What can we do about the expected increase in ransomware and cyber-extortion tools?
By Nicolai Solling, CTO at Help AG.
Cyber-extortion involves attackers demanding payment rather than simply stealing money through the cyber realm. It therefore requires them to hold some leverage, which could be sensitive data or the disruption of services. The most common types of cyber-extortion attack are consequently ransomware and Distributed Denial of Service (DDoS), as well as taking payment in return for not disclosing data obtained through hacking.
We have had our share of ransomware and DDoS extortion schemes here in the region, though the disclosure of these is less frequent or stays under the radar of the general press. That said, there are some notable companies which have engaged in paying attackers for not disclosing data.
The most discussed in the news is Uber, which paid US$100,000 under its bug bounty program to a group which managed to exfiltrate driver data. As part of the payment, an agreement was made not to disclose any data from the leak.
Ransomware is a threat that by all accounts is set to grow in scale through 2018.
What organisations need to understand is that, with the type of encryption modern ransomware now uses, it may be very difficult to recover data without the encryption key. It is this key you pay for when you pay the ransom. You should also know that there is no guarantee that, once you have made the payment (usually a Bitcoin transaction), the attacker will actually provide you with the encryption key; they may not even have it. In fact, less than 51% of the organisations paying the ransom actually get their data back.
Organisations were much more successful in recovering data from a backup, so I advise clients that protection begins with good data management practices. I think a basic precaution against ransomware, and a good practice in general, is to maintain a backup of sensitive data. This backup could be within the data centre, at a disaster recovery site or even on a cloud platform if you cannot provide the correct infrastructure yourself. There are plenty of solutions that manage and automate this, and a good backup and recovery solution should be part of any large business's IT strategy.
Then there is the categorisation and management of data, which helps ensure sensitive information does not get into the wrong hands. Even without ransomware, data that is exfiltrated from the organisation can be used for cyber-extortion. At Help AG, our Cyber Security Consultancy division assists organisations in establishing frameworks that govern information throughout its creation, storage, use, sharing, archival and destruction, and that ensure protection of the confidentiality, integrity and availability of those data assets throughout their life cycle. Again, encryption keys come into play, but this time the question is how you manage them, not how the attackers do.
I believe that too many organisations do not have a proper strategy regarding how they encrypt data at rest or in motion and how they obtain the correct life cycle around encryption key management.
Employee awareness and vigilance are also key to combating cyber-extortion. Your workforce needs to be mindful of the kinds of emails and attachments they open and of downloads from questionable sources. With ransomware having successfully added mobile devices to its list of targets, users should also be mindful of the apps they download and take precautions such as avoiding third-party app stores.
I still believe in the old saying that "it all starts with an e-mail", and a lot of malware does start there. So please try to ensure that your technical controls are effective and that your users are alert and educated.
Of course, cyber security is still an IT function and a large responsibility lies with the IT team. Ransomware is being propagated in new and often highly innovative ways. Both Petya and WannaCry leveraged exploits for which fixes already existed but patches had not been applied, which allowed the malware to spread. So in addition to best practices such as regularly issuing and applying patches and limiting user privileges, IT teams need to track and implement the technical advisories put out by vendors once vulnerabilities and new attacks have been discovered.
Finally, when all else fails, services such as Managed Security Services, which deliver 24x7 security monitoring, enable organisations to identify an attack at its earliest stages and prevent it from spreading.
It is important to understand that your applications, networks and firewalls are talking to you in the form of logs and events. If you are not listening or looking, the business impact may be big; and if looking at these events is not your core business, perhaps you should let someone whose core business it is do it for you.