7 steps to guard against ransomware attacks
Predicting the future of the internet that uses sensitive and personal information as its fuel is not for the faint of heart.
One dystopian prediction is an Internet of ransomed things full of hijacked smart devices. And the burning question we will all face is, "To pay, or not to pay?"
Paying may look like the easy decision, and for an organization caught unprepared it may be the only viable option. But paying carries a cost beyond the ransom itself: it rewards criminal activity and strengthens the incentive for further attacks across the industry. Nor does payment guarantee recovery, as WannaCry and NotPetya showed. Some malware families, nicknamed "Boneidleware" and "leakerware", are disguised as ransomware but are built to destroy or steal data, leaving no recourse even if the ransom is paid.
To put an end to ransomware, or at least slow it, we have to look at how it gained popularity and momentum. It has evolved over three decades, picking up capabilities along the way: it is now easier to spread, better at encryption, and more creative at monetizing attacks. Dozens of variants use different encryption schemes and different exploits to deliver the payload, which makes them harder to track or stop.
Ransomware started off as scareware: malware that threatened to report the victim's IP address, embarrassing browser history, or a webcam photo to the "Cyber Police" unless a payment was made, or that demanded payment for fake antivirus software. Next came lockers that blocked access to the PC, followed by variants that overwrote the Master Boot Record so the machine could not boot, or that encrypted specific file types. More recently, criminal platforms offering "Ransomware as a Service" have lowered the bar further.
For a cut of the profits, these platforms let the buyer customize the ransom message, the payload, and the payment address. And as devices proliferate, the attack surface expands with them. Last year, white-hat researchers demonstrated the first proof-of-concept ransomware that locked a smart thermostat and demanded payment.
Mobile ransomware is also growing rapidly, mostly through fake video apps that lock the device. This type of ransomware denies access to both business and personal data on devices whose ownership straddles the line between the employee and the company. Rooted and jailbroken devices are the most susceptible, because unvetted apps and customizations can be installed from underground app stores that bypass the platform's review process.
As ransomware evolved, the campaigns did as well. Campaigns that previously took months and years of preparation are now executed in a matter of hours and days. They are launched from virtual encampments within the safety of “bulletproof hosting providers” in countries where cybersecurity policies and laws are lax, search warrants are not honored, or extradition agreements are not in place.
Bulletproof providers, compromised IT servers, and more recently, cloud hosting providers house the command and control servers, exploit kits, data stashes, and dark net markets — the weapons and spoils of a cyber war. A war that is waged campaign by campaign, in large part by criminal organizations driven by financial gain. Your data has value – preventing you from accessing it is a deceptively simple way to fund a criminal organization. From their bases, cyber criminals build their siege engines and launch their attacks, quickly adapting as needed.
For example, the botnets behind the plague of pharmaceutical spam are the same ones now distributing ransomware. Because that delivery infrastructure is reusable, adversaries can turn out strain after strain of ransomware, and the rate and pace of attacks will keep accelerating. Yet for all the innovation, modern ransomware is still mostly spread the same way: targeted or spam emails carrying malicious attachments or links to infected web sites. If it ain't broke, cyber criminals will keep using it.
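Because the attachment is still the dominant delivery vehicle, a mail gateway or endpoint filter can reject most of it with static checks before any user sees it. The following Python is an added example written for this page, not code from the original article. It flags executable extensions, double extensions such as invoice.pdf.exe, macro-enabled Office types, a PE header hiding behind a document extension, and zip archives (including OOXML documents, which are zips) that contain executables or an embedded vbaProject.bin. The attachment names and bytes are constructed samples, and the extension lists are illustrative rather than a complete policy.

```python
import io
import zipfile

# Extensions Windows executes directly on double-click (illustrative list for this
# example; a production filter would take it from policy).
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".wsh", ".hta", ".ps1", ".jar", ".lnk", ".msi",
}
# Office formats that are permitted to carry VBA macros.
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# An OOXML document is a zip; if one of these parts is inside, a VBA project is
# embedded regardless of what the outer extension claims.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def _exts(name):
    """All lowercase extensions of a file name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def _inspect_zip(data):
    """Look inside a zip (plain archive or OOXML) for executables and VBA projects."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member in VBA_PARTS:
                    reasons.append(f"VBA project embedded ({member})")
                inner = _exts(member)
                if inner and inner[-1] in EXECUTABLE_EXTS:
                    reasons.append(f"executable inside archive ({member})")
    except zipfile.BadZipFile:
        reasons.append("zip signature but unparseable archive")
    return reasons


def classify_attachment(filename, data):
    """Return the list of rules the attachment trips; an empty list means nothing matched."""
    reasons = []
    exts = _exts(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(exts) >= 2:  # invoice.pdf.exe: a document extension used as camouflage
            reasons.append(f"double extension {''.join(exts)}")
    if last in MACRO_ENABLED_EXTS:
        reasons.append(f"macro-enabled Office type {last}")
    if data.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        reasons.append("PE header under a non-executable extension")
    if data.startswith(ZIP_MAGIC):
        reasons.extend(_inspect_zip(data))
    return reasons


def _build_zip(members):
    """Construct an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments: minimal OOXML skeletons, a fake PE stub, a zip with a
# script inside, and a benign JPEG header. None of it is real malware.
SAMPLES = {
    "quarterly_report.docx": _build_zip({"[Content_Types].xml": b"<Types/>",
                                         "word/document.xml": b"<w:document/>"}),
    # a .docm renamed to .docx: the VBA part is still inside the zip
    "invoice.docx": _build_zip({"[Content_Types].xml": b"<Types/>",
                                "word/document.xml": b"<w:document/>",
                                "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "invoice.pdf.exe": b"MZ\x90\x00",
    "scan.zip": _build_zip({"scan.js": b"// downloader stub (constructed placeholder)"}),
    "photo.jpg": b"\xff\xd8\xff\xe0",
}


def triage(samples=SAMPLES):
    """Classify every sample; returns {filename: [reasons]}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(f"{name}: {'BLOCK: ' + '; '.join(reasons) if reasons else 'allow'}")
```

The checks are deliberately content-based where they can be: the renamed .docm is caught by the vbaProject.bin part, not by its extension, and a PE file is caught by its MZ header whatever it is called. A filter that trusts the extension alone is exactly what double extensions and renamed files are designed to beat.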
To protect against ransomware, we need to harden the target – harden the users, harden the apps and harden the data.
Just as in traditional warfare, cyber warfare requires preparation: reduce the attack surface, protect against vulnerabilities, and contain the blast radius. It calls for a security architecture built from the ground up to protect the users, apps, and data being targeted. But the most important, and probably the easiest, defense against ransomware is to make the ransom pointless by keeping up-to-date backups and regularly testing that they actually restore. A backup that has never been restored is an assumption, not a control.
As new and creative methods of ransoming, hijacking, and extorting are being devised, there are a few additional steps that will help put a stop to, or at least slow, the explosive growth of ransomware:
- Back up – Keep at least three copies of your data, on two different types of media, with one copy offsite in case of physical theft or disaster. Make sure at least one copy is offline or otherwise not writable from production systems: ransomware that can reach a mounted backup share will encrypt it along with everything else. Test restores on a schedule.
- Educate – Raise individual and organizational awareness of unsolicited and suspicious emails and web links; the attachment and the link are still how most campaigns get in.
- Privilege – Operate under a model of least privilege. Reduce user privileges and do not run everyday applications, the mail client, or the browser as an administrator; ransomware runs with the rights of whoever opened the attachment. Change the default administrator names and passwords on all hardware and software, and delete unused default accounts, before the system goes into service. Otherwise you leave an easy back door open.
- Sandbox – Isolate the email client and web browser using virtualization or a cloud-hosted remote browser, so that a malicious attachment or page detonates in a disposable environment rather than on the host. This prevents, or at least reduces the likelihood of, ransomware reaching the file system and spreading to other machines.
- Block – Move from blacklisting to whitelisting: allow only known-good domains and applications rather than blocking only known-bad ones. A deny list always trails the attacker, whereas an allow list blocks a newly registered malicious domain or an unknown executable by default.
- Contain – Build security zones using network segmentation, trust levels, and access controls, so that one infected host cannot reach every file share and every subnet. This limits the blast radius when a machine is compromised.
- Harden – Patch and lock down the OS and critical applications, and disable macros and active content in document viewers, so that merely opening a file cannot run attacker code. That closes the most common path ransomware uses to get its first foothold on a machine.
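Backups only negate the ransom if they are verified and out of the attacker's reach; a backup share the infected host can write to is encrypted along with everything else. The script below is an added example written for this page, not code from the original article. It snapshots a directory, records SHA-256 digests in a manifest authenticated with an HMAC whose key is assumed to be held off the protected host (a hypothetical placeholder key is used here), and then re-verifies the copy so that a file encrypted or renamed in place is reported instead of being silently "restored". The source files and the tampering are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Relative paths of every regular file under root, excluding the manifest itself."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel != MANIFEST:
                yield rel


def snapshot(src, dest, key):
    """Copy src to dest and write a manifest of digests, authenticated with HMAC-SHA256.
    Assumption: key is stored somewhere the backed-up host cannot write, so an intruder
    who re-encrypts the backup cannot also forge a matching manifest."""
    shutil.copytree(src, dest, dirs_exist_ok=True)
    digests = {rel: _sha256(os.path.join(dest, rel)) for rel in sorted(_walk(dest))}
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump({"files": digests, "hmac": tag}, f)
    return digests


def verify(dest, key):
    """Re-hash every file in the backup and compare with the manifest. Returns (ok, problems)."""
    problems = []
    try:
        with open(os.path.join(dest, MANIFEST)) as f:
            manifest = json.load(f)
    except (OSError, ValueError):
        return False, ["manifest missing or unreadable"]
    recorded = manifest.get("files", {})
    body = json.dumps(recorded, sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        problems.append("manifest HMAC mismatch (manifest tampered or wrong key)")
    present = set(_walk(dest))
    for rel in sorted(set(recorded) | present):
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif rel not in recorded:
            problems.append(f"unexpected file: {rel}")
        elif _sha256(os.path.join(dest, rel)) != recorded[rel]:
            problems.append(f"content changed: {rel}")
    return not problems, problems


def run_demo():
    """Constructed scenario: back up two files, verify, then simulate ransomware
    that reached the backup and encrypted one file and renamed another."""
    key = b"offline-verification-key"  # hypothetical placeholder; keep the real one off-host
    work = tempfile.mkdtemp()
    src, dest = os.path.join(work, "src"), os.path.join(work, "backup")
    os.makedirs(os.path.join(src, "docs"))
    with open(os.path.join(src, "docs", "ledger.csv"), "w") as f:
        f.write("2017-01-01,invoice,1200\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("quarterly planning\n")
    snapshot(src, dest, key)
    clean = verify(dest, key)
    with open(os.path.join(dest, "docs", "ledger.csv"), "wb") as f:
        f.write(os.urandom(64))  # stands in for the encrypted contents
    os.rename(os.path.join(dest, "notes.txt"), os.path.join(dest, "notes.txt.locked"))
    tampered = verify(dest, key)
    shutil.rmtree(work)
    return clean, tampered


if __name__ == "__main__":
    before, after = run_demo()
    print("clean backup:", before)
    print("after tampering:", after)
```

Run it and the second verification lists the encrypted file, the missing original, and the renamed copy; a restore job should refuse to proceed on any of those. The HMAC is what stops an attacker with write access to the backup from simply regenerating the manifest after encrypting the data, which is why the key has to live somewhere the compromised host cannot reach.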
In the end, we depend on an Internet of connected smart devices that can be hijacked and our data held for ransom. We must prepare and fortify ourselves so that paying the ransom is never our only option.