoc security awareness training program for employees is very important here. Instructors should emphasize the risks associated with suspicious email attachments, including rogue documents with macros."
Of course, training only goes so far, especially in light of how phishing attacks continue to grow in number and sophistication. In response to that concern, Balaban feels organizations should supplement their training with anti-phishing technology such as email filters:
"Implementing several email filters to block spam and emails with executable attachments is an effective countermeasure."
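As an added illustration (not code from the article or from anyone quoted in it), here is a sketch of the attachment check such a filter performs. It blocks on the final file extension, on a PE header hidden behind a harmless-looking name, and on macro-enabled Office formats. The extension lists, function names and sample message are assumptions made for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklists for this example; extend them to match local policy.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                  ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".ps1", ".jar"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

def classify(filename, payload):
    """Return a block reason for one attachment, or None to let it through."""
    name = filename.strip().rstrip(". ").lower()  # Windows ignores trailing dots/spaces
    ext = PurePosixPath(name).suffix  # last suffix only: "invoice.pdf.exe" -> ".exe"
    if ext in EXECUTABLE_EXT:
        return "executable extension"
    if payload[:2] == b"MZ":  # PE header: an executable renamed to look harmless
        return "executable content"
    if ext in MACRO_EXT:
        return "macro-enabled document"
    return None

def scan_message(raw_bytes):
    """Return [(filename, reason)] for every attachment that should be blocked."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        reason = classify(filename, payload)
        if reason:
            findings.append((filename, reason))
    return findings

def build_sample():
    """Constructed test message; attachment bytes are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see attached.")
    for name, data in [("invoice.pdf.exe", b"placeholder"), ("notes.txt", b"hello"),
                       ("statement.pdf", b"MZ" + b"\x00" * 16),
                       ("report.docm", b"PK\x03\x04placeholder")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```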
Anti-Malware Strategies Begin with Patching
Phishing attacks and spam mail aren’t the only distribution vectors for ransomware. Exploit kits like RIG also play an active part in spreading crypto-malware around. Unlike phishing scams, exploit kits don't rely on social engineering techniques. They instead scan computers for unpatched software vulnerabilities. If they find a juicy bug, they exploit it and leverage that attack to infect the vulnerable computer with ransomware. How can organizations defend themselves against these malicious software packages? Matthew Pascucci, security architect, privacy advocate, and security blogger, says the best defense against exploit kits is a robust endpoint security posture centered around patching:
"Companies need to review their endpoint security and determine if their anti-malware and endpoint security is up to par. This includes patching, configuration changes via GPO, etc."
Exploit kits thrive on unpatched software. Organizations that stay on top of software patches might still run into exploit kits every so often, but RIG and its buddies won't be able to find a flaw they can exploit, which means they won't be able to infect a computer with ransomware.
When All Else Fails, Back Up Your Data
Let's face it: we can't protect against every IT security threat. No matter how many defenses we might have in place, sometimes things slip past and enter our network. A well-crafted phishing email might make it past our employees, for example, or an exploit kit might abuse a zero-day vulnerability on a targeted computer. In those types of scenarios, it's useful for organizations to have thought ahead and invested in ransomware preparedness by backing up their critical data. Travis Smith, senior security research engineer at Tripwire, couldn't agree more:
"In the event of a ransomware infection, businesses may be forced with a financial decision to determine if a ransom should be paid or not. By having backups of critical data, businesses can easily restore encrypted files back to their former glory. However, backup procedures should be tested regularly to ensure the data being backed up is valid. Continuous testing of these procedures drives the overall cost of restoring data down to a point which can be lower than the typical ransom."
No one ever wants to use their data backups. But a working data recovery plan could save companies a lot of time and money in the event of a ransomware attack.
Conclusion
Ransomware is too complex a threat to be stopped by a single defensive measure. That's why organizations need to practice defense-in-depth and adopt multiple techniques, including the use of email filters, patching, and data backups, to keep their data safe from crypto-malware. We still have yet to discuss one more IT security threat for Week 1 of NCSAM. What risks do you think we've missed? How would you protect against them? Please let us know in the comments!