InfoSecurity Professional INSIGHTS Archive: August 2019
Resilient Preparations to Ease the Pain of Ransomware
By Matt Gillespie
Ransomware no longer captures the headlines that it did when WannaCry suddenly spanned the globe two years ago, but the category’s reign of disruption continues.
Verizon’s 2019 Data Breach Investigations Report finds that ransomware is the second most prevalent type of malware. Dave Hylender, a senior risk analyst with Verizon, describes ransomware in 2019 as “prevalent and ubiquitous. It’s quite lucrative for the attacker; it’s high yield and low risk, and I don’t expect it to be going away soon.”
That finding is at odds with some observers’ claims that ransomware is being displaced by other, more novel threats, such as cryptocurrency mining attacks.
On that point, Hylender is skeptical: “We hear about other things, like last year there were a few articles talking about how emergent crypto mining is, and that ransomware has had its day and is on the decline … It’s still No. 2, and I don’t think it’s going away. Crypto mining was approximately 2% of the incidents that we saw in our data set, whereas ransomware was [more than 20%].”
Advance measures to keep ransomware at bay
Preventive controls to keep ransomware from installing on target machines in the first place are the clear starting point for a mitigation strategy. In that context, protecting against ransomware is a subset of the larger sphere of general anti-malware measures.
Organizations should shape their controls around the fact that the most common infection vectors are email and malicious websites. For example, Hylender suggests, “Don’t allow a patient-zero, end-user device to easily propagate and spread ransomware to more critical assets, and don’t use devices with high availability requirements to surf the internet or receive external email.”
At the same time, contingency planning must assume that controls designed to prevent infection and to limit its spread will be circumvented. Ransomware-specific threat modeling and assessment is key to reducing the potential impact of attacks. Hylender emphasizes the need for specific planning: “Having a plan in place to respond to ransomware incidents if they do happen is an absolute must-have as opposed to a nice-to-have. We need to have a plan to get back up and running quickly [as well as] what we can do more slowly or at a more measured pace.”
Incident recovery plans that restore mission-critical and business-critical functions first let staff keep the core business running while the larger recovery takes place.
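Getting critical functions back quickly depends on a known-good, isolated copy of their data that has been checked before it is needed. The following is an added example, not code from the article or from Verizon: a small Python script that snapshots a directory, records a SHA-256 manifest, marks the copy read-only as a stand-in for offline or immutable storage, then simulates a ransomware run against the production copy, detects it by comparing against the manifest, confirms the isolated copy is untouched, and restores. The directory layout, the manifest file name and the sample files are all assumptions constructed for the example.

```python
# Added example (not from the article). The "offsite" store is a second local
# directory standing in for an offline or immutable target; sample data is made up.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256.json"  # assumed name for the known-good hash list


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def create_backup(src: Path, store: Path, label: str) -> Path:
    """Copy src to store/label, record a manifest, then make the copy read-only.
    The read-only bit only stands in for real isolation (offline media, immutable storage)."""
    dest = store / label
    shutil.copytree(src, dest)
    (dest / MANIFEST).write_text(json.dumps(build_manifest(dest), indent=1))
    for p in dest.rglob("*"):
        if p.is_file():
            os.chmod(p, 0o444)
    return dest


def diff_against_manifest(root: Path, manifest: dict) -> dict:
    """Classify files under root against a known-good manifest. Run it on the backup
    to prove the copy is intact, or on production to spot mass tampering."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def restore(backup: Path, dst: Path) -> int:
    """Replace dst with the backup contents; returns the number of files restored."""
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(backup, dst, ignore=shutil.ignore_patterns(MANIFEST))
    files = [p for p in dst.rglob("*") if p.is_file()]
    for p in files:
        os.chmod(p, 0o644)  # the production copy must be writable again
    return len(files)


def simulate_ransomware(root: Path) -> int:
    """Constructed attack: overwrite each file with junk and add a .locked suffix."""
    hit = 0
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
        p.rename(p.with_name(p.name + ".locked"))
        hit += 1
    return hit


def run_cycle() -> dict:
    """Back up constructed data, wreck production, check both copies, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, store = Path(tmp) / "prod", Path(tmp) / "offsite"
        (prod / "db").mkdir(parents=True)
        store.mkdir()
        (prod / "db" / "orders.csv").write_text("id,amount\n1,100\n2,250\n")  # constructed
        (prod / "config.yaml").write_text("service: billing\n")  # constructed
        backup = create_backup(prod, store, "2019-08-01")
        manifest = json.loads((backup / MANIFEST).read_text())
        before = diff_against_manifest(prod, manifest)
        hit = simulate_ransomware(prod)
        after = diff_against_manifest(prod, manifest)
        backup_state = diff_against_manifest(backup, manifest)
        restored = restore(backup, prod)
        final = diff_against_manifest(prod, manifest)
        return {
            "clean_before": not any(before.values()),
            "files_hit": hit,
            "missing_after_attack": len(after["missing"]),
            "unexpected_after_attack": len(after["unexpected"]),
            "backup_intact": not any(backup_state.values()),
            "restored": restored,
            "clean_after_restore": not any(final.values()),
        }


if __name__ == "__main__":
    print(json.dumps(run_cycle(), indent=1))
```

The same diff_against_manifest check, run on a schedule against live data with the latest manifest, surfaces the rename-plus-rewrite pattern (many missing files paired with as many unexpected ones) as a signal in its own right; run against the backup store, it is the restore test that should pass before anyone has to weigh the ransom.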
As part of that orientation, backup and restore is a critical part of data protection. Frequent copies of critical data—stored offsite and isolated from production systems—are a key way to blunt the potential effects of a ransomware attack. Similar to a disaster-recovery approach, Hylender emphasizes the need to identify critical data assets in advance and to have standards and procedures that ensure ongoing availability of those assets, come what may.
Steering clear of ransom demands
As with any cyber threat, prevention and response measures against ransomware are first and foremost about protecting against business interruption and data loss. At the same time, avoiding being forced to pay a ransom is an important goal in its own right, because the true cost of paying is higher than the amount handed over to the criminals.
As Hylender puts it, “I can understand the panic mentality that causes people to just want to pay the ransom, but that is exactly why these attacks persist. If people would stop paying these ransoms, we might have a better chance of stopping these attacks from being so prevalent.”
Organizations that are both infected and unprepared put themselves at the mercy of their attackers. It’s not uncommon for organizations to weigh the cost of paying the ransom against the cost of recovering on their own. Some will inevitably decide that capitulating makes financial sense, as part of the normal cost of doing business.
In addition to helping perpetuate ransomware for the industry as a whole, paying the ransom is no guarantee that the problem goes away. The perpetrators have no stake in the welfare of the organizations they compromise; their goal is to collect the ransom, not to ensure the recovery they promise.
In the final analysis, diligent preparation is the only viable protection against ransomware. Prevention and response tailored specifically to this class of threats is critical for every organization, and business continuity in the face of attempted or even successful ransomware attacks is not only possible, but mandatory in our time.
Matt Gillespie is a technology writer based in Chicago.