Ransomware Is Now an Enterprise Threat: How OPSWAT Can Help


What Is Ransomware?

In the unlikely event that you've never heard of the most rapidly growing threat in cyber security today, ransomware is a type of malware that is covertly installed on a system, locks or encrypts the data within, and demands a ransom for releasing or decrypting it.

Ransomware flourished in 2016, in part because of poorly defined security policies (including a lack of regular backups) by consumers and SMEs, and in part because of ingenious social engineering tactics employed by cyber criminals.

As this video from Cisco shows, the image of the hacker in a hoodie is long outdated — the advent of "ransomware as a service" has enabled people with limited, or even zero, programming skills to use neatly packaged ransomware kits for dropping malware payloads and extorting money from unwary businesses. Ransomware kits can be purchased for as little as $100 on the dark web.

Enterprises Need to Be Very Worried About Ransomware

The lucrative nature of the ransomware model makes it alluring for cyber criminals. With the growing profitability of ransomware as a service, ransomware is no longer a concern for just small and medium businesses and consumers.

Unfortunately, the general perception among enterprises is still that ransomware is a consumer or SMB issue and not really a cause for concern. This is a dangerous assumption for several reasons:

  1. The fact is, enterprises are indeed affected by ransomware — in 2016, 40% of enterprises surveyed were hit by it, according to Malwarebytes research (via ZDNet).
  2. Even if your organization's security model is mature and you have well-defined disaster recovery models, you need to factor in the cost of incomplete backups, limited recovery mechanisms for mission-critical data, and the amount of time a complete recovery takes.
  3. Ransomware is evolving rapidly — new variants are using a fileless approach, making it harder for file scans to detect them. Even more disconcerting is the level of rising sophistication in ransomware variants — a recent variant called Locky employs extremely strong RSA and AES encryption, encrypts files not just on the infected system but also unmapped network drives connected to the point of infection, and deletes volume shadow snapshots. In other words, it anticipates remedial actions and is specifically designed to prevent you from restoring your files by deleting shadow copies.
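The shadow-copy deletion described in point 3 is one of the few ransomware behaviours that leaves an unambiguous trace in process-creation telemetry, so it is a cheap, high-signal detection to run alongside file scanning. The following is an added example, not code from the original post or from OPSWAT: a small Python detector run over constructed process-creation log lines in an invented key=value format. The host names, user names, field names and the `vssadmin`/`wmic` command shapes it matches are assumptions about what such telemetry looks like; the Office-parent heuristic simply raises severity when the deletion was spawned from a Word, Excel, PowerPoint or Outlook process.

```python
import re

# Process-creation events in a constructed key=value format (not from any real
# product). Values that contain spaces are double-quoted.
SAMPLE_LOG = r"""
2017-01-10T09:13:41Z host=FIN-WS07 user=CORP\jdoe parent=OUTLOOK.EXE image="C:\Program Files\Microsoft Office\WINWORD.EXE" cmdline="WINWORD.EXE /n invoice_4471.doc"
2017-01-10T09:14:02Z host=FIN-WS07 user=CORP\jdoe parent=WINWORD.EXE image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"
2017-01-10T09:30:15Z host=BK-SRV01 user=CORP\svc_backup parent=services.exe image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin.exe list shadows"
2017-01-10T10:02:55Z host=HR-WS02 user=CORP\mlee parent=explorer.exe image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic.exe shadowcopy delete"
"""

# key=value pairs; group 2 is a quoted value, group 3 an unquoted one.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line shapes that remove volume shadow copies. Administrative
# "list" or "create" operations deliberately do not match.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

# A deletion whose parent is an Office application points at the
# macro-document delivery chain and gets a higher severity.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}


def parse_event(line):
    """Split one constructed log line into a dict of fields."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for m in KV_RE.finditer(rest):
        event[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return event


def detect_shadow_copy_deletion(log_text):
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for rule_name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmd):
                parent = ev.get("parent", "").upper()
                alerts.append({
                    "ts": ev["ts"],
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "parent": ev.get("parent"),
                    "rule": rule_name,
                    "severity": "high" if parent in OFFICE_PARENTS else "medium",
                    "cmdline": cmd,
                })
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} {alert['host']} {alert['user']} "
              f"parent={alert['parent']} rule={alert['rule']}: {alert['cmdline']}")
```

On the four constructed lines the detector raises two alerts: the `vssadmin` deletion launched from WINWORD.EXE on FIN-WS07 (high) and the `wmic` deletion on HR-WS02 (medium); the backup service's `vssadmin list shadows` is left alone. In production the same logic belongs in the EDR or SIEM rule language rather than a script, but the two decisions it encodes, match only destructive verbs and weight by parent process, carry over directly.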

Attack Vectors

2016, according to most cyber security researchers, was the year of extortion. Some of the popular methods employed for dropping the malware payload in 2016 included:

Targeted Phishing Emails with Malicious Attachments or Links (Locky, Torrentlocker, CTB-Locker)

A common attack method in 2016 was as follows: An enterprise employee receives what appears to be a legitimate email with an attachment (such as an invoice). When the attachment is opened, the document encoding appears garbled (full of garbage characters). A message similar to this might be displayed, "If you see incorrect data encoding, please enable macros". As soon as the user enables macros, the ransomware is downloaded and the payload is executed.

[Image: a ransomware-laden document prompting the user to enable macros]
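The chain above only works if the macro-bearing attachment reaches the user, so the cheapest control is to vet Office attachments at the mail gateway before a person ever sees the "enable macros" prompt. The following is an added example, not code from the original post or from OPSWAT's products: a Python inspector that recognises the two Office container formats, looks inside OOXML packages for a VBA project part or its declared content type, and flags the common trick of hiding macro content behind a `.docx` extension. The sample documents are constructed in the script (minimal zip packages and an OLE2 header with filler bytes), and the part names and content-type string are those defined by the OOXML specification.

```python
import io
import zipfile

# OLE2 compound-file magic (legacy .doc/.xls) and the content type an OOXML
# package declares for an embedded VBA project.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}

CONTENT_TYPES_CLEAN = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Override PartName="/word/document.xml" '
    b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    b"</Types>"
)
CONTENT_TYPES_MACRO = CONTENT_TYPES_CLEAN.replace(
    b"</Types>",
    b'<Override PartName="/word/vbaProject.bin" '
    b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
)


def build_ooxml(parts):
    """Build a minimal OOXML zip package from {part name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments: a macro-free document, a macro-enabled one,
# and a legacy OLE2 header followed by filler bytes.
SAMPLE_CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_CLEAN,
    "word/document.xml": b"<w:document/>",
})
SAMPLE_MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_MACRO,
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,  # placeholder bytes, not a real VBA project
})
SAMPLE_LEGACY_DOC = OLE2_MAGIC + b"\x00" * 56


def inspect_attachment(filename, data):
    """Classify an attachment by container format and report macro indicators."""
    report = {"filename": filename, "format": "unknown", "has_macros": False, "reasons": []}
    if data.startswith(OLE2_MAGIC):
        report["format"] = "ole2"
        report["reasons"].append(
            "legacy binary Office format; macros cannot be ruled out without OLE stream parsing")
        return report
    if not data.startswith(b"PK"):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["reasons"].append("zip signature but package is unreadable")
        return report
    names = zf.namelist()
    report["format"] = "ooxml"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        report["has_macros"] = True
        report["reasons"].append("vbaProject.bin part present")
    if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
        report["has_macros"] = True
        report["reasons"].append("VBA project content type declared")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if report["has_macros"] and ext in MACRO_FREE_EXTENSIONS:
        report["reasons"].append(f"macro parts inside a .{ext} file, an extension that is normally macro-free")
    return report


def should_quarantine(filename, data):
    """Gateway decision: hold anything carrying macros or in a format we cannot vet here."""
    report = inspect_attachment(filename, data)
    return report["has_macros"] or report["format"] == "ole2"


if __name__ == "__main__":
    for name, blob in [("invoice.docx", SAMPLE_CLEAN_DOCX),
                       ("invoice.docm", SAMPLE_MACRO_DOCM),
                       ("invoice.docx", SAMPLE_MACRO_DOCM),
                       ("invoice.doc", SAMPLE_LEGACY_DOC)]:
        print(name, "quarantine" if should_quarantine(name, blob) else "deliver",
              inspect_attachment(name, blob)["reasons"])
```

Two design points are worth noting. The inspector checks both the part name and the declared content type because either alone can be absent in a crafted file, and it treats legacy OLE2 documents as "cannot vet" rather than "clean", which is the conservative choice when a gateway lacks an OLE parser; a proper deployment would hand those to a full scanner or a sanitisation engine that strips active content before delivery.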

Social Engineering Schemes

Cyber criminals realize that in most modern enterprises, the weakest security link is the user. Social engineering schemes typically involve fooling unwitting employees into handing over sensitive information or data such as system passwords.

Using Exploit Kits

Exploit kits are malware toolkits that exploit known or unknown vulnerabilities when a potential target visits a compromised website. These attacks are often carried out through malvertising. One of the most notorious exploit kits that exists today is the Angler exploit kit. According to Cisco's Midyear Security Report, in 2015, Angler accounted for 36% of user penetration in the cyber attacks observed to that point.

How can you avoid falling victim to ransomware?

1. Use a strong anti-malware solution; ideally, use multiple solutions. As OPSWAT's comparative chart demonstrates, the likelihood of catching a malware outbreak increases exponentially with the power of multi-scanning. OPSWAT's MetaDefender Core threat detection and prevention platform leverages 100+ anti-malware, data sanitization, vulnerability, and other security engines for the best protection against known and unknown threats. Multi-scanning helps you not only significantly improve detection rates but also reduce the time of outbreak exposure. Additionally, MetaDefender's APIs allow for easy integration with existing solutions. Read more about MetaDefender Core.

[Image: MetaDefender multi-scanning comparison chart]

2. Have a well-defined enterprise security policy that is enforced at all levels in the organization.

3. Back up, back up, and back up! Ensure that file backups are done regularly and that your organization has a well-defined backup and disaster recovery plan. Be sure to check in advance with your provider on the costs and time for a full recovery in the event of a critical infrastructure hit.

4. Invest in a good web proxy or secure web gateways that add an additional layer of defense and protect your servers from exposure to infection. MetaDefender ICAP Server exposes an ICAP interface that allows system administrators to easily integrate OPSWAT's multi-scanning and data sanitization technology into an existing web proxy for anti-malware scanning of all HTTP downloads and uploads. Read more about it here.

5. Address vulnerabilities. Reducing or eliminating vulnerabilities results in fewer options for malicious users to gain access to secure information. Unpatched vulnerabilities are a serious problem. Even if your security policy requires regular updates, some employees might get irritated by constant update notifications and turn off automatic updates.

With MetaDefender Core's Vulnerability Engine, you can:

  • Scan systems for known vulnerabilities at rest, without having to power them on
  • Check software for known vulnerabilities before it is installed
  • Quickly scan entire systems and running applications for vulnerabilities

Download a free vulnerability assessment tool to get a quick vulnerability report on your endpoints here.

6. Increase security awareness within the organization. Ensure your employees are cognizant of the most common attack vectors: phishing and social engineering. Invest in powerful email security solutions — a secure email gateway isn't always enough. MetaDefender Email Security adds a stronger layer of protection to your existing secure email gateways.

7. For organizations that have a Bring Your Own Device (BYOD) policy, ensure that users do not install unsigned or third-party apps. Invest in enterprise mobility solutions that enable safer BYOD practices, such as virtual environments, data classification, and device integrity scanning solutions.

What if you're already infected?

  1. Isolate the infected device from the network as quickly as possible. This helps prevent the spread of the ransomware.
  2. Check to see whether you have healthy system restore points that can be used to retrieve files.
  3. If you have invested in a backup and disaster recovery solution, check with your support team to confirm if the data is recoverable.
  4. In some cases, it might be possible to decrypt your files. Here are some freely available ransomware decryption tools provided by anti-malware companies:

A complete list of free ransomware decryptor tools for unlocking files is maintained by the good folks at the Windows Club. Also, check out the No More Ransom project to ascertain if you can recover your encrypted files.

As a final note, OPSWAT does not recommend paying the ransom. There is no guarantee that, after receiving the ransom, the attackers will decrypt the files, and you might open yourself to additional ransom demands.

To learn more about how OPSWAT can protect your organization from ransomware, contact us today.
