It’s actually impressive, the ingenuity that ransomware hackers are showing in their malware deployments. They’ve come up with algorithms to attack the most vulnerable departments of an organization – such as accounting or HR – with emails that appear to be from their superiors. They’ll give you a get out of jail free card, as long as you can infect two other systems. Looking to get an edge on your competitor? They’ll do ransomware as a service! (I feel legally obligated to say how terrible and extremely illegal that idea is).
All of these tactics (and more) have made ransomware an extremely profitable, billion-dollar “industry”. In 2016, Verizon’s Data Breach Investigation Report (DBIR) reported 159 incidents of ransomware. That number increased by over 43%, to 228 incidents, in 2017. In 2014, ransomware ranked 22nd on the list of most common forms of malware. It now holds the number five spot.
Don’t give all the credit to the hackers, though. Ransomware wouldn’t have any of its publicity, awards, or accolades on its own. The majority of its success comes from leeching off of email. This parasitic relationship has allowed ransomware to spread like wildfire. This year, 66% of the malware installations studied in Verizon’s Data Breach Investigation Report came from a malicious email. A study by Malwarebytes also finds that email is the top medium used to spread ransomware.
“Email is the road most traveled to deliver malware to organizations” – 2017 Verizon DBIR
The best way to defend yourself against ransomware, then, is to defend yourself against these malicious emails.
How Does a Ransomware Disaster Happen?
It’s pretty easy to understand how a single instance of ransomware happens – someone opens an email they shouldn’t have and then opens up a bad attachment or clicks on a sketchy link. Once the ransomware is downloaded, you’re pretty much out of luck. There are a few things that can be done, but hackers are starting to add features such as a countdown that will delete all of your files if it hits zero and you haven’t paid – good luck decrypting your system with an hour’s notice.
Large-scale disasters are a little more complex. How does one employee get hit and subsequently bring down an entire department or organization? First of all, it has to do with patching. A lot of the ransomware incidents we hear about could have been avoided if the system’s software were up to date. The second part of the picture is privilege. If the intern down the hall gets hit, you might be able to get out of it by simply reconfiguring the laptop or paying half a bitcoin. However, if a system admin clicks on a bad email while logged onto a central machine, there are many more paths that the malware can take to infect other systems. The consequences will be much more severe.
This is what made the Petya ransomware attacks so destructive. Once a user was successfully phished, two malware packages were deployed – the Petya ransomware and the Loki Bot information stealer, a trojan that looks for passwords on your system. On a privileged system or account, the trojan can steal all kinds of passwords and information, which allows Petya to infiltrate deep into the network. Ransomware is never a good thing, but ransomware hitting privileged users is a worst-case scenario that could be catastrophic for your business.
Protect Yourself with Secure Gateway and Least Privilege
A secure network means a low-risk network. If you want to mitigate the risk of ransomware, you need to reduce and protect the entrances into your network and minimize how pervasive those entrances are.
The DBIR shows that the majority of ransomware attacks start with phishing. That makes blocking malicious emails the most effective preventive measure. At Micro Focus, we offer a product – Secure Gateway – which sits on the perimeter of your email network (compatible with Exchange, Office 365, GroupWise, Vibe, Lync, and Lotus Domino) to scan for malware and spam. It also scans outbound mail, which prevents the spread of malware from one inbox in your system to another.
Secure Gateway scans links and attachments, which are the most common vectors for infection. When it finds suspicious emails, they are sent to quarantine where they can be reviewed. The Secure Gateway 7.0 release added a redesigned web interface, single sign-on, and enhanced customization features, which make monitoring attacks and customizing your defenses very user friendly.
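As an added illustration of the two checks described above (this is example code, not Micro Focus or Secure Gateway code), here is a small Python triage routine that parses a constructed phishing email and reports the reasons a gateway would quarantine it: a disguised script attachment and a link whose visible text does not match where it points. The sender, hostnames and attachment name are made up.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Attachment types that commonly carry ransomware droppers (scripts, macro docs, containers).
RISKY_EXT = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".zip", ".iso", ".lnk"}
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)

def triage_message(raw: bytes) -> list[str]:
    """Return the reasons a mail gateway would quarantine this message (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = ["." + e for e in name.split(".")[1:]]
        if exts and exts[-1] in RISKY_EXT:
            reasons.append(f"risky attachment type: {name}")
        if len(exts) >= 2:  # "invoice.pdf.js" style disguise
            reasons.append(f"double extension: {name}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            shown = DOMAIN_RE.search(text)  # a domain-looking string in the visible link text
            target = urlparse(href).hostname or ""
            if shown and shown.group(0).lower() != target.lower():
                reasons.append(f"link text {shown.group(0)} points to {target}")
    return reasons

# Constructed sample: a spoofed "director" mail with a disguised script and a lookalike link.
SAMPLE_EML = b"""From: "Finance Director" <director@example.com>
To: accounting@example.com
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset=us-ascii

<p>Please review at <a href="http://198.51.100.7/login">portal.example.com</a></p>
--XX
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"

var x=1;
--XX--
"""
```

Calling `triage_message(SAMPLE_EML)` returns three quarantine reasons for the sample; a clean message with a plain PDF and matching link text returns an empty list.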
Once you’ve secured your email system, you can add an additional layer of security by ensuring that the principle of least privilege is being followed. This means using low-privileged logins for your users to perform basic functions such as checking email, and restricting privileged account usage to only when it is necessary. Our Privileged Account Manager adds features such as risk-based monitoring and policies, session recording, password check in/check out, and more, that make it difficult for ransomware to spread throughout your entire network.
There are dozens of additional security layers that could be added, but these two will provide you with a solid defense against ransomware. Micro Focus Secure Gateway stands between the hackers and your company’s inboxes, cutting off the ransomware supply chain, while Privileged Account Manager minimizes the risk of ransomware spreading throughout your network.
Questions? Leave a comment below or visit our website to learn more about Micro Focus solutions.