Ransomware is a popular weapon for the modern attacker with >50% of the 330,000+ attacks in 3Q15 targeted against US companies. No industry is immune to these attacks, which if successful are a blot on financial statements of the targeted companies. Despite their success, ransomware attacks are not sophisticated, exploit traditional infection vectors and are not stealthy. The success of such attacks reveal poor endpoint protection planning and strategy, which are observed at companies of every size and every vertical. This leads to most organizations reacting to such infections rather than planning against them, which is expensive in staff hours and of course hurtful to reputation.
A misunderstanding of ransomware, how it works and how the infection can be prevented are common. Here are three common misconceptions:
Myth #1: Ransomware is a zero-day attack
In fact, exploiting a zero-day vulnerability is an expensive proposition for a malicious actor. In reality, most malware target vulnerabilities, which while well-documented and easily remediated, remain unpatched. Therefore, a systematic schedule of patching and endpoint system updates within 30 days of becoming available is the most effective available way to minimize the threat of ransomware, and indeed most “targeted” attacks.
Myth #2: Anti-virus & perimeter solutions are sufficient protection
Signature-based protection has been widely used for 20+ years and is a necessary and effective protection mechanism. However, this approach is well known and easily evaded by attackers. In addition to signature-based anti-virus solutions, it is necessary to consider endpoint detection and response solutions supported by monitoring and analytics. Many ransomware attacks are successful because attackers breach perimeter security solutions and web-facing applications. Most networks are flat, making them easy to traverse. Segmenting assets into trust zones and enforcing traffic flow rules is the way to go.
Myth #3: IT Admins always follow best practices
When administrator accounts are not monitored at all, it exposes such super powers to hacker opportunism. Admin workstations with drive mappings and often used (and sadly common) administrator passwords to critical servers are a high priority target. Best practice prescribes monitoring administrator accounts for unauthorized use, access and behaviors.
Recognize that ransomware itself isn’t much different than the malware of the past. Ransomware enters the organization the same way as other malware, propagates the same way and leverages known vulnerabilities in the same way. Thus the good news is that ransomware can also be defended in the same way as malware.