Ransomware is one of the most prevalent and feared forms of security attack these days. Organisations worry about ransomware because it is extremely difficult to detect in advance, hard to stop spreading once it strikes, and potentially disastrous in terms of data destruction. Add to this the ignominy of having to pay the ransom to criminals and a possible fine from data protection regulators, and ransomware becomes a critical threat to organisations of all types and sizes.
Ransomware is often introduced into an organisation through phishing emails, but it may also arrive via exploits, USB drives and other media carrying malware. It acts quickly. For example, one organisation we know saw 30,000 files encrypted within four minutes. It spreads across the corporate network, either by self-propagating from machine to machine or simply by encrypting every file share the infected user's account can write to, so it affects endpoint devices (PCs, laptops), servers and network-attached storage alike. Once files have been encrypted with a properly implemented cipher, recovering them without the attacker's key is, for all practical purposes, impossible. Good practice therefore holds that an organisation prepared for this kind of attack needs good backups from which it can restore data. But data is rarely backed up in real time, so some loss (everything changed since the last good backup) is usually inevitable.
The consequences of ransomware will increase with the introduction of GDPR in 2018. A personal data breach includes the "unlawful destruction" of data, and a failure to protect against it can attract a fine of up to 2 percent of global annual turnover (rising to 4 percent for the most serious categories of infringement). This clearly represents a significant increase in risk to enterprises, from a financial perspective but also in terms of brand reputation.
What can organisations do to protect themselves against ransomware? We think there are five areas where organisations should seek to minimise the risk of the threat.
The first approach is to minimise the likelihood that a phishing campaign will succeed, by educating users about the importance of knowing the provenance of an email or website. Building awareness of the attributes of a fake email or website is useful, as is encouraging behaviour such as referring suspicious or unknown content to an administrator or other experienced individual. While these approaches will not eliminate people clicking on bad URLs, good education is a sound place to start.
The second level of protection is to implement technology on email and web gateways that scans for known-malicious or suspicious URLs and attachments. Such solutions are useful in separating legitimate content from malware and from unknown but suspicious sites.
The third layer of defence is to have technology installed on the endpoint. This typically monitors the behaviour of processes and detects activity characteristic of ransomware. For example, a process that is sequentially overwriting files with high-entropy data, or renaming them en masse, is likely to be ransomware. However, it is possible that this is a legitimate process used for data protection purposes, such as a backup or disk-encryption agent. In these cases the process can be whitelisted, ideally by code signature or hash rather than by name alone, since malware routinely masquerades as legitimate executables. Other approaches involve application control (application whitelisting), where only listed applications may launch and unlisted or blacklisted applications are blocked.
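To make the behavioural heuristic concrete, here is an added example (written for this page, not code from IDC or from any endpoint product) of the kind of per-process detector such tools implement. It runs over a constructed trace of file events rather than a real kernel file-system filter, and the process names, paths and thresholds are illustrative assumptions. It scores each process on how many distinct files it touches within a sliding window, whether the data it writes looks encrypted (Shannon entropy close to 8 bits per byte) and whether it renames files to a ransomware-style extension, and it shows the whitelisting point from the text: a backup agent that also bulk-writes ciphertext trips the heuristic unless it is explicitly allowlisted.

```python
"""Heuristic ransomware detector over a constructed stream of file-activity events.
Added example for illustration; a real EDR feeds this from a kernel file-system filter."""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since start of trace
    process: str         # image name of the process touching the file
    op: str              # "write" or "rename"
    path: str            # path written, or new path for a rename
    data: bytes = b""    # sample of the bytes written (empty for renames)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareHeuristic:
    """Per-process sliding window. A process is flagged once it has touched at least
    `min_files` distinct files within `window_s` seconds and either most of its writes
    are high-entropy or it has renamed many files to a suspicious extension."""

    def __init__(self, window_s=60.0, min_files=20, entropy_threshold=7.0,
                 suspicious_exts=(".locked", ".crypt", ".enc"), allowlist=()):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self.suspicious_exts = tuple(suspicious_exts)
        self.allowlist = frozenset(allowlist)   # legitimate bulk encryptors, e.g. backup agents
        self._window = defaultdict(deque)       # process -> deque of (ts, path, op, high_entropy, bad_ext)
        self.flagged = set()

    def observe(self, ev: FileEvent) -> bool:
        """Feed one event; returns True the first time its process crosses the threshold."""
        if ev.process in self.allowlist or ev.process in self.flagged:
            return False
        high = ev.op == "write" and shannon_entropy(ev.data) >= self.entropy_threshold
        bad_ext = ev.op == "rename" and ev.path.lower().endswith(self.suspicious_exts)
        q = self._window[ev.process]
        q.append((ev.ts, ev.path, ev.op, high, bad_ext))
        while q and ev.ts - q[0][0] > self.window_s:   # expire events outside the window
            q.popleft()
        distinct_files = {path for _, path, _, _, _ in q}
        if len(distinct_files) < self.min_files:
            return False
        writes = [h for _, _, op, h, _ in q if op == "write"]
        high_fraction = sum(writes) / len(writes) if writes else 0.0
        bad_renames = sum(1 for *_, b in q if b)
        if high_fraction >= 0.8 or bad_renames >= self.min_files // 2:
            self.flagged.add(ev.process)
            return True
        return False


def ciphertext(seed: str, n: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output: uniform bytes from SHAKE-256."""
    return hashlib.shake_256(seed.encode()).digest(n)


PLAINTEXT = b"Q3 revenue commentary: growth in the EMEA region continued.\n" * 64


def sample_events() -> list:
    """Constructed trace (not real telemetry): a word processor saving a few documents,
    a backup agent legitimately writing encrypted chunks, and a ransomware process
    (here a hypothetical 'invoice-viewer.exe' dropped by a phishing lure) encrypting
    and renaming a finance share at ten files per second."""
    events, t = [], 0.0
    for i in range(3):
        events.append(FileEvent(t, "winword.exe", "write", f"/share/finance/report{i}.docx", PLAINTEXT))
        t += 5.0
    for i in range(40):
        events.append(FileEvent(t, "backup-agent.exe", "write", f"/backup/vol1/chunk{i}.bin", ciphertext(f"bk{i}")))
        t += 0.2
    for i in range(30):
        p = f"/share/finance/invoice{i}.xlsx"
        events.append(FileEvent(t, "invoice-viewer.exe", "write", p, ciphertext(f"r{i}")))
        t += 0.05
        events.append(FileEvent(t, "invoice-viewer.exe", "rename", p + ".locked"))
        t += 0.05
    return events


def detect(events, allowlist=()) -> set:
    """Run the heuristic over a trace and return the set of flagged process names."""
    det = RansomwareHeuristic(allowlist=allowlist)
    return {ev.process for ev in events if det.observe(ev)}


if __name__ == "__main__":
    print("no allowlist:  ", sorted(detect(sample_events())))
    print("with allowlist:", sorted(detect(sample_events(), allowlist={"backup-agent.exe"})))
```

Without an allowlist both the backup agent and the ransomware process are flagged, which is exactly the false-positive case the text describes; with `backup-agent.exe` allowlisted only the ransomware remains. In production the allowlist key should be the binary's signature or hash, and the thresholds tuned against a baseline of the organisation's own file-server traffic.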
The fourth level is the use of network security solutions that can detect ransomware before it executes and quarantine the suspicious file or detonate it in a sandbox. Alternatively, such a solution may score a download as likely ransomware from its source, reputation or other attributes.
Finally, suspicious file activity on the server should be detected using the same kinds of technology used on endpoints. In addition, servers are typically backed up daily or more frequently according to good data governance procedures. As long as the backup plan uses storage that ransomware cannot reach (offline or immutable copies, or backup credentials separate from the production domain, so that a compromised account cannot overwrite or delete them) and restores are tested regularly, this is an essential step in ransomware protection.
None of these approaches is particularly new or innovative, but it is rare to see all of them deployed in any single organisation. This collection of technologies therefore maps well onto the cyber maturity analysis discussed in recent blogs. More mature organisations are more likely to have implemented this layered approach against a variety of attacks, and will therefore be better protected against ransomware.
Complete the IDC Cyber Risk Assessment for help making informed decisions around cyber risk strategy and to understand the benefits associated with increasing your readiness in the face of evolving threats.
Duncan Brown is Research Director, European Security Practice, at IDC and leads the firm’s security research program in Europe.