Ransomware is Not Going Away… It is Simply Changing Targets.
Back at the beginning of 2019, I remember reading articles predicting that Ransomware would be on the decline this year. The logic was simple enough and made sense:
I) It’s easy to detect Ransomware activity (monitor for file encryption).
II) Everyone was saying “Don’t pay” (so there wouldn’t be any money in it).
Well, it seems they were wrong. Ransomware has simply changed targets. In the past, companies and other private organizations appeared to be the main target for this form of Malware; now the primary target seems to be the Government realm:
– In August, a coordinated Ransomware attack hit 23 separate municipalities in Texas.
– In August, New York reported that 40 separate municipalities had been hit with Ransomware so far this year.
– In Ontario, Stratford, Wasaga Beach and Toronto were hit with Ransomware this summer (yes, this happens in Canada too!)
Why are governments being hit with Ransomware now?
Probably because of money and size. Government networks tend to be large, sprawling and poorly documented. Unless there is a strong push for Security from the very top, the IT department has very few resources to do anything about it.
Without support from the top, IT cannot implement any real (useful) Security measures. Installing Antivirus software isn’t where Security stops (those municipalities in New York and Texas certainly had AV software installed).
The result is an easy target with lots of money, which means a better chance of a payout for the attacker.
What sort of things can be done to help protect against Ransomware?
There are plenty of ways to increase your Security, and all of them help against Ransomware to some degree. Here are some of them:
1) Make use of Software that detects files getting encrypted.
Some Anti-Malware software has this capability built in. The idea is to generate an alert when files suddenly start getting encrypted, so your IT team can isolate the machine and shut it down before the damage gets too bad.
Even if your Anti-Malware software can detect this, consider running a separate piece of monitoring software as well, ideally one that watches the file servers rather than only the endpoint. Once an attacker gains access to your equipment, the Anti-Malware software is very high on their list of things to disable, and an independent second monitor is what keeps you from going blind at that moment.
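The detection described in item 1 above, worked through as an added example (this is not tooling from the original post or from any vendor). It compares two snapshots of a directory tree and flags files whose content went from readable (low Shannon entropy) to ciphertext-like (high entropy), or that appeared as new high-entropy files while the originals vanished, which is the write-new-then-delete pattern most encryptors use. A dedicated canary file that changes at all raises an alert on its own. The thresholds, the canary name and the simulated encryptor are assumptions constructed for the demo.

```python
"""Ransomware-activity canary: flag a burst of files turning into ciphertext.

Added example, not tooling from the original post. Compares two snapshots
of a directory tree and reports files whose content went from readable
(low entropy) to ciphertext-like (high entropy), or that appeared as new
high-entropy files while originals vanished. Any change to a dedicated
canary file is an immediate alert. Thresholds and the canary name are
assumptions, not industry constants.
"""
import collections
import hashlib
import math
import random
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.2    # bits/byte; documents sit far below, ciphertext near 8
MIN_SIZE = 256             # shorter files cannot reach high entropy even if random
BURST_THRESHOLD = 3        # suspicious files in one interval needed to alert
CANARY_NAME = "!canary.txt"  # assumed name; sorts first so an in-order walk hits it early


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())


def snapshot(root) -> dict:
    """Map relative path -> (size, entropy, sha256 prefix) for each file under root."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            snap[str(p.relative_to(root))] = (
                len(data), shannon_entropy(data), hashlib.sha256(data).hexdigest()[:16])
    return snap


def detect(before: dict, after: dict) -> dict:
    """Compare two snapshots and decide whether to alert.

    A file is suspicious if it is now large and high-entropy and either did not
    exist before or was low-entropy before. Files that were already compressed
    or encrypted stay high-entropy on both sides and are therefore ignored.
    """
    suspicious = []
    for path, (size, ent, _digest) in after.items():
        if size < MIN_SIZE or ent < ENTROPY_THRESHOLD:
            continue
        prev = before.get(path)
        if prev is None or prev[1] < ENTROPY_THRESHOLD:
            suspicious.append(path)
    deleted = sorted(set(before) - set(after))
    # Canary: any change in size, entropy or digest (or disappearance) is enough.
    canary_hit = CANARY_NAME in before and before[CANARY_NAME] != after.get(CANARY_NAME)
    return {
        "alert": canary_hit or len(suspicious) >= BURST_THRESHOLD,
        "canary_hit": canary_hit,
        "suspicious": sorted(suspicious),
        "deleted": deleted,
    }


def simulate_encryptor(root, names, seed=2019):
    """Constructed stand-in for ransomware: overwrite each file with pseudo-random
    bytes of the same length and rename it to <name>.locked."""
    rng = random.Random(seed)
    for name in names:
        p = Path(root) / name
        size = p.stat().st_size
        p.write_bytes(bytes(rng.getrandbits(8) for _ in range(size)))
        p.rename(p.with_name(p.name + ".locked"))


def demo() -> dict:
    """Build a constructed file share, snapshot it, 'encrypt' four files, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(6):
            (root / f"report_{i}.txt").write_text("Quarterly budget notes, draft. " * 40)
        (root / CANARY_NAME).write_text("canary file, nobody should edit this " * 12)
        before = snapshot(root)
        simulate_encryptor(root, [f"report_{i}.txt" for i in range(4)])
        return detect(before, snapshot(root))


if __name__ == "__main__":
    result = demo()
    print("ALERT" if result["alert"] else "quiet", result)
```

Two design points matter in practice. Compressed and already-encrypted files (zip, jpg, backups) are high-entropy by nature, so the check only fires on a transition from low to high entropy or on new high-entropy files, and only once several of them appear in one interval; a single false positive does not page anyone. Second, this should run as its own service under its own account, polling file shares, so that disabling the endpoint agent does not also silence it; a production version would hook inotify or Windows file-change notifications rather than re-reading the tree.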
2) Periodically test that your Anti-Malware software is functioning.
Just because you see the icon doesn’t mean it’s working. A skilled attacker will disable any and all Security software as quickly as possible to avoid detection. It makes no sense to test by infecting your machine with a live virus (what if it isn’t detected?). The industry recognized this a long time ago and created a harmless test file, the EICAR test file, which scanners detect by design.
The official EICAR website offers the test file in several formats (plain, zipped and double-zipped). Your IT team should periodically test a random sample of machines to make sure the file is detected: a working on-access scanner will block the write or quarantine the file within seconds, while a file that sits on disk untouched means protection on that machine is off, broken or excluded for that path.
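The periodic check from item 2, as an added example (not from the original post or from EICAR): the script writes the standard 68-byte EICAR test string to a file, gives the on-access scanner a moment to react, and classifies what happened. The string is assembled from two halves so the script itself does not contain the contiguous test string; the directory, wait time and outcome labels are assumptions.

```python
"""Endpoint-protection self-check with the EICAR test file.

Added example, not from the original post or from EICAR. Writes the 68-byte
EICAR test string to a file, waits for the on-access scanner, and reports
one of three outcomes. The string is built from two halves so this source
file does not itself contain the contiguous test string.
"""
import tempfile
import time
from pathlib import Path

EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR = "".join(EICAR_PARTS).encode("ascii")   # exactly 68 bytes once joined


def classify(write_error, content_after) -> str:
    """Map what happened to the test file to an outcome label.

    blocked_on_write: the scanner refused the write (real-time protection active)
    removed:          the file vanished or was altered/emptied (quarantined)
    not_detected:     the test file is still there, byte-for-byte intact
    """
    if write_error is not None:
        return "blocked_on_write"
    if content_after == EICAR:
        return "not_detected"
    return "removed"


def run_eicar_check(directory=None, wait_seconds: float = 5.0) -> dict:
    """Drop eicar.com into directory (a fresh temp dir by default) and report."""
    created_dir = directory is None
    directory = Path(directory) if directory else Path(tempfile.mkdtemp(prefix="avcheck_"))
    target = directory / "eicar.com"
    write_error = None
    content_after = None
    try:
        target.write_bytes(EICAR)
    except OSError as exc:          # Defender and others raise PermissionError here
        write_error = str(exc)
    if write_error is None:
        time.sleep(wait_seconds)    # give the on-access scanner time to quarantine
        try:
            content_after = target.read_bytes()
        except OSError:
            content_after = None    # gone: quarantined or deleted
    outcome = classify(write_error, content_after)
    if outcome == "not_detected":
        target.unlink()             # AV left it alone, so we clean up ourselves
    if created_dir:
        try:
            directory.rmdir()
        except OSError:
            pass                    # quarantine may still hold the directory open
    return {"path": str(target), "outcome": outcome, "detail": write_error}


if __name__ == "__main__":
    import sys
    result = run_eicar_check()
    print(result)
    sys.exit(0 if result["outcome"] != "not_detected" else 1)
```

Run it from a scheduled task in the normal user context on a random sample of machines and collect the results centrally; a "not_detected" on a host whose tray icon looks healthy is exactly the failure this item warns about. Note that this only exercises the scanner's file detection path: it says nothing about behavioural or anti-ransomware features, which the test string does not trigger.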
3) Make sure that all remote access requires logging-in to a VPN first.
It could be an SSL VPN or an IPsec VPN, but there should be no way to reach an internal resource without first logging in to a VPN. RDP is a common way of setting up outside access to a device, but given the volume and nature of the RDP vulnerabilities that have been disclosed, it is not safe to leave it open to the Internet.
4) Use Multi-factor Authentication, wherever possible.
Using it for any external access method is required for Compliance with some regulations. If you’re going to use it externally, why not internally as well?
Consider the impact on an attacker’s ability to move around within your network. Lateral movement usually runs on stolen passwords and password hashes, and requiring Multi-factor Authentication internally massively restricts what an attacker can do with them.
5) Segregate your network as much as possible/reasonable.
The logic is simple: if you limit the ways devices inside your network can communicate with each other, you also limit the ways an attacker can move around.
Evaluate your devices in groups from a least-privilege perspective. By default, no communication should be allowed between groups unless there is a documented need for it; workstations, for example, rarely need to talk to each other at all.
6) Educate your staff.
Don’t assume basic computer skills, like understanding how email works. Policies that say things like “Never click a link in an email” are useful, but if people don’t understand the reasons behind them, they won’t take them seriously. Email is a standard vector attackers use to gain network access because it’s effective. That means having email in your organization is a risk, not simply a business tool.
The list of things you can do is much longer, but I wanted to focus on the items I consider the simplest AND most effective. First acknowledge and understand the risks Ransomware poses to your organization; then take all the steps you deem appropriate.
If you have any questions about Ransomware Protection, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-man.