How PAM Helps to Protect Your Business from Ransomware AttacksAnirban Banerjee
With each passing year, the field of cybersecurity becomes more increasingly complex as new kinds of risks and attacks start to emerge. And with over 4,100 data breaches that exposed more than 4.2 billion records, last year proved to be the beginning of several seismic shifts that are now threatening to redefine the entire cyber security landscape in which security professionals will have to plan for chaos instead of trying to prevent it.
International multi-million dollar virtual bank heists, state-sponsored attacks, and the overall increase in the risk of cyber attacks, give everyday headaches to security professionals as they try to protect their data and ensure business continuity. Now, with the proliferation of new attack methods such as ransomware attacks, attackers are starting to switch their focus from individuals onto businesses.
All too often, the only way to recover after a ransomware attack is to pay the fee to the attacker. And since only one such attack can infect several endpoints within an organization, and encrypt a great amount of valuable data, businesses are willing to pay a much larger ransom than individuals. Unlike individuals who pay anything from a couple of hundred to a couple of thousand dollars, ransom fees that businesses pay can total to hundreds of thousands of dollars. According to FBI, the cost of ransom fees in the first quarter of 2016 was more than $200 million dollars.
Unfortunately, that amount will probably continue to increase in the years to come. Since there is nothing much one can do after being hit with ransomware, except mitigate their losses or pay, the only way to avoid the unavoidable is to prevent ransomware attacks from happening in the first place.
A brief history of ransomware
When people first hear about ransomware, they are stunned with disbelief. A ransom note, often written in poor English, saying that they have been locked out of all their files and that they have to pay a ransom in order to regain access. Based on the number of headlines in the news sites all over the Internet, some might think that the ransomware is just some weird new method of cyber-attack. But the weirdest thing about ransomware that it has been here for almost 30 years and goes all the way back to the era of floppy disks!
Simply put, ransomware is a type of malware whose goal is to prevent the user from accessing their data. While there are various types of ransomware such as crypto and locker-based, most victims usually discover the attack when they see an extortion message on their computer screens which says that their data and their files have been encrypted and that they have to pay a fee in order to get their files decrypted. To ensure that the user receives the ransom note, and to give him viable means to pay the ransom, ransomware is very specific when it comes to files which are encrypted. Only user files are encrypted while all system files are left untouched. After the files have been encrypted, the malware deletes itself and leaves a document with instructions on how to pay the ransom.
Back in 1989, Joseph L. Popp, an evolutionary biologist with a PhD from Harvard, sent 20,000 floppy disks to the attendees of the World Health Organization’s international AIDS conference. The disks, when inserted, encrypted the victims´ files, turned on their printers, and printed a ransom note stating that they have to pay $189 in order to decrypt their files. Considering that the disks claimed to contain AIDS education software (they really included a software which measured the risk of contracting the disease), the first case of ransomware went down in history by the name of AIDS Trojan.
Soon after the first research paper on the subject of cryptovirology was published in 1996, researchers created a proof of concept malware that used RSA and TEA algorithms to encrypt files. It did not take long for ransomware to appear in the wild. Ransomware such as Archiveus, Krotten, and GPCoder caused significant problems back in 2005. GPCoder proved to be the most troublesome to deal with due to its 1024-bit RSA encryption algorithm which made recovery attempts with brute force difficult.
In 2012, a mass-deployed ransomware trojan with the name of Reveton targeted victims by representing itself as a law enforcement organization. Its success was mostly contributed due to the fact that the law enforcement organization depended on the geolocation of the target.
Image 1. Variants of the Reveton Ransomware by country (Source: http://www.northeastern.edu)
According to Brian Krebs, cyber security reporter for Washington post, Reveton was earning as much as $44,000 per day and per country targeted, which amassed to $1,3 million per month and per country. These “revenue” results spurred other enthusiasts to join the game and quickly after Reveton, new variants such as Torrentlocker, Cryptowall, Teslacrypt, Locky appeared.
Ransomware today & tomorrow
Over the years, a lot has changed in the field of ransomware. Floppy disks have been replaced with phishing campaigns, exploit kits, and malvertising, and dollar amounts were replaced with equivalent amounts of Bitcoins. One thing that remains for certain is that ransomware is here to stay.
New-age ransomware with advanced ways of distribution continues to target users all over the world today. Often having a pre-built infrastructure, new ransomware is able to deploy new strains very easily and uses crypters to make reverse engineering attempts very difficult, if not impossible.
Even the revenue amount has increased. One of the largest exploit kits on the market, Angler Exploit Kit, was targeting up to 90,000 users every day and generating more than $30 million each year. And they are not the only one. Locky, a very aggressive ransomware variant, uses the same TTPs (Tools, Techniques and Procedures) as Dridex campaigns – phishing attacks with weaponized MS Office documents.
Image 2. An example of a regular text file and what it looks encrypted (Source: Wikipedia.org)
Ransomware is becoming an increasing threat due to its many variations and its severe impact on business continuity and potential loss of data. Often, attackers need to compromise only one endpoint to gain their foothold and access to the network. As new variants and crypto families continue to emerge on an almost daily basis, individuals and business find it hard to stay ahead of the attackers.
The art of defense
Since existing defense solutions often fail to detect ransomware or prevent it from infecting and spreading within the network, businesses are facing severe risk of high ransom fees and data loss. However, all is not lost since there are many actions one can take in order to mitigate the risk of ransomware:
- Regular backups: a business that often backup their data can avoid paying the ransom since the cost of potential data loss will be minimal.
- Regular updates: most ransomware use existing vulnerabilities and businesses with up-to-date systems have a much lower risk of being infected.
- Constant activity monitoring: monitoring all network activities enables security teams to identify and prevent potential malicious activities before they are able to cause any damage.
- Employee education: ransomware such as Locky which we mentioned above, uses spam and phishing methods to infiltrate the network and educating employees on security best practices further mitigates risk.
Last but not least, enforcing endpoint security by combining privilege access management and application control, gives businesses an effective way of mitigating risk of ransomware. By doing this, businesses can easily remove local administrator rights which some ransomware require, as well as to control applications, thus preventing unknown applications from executing.
With Privileged Account Management, businesses can do exactly the above – combine privilege account management and application control. By controlling local admin privileges, business significantly reduces the attack surface as it allows trusted applications to run while preventing ransomware that requires admin rights from executing. Besides focusing on protecting the outside network parameter, PAM adds several protection layers on the inside by protecting admin credentials, controlling privileged users access and monitoring their activity across all IT resources. PAM is an easy-to-deploy solution that is able to protect your complete network infrastructure: from traditional physical data centers to virtual and cloud platforms such as AWS and Rackspace. Each attempt of misuses automatically revokes access privileges and sends out alerts to your cyber security teams.
Also published on Medium.