WannaCry may be the latest outbreak of ransomware to hit the news, but it is neither the first nor the last. In 2016 alone, it is estimated that $1 billion in cyber ransoms was paid out to cyber criminals. If this widespread attack proved anything, it's that the threat is real.
What is ransomware?
Let’s start with the basics. The simple definition of a ransom is “a consideration paid or demanded for the release of someone or something from captivity.” More commonly we see it popping up around the globe as a way for bad actors to encrypt information and hold it ransom in exchange for money, typically untraceable bitcoin.
Why is it so popular? It works. In the latest attack, the ransom was set at an average of $300. Breaches are bad for business, particularly if they are made public. Therefore, most companies wouldn’t think twice about paying a measly $300 to get their information back and keep the situation out of the news. That is what the criminals are banking on. Other reasons that ransomware has grown so popular are:
- Production and cost of sales can be low - it's easy to hack, especially with devices like the pineapple or by stealing default passwords or breaking into IoT devices. Cost of sales is low because you know that particular buyer and that he is motivated to get his information back. Bitcoins are usually used as payment because they are an effective and efficient medium of exchange.
- Price can be high or low depending on what you think the owner will pay
- Margins are high
- Addressable market is enormous and includes anyone with privileged data
- Profits are amazing
- Every aspect is maturing, from code quality to backup systems and evasion techniques
To understand how to stop it, you have to know how it works
Many ransomware attacks start as phishing attacks which pivot into persistent infections. Widespread ransomware attacks do not happen instantly, but they do spread quickly, as evidenced by the rapid worm that the WannaCry attack used. An attack starts by compromising one employee, website or some other vector, and the attacker must then gain persistent access to the network. As the virus moves around the network, it installs the ransomware, which encrypts your critical data with a key that only the bad actors hold. Everything you have is still there, but you lack the ability to access it unless you pay the ransom and get the key.
Fighting back against ransomware is a complicated process, especially once the attackers are inside your network. Think about the attack paths in your network and how an intruder could pivot from one system to another to reach your sensitive data. However, people are also vulnerable, through their accounts on different systems, their profiles or roles, or the entitlements granted to certain security groups. That's billions of relationships in a mid-sized company, and bad actors only need to exploit one.
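As an added illustration (not part of the original article), the attack-path idea above can be modeled as a graph search: the Python below enumerates the paths from one compromised workstation to sensitive data and ranks the relationships that sit on the most paths, which is where remediation pays off first. Every host, account, group and relationship name is constructed for the example.

```python
from collections import Counter, deque

# Constructed sample environment (all names hypothetical):
# each entry is (source, relationship, target).
EDGES = [
    ("ws-reception", "logged_on_user", "acct-jsmith"),
    ("acct-jsmith", "member_of", "grp-helpdesk"),
    ("grp-helpdesk", "local_admin_on", "srv-files"),
    ("acct-jsmith", "same_password_as", "acct-jsmith-admin"),
    ("acct-jsmith-admin", "member_of", "grp-backup-operators"),
    ("grp-backup-operators", "can_write", "srv-backup"),
    ("srv-files", "stores", "data-finance"),
    ("srv-backup", "stores", "data-finance-backup"),
    ("ws-reception", "reachable_unpatched", "srv-files"),
]
SENSITIVE = {"data-finance", "data-finance-backup"}

def attack_paths(edges, foothold, targets, max_hops=6):
    """Return every loop-free path (list of edges) from foothold to a target."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    found, queue = [], deque([(foothold, [])])
    while queue:  # breadth-first, so shorter paths are reported first
        node, path = queue.popleft()
        if node in targets and path:
            found.append(path)
            continue
        if len(path) >= max_hops:
            continue
        visited = {foothold} | {edge[2] for edge in path}
        for rel, dst in graph.get(node, []):
            if dst not in visited:
                queue.append((dst, path + [(node, rel, dst)]))
    return found

def prioritize(paths):
    """Rank relationships by the number of attack paths they appear on."""
    return Counter(edge for path in paths for edge in path).most_common()

if __name__ == "__main__":
    paths = attack_paths(EDGES, "ws-reception", SENSITIVE)
    for path in paths:
        print(" -> ".join([path[0][0]] + [f"[{r}] {d}" for _, r, d in path]))
    for edge, count in prioritize(paths):
        print(count, edge)
```

Removing the `same_password_as` relationship from the sample data leaves no path to the backup copy, which is the effect that separating credentials and segregating backups is meant to achieve.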
The truth is that in this complicated and many-faceted world of cyber security, the bad actors do get in. The real question is, could you have deterred this attack? If not, how fast can you move to prevent loss once it happens? How can you do this? With Evidenced Prioritization.
In the lifecycle of an attack, you can use prioritization to deter, detect, remediate and validate threats.
Penetration testing can help you identify the most critical vulnerabilities in your network. The WannaCry attack exploited a Microsoft vulnerability that had an available patch, yet many had not updated their systems. Identity and Access Management (IAM) will help you to understand who has access to what critical systems and whether machines are synchronizing passwords with other accounts. Using IAM will help you to understand who can access your critical information and how.
Speaking of your critical information, it’s time to segregate your backups. I mentioned earlier that the methods in ransomware are maturing, and this is one way. People think that they don’t need to pay the ransom because they can use their backup. However, the ransomware has found its way to the backup too. Make sure that all backups are on different networks and cannot be affected in an attack. Other actions to take here would be to start user training to avoid things like phishing attacks and to institute multi-factor authentication for password resets to help keep your users' information safe.
Here is where your network threat-detection analysis comes into play, in order to see which devices have been affected and where. Did this machine have an IoC? What access did that expose? By using this information, you can also see when the infection happened, how it happened and who is affected.
Your company needs to have an incident response plan in place for the remediation of accounts, vulnerabilities and compromised devices to quickly address security risks as soon as they become visible. With prioritization, you can see which of these incidents have a larger impact on your organization and can stop data loss by tackling the top priorities first.
Validation isn't a one-time process. You need to continuously validate your security posture to test and strengthen your processes. Access reviews, penetration testing, network security assessments and other security consulting services ensure that you are continuously validating and, in turn, continuously improving.
So, is the hype and the press around this newest WannaCry attack valid? Of course. It was the largest ransomware attack to date, if only by number of systems infected, and hit over 150 countries. Raising awareness about ransomware helps keep things like phishing attacks top of mind and keeps your employees from falling for them. However, if this attack does anything for the future, it proves that this threat is real and the time to act is now.