Simplified Cyber Security

Ransomware – The latest hit on the Cyber crime billboard

Every other news item in cyber security is about a ransomware attack: either an organization has been hit, someone is releasing a decryption key for an attack, or someone is asking for one. In fact, ransomware is among the most discussed topics in the security sphere. Symantec reported a 35% increase in ransomware incidents in 2015, and that figure will be surpassed in 2016 given all the cases we are seeing globally.

Why all the hype?

By definition, ransomware is malware that infects a computer system and denies the user access to it. The attacker then demands a ransom in exchange for giving the user access back, hence the name “ransom-ware”. The attacker encrypts files (or the entire drive, in the case of Petya), and to be provided with the key/password to decrypt the infected system the user has to pay a ransom, mostly in the form of Bitcoin. Of course, it is never assured that access will be restored, and even more scary is the possibility that the attacker holds on to systems and data even after the ransom has been paid. Some of the nasty ransomware reported includes CryptoLocker, Locky, SAMSAM, Jigsaw, TeslaCrypt 3.0 (it even has versions!), Petya etc.

Ransomware is gaining popularity among cyber attackers because of the immediate and almost guaranteed reward. The attacker hits a ‘soft spot’ for both organizations and individuals. Just like denial of freedom, the attacker knows that the target is desperate to regain access to their systems and data and is therefore willing to pay the ransom. It’s easy money for the attacker, and just like any business they need to maintain customer loyalty and get ‘good’ referrals. If an organization pays X Bitcoin when a branch office is hit, then when the ransomware hits the entire organization the ransom will be projected from that previous payment. The same applies across an industry: if one organization is hit and pays, the attacker can predict what other players in the same industry can pay. Ransoms in the range of 40 Bitcoin (approx. $17,000) have already been paid out for a single incident, and this figure is on the rise.

The attacker also takes advantage of the panic. Just like in a hostage situation, fear is being sold, and the more fear is instilled the higher the chance of the ransom being paid. In addition, the attacker gives victims a deadline to pay or face consequences: files deleted, confidential information leaked, etc. For an enterprise, locked-down systems mean it can’t transact, which translates into losses and, of course, lost credibility with stakeholders. Secondly, there is the anxiety of knowing that your critical data is in the wrong hands and you are not sure of their intentions. Lastly, organizations weigh the cost of paying the ransom against the value of their data, and paying makes more sense than dealing with the consequences. Unfortunately, while this is happening the ransomware gains popularity; the attackers move on to the next victim and hike the ransom given their previous successful attacks.

Easy to deploy

It’s no surprise that most ransomware is sent out in the form of phishing emails with links to download files/programs that carry the payload. It could also take the form of ‘scareware’: a fake notification that your system is infected with malware, or that the client is running a non-genuine version of Windows or other apps. The attacker then provides a download to resolve the issue, which in actual fact installs the ransomware. Social engineering proves to be the easiest form of attack, and success is all but guaranteed when the victim’s emotions are played on.

The healthcare industry seems to be the most targeted, for obvious reasons. To serve patients, a hospital needs to keep referring to medical history, insurance cover, pharmacy inventory etc. In a ransomware attack, hospital operations are crippled, which again explains why they may opt to pay the ransom so as to resume operations. Secondly, the healthcare industry has never generated that much interest on the deep web, and in most cases it has had its guard down in regard to cyber security. However, cyber attack disruption is here to stay, and it is prudent for all industries to be prepared for the worst.

Back to the basics

It goes without saying that organizations can prevent ransomware attacks. It’s cheaper and less stressful to implement security measures that prevent an attack than to have to pay a ransom to some crooks.

  • Backup your systems – It’s not enough to back up systems; it is just as important to test the integrity and usability of the backup. The attacker can decide to lay low so as to get into the system backups. Secondly, keep data and system backups separate: the ransomware could target either, as in the case of Petya, which manipulates the MBR (Master Boot Record) and takes over the boot process. A separate data backup can be restored to different hardware without carrying the ransomware with it.
  • Least privilege – Limit users’ access to what their job description requires. Admin rights should be locked down, as a single user could betray the entire enterprise’s security by installing whatever they are prompted to.
  • Get the right tools – Security analytics and threat intelligence tools will be able to pick up unusual activity and may detect the ransomware in good time. Your traditional anti-virus may not save you, given how far the threat has advanced.
  • Patch/update your systems – Ransomware can also take advantage of vulnerabilities in your systems. It’s interesting to note that organizations don’t patch because it’s too tedious; we’ll wait till someone demands a ransom!
  • Cyber risk insurance – It’s high time to transfer the risk. Let your insurer cater for negotiations and ransom payments. Let it not be your pain.
  • Security awareness training – We can’t run away from this one. Educating and engaging users on social engineering tactics could save the organization. A wrong click by one user can put you on the highway of ransomware victims.
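The “Get the right tools” point above talks about picking up unusual activity. What that looks like in practice, as an added example that is not from the post or any product, is a behavioural rule over file-activity events: a process that touches many distinct files within a short window and renames nearly all of them to one new extension gets flagged, while a word processor repeatedly saving a single document does not. The event line format, the process names and the thresholds (window, file count, extension share) are all constructed for illustration.

```python
"""Behavioral detection over file-activity events, as an added example of the
'pick up unusual activity' idea: a process that touches many distinct files in
a short window, renaming nearly all of them to one new extension, is flagged.
This is illustrative heuristic logic, not any product's rule; the event lines
below are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime
from pathlib import PurePosixPath

# Constructed events: "timestamp host user process action path [new_path]"
SAMPLE_EVENTS = [
    "2016-06-01T09:00:01Z ws-12 jdoe WINWORD.EXE write /home/jdoe/docs/report.docx",
    "2016-06-01T09:00:30Z ws-12 jdoe WINWORD.EXE write /home/jdoe/docs/report.docx",
    "2016-06-01T09:05:00Z ws-12 jdoe backup-agent write /home/jdoe/docs/report.docx.bak",
] + [
    f"2016-06-01T09:10:{i:02d}Z ws-12 jdoe invoice.pdf.exe rename "
    f"/home/jdoe/docs/file{i}.docx /home/jdoe/docs/file{i}.docx.locky"
    for i in range(10)
]


def parse_event(line: str) -> dict:
    """Split one whitespace-separated event line into its fields."""
    parts = line.split()
    ts, host, user, proc, action, path = parts[:6]
    new_path = parts[6] if action == "rename" and len(parts) > 6 else None
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "user": user, "proc": proc, "action": action,
        "path": path,
        # Extension the file carries after a rename, e.g. ".locky"
        "new_ext": PurePosixPath(new_path).suffix if new_path else None,
    }


def detect(lines, window_s: int = 60, min_files: int = 8, ext_share: float = 0.8) -> list:
    """Sliding-window rule per (host, process): alert once when at least
    min_files distinct files are written or renamed within window_s seconds and
    a single new extension accounts for ext_share of those events.
    Writes count toward the file threshold; only renames carry an extension."""
    windows = defaultdict(deque)   # (host, proc) -> recent (ts, path, new_ext)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in ("write", "rename"):
            continue
        key = (ev["host"], ev["proc"])
        q = windows[key]
        q.append((ev["ts"], ev["path"], ev["new_ext"]))
        # Drop events that fell out of the window.
        while (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if key in alerted:
            continue
        distinct_files = {p for _, p, _ in q}
        if len(distinct_files) < min_files:
            continue
        exts = Counter(e for _, _, e in q if e)
        if not exts:
            continue
        top_ext, top_count = exts.most_common(1)[0]
        if top_count / len(q) >= ext_share:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "user": ev["user"], "process": ev["proc"],
                "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat(),
                "files": len(distinct_files), "extension": top_ext,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the rule fires once, at the eighth rename by the suspicious process, and stays quiet for the word processor and the backup agent. A real deployment would tune the thresholds per host role and whitelist known bulk-rename tools, since the same pattern is produced by legitimate archivers and backup jobs.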

After an attack, thoroughly do a health check on your systems to determine what the attacker had access to and ensure their footprint is gone. Learn your weaknesses from the incident and endeavor to improve your security posture.
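Both the backup bullet above (test the integrity of the backup) and this post-incident check come down to knowing whether a backup is still the one you made. The following is an added example, not code from the post: it builds a SHA-256 manifest of a backup set and later verifies a copy against it, reporting files that changed, disappeared or appeared, and flagging a changed file whose contents now look random, which is what in-place encryption leaves behind. The sample backup, the file names and the entropy threshold are constructed for illustration; the manifest would be kept apart from the backup it describes.

```python
"""Backup integrity check, as an added example: build a SHA-256 manifest of a
backup set, then verify a later copy of it against that manifest. Files that
changed, went missing or appeared are reported, and a changed file whose bytes
now look random (high entropy) is flagged as likely encrypted, which is what a
ransomware-touched backup usually looks like. The sample backup is constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 8.0 for ciphertext or random data,
    well below that for text, CSV and most documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup under root with a trusted manifest and classify each file."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "likely_encrypted": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
            # A rewritten file that is now near-random is the signature of
            # in-place encryption rather than a legitimate edit.
            if byte_entropy((root / rel).read_bytes()) >= entropy_threshold:
                report["likely_encrypted"].append(rel)
    # Files present now but absent from the manifest (e.g. dropped ransom notes).
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario: take a manifest of a clean backup, then tamper with
    the backup the way a ransomware run would, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        (backup / "records" / "patients.csv").write_text(
            "id,name,insurer\n1,Jane Doe,Acme Health\n" * 50)
        (backup / "records" / "inventory.csv").write_text("sku,qty\nA100,12\n" * 50)
        (backup / "readme.txt").write_text("Nightly data backup of the records share\n")
        manifest = build_manifest(backup)

        # Simulated damage: one file encrypted in place, one deleted, a note dropped.
        (backup / "records" / "patients.csv").write_bytes(os.urandom(4096))
        (backup / "records" / "inventory.csv").unlink()
        (backup / "HOW_TO_RECOVER.txt").write_text("placeholder note text\n")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:17s} {files}")
```

A digest mismatch alone tells you the backup is not what you made; the entropy check separates an encrypted file from an ordinary edit and is the cue that the data copy should not be trusted for restore. Testing usability, the other half of the bullet, still means actually restoring the verified set to spare hardware.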


2018 © Villbo Group Limited.