We asked Nicolai Solling, CTO at Help AG, what enterprises can do about the expected increase in ransomware and cyber-extortion tools. Here is his response:
Cyber-extortion involves attackers demanding payments rather than just stealing money via the cyber realm. This therefore requires them to have some leverage, which could be sensitive data or disruption of services. The most common types of cyber-extortion attack are therefore ransomware and Distributed Denial of Service (DDoS), as well as taking payment for not disclosing data obtained through hacking.
We have had our share of ransomware and DDoS extortion schemes here in the region, though disclosure of these is less frequent or under the radar of the general press. I'll focus on ransomware, a threat that by all accounts is set to grow in scale through 2018.
What organisations need to understand is that, with the type of encryption that modern ransomware now uses, it may be very difficult to recover data without the encryption key. It is actually this key you pay for when you pay the ransom. You should also know that there is no guarantee that once you've made the payment (usually a Bitcoin transaction) the attacker will actually provide you with the encryption key; they may not even have it!
In fact, less than 51% of the organisations paying the ransom actually get their data back. Organisations were much more successful in recovering data from a back-up, so I advise clients that protection begins with good data management practices. I think a basic precaution against ransomware and a good practice in general is to maintain a back-up of sensitive data.
This back-up could be within the data centre, at a disaster recovery site or even on a cloud platform if you cannot provide the correct infrastructure yourself. There are plenty of solutions that manage and automate this, and a good back-up and recovery solution should be a part of any large business's IT strategy.
Then there is the categorisation and management of data, which helps ensure sensitive information does not get into the wrong hands. Even without ransomware, data that is exfiltrated from the organisation can be used for cyber-extortion. At Help AG, our Cyber Security Consultancy division assists organisations in establishing frameworks that govern information throughout its creation, storage, use, sharing, archiving and destruction, and ensure protection of the confidentiality, integrity and availability of those data assets through their lifecycle.
Again, encryption keys come into play, but this time it is around how you manage them, and not the attackers. Hand on heart, I believe that too many organisations do not have a proper strategy regarding how they encrypt data at rest or in motion and how they obtain the correct lifecycle around encryption key management.
Employee awareness and vigilance are also key to combating cyber-extortion. Your workforce needs to be mindful of the kinds of emails and attachments they open, and of downloads from questionable sources. With ransomware having successfully added mobile devices to the list of targets, users should also be mindful of the apps they download and take precautions such as avoiding third-party app stores.
I still believe in the old saying that 'it all starts with an e-mail', and a lot of malware does start there. So please try to ensure that your technical controls are efficient and that your users are alert and educated.
Of course, cybersecurity is still an IT function and a large responsibility lies with the IT team. Ransomware is being propagated in new and often highly innovative ways. Both Petya and WannaCry leveraged exploits which were already fixable but patches were not applied, which caused the malware to spread. So in addition to best practices such as regularly issuing and applying patches, and limiting user privileges, IT teams need to track and implement the technical advisories put out by vendors once vulnerabilities and new attacks have been discovered.
Finally, when all else fails, services such as Managed Security Services, which deliver 24×7 security monitoring, enable organisations to identify an attack at its earliest stages and prevent it from spreading. It is important to understand that your applications, networks and firewalls are talking to you in the form of logs and events, but if you are not listening or looking, the business impact may be big. And if looking at these events is not your core business, maybe you should allow someone whose core business it is to do it for you?
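The closing point about logs can be made concrete. What follows is an added example, not part of Mr Solling's response and not Help AG tooling: a small Python detector run over constructed file-server audit lines (the log format, host names, user names and paths are all hypothetical) that flags the classic early ransomware signature, one account renaming many files within a short window to an extension the share has never seen before. A rename to an already-familiar extension is ignored, so ordinary housekeeping (for example `.tmp` to `.docx`) does not trigger it.

```python
"""Ransomware encryption-burst heuristic over file-server audit logs.

Added example. The log line format below is hypothetical, not a real
product's format:

  <ISO timestamp> host=<name> user=<account> action=<READ|WRITE|RENAME> path=<old> [new=<new>]
"""
from collections import defaultdict
from datetime import datetime, timedelta
import os
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def find_encryption_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return [(host, user, new_ext, count)] for accounts that renamed at least
    `threshold` files to a previously unseen extension inside `window`."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])

    # Extensions already present on the share form the baseline; a burst of
    # renames to something outside that set is what ransomware looks like.
    known_ext = {os.path.splitext(e["path"])[1].lower() for e in events}

    renames = defaultdict(list)  # (host, user, new_ext) -> sorted timestamps
    for e in events:
        if e["action"] != "RENAME" or not e["new"]:
            continue
        new_ext = os.path.splitext(e["new"])[1].lower()
        if new_ext in known_ext:
            continue  # renaming to a familiar extension is normal housekeeping
        renames[(e["host"], e["user"], new_ext)].append(e["ts"])

    alerts = []
    for key, stamps in renames.items():
        # Sliding window: largest number of renames that fit inside `window`.
        start, best = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((*key, best))
    return alerts


def constructed_sample():
    """Constructed audit lines: benign activity, one benign rename, then one
    account renaming 25 documents to a never-before-seen `.locked` extension."""
    base = datetime(2018, 1, 15, 9, 30, 0)
    lines = [
        f"{base.isoformat()} host=fileserver01 user=alice action=READ path=/share/finance/q4.xlsx",
        f"{(base + timedelta(seconds=5)).isoformat()} host=fileserver01 user=bob action=WRITE path=/share/hr/policy.docx",
        f"{(base + timedelta(seconds=8)).isoformat()} host=fileserver01 user=bob action=RENAME path=/share/hr/draft.tmp new=/share/hr/draft.docx",
    ]
    for i in range(25):
        ts = base + timedelta(seconds=10 + i)
        lines.append(
            f"{ts.isoformat()} host=fileserver01 user=carol action=RENAME "
            f"path=/share/finance/report{i}.docx new=/share/finance/report{i}.docx.locked"
        )
    return lines


if __name__ == "__main__":
    for host, user, ext, count in find_encryption_bursts(constructed_sample()):
        print(f"ALERT: {user}@{host} renamed {count} files to '{ext}' within 60s")
```

In production the baseline of known extensions would come from a longer history than the batch being inspected, and the alert would feed an automated response such as disabling the account or isolating the host, which is exactly the "identify at the earliest stages and prevent it from spreading" outcome the paragraph describes.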