The ransomware crossroads — where do we stand, where should we turn?

#1

For cybercriminals, 2018 was a great year. This was particularly true for criminals using ransomware; in 2018 the number of attacks that specifically attacked businesses went up, and the last part of 2018 saw ransomware figures hit an all-time high, along with the size of the ransoms demanded.

The use of ransomware is evolving, with increasingly malicious threats being spread through a growing range of vectors. Small and medium-sized businesses (SMBs) are particularly vulnerable: during the final quarter of 2018, 71% of ransomware attacks were on SMBs. Some commentators suggest that by the end of 2019, a business will be hit with ransomware every 14 seconds.

Not all ransomware attacks are successful, but those that are can be catastrophic for victims and can easily cripple a business. Ransomware locks and/or deletes data, which is now the lifeblood of most organisations. Victims are left unable to function and even those who pay the ransom may never see their data again — some ransomware is coded in such a way that recovery of the data is impossible.

Financial losses through downtime, ransom payments and data loss are not the only penalties: some ransomware is accompanied by trojans to hack banking and login credentials, while reputational damage can deter potential customers and clients for years after the attack.

So, with the criminals deploying ransomware now playing a high-stakes game of cat and mouse with their targets, where do businesses go from here?

Facing the problem

Businesses cannot solve problems they do not recognise, so the first step in tackling ransomware is greater awareness. Ransomware is a moving target, with threats and points of entry changing regularly, so it’s important to develop an understanding of the subject and keep up to date.

This applies not only to management but to all staff: e-mail attachments, links, insecure websites, downloads and malicious ads are all vectors through which ransomware enters systems, so everybody in the organisation must know how to handle them.

Operating systems and all software must be kept regularly patched and updated, and all data regularly backed up. The 321 rule is helpful: have at least three copies of data, stored in at least two locations, of which at least one should be offline.

It is also a good idea to keep an eye on account privileges: malware tends to operate at the level of the user who launched it, so limiting account privileges cuts the risk of ransomware spreading.

What about RDP?

Remote desktop protocol (RDP) is a helpful way of deploying software to remotely function on work computers, and generally safe — if it is secured properly. Left unsecured, RDP can easily become the cybercriminal’s point of entry.

It is sensible for businesses to consider whether they need RDP, and if not, to disable it (RDP comes pre-installed on Windows and is available for other operating systems). If RDP is essential, it should be used as safely as possible. That means enabling network level authentication, mandating strong passwords, securing the network from internal and external attacks and limiting use of RDP to those users who really need it.

However, while RDP is a popular entry point for ransomware, it is not the only one. Most malware attacks, via RDP or any other means, are brute force attacks, so the usual precautions (safe passwords, use of multi-factor authentication, restricting the use of untrusted devices, minimising user levels, particularly for accounts connecting to the internet, etc.) are more important than ever, for RDP users and non-users alike.

Look to the skies?

Many people (mistakenly) associate ransomware with local machines. With much data migrating to the cloud, and increased use of software as a service, it is easy to think of the cloud as a safe haven for data. This is true up to a point: the cloud is a great repository for part of any data backup (according to the 321 rule, described above). But malware attacks the cloud, too. Syncing local files (especially shared files) from an afflicted machine to the cloud may allow the ransomware to spread. At that point you may be able to restore an earlier version of your files, but probably little else.

Furthermore, cybercriminals are attacking cloud services directly: in 2016, Cerber ransomware attacked the Microsoft Office 365 cloud service, and in 2017 Microsoft acknowledged a huge increase in attacks on its cloud-based provision. That’s why it is as important to scan and secure cloud-based systems and services as it is to secure local networks and machines.

Organisations can install security provision on cloud servers and cloud storage but often, particularly at SMB level, they may have outsourced these services. In which case, the organisation must make sure it is working with a partner that provides a suitable level of protection, asking them to provide details of the systems used, detection rate, the speed at which the tools deployed detect ransomware and their file loss rate. If the provider cannot answer these questions satisfactorily, it may be time to look elsewhere.

To sum up: ransomware is an evolving threat that can harm organisations of all sizes, but particularly SMBs, which are currently being targeted. Ransomware causes catastrophic damage. To avoid this, SMBs must ensure the security of all devices and cloud services, make sure they are employing the 321 rule for regular data back-ups and continue to enforce the traditional rules of security: use strong passwords, restrict untrusted devices, only use administrator accounts to access the network where this can’t be avoided, and use multi-factor authentication. Finally, where SMBs use a third party to provide networking services, they must talk to this provider about the levels of security (including cloud security) available and assure themselves that these meet their needs.

Thorsten Kurpjuhn, European Security Market Development Manager at Zyxel