Ransomware: A new menace to business
Essam Ahmed highlights the dangers with this unprecedented variant of malware
Imagine receiving an email from a client, marked ‘urgent’. You click on it, but find yourself unable to do so. As you attempt in vain to open the email, your access to other files and applications is cut off, with an alarming and suspicious “Your computer has been locked” message flashing across the screen. That’s when it hits you: the system has been compromised, with your access to information completely cut off.
You have just become the unwitting target of ransomware.
Cyberattackers are more ambitious than ever, leveraging new capabilities that are afforded by leaps in technology, knowledge and skillsets. They have become more inventive, finding new ways to skirt defences and target individuals or entire organisations.
One of the most lethal tools in the modern cyberattacker’s arsenal is ransomware. Typically a malware, ransomware enables cyber extortion for immediate monetary gain. Cybercriminals can mask links to ransomware in emails and webpages to prohibit users from accessing their systems, demanding a payoff, usually in cryptocurrency such as Bitcoin.
A newly evolved way of cyber exploitation, organisations both large and small can be subjected to significant financial losses, sometimes amounting to millions of dollars.
According to FireEye Threat Intelligence, ransomware activity has been rising steadily since mid-2015. FireEye Labs detected a massive spike in ransomware activity in March 2016 in over 50 countries, including the UAE and Saudi Arabia. The impact of ransomware is immediate, compared to stealthier malware, such as those used in an advanced threat attack. As evidenced from recent headlines, there is growing concern among individuals, businesses and governments about the complex effects of ransomware, which include monetary damage and business downtime.
For an attacker, injecting an organisation’s assets with ransomware is a simple, two-fold process. First and foremost, the attacker embeds ransomware links into emails, attachments, spear phishing emails, URLs or the web, to circumvent an organisation’s network. Clicking on these fraudulent links activates the malware and swiftly infects the system, with no time given to the infected user to undo the action. Subsequently, the malware either encrypts all files or locks the user out of his/her computer. The demand for money, typically in digital currency, is conveyed through a ransom message that flashes on the screen.
The attacker makes it obvious that upon the payoff, a cryptographic key to unlock all files will be made available. In some cases, the message may also include a nefarious threat to publicise all sensitive data if the demand is not met.
Certain ransomware can travel from one computer to a connected server, thereby infecting an organisation’s entire network. Compared to other malware, the effects of ransomware are quicker and complex.
Attackers play on their victims’ fear of being vulnerable and provided with no relief whatsoever. Little do the victims know that paying the ransom does not ensure freedom from the attackers. On the other hand, the inability to pay can make organisations succumb to business downtime, loss of sensitive data or any other punishment of the attacker’s choosing.
Essentially, email-based ransomware is utilised for targeted cyberattack campaigns. In order to keep these attacks at bay, it is critical to equip IT systems to defend against ransomware, which acts as your smoking gun. A proactive, rather than a reactive, approach needs to be applied across various vectors that are overlooked by traditional IT infrastructure. The proactive approach depends on determining vulnerable gateways such as emails, URLs, websites etc. that can be compromised and used as a launching pad for attacks.
Enough is not good enough in this age of hyper-connectivity. Having said that, not all cyberthreats have the same impact, neither are all cyber defences equally effective. To safeguard themselves, enterprises are encouraged to implement access controls.
In addition, enterprises should evaluate backup strategies regularly and test those backups to ensure that recovery is successful. Copies of backups should be stored offsite in case onsite backups are targeted.
There are a few things that need to be kept in mind to efficiently counteract ransomware, which all security vendors need to offer. This includes effective monitoring of all critical vectors as ransomware relies on URLs to direct users to websites that host malware. The best defence would be adopting a layered approach to vet all emails that appear harmless, but might contain malicious malware. Security programmes should also offer inline protection so as to increase offline detection and deter the maximum number of threats.
Actionable threat intelligence is also vital for early detection and analysis of threats. Hence, the security infrastructure needs to be updated with threat intelligence at frequent intervals to increase its capability to provide the necessary warning signs and abridge the breach window highly vulnerable to criminal intent. In addition, real-time protection is integral to counteract and prevent ransomware attacks.
This is easier said than done, however every cybersecurity programme needs to be equipped with real-time protection to impede activation of ransomware. Unless, the demand for ransom has already been made and the files are encrypted, it’s too late to address this concern.
Cyber extortion has gained significant notoriety, with profits from highly publicised campaigns undoubtedly resonating among cybercriminals. Recent campaigns in which targeted victims paid the ransom demand reinforce the legitimacy and popularity of this particular attack method. With all said and done, it is obvious that visibility across all functions is important to better respond to threats. Every organisational process and asset needs to be aligned with the right technology. Failure to do so not only diminishes visibility over all vectors, but also hampers the ability of the security infrastructure to detect, identify and manage threats – and with ransomware attacks increasing in intensity, businesses need to ready themselves for this new menace.
Essam Ahmed, director of System Engineering for the Middle East, Turkey and Africa at FireEye.