Ransomware attacks are not new. In fact, ISACA has been sounding the alarm on the increasing spate of ransomware for quite a while. Unfortunately, it takes a massive-scale cyber attack like the recent WannaCry incident for such cyber crimes to gain national and international notoriety. In fact, another recent ransomware attack that caught the public’s attention in the U.S. came when San Francisco’s transportation department was hit last November, impacting the city’s light rail transit system.
There is a reason why ransomware attacks are becoming popular: For the bad guys, it simplifies the crime and the process of monetization.
Think about it. Earlier, even a simple computer crime involved two steps to get to monetization. First, the criminals have to break in and steal personal information like credit card details, and then secondly, sell it on the dark web, often to organized crime groups, in order to get paid. The buyers in turn use the credit card or other information to commit fraudulent transactions.
With ransomware, crime has become an easy, one-step monetization process. Attackers break in to a computer system, install ransomware and get the payment directly from the person or organization impacted. It’s a one-to-one interaction, and payment is easily received. While accepting ransomware payment in bitcoins may seem a bit more challenging than accepting a credit card payment, anonymity is crucial to cybercriminals, making it well worth the modest additional effort.
But even with increased awareness on cyber attacks and the heightened need for cyber security, the question remains: why are organizations still so vulnerable? And what can they do about it?
• Whitelisting: Sometimes a ransomware attack can start off with a phishing episode where someone within an organization downloads and runs a malicious executable. Once that happens, the company’s end-point security products (typically an antivirus software solution) is often not enough to detect the attack. That’s why organizations like ISACA, US-CERT and the National Association of Corporate Directors (NACD) also recommend implementing whitelisting or application control – a process by which an organization runs only “known good applications.”
In the past, whitelisting has been hard to manage and maintain. For example, when a company implements the whitelisting approach, every person and device in the company will run only known good code. But the problems arose in keeping the lists up to date, such as when an executive had to run an application like WebEx or GotoMeeting. When the application ran and automatically installed a new version of the solution, the executive would be prevented from launching it, until it was entered into the whitelist. The lack of productivity with old versions of whitelisting solutions spelled doom for that approach.
However, in the last year or so, the next generation of whitelisting solutions have hit the market, and they are far superior to the old ones. Newer solutions can trust entire families of software and pull the latest whitelists, making the process of managing “known good software” more intuitive and convenient for IT departments. So, it’s critical for organizations that earlier discarded the whitelisting approach to revisit that consideration again, especially in the face of increasing ransomware attacks.
• Patching: Keeping systems patched and up to date is important, but it is not a panacea since spear phishing attacks can still trick victims into installing ransomware.
• Backups: Maintaining a good backup helps organizations navigate the waters of a ransomware attack far more deftly. For example, when San Francisco’s transportation system was hit last fall, the city refused to pay hackers the $70,000 ransom that was being demanded. Instead, it took a few days to painstakingly restore backups and during that time, the city let the residents ride in the transit system for free.
Interestingly, we are also seeing the emergence of quirky trends among ransomware criminals. These hackers are increasingly adopting best practices to close ransom transactions quickly, as the ransom demands are often not too high compared to the time and effort it would take to restore the backup.
So, to motivate the victim to pay the ransom, ransomware attackers are:
- Offering discounts if the ransom is paid within a set number of days
- Adopting a “try before you buy” approach, where the affected party can ask for a specific file to verify the veracity of the hacker’s claims
- Offering technical “chat” support after the ransom has been paid to assist the victim in recovering files
But despite these best practice claims by cybercriminals, organizations that have become victim to ransomware attacks need to make sure a thorough cleanup process is executed as part of the incident response – perhaps even scrubbing and restoring the entire system and network – to make sure the attackers are no longer there.
Rob Clyde, CISM, Board Director, ISACA, Executive Chair of the Board of Directors at White Cloud Security
[ISACA Now Blog]