How enterprises can defend against rapidly evolving ransomware

Ransomware threats can change daily, making consumers and businesses more vulnerable than ever. Names like Angler malvertising, Locky ransomware and Angler Exploit Kit frequently crop up in the news, despite law enforcement’s best efforts to contain them.

Simply put, malware is popular because it’s successful.  Cyber criminals make an estimated 1,425% ROI for exploit kit and ransomware schemes, according to the 2015 Trustwave Global Security Report. Those returns are enough to keep enterprising cyber criminals working nearly nonstop to improve their strategies.

“Cybercriminals are constantly modifying their tactics to match our rapidly evolving technology innovation and inherent need to click on content,” said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint.

Malware authors employ the same techniques used by legitimate software engineers to increase their coding efficiency and keep their malware effective, according John Wilson, field CTO at Agari.

“Chief among these are components, web services and outsourcing,” said Wilson.

For example, the Angler exploit kit contains all the code necessary to implement a drive-by infection, so that the criminal’s code can be triggered whenever a victim visits a certain webpage. There are obfuscation services that will rearrange your malware code until it isn’t detected by any of the major antivirus solutions and there are pay-per-install services available, so the malware author doesn’t need to think about distribution, according to Wilson.

“These services even offer targeting, in case you only want to infect computers in Canada or China or are only interested in infecting workplace computers in certain industries,” Wilson said.

Can malware be stopped?

Finding those responsible for creating crimeware kits, operating botnets or providing pay-per-install services is the most effective tool for reducing cybercrime. Unfortunately, the Internet can extend beyond the reach of the law, where bribery and corruption are commonly used to avoid prosecution, said Wilson.

Just like crime in the physical world, there is no 100% solution to preventing cyber crime. Absolute prevention of malware infections is no more realistic than absolute prevention of all petty theft.

The best defense, therefore, is a good offense.

“You need to do everything you can to minimize your exposure,” said Steve McGregory, director of the Application and Threat Intelligence Program atIxia.

Though today’s threats can be very advanced, their efficiency hinges on two factors: Tricking people into clicking on malicious content (URLs, malicious documents, malvertising, etc.) and banking on organizations not having advanced threat protection deployed, said Kalember.

To help defend their systems, enterprises can keep operating systems, firmware and software packages and applications patched and up-to-date.

“This limits the number of vulnerabilities available for criminals to exploit,” said Karl Sigler, Threat Intelligence Manager at Trustwave.

“It’s important to use a best-of-breed advanced threat solution that can detect ransomware delivered via email or social media, and when it attempts to run on targeted endpoints including mobile devices,” said Kalember. “Avoid free decryption tools. Most have no easy solution to many forms of ransomware. These tools will not save you in the event systems are encrypted by an attacker.”

But any protections won’t work if the they are not properly secured.

“People are the weakest link when it comes to malware propagation — including some of the recent ransomware infections impacting U.S. hospitals,” said Thomas Phelps, vice president of Corporate Strategy and CIO of Laserfiche.  “IT organizations can install the latest antivirus solutions and other controls, but these can be easily circumvented by an unsuspecting user opening emails with seemingly innocent or useful attachments or by clicking on malicious links.”

The best, last defense

Even with the most diligent processes, education and defenses, malware and ransomware can still infect an enterprise.

“Expect to be hit, and make sure you have practiced recovery processes,” said Phelps. “Storing vital records and critical business information in an ECM system—along with a robust backup (or) recovery strategy—will help organizations respond to and manage malware security incidents.”

As a last defense, regularly backing up a system can allow companies to make a full recovery in case of an incident.

“Endpoint backup, with real time recovery capability, captures and protects all files created and stored on devices,” said Rick Orloff, vice president and chief security officers at Code42. “This is the best solution ensuring that your company is not left paying a ransom in order to get its data back.”

“If you can recover data being held ‘hostage’ by ransomware, it short circuits the malware completely,” said Sigler.

And of course, just in case, companies should not overlook cyber insurance, Wilson said.