Defending against the ransomware threat

Ransomware is one of the major cyber threats to organisations and individuals. In this article, Bloor analyst Fran Howarth explains what it takes to stay secure.

By Fran Howarth

Sun 25 Jun 2017 @ 19:01

Ransomware is emerging as one of the fastest growing cyber threats. The US Justice Department estimates that we saw an average of 4,000 ransomware attacks per day in 2016 – up 300 per cent over 2015.

The threat is moving from targeting individuals to hitting organisations. Globally, 40 per cent of organisations were the victim of ransomware in 2016, according to Malwarebytes.

This year has already seen a wave of attacks hitting organisations worldwide. Another rising trend is ransomware attacks against mobile devices, which Kaspersky estimates rose 250 per cent in the first few months of 2017. A survey from Druva estimates that the global cost for organisations will reach $5bn by the end of 2017, up 400 per cent over 2016. The top targeted industries are business and professional services, government, healthcare and retail, and 50 per cent of organisations report multiple attacks.

While the average ransom demanded is just $2,500 and often much lower, the consequences of a ransomware attack can be severe. Among the repercussions are downtime, lost revenue, loss of critical data or business failure. Only four per cent of organisations surveyed by Malwarebytes stated that they were very confident in their ability to stop ransomware.

The importance of planning

Having a ransomware response plan is becoming increasingly important in order to reduce the time taken to recover and thus limit downtime. Preventative planning is essential. Restoring from back-ups is the best protection against ransomware, so making regular, comprehensive back-ups is a must, ensuring also that they are separate from the main computing environment.

However, given that ransomware looks to spread to multiple devices, a defence-in-depth strategy is required. Security information and event management (SIEM) solutions are a popular investment and are showing continued growth in sales.

SIEM solutions collect event data from systems throughout a network, gathering and analysing that information in one central location. They can be used to house ransomware threat lists that identify known variants, and indicators of compromise can be fed into the system as new variants are discovered. When unusual activity is uncovered and determined to be abnormal, it can be terminated automatically.

However, a basic SIEM solution by itself is not sufficient, especially since these systems can be cumbersome to manage: a correlation rule must be written for each new ransomware variant that is discovered so that the system has the required intelligence and context.

Using automation to defeat threats

Vendors of SIEM solutions have been responding to these challenges by building out capabilities on top that allow better automated analysis of events taking place on the network. Such capabilities include user and entity behaviour analytics (UEBA), which monitor and model behaviour and tie events back to particular users, determining as activity occurs whether or not it fits expected patterns so that remediation action can be taken. Such systems deploy machine learning and artificial intelligence capabilities that model and learn what sort of behaviour is expected and considered to be normal.
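To make the contrast between the two detection styles described above concrete (a per-variant indicator rule versus a behavioural baseline), here is an added toy detector run over a constructed file-activity feed. It is illustrative code written for this article, not part of any SIEM or UEBA product; the indicator extensions, users, paths and baseline rates are all constructed placeholders.

```python
from collections import defaultdict, namedtuple

# Constructed placeholder indicators, not real ransomware IoCs.
KNOWN_BAD_EXTENSIONS = {".locked-example", ".crypt-example"}
# ts: seconds since epoch (constructed); action: "read", "write" or "rename"
FileEvent = namedtuple("FileEvent", "ts user action path")

def indicator_hits(events):
    """Signature-style rule: a rename that produces a known-bad extension."""
    return [e for e in events if e.action == "rename"
            and any(e.path.endswith(x) for x in KNOWN_BAD_EXTENSIONS)]

def behavioural_alerts(events, baseline_per_min, window=60, factor=10):
    """UEBA-style rule: flag a user whose write/rename count in any sliding
    window exceeds factor x their learned baseline (modifications per minute).
    Users with no learned baseline fall back to 1.0 per minute."""
    stamps = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in ("write", "rename"):
            stamps[e.user].append(e.ts)
    flagged = set()
    for user, ts_list in stamps.items():
        limit = factor * baseline_per_min.get(user, 1.0)
        start = 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(user)
                break
    return sorted(flagged)

def constructed_events():
    """Constructed sample feed: a normal user, one indicator hit, one burst."""
    ev = [FileEvent(1000 + 20 * i, "alice", "write", f"/share/report{i}.docx")
          for i in range(3)]
    ev.append(FileEvent(1010, "bob", "rename", "/share/q1.xlsx.crypt-example"))
    # 40 renames in 30 s to an extension the indicator list has never seen
    ev += [FileEvent(1100 + i * 30 // 40, "mallory", "rename",
                     f"/share/doc{i}.pdf.enc-unknown") for i in range(40)]
    return ev

def run_demo():
    ev = constructed_events()
    baseline = {"alice": 0.5, "mallory": 0.5}   # learned modifications/minute
    return ([e.path for e in indicator_hits(ev)],
            behavioural_alerts(ev, baseline))
```

The indicator rule only catches the rename to a listed extension, while the behavioural rule flags the burst from "mallory" even though that variant's extension was never added to the list, which is the gap the article says per-variant correlation rules leave.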

As well as users, the activity of all endpoints connected to the network should also be monitored to detect threats and possible intrusions caused by ransomware. Endpoints are responsible for as much as 60 per cent of ransomware infections, so real-time monitoring of their activity is a must. In addition, patching servers is becoming ever more critical since Druva found that 33 per cent of attacks were against servers. A full 70 per cent of attacks impacted multiple devices.

Organisations need a defence-in-depth strategy against ransomware based on automated threat monitoring and detection systems. Simply sitting back and giving in to extortion is not sufficient, especially since there is a growing trend towards criminals refusing to decrypt files even after the ransom has been paid, or even demanding further money.

The impact of ransomware is considerably more far-reaching than a demand for what is, in most cases, a relatively small sum of money, and it is becoming the tool of choice for many criminals. Everyone needs to be vigilant and ensure that they have the right protection in place.

Learn more about staying secure with threat lifecycle management by downloading the white paper 'Evolving uses of the kill chain framework' from Bloor.