The WannaCry and Petya outbreaks last year put the spotlight on the dangers of a new kind of worm-type ransomware attack. Yet while those outbreaks were a security wake-up call for many, rigorous patching and backup strategies on their own still don’t go far enough to fully protect the enterprise against this emerging threat.
WannaCry, first discovered last May, marked a shift in the traditional ransomware landscape: unlike typical mass-mailing attacks that target single users, this worm-like threat was self-propagating, meaning it could spread across an entire network of computers on its own. WannaCry also took advantage of a critical vulnerability in Microsoft Windows targeted by the EternalBlue exploit. Many companies knew about EternalBlue but had not gotten around to applying the patch, which made the self-propagation much easier.
WannaCry’s impact was dramatic: Hundreds of thousands of computers in more than 150 countries were attacked, resulting in financial losses estimated to be in the billions of dollars. Beyond WannaCry and follow-on worm-like variants like Petya, incidents of ransomware are on the rise. Indeed, Symantec found that ransomware attacks jumped by more than one-third to over 483,800 incidents in 2016.
Enterprises are particularly vulnerable to worm-type ransomware attacks because their systems are networked, so attackers have a lot more to gain. The payout for a ransomware attack at enterprise scale could run into the hundreds of thousands or millions of dollars, while infiltrating a single computer might, on average, yield a few hundred dollars in ransom. During the first six months of last year, for example, organizations accounted for 42% of all ransomware infections, up from 30% in 2016 and 29% in 2015, according to Symantec research, which attributes the surge, in part, to WannaCry and Petya.
“This raises the stakes in terms of ransomware because the more data [attackers] can encrypt, the higher the ransom they can command,” says Dr. Alexander Volynkin, senior research scientist for the CERT division of the Software Engineering Institute at Carnegie Mellon University. “When encrypting a single computer, the data may not be all that valuable, but if half of your computers are encrypted, the chances are good that data needs to be recovered and that increases the attackers’ opportunity to get paid.”
No Room for Complacency
While there is no single remedy to ward off a worm-type ransomware attack, the surge in activity should serve as a wake-up call for enterprises to reexamine their security practices and build a case for a multi-layered approach. Complacency is not an option: robust backup practices on their own won’t sufficiently protect against worm-type ransomware. Keeping all software up to date—web browsers, Microsoft Office as well as Windows—is critical.
“This really illustrates the value of patching ASAP rather than waiting a few months or not getting around to it,” says Dick O’Brien, principal editor at Symantec and the author of the 2017 Ransomware Report.
Conducting regular backups of systems and storing those backups offline—and preferably off-site—so they are not part of an enterprise network is another best practice recommended by CMU’s Volynkin. As part of this process, organizations need to codify a verification process that ensures the backups are capturing all the requisite data and that the restore operates properly in the environment, he adds.
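A minimal version of the backup verification step Volynkin describes, written as an added example (not code from the article, CERT or Symantec): a SHA-256 manifest is taken at backup time, and a restored tree is checked against it for missing, altered and unexpected files. The file names and directory layout are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's relative path under root to its SHA-256 digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then simulate a faulty restore."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(src)  # record this alongside the backup

        # Copy to the (simulated) offline location, then restore from it.
        backup = work / "offline_backup"
        shutil.copytree(src, backup)
        restored = work / "restored"
        shutil.copytree(backup, restored)

        # Simulate restore problems: one file lost, one silently altered.
        (restored / "notes.txt").unlink()
        (restored / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

A restore that reports anything other than three empty lists has not captured all the requisite data and should not be trusted as a recovery path.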
Protective measures at the system level are equally important. Email filtering services can help identify and stop malicious emails before they reach users, and endpoint protection services can go a step further by sanitizing attached documents and removing malicious content before they reach a target. Intrusion prevention systems (IPS) are another important layer in the stack: they are designed to detect and block malicious traffic that attempts to exploit vulnerabilities, which makes them critical for preventing the installation of ransomware.
“The great thing about layers is that if one falls down, there’s another to catch it,” says O’Brien. “There are a lot of different technologies available and they all work in harmony to reduce the risk of exposure.”
If an attack occurs, the goal is to limit the spread of the ransomware. Enlisting an outside security practice to help monitor ransomware families can provide a critical line of defense and can also aid in making a speedy recovery from the attack. For their part, companies should be sure to perform full network scans on their own so they can identify and isolate any infected computers from the enterprise network, Symantec’s O’Brien says.
In the end, as with most security threats, O’Brien contends prevention is important, but a cure may not be possible. “There is no way of eliminating the risk of ransomware completely—there are always new technologies appearing that no one is aware of,” he says. “The more preventive measures you take, the more likely you can reduce the chances of infection.”