(Authored by Sharda Tickoo, Director – Technical, Trend Micro India)
With an evolving digital landscape and the rapid proliferation of sophisticated cyberattacks, security can no longer be relegated as an afterthought by organizations. The world continues to witness numerous cyberattacks – from Wannacry to the latest Maze attack, with each attack being more unique and complex than the preceding one, and making businesses succumb to huge losses. What’s common between these attacks, you may ask – they are all ‘ransomware’. This ‘cyber pandemic’, as we would like to call it due to its inherent nature of spreading far and wide, has spread its wings across countries leading to concerns around the security of data. Its enormity can be gauged from the fact that almost 62% of organizations globally have experienced a ransomware attack in the past year, as reported by an industry survey by CyberEdge. And, which will likely continue to do so in the foreseeable future, with newer and stealthier attacks underway.
A case in point is the recent Maze ransomware, which created headlines the world over. What’s unique about this ransomware is that it not only encrypts the data but steals it, and with the threat actors threatening to publish the data, which makes it exponentially more devastating. On why organizations should look at ransomware as the proverbial ‘elephant in the room’ and not just shelve the topic aside, let’s delve a bit in into demystifying few of the aspects, which include – ransomware transmission; whether it’s ever a good idea to pay up a ransom, and if ‘prevention’ might be the best ‘vaccine’ in dealing with it.
Infectious modes of transmission
How lethal is ransomware, and why do many of the cyber experts still consider it to be the numero-uno cyber threat even today? All the findings and the industry data validate this fact, with one such finding by Cybersecurity Ventures, a global cybersecurity research firm predicting that – ‘globally, businesses in 2021 will fall victim to a ransomware attack every 11 seconds, down from every 14 seconds in 2019.’ Its proliferation has further been accentuated because of the COVID-19 outbreak, as more and more employees continue to work remotely, and there is less protection due to remote access. It is likely that the users are more susceptible to falling prey to COVID-19 themed malicious emails.
What’s the modus operandi of a ransomware attack and its transmission? Phishing emails are the most common way through which ransomware penetrates an organization – as attachments masquerading as a file that victims tend to trust. However, there are several other vectors through which ransomware can also permeate, which includes endpoints, cloud workloads, networks, web gateways, files, mobile phones, and even instances seen across Linux servers.
Typically, ransomware encrypts data using different file formats or extensions with different Advanced Encryption Standard (AES) keys, and hence decryption becomes almost impossible.
‘Ransom’ in ransomware – not a good thing
This is a perennial question, whether to comply with the demands of the ransomware actor or not. It’s important for an organization that has been breached to understand the attackers’ unseen motive, which in many cases is to get a quick return on investment. According to a joint study by PwC India and Data Security Council of India (DSCI), the data breach cost in India has gone up by 8% in 2 years, which is alarming. We notice that many-a-times organizations are ready to pay a ransom to speed up the recovery of their data and systems. However, it’s important to note that paying it does not guarantee that the users will get the decryption key or unlock tool required to regain access to the infected system or hostage files and may only further encourage threat actors to attack organizations. As long as the ransom scheme, or the ‘cyber heist’ as we like to call it, continues to be profitable, cybercriminals will continue to leverage it on vulnerable targets.
Prevention and Remediation – Keys to defend
In the current parlance, to deal with ransomware an occasional intake of medicine won’t suffice, and a ‘vaccine’ is the order of the day. This is where ‘prevention’ could be the panacea or much-needed vaccine that organizations should prescribe to rather than looking at the knee-jerk reactive approach to ransomware attacks, which is the current practice.
Despite the prevalent ideals of digital transformation, lack of basic security hygiene, legacy systems with outdated operating systems, and unpatched vulnerabilities are still a reality. As per Gartner’s analysis of clients’ ransomware preparedness, globally over 90% of ransomware attacks are preventable. There is no silver bullet when it comes to stopping ransomware. As part of a layered defense strategy against ransomware, organizations should have multiple security controls in place across email, endpoints, networks, and servers. Since these are correlated, centralized security visibility across all these layers from a single console helps to reduce IT complexity and to stay on top of the ransomware threat.
Let’s observe some of the best practices that organizations and users can adopt to strengthen their defenses against ransomware and mitigate risks:
- Back up important files using the 3-2-1 rule—create 3 backup copies on 2 different media with 1 backup in a separate location.
- Enable virtual patching, especially for operating systems that are no longer supported by the vendor.
- Ensure emails are safeguarded with sandboxing technology and anti-spam solution, and there is an advance scanning & detection technology in place for mail endpoint & network traffic.
- Implement multi-factor authentication and least privilege access policies to prevent abuse of tools that can be accessed via admin credentials, like RDP, PowerShell, and developer tools.
- Regularly update software, programs, and applications to protect against the latest vulnerabilities.
- Increase awareness of how ransomware spreads, i.e., through spammed emails and attachments.
- Avoid opening unverified emails or clicking links embedded in them.
The hard question that CISOs, CTOs, CIOs, and all the security and IT managers should ask themselves is that, in the eventuality of a newer ransomware threat, are they really prepared well enough to deal with it.