Ransomware on the Rise: Sound the Alarm!

As discussed in my previous blog post, Ransomware is a nasty bugger and can cause irreparable harm to individual systems and entire networks. This attack has gained more momentum and ferocity in recent months, with its focus now on corporate targets.

The initial implementations, dating from 2005 to 2012 with just a couple of different variants, had one objective: encrypt files on the local computer and convince the user to pay the ransom to get their files back. However, the pace has quickened in recent years due to automated tools, anonymous payment systems, dark web RaaS sites, and increasing financial gains. Thus, exponential growth of Ransomware variants can be seen in the last 4 years:

  • 2013 – 5 new variants
  • 2014 – 9 new variants
  • 2015 – 27 new variants
  • 2016 (Q1) – 15 new variants already and counting

Newer variants are evolving to a model of compromise that can be potentially devastating to a business operation. Where in the past they only infected a single system and encrypted files accessible by that user/system, they now can move laterally and infect other systems, including servers. Instead of just encrypting user documents, they now look for key files including databases and backup files.

The potential for damage from this can be debilitating to a business. The perps know that good backup files are your best defense against Ransomware, so if they can encrypt those as well, your business is now out of business and paying the ransom may be your only choice!

There was another recent healthcare breach that caused the hospital to shut down key systems and revert to paper systems due to a Ransomware attack. This slowed service and caused many surgeries to be postponed. The impact to the business was dramatic and the impact to the care of patients could have been life threatening.

That said, we work with many organizations on security and compliance related areas and find that most have a flat network. A flat network means that if I can get access to one device on that network, I have free rein to compromise any other device by exploiting vulnerabilities or using compromised admin credentials. There are no physical or logical controls for access between systems. Some organizations have implemented virtual LANs (VLANs) to break up their network; however, upon closer scrutiny, there are no access controls in place between the VLANs, which is tantamount to a flat network.

Imagine that your critical database systems are on the same network as a receptionist’s workstation. Between calls and receiving visitors, the receptionist is doing some online shopping and lands on a site with Malvertising that allows Ransomware to be dropped on their workstation. Once on that workstation, the Ransomware starts searching for other systems to infect and gains access to the database systems which in turn get encrypted causing a major systems outage for the company. Also imagine that your online backup system is also compromised and all your backups get encrypted. The cost to the business may be devastating and potentially put it out of business.

If you have online backup files that are accessible to the network and they get encrypted, your last line of defense is going to tape assuming that you have current data on those tapes. We all know that restoring systems from tape can take hours, days, or even weeks. It is critical that your backup systems be isolated physically and logically from your network to the extent that only required ports/protocols are allowed to communicate to perform the backup process.

With the recent developments of Ransomware being able to traverse the network, a flat network provides the best attack surface for the attacker and the worst case scenario for the business. Proper network segmentation would prevent a workstation assigned to a receptionist from reaching the critical systems infrastructure, thus mitigating the impact of laterally moving Ransomware. Segmentation, if implemented properly, allows only the systems that need to communicate with one another to do so; those that don't need to, can't.
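To make the two points above concrete (backups reachable only over the ports the backup process needs, and workstations unable to reach critical systems), here is an added example of a default-deny inter-VLAN ruleset for a Linux firewall using nftables. It is not from the original post or CompliancePoint; the address ranges, interface name and port numbers are constructed placeholders for a workstation VLAN, an application VLAN, a database VLAN and a backup server.

```nftables
# Assumed addressing (constructed for this example):
#   workstations  10.10.0.0/24    application servers 10.15.0.0/24
#   databases     10.20.0.0/24    backup server       10.30.0.10
#   internet-facing interface     wan0
# A "flat" network is the equivalent of this chain with policy accept and
# no rules: every VLAN can initiate a connection to every other VLAN.
table inet segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # return traffic for flows that were already permitted
        ct state established,related accept

        # workstations may reach the internet, and nothing else beyond their VLAN
        ip saddr 10.10.0.0/24 oifname "wan0" ct state new accept

        # only application servers may open connections to the databases,
        # and only on the database port (5432 is a placeholder)
        ip saddr 10.15.0.0/24 ip daddr 10.20.0.0/24 tcp dport 5432 ct state new accept

        # backups are pulled: the backup server initiates to the database
        # servers' backup agent port (10000 is a placeholder). Nothing, not even
        # a database server, may initiate a connection to the backup server, so a
        # compromised host cannot reach the backup store to encrypt it.
        ip saddr 10.30.0.10 ip daddr 10.20.0.0/24 tcp dport 10000 ct state new accept

        # explicit, counted drop for workstation -> critical systems attempts so that
        # lateral movement from a workstation shows up in firewall counters and logs
        ip saddr 10.10.0.0/24 ip daddr { 10.20.0.0/24, 10.30.0.10 } \
            counter log prefix "ws-to-critical-drop: " drop

        # everything else falls to the chain policy; log it so a spike is noticeable
        counter log prefix "segmentation-drop: " drop
    }
}
```

A sudden rise in the `ws-to-critical-drop` counter is exactly the signal to investigate: it means something on a workstation is scanning for other systems the way the post describes.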

If you have any questions regarding the Ransomware or any other data security issues, please contact us at security@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.