The year of the ransomware shakedown

The use of sophisticated prevention technology and tactics, including threat intelligence, machine learning and proactive managed hunting, will be the only combination of tools that truly supports enterprises in preventing damaging intrusions

A recent ransomware report from the Institute for Critical Infrastructure Technology (ICIT) documented that 2016 saw a resurgence of ransomware attacks that are increasingly sophisticated and stealthy.

The FBI forecasts that the haul from ransomware will peak this year, and it has now become clear that no industry is safe from being targeted.

Even critical infrastructure and healthcare have emerged as prime targets, with hospitals in the USA and Germany agreeing to pay ransoms rather than risk their patients’ lives.

What has brought on this significant increase? The ICIT report argues that the lucrative nature of ransomware attacks, combined with the fact that most enterprises lack sufficient defences, has attracted a more advanced breed of cyber criminal.


Since its emergence in 2005, the threat has now morphed into a devastatingly effective weapon wielded by a vast e-crime ecosystem, targeting organisations in almost every sector. Here are the critical reasons why organisations should be taking ransomware threats seriously:

Ransomware is constantly evolving

Whether your organisation is the victim of crypto-ransomware that encrypts files, or of a variant that overwrites the master boot record (MBR) and blocks access to the entire system, the standard solutions in place may no longer be sufficient.

New variants of ransomware are constantly being developed. Cyber criminals employ an array of techniques in order to bypass security systems.

These include deleting volume shadow copies, so that files cannot be restored from them; avoiding detection by hiding in Microsoft Office macros or JavaScript files; and obfuscating API calls to hide from analysis tools.

The adversaries who develop ransomware have become so sophisticated that many of them are offering ransomware-as-a-service, giving their less knowledgeable counterparts access to the latest exploit kits and in turn widening the pool of potential victims.

Standard security solutions are out of date

The explosion of mobile devices and the Internet-of-Things has exponentially increased opportunities for ransomware. Conventional endpoint protection that relies on signature-based detection is no longer up to the task of finding ransomware before it strikes.


By introducing solutions that use machine learning to look at behaviour-based Indicators of Attack (IoAs), businesses can understand not only where the adversary is in real time, but also where it has been and what its objectives are, and will therefore be in a better position to prevent an attack.

For ransomware, prevention is often the only recourse. Once ransomware enters undetected, data is immediately encrypted and inaccessible, or systems are locked down.

Compliance may be at stake

Most organisations retain sensitive data that is subject to some form of regulatory legislation mandating its protection. When a breach happens and data is exposed, the victim organisation is obliged to inform its customers and partners.

Organisations often incur substantial fines if HIPAA, PCI or other regulations are breached, and they risk losing customers’ trust and suffering serious reputational damage.

Ransomware attacks may not result in protected data being stolen, yet organisations are still responsible for alerting all their constituents should an attack occur.

This can have a detrimental effect on an organisation’s brand, resulting in a loss of confidence and customer loyalty.

Data recovery is no walk in the park

The cost and complexity of recovering files after a ransomware attack is the prime reason many companies, particularly smaller organisations like regional banks and credit unions, decide to pay the ransom.

Even with a comprehensive backup system, more and more attacks target backup servers and infrastructure. Though the attack may begin on one laptop, the ransomware can reach other systems connected to that device, resulting in a costly drain on IT resources as they struggle to pinpoint and contain the damage.


Even worse, if organisations are the victim of a new ransomware variant that’s able to delete their backup files, recovery won’t be an option.

Since ransomware kits are now readily available on the Dark Web, there have even been cases where some less savvy hackers were unable to decrypt files, even after the ransom was paid.

A new approach to ransomware protection

The frequency and blatant nature of ransomware attacks clearly demonstrate that these threats won’t be defeated by standard security solutions alone.

While deploying standard defences such as blocking known threats, patching vulnerabilities and detecting indicators of compromise (IoCs) is a critical first step, a more advanced approach is required.

Many of the legacy tools end-users have in place at present cannot aggregate intelligence and look for anomalous behaviour across the enterprise to help them identify IoAs.

Lacking visibility into endpoints that are continuously monitored, businesses cannot quickly identify malicious activity in order to isolate and mitigate the impact on their network.

Unlike IoCs, IoAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.


Next-generation anti-virus solutions have the ability to protect against both known and unknown malware, and even against attacks that don’t use malware at all.

Collected activity information can then be analysed and correlated against billions of known events across the enterprise, spotting anomalies and detecting IoA patterns to determine whether an attack is underway.
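The IoC-versus-IoA distinction above, as an added illustration that is not from the article or from CrowdStrike: a hash-based IoC check is run beside two behaviour-based IoA rules over constructed process-creation telemetry (the hostnames, file names and hashes are made up), and hits are correlated per host. The IoA rules cover two of the techniques the article names, shadow-copy deletion and a script host launched from an Office macro.

```python
import re
from dataclasses import dataclass
from collections import defaultdict

@dataclass
class ProcessEvent:
    host: str
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str
    sha256: str

# Constructed sample telemetry; hosts, file names and hashes are hypothetical.
EVENTS = [
    ProcessEvent("ws-01", "explorer.exe", "winword.exe", "winword.exe invoice.docm", "a1" * 32),
    ProcessEvent("ws-01", "winword.exe", "wscript.exe", "wscript.exe details.js", "b2" * 32),
    ProcessEvent("ws-01", "wscript.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet", "c3" * 32),
    ProcessEvent("ws-02", "explorer.exe", "notepad.exe", "notepad.exe notes.txt", "d4" * 32),
]

# IoC: a catalogue of hashes of samples seen before. Placeholder value, not a real indicator.
KNOWN_BAD_HASHES = {"00" * 32}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}

# IoA rules describe intent (inhibit recovery, run code from a document), not a specific binary.
IOA_RULES = [
    ("recovery-inhibition",
     lambda e: e.image == "vssadmin.exe" and re.search(r"delete\s+shadows", e.cmdline, re.I) is not None),
    ("office-spawns-script-host",
     lambda e: e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS),
]

def ioc_hits(events):
    """Events whose hash matches a known sample; misses anything new or repacked."""
    return [e for e in events if e.sha256 in KNOWN_BAD_HASHES]

def ioa_hits(events):
    """(rule name, event) pairs for every behavioural rule that fires."""
    return [(name, e) for e in events for name, rule in IOA_RULES if rule(e)]

def hosts_under_attack(events, min_distinct_ioas=2):
    """Correlate hits per host: several distinct IoAs on one host indicate an attack chain."""
    seen = defaultdict(set)
    for name, e in ioa_hits(events):
        seen[e.host].add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_distinct_ioas)

if __name__ == "__main__":
    print("IoC hits:", len(ioc_hits(EVENTS)))
    print("IoA hits:", [(n, e.host, e.image) for n, e in ioa_hits(EVENTS)])
    print("Hosts under attack:", hosts_under_attack(EVENTS))
```

The unseen binaries produce no IoC hit at all, while the two IoA rules fire on ws-01 and the per-host correlation singles it out.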

The use of sophisticated prevention technology and tactics, including threat intelligence, machine learning and proactive managed hunting, will be the only combination of tools that truly supports enterprises in preventing damaging intrusions.

Sourced by Mike East, VP of sales, EMEA, CrowdStrike
