Ransoms, in whatever guise, have been around for many years and remain an incredibly effective way for criminals to get what they want. Ransomware is no different to other forms of blackmail and exploitation, simply the same rules applied to the digital era. With ransomware, attackers can threaten to take down or deface a website, lock a company out of its servers using encryption or release sensitive corporate data unless victims pay a ransom.
Indeed, ransomware has been dubbed the fastest growing ‘industry’ in IT security, affecting big and small organisations alike, in every industry. Unlike more targeted attacks or malware with espionage-related goals, ransomware is opportunistic and generally not targeted at any specific individual or organisation. Ransomware is typically delivered via phishing emails, drive-by downloads, or malvertising. Anyone with an email address or a web browser is a potential victim and ransomware’s growth in popularity is not random. There are several factors which are enabling this growth, and will continue to do so.
In recent years, sophisticated encryption technology has become more prevalent and more accessible. Operating systems now have built-in encryption capabilities to leverage and encryption as a whole has improved. This not only makes legitimate encryption easier, but it makes a ransomware author’s job easier as well. This has led to the most effective form of ransomware: crypto-ransomware.
Another contributing factor is anonymity. Anonymous networks has made it far easier to obscure the path from the victim machine back to the server and ultimately the perpetrator. For the cybercriminal, the path to profit is clear and direct with the risk of payments being traced to the payee being very low. Bitcoin has become the currency of choice. Not regulated by any government, and, with Bitcoin laundries readily available, cybercriminals can essentially take payments directly from their victims and escape identification.
However, hope is not entirely lost for businesses looking to combat these threats and prevent a ransomware attack. The following preventative measures should be considered:
- Application control is a highly effective defence against ransomware. By closely managing devices and only allowing IT approved applications to run, regardless of how ransomware finds its way onto a computer, it will not be able to execute unless it is specifically authorised as it will effectively be blacklisted. Some application control/whitelisting software also covers memory injection protection against advanced in-memory exploits, where the ransomware is delivered through a drive-by download and tries to exploit a vulnerability in the browser or a browser plug-in such as Flash or Java.
- The next effective defence against ransomware is to keep systems’ fully patched. All ransomware needs is to find and exploit some vulnerability that hasn’t been remediated due to the turning off of automatic updates. Most exploits are of vulnerabilities for which a patch has been issued by the vendor, i.e. Microsoft. With a patch and remediation plan in place, a business can automatically identify and patch operating systems, Microsoft security and non-security vulnerabilities, third-party applications and mobile devices.
- User education is another valuable tool in preventing ransomware attacks. Commonly, ransomware is delivered as a PDF, ZIP, or DOC file attached to a phishing email. The believability of phishing emails has increased, and busy users are likely to click on the attachments without a second thought. Educating users about which phishing emails are being currently circulated, going directly to websites rather than clicking links, and not opening attachments is a good start in reducing the number of successful infections.
- Enforcing secure browser configurations will also contribute to a strong defence against Any settings related to third-party websites should be restrictive, as well as any tracking settings. Consider prompting for some plug-ins rather than allowing them to execute automatically.
By Matthew Walker, Vice President Northern Europe at HEAT Software
