Ransomware rampage takes aim at business targets

August 10th, 2016

By Byron Acohido

Consumers are no longer the prime target of ransomware campaigns. After years of petty thievery on a global scale – locking up the computer screens of millions of consumers with scams to sell bogus $79 antivirus clean-up services – the criminals behind these campaigns have turned their attention to much bigger fish.

The opening quarter of this year saw a 7 percent rise in registration of websites set up exclusively to host ransomware campaigns, according to the Infoblox DNS Threat Index.

That surge is a clear indicator of a shift to “industrial-scale, big-money attacks on all sizes and manner of organizations, including major enterprises,” says Rod Rasmussen, Vice President of Cybersecurity at Infoblox.

A new report issued last month by Solutionary shows that the healthcare industry accounted for 88 percent of ransomware detections in Q2 of this year. Education (6 percent) and financial institutions (4 percent) were also targeted.

“Healthcare organizations use an abundance of systems and devices that are crucial pivot-points for an attacker,” notes Rob Kraus, director of Solutionary’s Security Engineering Research Team.

Hospitals in the United States and Europe have been locked out of their data and forced to pay tens of thousands of dollars to recover their data. This wave of successful cyber extortion has encouraged malicious hackers to begin targeting other organizations that supply critical services.

Compelling efficacy

Liviu Arsene, Senior E-Threat Analyst at Bitdefender, says it’s clear the bad guys recognize how lucrative ransomware attacks against businesses can be. He expects these cyber extortionists to continue taking full advantage of organizations that make themselves easy targets.

“Cybercriminals could even try extorting the same victim more than once,” Arsene says. “Probably the most likely targets will be small and medium-sized businesses that work with large organizations, as they’re less likely to invest a great deal in cybersecurity.”

From the criminal perspective, the efficacy of ransomware attacks against businesses is compelling. Instead of stealing data and having to find a buyer for it in the cyber underground, the attacker focuses on locating and encrypting caches of sensitive data, or blocking access to a web server or other key systems. The payday comes from restoring access – for a price. The beauty is that a highly motivated purchaser stands at the ready: the original owner.

Indeed, ransomware attacks are so profitable that they are inspiring the best and brightest malicious hackers to new heights of innovation.

For instance, Bitdefender recently detected and has begun blocking ransomware crafted to encrypt the NTFS Master File Table (MFT), the on-disk index that the Microsoft Windows operating system relies on to locate every file. Encrypting it severs access to the operating system and consequently to everything stored on the disk, instead of just restricting access to particular files.

“Not being able to access any information might scare people into paying, as they could lose much more than just work documents, but personal information as well,” observes Arsene.

Ransomware distribution techniques include emailing malicious attachments and deploying automated attacks designed to seek out and infect weakly defended web servers.

Infecting an individual user can bring a double payday, Arsene says. The attacker can extort the individual user, and also use his or her infected computer to gain administrative access to the victim’s company network. From there, ransomware can be spread across corporate systems.

Implanting ransomware on a web server also has multiple payoffs, Arsene adds. The attacker can use the compromised server to launch drive-by downloads and malvertisements that spread ransomware to visitors. Or he can directly encrypt anything of value within reach: web pages, documents, images, scripts, etc. In such attacks, a message follows announcing the infection and giving instructions on how to purchase a decryption key to restore normal functionality.

Techniques such as automatically rotating command functions from one server to the next help attackers stay one step ahead of search engine and antivirus crawlers on the hunt for malicious traffic, Arsene says.

Seven best practices

Due to its high potential to massively disrupt core business operations, ransomware clearly should be considered a major security concern by information security professionals.

With ransomware attacks against businesses on a rising curve, CIOs, CSOs, and IT department heads need to fully familiarize themselves with the dynamic risks associated with this type of infection, and prepare their organizations accordingly.

Here are seven best practice approaches companies can, and should, take to reduce exposure to a crippling ransomware attack:

• Endpoint security software is a must for any organization, regardless of size or activity. Anti-malware suites today are designed to thwart a wide array of attacks; the better ones can also prevent users from browsing on malware-disseminating websites or executing suspicious files. Do your homework and make sure you’re using a robust endpoint security solution that truly fits your organization’s needs.

• Educating employees is another top priority. Ransomware infections usually involve a form of social engineering. Bitdefender’s Arsene notes that employees working in accounting, on M&A transactions or at reception desks are usually more prone to open malicious attachments, as they’re constantly working with remote employees, clients, partners and third-party suppliers.

• Maintaining a consistent regimen for implementing software patches and updates can be an operational pain. Patches are notorious for breaking other applications. But they are vital, nonetheless. There is a vibrant community of white hat and black hat hackers continually discovering fresh vulnerabilities in the software that enables digital commerce. Cyber criminals pay close attention. So should you. Mission-critical systems and applications should be updated with the latest security patches in an orderly, timely manner.

• Consider adding email and web browsing security technologies as an extra layer. This is added protection against spear-phishing and drive-by downloads. A robust email filtering solution can reduce the likelihood of an infected attachment or malicious URL compromising your organization’s network. And web browser security systems can lower the risk of an employee clicking through to a webpage spring-loaded to infect his or her computer.

• Take stock of user privileges and who has access to mapped drives, and set authentication and access policies accordingly. This will make it tougher for an attacker to infect an employee’s PC and then use that as a beachhead to spread malware across the network. The latest ransomware variants, for instance, can encrypt data stored on any mapped drive within the network.

• Address disaster recovery and put robust backup solutions in place. This could mean the difference between keeping your business alive or shutting it down in case of a ransomware infection or a major network breach.

• Take the time to develop and formally adopt a Cyber Incident Response Plan. A comprehensive CIRP should cover everything, from detecting the threat, containing it, and removing it, to patching the culpable vulnerability. Your plan should also call for fully analyzing the incident so as to prevent it from happening again.
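One concrete way to start on the mapped-drive audit recommended above, as an added example that is not part of the original article or of any vendor quoted in it: run on a Windows file server, it lists every non-administrative SMB share whose share-level permissions let a broad group (Everyone, Authenticated Users, Domain Users) modify data, which is exactly the write access a ransomware process running as a single compromised user would exploit. The list of "broad" principals is an assumption and should be adjusted to the organization's own groups.

```powershell
# Added example (not from the article): flag SMB shares on this server that broad
# groups can write to. Ransomware runs with the privileges of the infected user, so
# any mapped drive that user can modify is at risk; narrowing these ACLs limits blast radius.
# Assumption: these principals count as "broad" for this organization. Adjust as needed.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    "$env:USERDOMAIN\Domain Users"
)

# Skip special shares such as C$, ADMIN$ and IPC$; audit only shares users map to.
$shares = Get-SmbShare | Where-Object { -not $_.Special }

$findings = foreach ($share in $shares) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # Only Allow entries granting Change or Full let a user overwrite (encrypt) files.
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -in @('Full', 'Change') -and
            $broadPrincipals -contains $ace.AccountName) {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $ace.AccountName
                Right   = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    Write-Warning ("{0} share permission(s) grant broad write access" -f @($findings).Count)
    $findings | Format-Table -AutoSize
    # Keep a record for the incident response plan and for tracking remediation.
    $findings | Export-Csv -Path "$env:TEMP\smb-broad-write-audit.csv" -NoTypeInformation
} else {
    Write-Output 'No shares grant Change or Full access to broad principals.'
}
```

Share-level permissions are only one gate; the NTFS ACLs on each share path should be reviewed the same way, since the effective access is the more restrictive of the two.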