By Travis Smith
Ransomware is becoming one of the most profitable areas of cyber crime.
In the past, cyber criminals would steal data, and then re-sell it. With ransomware, they block access to an individual or organization’s data by encrypting it, then selling the data’s owner a decryption key to regain access.
And with the rise of hard-to-trace currency, such as bitcoin, there is less chance of getting caught. Organizations will pay for fear that they’ll lose their data forever, and attackers can make thousands of dollars immediately instead of going through multiple, risky steps. The bad guys can use the same techniques and cyber tools against multiple victims.
What do organizations need to know about ransomware to protect against it?
How it happens
In many cases, a phishing email entices a victim to open a malicious document. Attackers are now also targeting websites with remote command injection, exploiting vulnerabilities in the hosting code, server, applications, plug-ins or extensions. The attacker tries to gain access to the operating system and run commands on the server that download and execute malicious code.
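The command-injection path described above usually comes down to one coding defect: untrusted input is pasted into a string that a shell then parses. The following is an added illustration, not code from the original essay or from Tripwire; it assumes a hypothetical web feature that pings a user-supplied host, and shows the vulnerable pattern beside a hardened form that validates the input and hands an argument list to the program without any shell in between.

```python
import re
import shlex
import subprocess

# Assumed input policy for this example: a plain hostname made of letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def vulnerable_command(user_host):
    """The defect: untrusted input concatenated into a shell command string.
    If this string is handed to subprocess.run(..., shell=True), every shell
    metacharacter in user_host becomes part of the command the server runs."""
    return "ping -c 1 " + user_host


def is_plain_hostname(user_host):
    """True only when the value matches the hostname policy above."""
    return HOSTNAME_RE.fullmatch(user_host) is not None


def validate_hostname(user_host):
    """Reject anything that is not a plain hostname before it reaches a command."""
    if not is_plain_hostname(user_host):
        raise ValueError("rejected: not a plain hostname")
    return user_host


def safe_argv(user_host):
    """Hardened form: validate, then build an argv list. With shell=False
    (the subprocess default) no shell ever parses the user value."""
    return ["ping", "-c", "1", validate_hostname(user_host)]


def quoted_command(user_host):
    """Fallback for code that cannot avoid a shell: validate and shell-quote.
    shlex.quote leaves already-safe values unchanged and quotes anything else."""
    return "ping -c 1 " + shlex.quote(validate_hostname(user_host))


def run_safe(user_host, timeout=5):
    """Execute the hardened command (requires a ping binary on the host)."""
    return subprocess.run(safe_argv(user_host), capture_output=True, timeout=timeout)
```

The validation step does the real work: once the value is constrained to a hostname, neither the argv form nor the quoted form can be turned into a second command, and the argv form removes the shell from the picture entirely.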
Once a machine or system is infected, the ransomware will try to encrypt anything it deems important, such as web pages, images and scripts. Once encryption is complete, a message will be displayed stating that the website has been locked by ransomware, along with instructions for the web administrator on how to buy the decryption key and return the site to normal operation.
Finding the security holes
Not all security vulnerabilities can be patched, particularly web applications that have been created in-house. Companies must conduct security tests of public-facing websites, including vulnerability scanning and penetration testing to spot and prioritize weak spots.
For custom applications, a scanner built around an intercepting (non-transparent) proxy, which lets the tester interact with the application directly, is ideal. It can interact with the site and manipulate fields, cookies and other session data to look for common web application vulnerabilities.
Penetration testing shows whether a vulnerability is actually exploitable and what the impact would be. For example, an attacker might be able to access personally identifiable information of customers or employees. Automated scanning can complete a lot of the initial legwork, but an in-depth penetration test requires security experts.
Setting up a shield
Ransomware will search the entire file system and, potentially, network locations. The best protection is to have layers of security in place to stop ransomware and to train employees in best security practices. For example, employees should be told not to click on links or open attachments that are unsolicited.
Organizations also should have strict change control, file integrity monitoring and timely backups of critical systems.
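File integrity monitoring is useful against ransomware because an encryption sweep rewrites or renames a large share of a site's files in one pass, which a hash baseline makes obvious. The example below is added here and is not code from the original essay or from Tripwire's products; it builds a SHA-256 baseline of a directory tree, diffs a later snapshot against it, and raises a mass-change alert when the fraction of baseline files altered or removed crosses a threshold (the 50% threshold and the sample site tree are constructed assumptions).

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Classify each path as changed (hash differs), deleted or added."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    deleted = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "deleted": deleted, "added": added}


def mass_change_alert(baseline, diff, threshold=0.5):
    """Alert when the share of baseline files that were altered or removed
    reaches the threshold; normal content edits touch a few files, an
    encryption sweep touches most of them."""
    if not baseline:
        return False
    touched = len(diff["changed"]) + len(diff["deleted"])
    return touched / len(baseline) >= threshold


def demo():
    """Constructed scenario: a four-file site, then three files overwritten and
    renamed plus one new note file, which is what a sweep leaves behind."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "img").mkdir()
        files = {
            "index.html": b"<html>home</html>",
            "app.js": b"console.log(1)",
            "img/logo.png": b"fake png bytes",
            "readme.txt": b"notes",
        }
        for name, data in files.items():
            (root / name).write_bytes(data)
        baseline = build_baseline(root)

        # Constructed post-incident state: contents replaced, files renamed, note dropped
        for name in ("index.html", "app.js", "img/logo.png"):
            p = root / name
            p.write_bytes(b"opaque replacement bytes")
            p.rename(p.with_name(p.name + ".locked"))
        (root / "HOW_TO_DECRYPT.txt").write_bytes(b"note text")

        diff = compare(baseline, build_baseline(root))
        return diff, mass_change_alert(baseline, diff)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is refreshed only through the change-control process mentioned above, so any diff outside an approved change window is itself a finding, and the mass-change alert is the trigger to isolate the host and start restoring from backup.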
Stopping ransomware before it’s embedded is the most cost-effective way to eliminate the threat, but companies can’t count on keeping everything out.
If ransomware manages to bypass every security control in place and encrypts critical data, the affected system will need to be wiped and the data restored from a clean backup or rebuilt from scratch. Gathering and rebuilding data can be costly for a variety of reasons, such as consuming employees' time and cutting off clients' access to their files.
Website administrators should follow the 3-2-1 rule of backups: keep three copies of the data; keep the data in two different formats; and keep one copy of the data off site and off the local network.
By keeping data in different locations, the chances of ransomware encrypting all the locations are significantly reduced.
Travis Smith is senior security research engineer at network security vendor Tripwire. His guest essay originally appeared on ThirdCertainty.com.