Ransomware helped cyber criminals pad their Bitcoin wallets with $1B in 2016, according to the FBI. The threat has continued unabated in 2017, with major attacks dominating the headlines and driving profits in excess of $5B. Compared to 2015 when “only” $325M was generated, ransomware has quickly metastasized into one of the world’s major cybersecurity threats, forcing security teams to prepare for and manage the problem.
But finding long-lasting, enterprise-grade solutions can be difficult. Recent security reports indicate that some of the most devastating and profitable ransomware attacks have been perpetrated by organized crime syndicates and nation-state actors—adding another layer of complexity and danger.
First off, ransomware is older than you think. In 1989, a Harvard biologist mailed 20,000 infected diskettes to attendees of the World Health Organization’s AIDS conference. Carrying a payload later called the “AIDS Trojan” or “PC Cyborg”, these diskettes encrypted the host computer’s file names. To regain access, victims were instructed to physically mail $189 to a post office box in Panama. Sounds familiar, right?
Second, compared to gaining network access and finding valuable information, ransomware is much faster, easier and less risky. As opposed to traditional cybercrime, ransomware doesn’t require monitoring or the exfiltration of data; the process is much more automated and streamlined. Plus, ransomware criminals don’t have to communicate or do business with other criminals, as was necessary for the sale of credit card data, for example.
Third, ransomware is incredibly scalable; millions of phishing emails can be sent with a single click and web traffic can be easily redirected to malicious URLs. Combined with modern encryption—which is incredibly effective—and a relatively cheap payment demand, it’s no wonder that even the authorities have recommended simply paying the ransom. However, the “just pay” attitude has served to incentivize criminals further.
The emergence of Bitcoin helped fuel the expansion of ransomware attacks worldwide. Cybercriminals demand payments in Bitcoin, a cryptocurrency that is largely untraceable. On the relationship between Bitcoin and ransomware, David Emm, principal security researcher at Kaspersky Lab, says: “Bitcoin’s helping… The existence of effectively anonymized payment mechanisms definitely plays into the hands of cybercriminals.”
Gone are the days when cybercriminals relied on PayPal or Western Union, which now have considerable antifraud measures. With Bitcoin, money can be collected automatically and better yet, it is not tied to a bank account. Furthermore, Bitcoin mixing services can split the destination of payments by routing the transaction through multiple wallets, thus mixing a payment with other Bitcoin, and making it almost impossible for law enforcement to track.
In 2015, John Bonavolonta, the Assistant Special Agent in Charge of the FBI’s Cyber and Counterintelligence Program, said, “To be honest, the ransomware is that good, we often just advise people to just pay the ransom.”
“If your system is wiped and you didn’t pay, then there’s no way to recover it and you basically shut down your entire business, so the FBI will say it’s easier to pay than to try to fight to get it back,” says Hemanshu Nigam, a former prosecutor of online crime and former chief security officer for News Corp.
In most instances, the value of the data being held is worth much more than what the cybercriminals are demanding. That’s why, today, some businesses view ransomware infection as a serious enterprise risk and have set aside Bitcoin reserves to pay with. Unfortunately, these kinds of policies will do more to encourage ransomware than to discourage it.
Some security experts argue that criminals are not the only ones to blame, since they are merely exploiting existing (and often well documented) vulnerabilities. One of the reasons why ransomware has gained so much popularity is the lack of patch management programs at organizations. For example, the WannaCry outbreak in May 2017 could have been prevented if Windows users had installed a security patch released by Microsoft two months earlier.
Patch management is just one of the ways in which companies can prevent ransomware infection. Security experts recommend companies should not only back up data to local and offsite storage but also establish security awareness campaigns to train employees not to click on unknown links and attachments. Some experts also recommend restricting administrative privileges and segmenting the company’s network to minimize the risk of the infection spreading through the network.
Following the recommendations above can reduce the risk of a ransomware attack but in today’s reality, organizations must also have an established plan or playbook of what to do when ransomware strikes.
D3 Security has worked closely with enterprise Security Operations Center (SOC) leaders to develop incident response solutions tailored to the ransomware threat. The main components are described below.
D3’s playbook library includes pre-configured ransomware playbooks. These detailed playbooks provide ransomware-specific response and recovery steps and can be enriched with threat intelligence and custom rules.
Dynamic decision tree sections and automation scripts help organizations speed their response to ransomware by enriching incidents with threat intelligence and IP/file/URL reputation. Fast response can shut down users’ access to malicious files and URLs before ransomware infection hits the organization. Even when infection has occurred, automation scripts help the security and IT team quickly contain and recover from the damage.
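A minimal version of the decision-tree step described above, written for this page as an illustration and not D3’s own code: it enriches an incident’s indicators against a constructed reputation table, then maps the result to pre-infection actions (block the malicious file, URL or IP) or post-infection actions (isolate, disable, restore from offline backup). All host names, account names, scores and indicator values are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed reputation table standing in for a threat-intelligence lookup.
# Scores run 0 (benign) to 100 (known malicious); all entries are hypothetical.
REPUTATION = {
    "url:http://invoice-update.example/pay.exe": 95,
    "sha256:" + "a1" * 32: 90,
    "ip:203.0.113.10": 80,        # documentation-range address, constructed
    "sha256:" + "00" * 32: 5,
}

@dataclass
class Incident:
    host: str
    user: str
    indicators: list             # "type:value" strings taken from the alert
    encrypted_files_seen: bool   # endpoint reported mass file renames/encryption
    actions: list = field(default_factory=list)
    verdict: str = "unknown"

def enrich(incident):
    """Return {indicator: reputation score}; indicators not in the feed score -1."""
    return {ioc: REPUTATION.get(ioc, -1) for ioc in incident.indicators}

def decide(incident, scores, block_at=70):
    """Decision-tree step: turn enrichment results into containment actions."""
    malicious = [ioc for ioc, score in scores.items() if score >= block_at]
    if not malicious and not incident.encrypted_files_seen:
        # Nothing confirmed bad and no encryption activity: keep watching.
        incident.verdict = "monitor"
        incident.actions.append("re-run enrichment in 1h; no user impact")
        return incident
    # Pre-infection branch: cut off access to the malicious objects only.
    for ioc in malicious:
        kind, _, value = ioc.partition(":")
        incident.actions.append(f"block {kind} {value} at proxy/EDR")
    incident.verdict = "blocked"
    # Post-infection branch: the host is already encrypting, so contain it
    # and start recovery from the last clean offline backup.
    if incident.encrypted_files_seen:
        incident.verdict = "contained"
        incident.actions += [
            f"isolate host {incident.host} from the network",
            f"disable account {incident.user}",
            f"restore {incident.host} from last clean offline backup",
            "preserve memory and disk image for forensics",
        ]
    return incident

def run_playbook(incident):
    """Enrich, then decide: the two automated steps of the playbook."""
    return decide(incident, enrich(incident))
```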
When ransomware hits, it is imperative for network security, InfoSec and forensic groups to collaborate. In the past, each function had its own tool, forcing analysts to manually correlate and share data. D3’s built-in case management and forensics tracking features provide a centralized “nerve center” with integrated analysis, data processing, evidence tracking and task management toolsets, all within a single robust platform. When analysts can rely on real-time collaboration and a centralized incident management workflow, triage, validation and response are greatly streamlined. Plus, metrics and benchmarks can feed back into the incident preparation and SIEM tuning programs, continually enhancing the anti-malware and anti-ransomware programs.
To learn more about how D3 Security can speed incident response time and mitigate a ransomware infection, click on the button below to schedule a personalized demo.