If you thought it was bad when the FBI reported last year that ransomware was on the rise, you should read the forecasts for this year. According to SonicWall’s most recent Annual Threat Report, “ransomware attacks grew 167 times since 2015, from 3.8 million in 2015 to 638 million in 2016.”
This year, TrendMicro sees a 25-percent growth in the number of new ransomware families available for use in breaches. Reports of the encroachment of ransomware on government, law enforcement, critical infrastructure, and health and safety are already climbing.
CSO details the victims, ransomware and what has changed, what is at stake, and how to shunt ransomware attacks.
Ransomware revolution: victims unlimited
Several factors affect what entities attackers choose as they use ransomware more profitably. Whether an organization oversees lots of critical data or infrastructure is a factor. “Dated systems that contain vulnerabilities that the industry did not consider when the systems were developed control a great deal of critical infrastructure,” says Brandon Gunter, IT consulting senior manager at Moss Adams.
These vulnerabilities and the severity of encrypting critical infrastructure are attractive to criminal hackers. In July, RockwellAutomation reported a ransomware attack on the “manufacturing automation industry” in the form of a malicious file named “Allenbradleyupdate.zip” containing ransomware malware. These incidents are already occurring.
The ability to affect larger numbers of people is a factor. “Every government branch has millions of Americans’ data. The DMV has plenty of PII,” says Tyler Moffitt, senior threat research analyst at Webroot. Surround those millions of records with ransomware and either the DMV will have to effectively recover it or pay the ransom to avoid the damage to Americans. Ransomware took down more than 2,000 San Francisco Municipal Transportation Agency fare payment systems for subway trains in November, leaving passengers abandoned.
The urgency with which agencies must restore access to data and systems is a factor. “Consider a ransomware attack on a police network or 911 dispatch center, making those civil functions inoperable could result in many criminals getting away with preventable crimes,” says Kevin Hyde, managing director at Layer8. Driven to get back online, these agencies could be tempted to pay a ransom quickly. Ransomware has been hitting police departments since 2013. Some ransomware is “so impenetrable that even FBI agents have at times advised victims to just pay up and get their data back.”
The list of organizations and systems affected by some or all of these factors is lengthy. The list includes the Department of Defense, financial institutions, large retailers, power grids, water treatment plants, government agencies, law enforcement, and street security cameras, which comprise critical infrastructure and/or house valuable data, according to our experts.
What has changed?
Larger sites and companies are increasingly more attractive victims of ransomware for many reasons. It has been feasible for ransomware to enslave critical infrastructure since the industry began connecting its vulnerable control systems to the internet. The growing prevalence of IoT and the mounting pressure to manage systems more effectively is leading the industry to purposefully or unintentionally connect many critical systems to the internet through backend organizational networks, putting them at risk, says Gunter.
Meanwhile, bigger and more profitable ransomware targets have become appealing to attackers as profit from other areas levels off or declines. “Data breaches have become so prevalent that cyber criminals have had difficulty finding buyers of data on the Dark Web. So, they are turning back to the victims themselves to sell back their stolen or encrypted data,” says Justin Fier, director of cyber intelligence and analytics at Darktrace.
Company functionality, reputations, and profitability are at stake with ransomware. “Ransomware encrypts essential documents such as customer data or for example the labeling machine required for shipping out products,” says Moffitt. What is a company to do when it can’t maintain trust with customers and can’t deliver its goods?
Public health and safety are at risk with ransomware. “The next generation of ransomware will focus on denying basic resources such as clean water, electricity, gas, and sewer systems,” says Gunter. Some degree of societal breakdown is foreseeable here.
Consumer confidence, privacy, and identities fall victim to ransomware. “We are entering an era of trust attacks where threat actors work to undermine credibility and faith in our institutions. If consumers can’t trust an organization to keep their PII secure, how does the company recover?” asks Fier, who held mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems, and Abraxas.
Time, effort, and investment are all at stake. “Companies can sink significant resources into recovering from a ransomware attack as with any other kind,” says Hyde. So you pay whether you pay the ransom or simply suffer the impact of lost data.
More ransomware? No, thank you!
Since ransomware will eventually find your enterprise, prepare by implementing an information security governance model that you align with the business objectives and the risk assessment of an organization, says Gunter, who held security positions with Deloitte, KPMG, and Clearwire. “Use a security road map, implementation strategy, and security breach response plan to better protect critical systems and drive down risk."
The enterprise should then continually identify risks as these occur, implement risk remediation and mitigation strategies, secure operations, monitor and identify new risks, and come full circle to update and improve the security strategy and road map, explains Gunter.
Enterprises should then take several practical steps down-in-the-trenches to mitigate ransomware, including mature endpoint security measures. “Reputable, multilayered endpoint security that protects web browsing, controls outbound traffic, safeguards system settings, proactively stops phishing attacks, and continuously monitors the individual endpoint can prevent malware infections and ransomware,” says Moffitt.
The business should ensure that its business continuity/disaster recovery plan and backup and recovery tools are entirely separate from the data and systems that could fall under attack by ransomware. “There are many automated on-site and cloud-based backup solutions that will leave you with options even if ransomware hits network drives,” says Moffitt.
There are measures to address ransomware that starts with phishing emails that contain macros, which prerecord commands that will run automatically, in this case unleashing malware and, ultimately, ransomware attacks. You can disable macro functionality in the trust center in Microsoft Office.
There are maneuvers for isolating harmful file activities. In Microsoft Windows, you can use policy settings to restrict actions by potentially malicious files with specific extensions, such as .exe for executable files, inside directories where this presents a risk during a ransomware infection. “It’s not 100-percent effective, but if you can reduce the number of variants that could pose a threat by even 20 percent, it will be well worth the investment,” says Moffitt.
Ransomware attacks can include abuses of the Remote Desktop Protocol (RDP) port, port #3389. By changing the port assignment for remote desktop applications and encrypting it where possible, you can mitigate exploits that use this vector, according to Moffitt.
There are solutions in addition to backups for organizations whose data is already locked. Resources such as No More Ransom can help enterprises to unlock encrypted systems using keys and software tools that can (in some cases) decrypt locked data.
User education is always a necessity and a great opportunity to make a dent in the user errors that make these attacks possible. “Malware will continue to thrive and be a viable business as long as staff are unaware and uneducated about the risks of the internet. Providing the basics will protect users at home and in the office,” says Moffitt.
According to Hyde, who brings extensive experience with the National Security Agency and U.S. Cyber Command, enterprises should whitelist good sites, blacklist known bad sites, and continually update these based on suspicious traffic. “The enterprise should invest in applied forensics and threat intelligence services, lock down user accounts, prevent writing to system files and settings, and keep a detailed image of base computer systems for immediate deployment,” says Hyde.
“Ransomware is devastating and damaging regardless of the target,” says Fier. Future attacks on critical infrastructure and business reputations could end some companies and degrade our quality of life.