Charles Leaver – Ransomware Threats Are Increasing So Take Action To Protect Your Organization

Written By Dr Al Hartmann And Presented By Ziften CEO Charles Leaver

Ransomware customized for enterprise attack campaigns has emerged in the wild. This is a natural evolution of consumer-grade ransomware, driven by the larger bounties that enterprises are able to pay combined with the sheer scale of the attack surface (internet-facing endpoints and unpatched software). To the attacker, your enterprise is an attractive target with a fat wallet just begging to be plundered.

Your Company is an Enticing Target

Simple Google queries may already have identified unpatched internet-facing servers by the score across your domain, or your credulous users may already be opening “spear phishing” e-mails crafted just for them and apparently authored by people they know.

The weaponized invoices go to your accounting department, the weaponized legal notices go to your legal department, the weaponized resumes go to your human resources department, and the weaponized trade publication articles go to your public relations staff. That should cover it, for a start. Add the watering hole drive-bys planted on industry websites your employees frequently visit, the social network attacks aimed at your key executives and their families, the infected USB sticks strewn around your facilities, and the compromises of your suppliers, customers, and business partners.

Enterprise compromise is not an “if” but a “when”: the when is constant, the who is legion.

The Arrival Of Targeted Ransomware

Malware researchers are now reporting on enterprise-targeted ransomware, a natural evolution in the monetization of enterprise cyber intrusions. Christiaan Beek and Andrew Furtak describe it in this excerpt from Intel Security Advanced Threat Research, February 2016:

“During the past few weeks, we have actually gotten information about a new campaign of targeted ransomware attacks. Instead of the typical modus operandi (phishing attacks or drive-by downloads that cause automatic execution of ransomware), the hackers gained persistent access to the victim’s network through susceptibility exploitation and spread their access to any connected systems that they could. On each system, several tools were utilized to discover, encrypt, and erase the original files as well as any backups.”

Careful reading of this quotation immediately suggests actions to take. Initial penetration was by “vulnerability exploitation,” as is typically the case. A sound vulnerability management program with tracked and enforced exposure tolerances (measured in days) is mandatory. Because the attackers “spread their access to any connected systems,” robust network segmentation and access controls are also required. Think of them as the watertight compartments of a warship that keep it from sinking when the hull is breached. Of particular note, the attackers “erase the original files as well as any backups,” so a compromised system must have no delete access to its backup files: systems should only be able to append to their backups.

Your Backups Are Current, Aren’t They?

Naturally, there must be current backups of any files that need to survive an enterprise intrusion. Paying the ransom is not a sound alternative, because any files produced by malware are inherently suspect and should be considered tainted. Auditors or regulators may reject files excreted from some malware orifice as legally valid, the chain of custody having been completely broken. Financial data may have been altered with fraudulent transactions, configuration data may have been tampered with, infections may have been planted for later re-entry, or the malware’s file manipulations may simply have had bugs or omissions. There is no way to place confidence in such data, and accepting it as valid could further compromise all downstream data that depends on or derives from it. Treat ransomed data as garbage. Either have a robust backup plan, regularly tested and verified, or prepare to take your losses.
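As an added illustration of the two backup rules the article states (append-only access from the previous section, and a backup plan that is regularly tested from this one), here is a minimal versioned store in Python. It is not code from the article or from any product it mentions; the file names and contents are constructed. A client can add and read versions but never delete, and a restore drill compares a restored version against a known-good copy.

```python
import hashlib
from dataclasses import dataclass, field

CLEAN = b"acct,amount\n1001,250.00\n"                 # constructed: a routine backup
SCRAMBLED = b"\x8f\x12\x7a\x44encrypted-by-attacker"  # constructed: what a compromised host pushes


class BackupPolicyError(PermissionError):
    """Raised when a backup client attempts an operation the policy forbids."""


@dataclass
class AppendOnlyStore:
    """Versions are immutable once written; clients may add and read, never remove."""
    _versions: dict = field(default_factory=dict)   # path -> [(sha256, bytes), ...]

    def append(self, path: str, content: bytes) -> int:
        """Add a new version and return its index. Earlier versions are untouched,
        so a scrambled copy pushed after compromise never replaces the clean one."""
        digest = hashlib.sha256(content).hexdigest()
        self._versions.setdefault(path, []).append((digest, content))
        return len(self._versions[path]) - 1

    def delete(self, path: str) -> None:
        # No delete or overwrite privilege exists for backup clients at all;
        # retention pruning is the backup server's job, on its own schedule.
        raise BackupPolicyError(f"delete of {path!r} refused by policy")

    def restore(self, path: str, version: int) -> bytes:
        """Return one version after re-checking its hash, so a silently corrupted
        backup fails the restore rather than being trusted."""
        digest, content = self._versions[path][version]
        if hashlib.sha256(content).hexdigest() != digest:
            raise ValueError(f"{path!r} version {version} failed integrity check")
        return content


def restore_drill(store: AppendOnlyStore, path: str, version: int, expected: bytes) -> bool:
    """A scheduled restore test: 'we have backups' means nothing until a restore
    is actually performed and compared against a known-good copy."""
    try:
        return store.restore(path, version) == expected
    except (KeyError, IndexError, ValueError):
        return False


def demo() -> dict:
    store = AppendOnlyStore()
    good = store.append("ledger.csv", CLEAN)      # backup taken before compromise
    store.append("ledger.csv", SCRAMBLED)         # post-compromise push: stored as a NEW version
    try:
        store.delete("ledger.csv")                # attempt to erase history: refused
        delete_blocked = False
    except BackupPolicyError:
        delete_blocked = True
    return {"delete_blocked": delete_blocked,
            "clean_restorable": restore_drill(store, "ledger.csv", good, CLEAN),
            "versions_kept": len(store._versions["ledger.csv"])}
```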

What Is Your Preparation for a Breach?

Even with sound backups, the confidentiality of affected data must be presumed breached, because it was read by malware. Even with comprehensive network logs, it would be unwise to assert that no data was exfiltrated. In a targeted attack the attackers generally take a data inventory, examining at least samples of the data to assess its potential value; otherwise they could be leaving money on the table. A ransom demand may simply be the final monetization stage of an enterprise breach, after all other value has been mined from the intrusion, since the ransom demand exposes the compromise.

Have a Thorough Remediation Strategy

One must assume that skilled adversaries have staged multiple, cunningly concealed avenues of re-entry at staggered points in time (well after your crisis team has stood down and the expensive consultants have flown off to their next engagement). Any stray evidence left behind was carefully staged to mislead investigators and deflect blame. Re-imaging of compromised systems must be exhaustive, touching every sector of the disk across its entire recording surface and re-creating master boot records (MBRs) and volume boot records from scratch. Some ransomware is known to compromise MBRs.

Likewise, don’t assume system firmware has not been compromised. If you can update the firmware, so can attackers. It is not hard for hacking organizations to explore firmware attack options when their enterprise targets standardize on system hardware configurations, allowing a little lab effort to go a long way. The industrialization of cyber crime enables the development and sale of firmware hacks on the dark net to a wider criminal market.

Help Is Available With Good EDR Tools

After all this bad news, there is an answer. When it comes to targeted ransomware attacks, taking proactive steps is far less painful than reactive cleanup. A good Endpoint Detection and Response (EDR) tool can help on both ends. EDR tools are good at identifying exposed vulnerabilities and active applications. Some applications have such a notorious history of exposed vulnerabilities that they are best removed from the environment (Adobe Flash, for instance). EDR tools are also adept at tracking all significant endpoint events, so that investigators can identify a “patient zero” and trace the pivot activity of targeted enterprise-spreading ransomware. Attackers rely on endpoint opacity to hide their actions from security staff, but EDR provides open visibility of the significant endpoint events that may signal an attack in progress. EDR is not limited to the old antivirus convict-or-acquit model, which lets newly remixed attack code evade AV detection.
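As an added example of the patient-zero and pivot-tracing analysis described above (not code from the article or from Ziften’s product), the Python below runs over a constructed endpoint timeline in which every hostname, time and event is invented. It picks the earliest host showing a mass-rename signal, then walks later connections from already-compromised hosts to reconstruct the spread path, separating targets that later encrypted from ones that only need checking.

```python
from datetime import datetime

# Constructed endpoint telemetry in the shape an EDR timeline gives an analyst:
# (time, host, event kind, detail). Not real product output.
EVENTS = [
    ("2016-02-10T09:00:05", "ws-accounting-07", "process_start", "winword.exe -> cmd.exe"),
    ("2016-02-10T09:02:11", "ws-accounting-07", "mass_rename", "2140 files -> *.locked"),
    ("2016-02-10T09:02:30", "ws-accounting-07", "net_connect", "fs-01:445"),
    ("2016-02-10T09:03:02", "fs-01", "net_connect", "ws-legal-03:445"),
    ("2016-02-10T09:03:20", "fs-01", "net_connect", "mail-01:443"),
    ("2016-02-10T09:03:50", "fs-01", "mass_rename", "8810 files -> *.locked"),
    ("2016-02-10T09:05:10", "ws-legal-03", "mass_rename", "600 files -> *.locked"),
    ("2016-02-10T09:06:00", "ws-hr-02", "net_connect", "mail-01:443"),   # unrelated traffic
]
ENCRYPT_SIGNAL = "mass_rename"   # the event we treat as "host is actively encrypting"


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_patient_zero(events):
    """The earliest host showing the encryption signal, as (time, host), or None."""
    hits = [(ts(when), host) for when, host, kind, _ in events if kind == ENCRYPT_SIGNAL]
    return min(hits) if hits else None


def trace_pivots(events):
    """Walk the timeline from patient zero. A connection from an already-compromised
    host marks its target as compromised from that moment on. Targets that later
    encrypt are confirmed pivots; the rest are suspects the analyst should check."""
    pz = find_patient_zero(events)
    if pz is None:
        return {"patient_zero": None, "confirmed": [], "suspect": []}
    t0, host0 = pz
    compromised = {host0: t0}          # host -> time from which we treat it as attacker-held
    edges = []
    for when, src, kind, detail in sorted(events, key=lambda e: ts(e[0])):
        t = ts(when)
        if kind == "net_connect" and src in compromised and t >= compromised[src]:
            dst = detail.split(":")[0]
            if dst not in compromised:
                compromised[dst] = t
                edges.append((src, dst, when))
    encrypted = {host for _, host, kind, _ in events if kind == ENCRYPT_SIGNAL}
    return {
        "patient_zero": host0,
        "confirmed": [e for e in edges if e[1] in encrypted],
        "suspect": [e for e in edges if e[1] not in encrypted],
    }
```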

Good EDR tools are always alert, always reporting, always tracking, and available when you need them: now or retroactively. You would not turn a blind eye to enterprise network activity, so don’t turn a blind eye to enterprise endpoint activity.