Why is Ransomware so Effective? Because They Keep Changing It…
Ransomware… one of these days maybe I’ll be able to stop making it a recurring topic of this newsletter. Sadly, that seems unlikely. It’s far too effective a weapon for cyber criminals to abandon it.
To make matters worse, they keep changing and making it even more effective. So, let’s break it down a little, and look at the various facets of a Ransomware Attack, and how it’s changing:
I) Encrypted Data – This is the part everyone should be familiar with by now. Via any one of a number of methods, computers are infected with malicious software that encrypts their files, rendering them inaccessible. Once this happens, some form of message is displayed on the computer, demanding a Ransom to regain access to them.
The danger here is two-fold: paying the Ransom does not provide any sort of protection from future infections, and paying the Ransom does not guarantee the files can be decrypted.
The defense for this has been stated again and again: you need to back up your important data. Attackers know this, so they go after your backups: they look for and disable backup software, corrupt backup files, etc. Thus, it’s crucial to monitor your backups.
Installing software that can detect files suddenly being deleted is also good. This way you can potentially spot and stop an infection before the damage requires a backup to restore. The bad guys are aware of this too, so they keep an eye out for software like this and look for ways to either disable it or encrypt the files in such a way that it won’t trigger detection.
II) Ransomed Data – Next came data exfiltration. Attackers don’t just infect your computers with Ransomware; they also steal your data. Now, if you don’t pay the Ransom, a Ransomware Attack turns into a Data Breach as well. As a form of proof, or to increase the threat, they publish portions of your data online.
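A minimal version of the burst detection described above, as an added example that is not part of the original post: a sliding-window count of DELETE events per account over constructed audit-log lines. The log format, the account names and the "8 deletes in 10 seconds" threshold are assumptions for this example; the second sample shows the low-and-slow behaviour that such a threshold misses.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed audit-log format for this example: "<ISO timestamp> <user> <action> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (DELETE|MODIFY|CREATE) (\S+)$")
T0 = datetime(2024, 5, 1, 9, 10, 0)   # constructed start time for the sample lines

def parse_event(line):
    """Return (timestamp, user, action, path), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path = m.groups()
    return datetime.fromisoformat(ts), user, action, path

def detect_delete_bursts(lines, window=timedelta(seconds=10), threshold=8):
    """Flag any user whose DELETE events inside one sliding window reach `threshold`; one (user, window_start, count) per burst."""
    recent = {}        # user -> deque of DELETE timestamps still inside the window
    in_burst = set()   # users already alerted for the burst currently in progress
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev[2] != "DELETE":
            continue
        ts, user = ev[0], ev[1]
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:          # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:       # alert once per burst, not once per file
                alerts.append((user, q[0], len(q)))
                in_burst.add(user)
        else:
            in_burst.discard(user)         # burst ended; a new one may alert again
    return alerts

def make_deletes(user, start, count, gap_seconds):
    """Build constructed sample log lines: `count` deletes spaced `gap_seconds` apart."""
    return [f"{(start + timedelta(seconds=i * gap_seconds)).isoformat()} {user} DELETE /share/docs/f{i}.docx"
            for i in range(count)]

if __name__ == "__main__":
    fast = make_deletes("wks17$", T0, 40, 0.5)   # 40 deletes in 20 s: an encryptor tearing through a share
    slow = make_deletes("wks22$", T0, 40, 60)    # the same 40 deletes one per minute: never reaches the threshold
    print(detect_delete_bursts(fast))            # one alert for wks17$
    print(detect_delete_bursts(slow))            # [] : the "low and slow" evasion the post warns about
```

The slow sample is why a rate threshold alone is not enough; pairing it with backup monitoring and outbound-traffic monitoring, as the post goes on to argue, closes that gap.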
So, even if you restore your information from backups, you still have the Data Breach to deal with.
Attackers don’t make their traffic easy to find; there’s no sort of “standard.” Whatever it takes to get the job done is what will happen.
Defense against this is harder and requires more of a heuristic approach. You need to set up monitoring for multiple different things throughout your network. You need to look at things like:
User login activity (on all your devices, not just Windows PCs) / Database activity / Inbound and outbound traffic through your firewall / Etc.
In addition to proper monitoring, you need to be restrictive about the sorts of network activity you allow. The more restrictive you can be, the better your chances of detecting and preventing someone from getting information out of your network. Doing this properly isn’t simply a matter of having the right skills, but also the right equipment: a simple firewall isn’t going to be good enough; you need something designed to be a business-class firewall.
III) Auctioned Data – Nothing I’ve mentioned so far is new, until now. To put it simply, the cyber criminals have increased their chance of a payday. After all, that’s what really matters.
The problem with simply holding the data for Ransom is: what do you do if they still refuse to pay? You went through a lot of effort for nothing. So, how do you increase your chances of being paid? Easy! You increase the number of people you try to sell to. If the owner of the data isn’t willing to buy it, then maybe someone else will be.
The implied threat here is that if someone else is willing to purchase your data, they’re also willing to make active use of it. Historically, Ransomware criminals haven’t held any real interest in the data itself; they want to be paid.
This is a change in how the Ransomware guys treat your data, not in how they obtain it. Hence, there’s no additional defense you could use (other than monitoring the dark web and purchasing the data yourself). What has happened is that the potential cost of a Ransomware outbreak in your network has gone up. This puts even more weight on detecting data being exfiltrated from your network.
In order to defend against Ransomware, it is no longer good enough to perform backups, monitor them, and install some software to detect files being encrypted. Your plan must include some level of monitoring of your network and your traffic, to try to ensure that a breach does not occur. Failing to include this in your plan is the same as playing a lottery that you really don’t want to win.
If you have any questions about Ransomware, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.