One of the most sinister threats impacting data security and protection today is ransomware, which works by infiltrating an organization's systems and encrypting sensitive files and data. The data is then held for ransom by hackers who demand payment — typically in Bitcoin or some other digital currency — before they turn over the key required for its decryption.
Over the past year or so, we've seen numerous publicized incidents of hospitals and other healthcare organizations (e.g., Hollywood Presbyterian Hospital, Chino Valley Medical Center, and Desert Valley Hospital) that have suffered such attacks. Law enforcement agencies have also been hit, including the Dickinson County, Tennessee, Sheriff's Office. Some organizations found themselves almost powerless to restore their systems. Eventually, they surrendered, and paid the hacker's ransom to get their data unlocked.
The scary trend in these ransomware incidents is that the perpetrators conducting them have moved beyond focusing on healthcare companies and are now targeting organizations in general, including financial and insurance companies — basically, any firm they think they can get to pay up to get their data unlocked.
Defending Against Ransomware
Ransomware is a particularly nasty attack to defend against because it can take place in several ways. One situation occurs when hackers break into a firm's systems and plant malware which, at a predetermined date “goes off” and targets select data for encrypting. Another involves enticing employees to click on and download malware — often packaged as clever email in the form of legitimate-looking business correspondence — which is then spread to other networks, systems, applications, and databases before finally launching its data encryption routines.
The ransomware called “Locky” has been blamed for numerous infections. It works by encrypting files, documents, and images, and renames them with the extension “.locky.” Locky typically infiltrates an organization by way of a spam email containing an attached document that looks like gibberish and which advises recipients to “enable macros if the data coding appears incorrect.”
Once Locky launches and encrypts the data, it displays a message instructing how the organization should pay to have its files decrypted. Sometimes it also displays a countdown showing exactly how long the organization has to pay up before its files and data are permanently locked.
Such an attack can be quite nerve-wracking because it makes alleviating the problem a race against time or the organization risks possibly losing its data. Security experts repeatedly stress that organizations should never pay a ransom. That said, it's not hard to understand why some do — especially hospitals where loss of data and disrupted systems could lead to serious complications for patients or even loss of life.
Defending against ransomware requires a combination of security monitoring, threat intelligence solutions, and employee training for identifying and dealing with potential malware. Regarding threat intelligence, new products are entering the market that employ machine learning (ML) and behavior analytics to identify and interdict ransomware before it can spread throughout the corporate network.
For example, Exabeam applies ML, file analysis, and behavior analysis to learn the normal file and document behaviors of an organization’s employees. These behavior profiles, combined with log analysis, serve to detect ransomware as it first enters the corporate network and begins to spread.
Exabeam can detect known ransomware via indicators of compromise. Known ransomware processes use certain file extensions and have known patterns or other indicators (i.e., signatures) listed in threat intelligence feeds. The Exabeam Threat Research Team verifies these indicators, which are then used to update the product. In addition, Exabeam's ML and analytics can also detect new, unknown ransomware — even in the absence of existing signatures and static correlation rules.
As shown in Figure 1, Exabeam creates a risk timeline and scores an incident in its degree of severity to assist IT security. In the figure, we see that a file ending in .locky has been detected and is suspected of being associated with ransomware, and that a suspicious command has been executed along with several directory processes.
[Click here for enlarged graphic.]
Figure 1 — Exabeam Ransomware screen.
By analyzing machine logs, Exabeam can detect ransomware operating on endpoints, in the data center, or even in cloud-based storage services. For example, an employee might access corporate files on the cloud-sharing service Box from home, using a personal device, and in the process allow ransomware to begin encrypting the Box files. Other employees accessing the same corporate files then enable the malware to infect their computers and begin moving throughout the corporate network. Exabeam claims its new offering can detect such activity end-to-end, and early enough to prevent disruption.
Be Proactive
Even using automated threat detection and monitoring solutions, you can never really consider any system (or data) entirely secure. Consequently, it is essential to have an incidence response plan prepared before actually suffering a ransomware, data breach, or other attack. Having a plan in place means the response team will not be starting from scratch in the event of an attack. This can help lessen the likelihood of a mistake being made during the crucial, initial phase of the response — especially important in the case of ransomware, because the clock is ticking.
The obvious first step involves securing any compromised systems as quickly as possible. With ransomware attacks, this involves isolating infected systems and shutting down and disconnecting systems not infected. Data backups play a key part of any remediation plan. Due to the increasing ransomware threat, having data backups ready is vital. That said, care should be taken in how such backups are managed in relation to the organization's operational IT infrastructure. This is because some organizations, having suffered ransomware attacks, have turned to their backup data only to discover that it, too, has been encrypted by malware, rendering it useless.
A prepared plan also offers the organization a much better chance of getting out ahead of the incident for PR reasons, making it much less likely to appear to customers, shareholders, and the press that it is stumbling when it comes to mitigating the incident and heading off any possible repercussions.
The bottom line is that organizations must carefully prepare for how they are going to handle an attack where some or all of their sensitive data is encrypted and held hostage by hackers demanding payment.
Finally, I urge you to take our survey, which seeks to gauge the various trends impacting organizations’ data security protection efforts, and the extent to which organization are using data-centric practices and technologies.
I thank you in advance for taking our survey. Your input is much appreciated, and I look forward to providing you with important trends and findings in upcoming Advisors and other Cutter research.