Ransomware: Here Today, Here Tomorrow

With all our energy of the past several weeks focused on adapting to the global crisis, security may have taken a back seat. But cybercriminals haven’t forgotten. Networks have been turned inside out, and they have been very actively targeting remote workers that used to be protected by the network perimeter with fake COVID-related material and other social networking attacks. And they have been probing these new network environments for vulnerabilities in the hopes that may have been pulled together too quickly to have implemented adequate security protections and controls.

FortiGuard Labs has been actively monitoring the threat landscape during this time, and we have seen a significant increase in threats targeting individuals through phishing and infected websites. Email attachments contain infected and malicious content, which explains why we recorded a 131% increase in viruses during March of this year. It also explains why we have seen a reduction in traditional attacks as cybercriminals shift focus. Incidents of ransomware are likely to rise as cybercriminals look to use compromised end user devices as a conduit back into a core network that may not be being watched as carefully as it once was.

We take a close look at the level of threat that ransomware poses and what organisations should do about it now, while their networks are still in a state of flux.

The Ransomware Landscape Today

Among the types of attacks that keep security professionals up at night – it is ransomware for sure, and the threat shows no signs of slowing down. And when it comes to defending against ransomware, security tools are only as good as the team that manages them. Everything from configuration errors to solution sprawl can weaken the power of enterprise cybersecurity defenses to detect and prevent cyberattacks. However, especially when it comes to ransomware, the biggest problem is the human factor.

Why Cyber Hygiene and the ‘Human Factor’ Continue to be Primary Concerns for Ransomware

When it comes to cyber hygine, awarness is not the problem – it is rooted in human behaviour. But awareness and action are two very different things. In addition to broad brush attacks that target everyone, emails are being cleverly written to target specific types of individuals at an organization, either directly, or through a new technique where they insert phishing emails into an active email thread to increase the likelihood of it being clicked on. This type of attack is known as spearfishing, and if the target is a member of the C-suite, it is called “whale phishing.” But regardless of who is being targeted, everyone is susceptible to a carefully crafted email arriving when they are just distracted enough to not be paying attention.

How Ransomware will progress during 2020

What has been on the rise, and what I predict will get worse in 2020, are the more targeted ransomware attacks that cost businesses more from an operational and regulatory perspective. Malware and ransomware attacks in general are a completely different game now because these attacks are being targeted and specifically crafted to certain internal systems. Another factor contributing to the growing attacks on businesses and enterprise organisations is the ready availability of Ransomware-as-a-Service (RaaS) offerings, which is something I predicted years ago would happen as an evolution of ransomware. And in 2020 we are already seeing another shift, with ransomware jumping to leverage the timely cybercriminal opportunity around COVID-19, which demonstrates that ransomware evolution is not just about targeted attacks. And this sort of multi-pronged attack front is much harder to defend against.

What Can Organisations Do?

We are at an especially vulnerable moment in our transition to a digital economy. Organisations need to take steps now to protect their networks and networked resources from the growing problem of sophisticated ransomware. While each network environment is different, here are a few things any organisation can begin to implement today to reduce their risk from ransomware and other advanced threats.

• Wherever possible, patch and update operating systems, devices, and software. Make this a priority for remote workers – especially those using personal devices to connect to the corporate network. For devices that can’t be patched, ensure that appropriate proximity controls and alerts are in place. It is also important to make sure that all endpoint devices have advanced security installed, such as anti-exploit and EDR solutions.
• Businesses need to make sure that access controls, such as multifactor authentication and even Network Access Control solutions are in place. Using NAC to inspect and block bring-your-own-devices that do not meet security policy is recommended. We also recommend segmenting the network into security zones to prevent the spread of infection and tie access controls to dynamic segmentation.
• Use inventory tools and IOC lists to prioritise which of your assets are at the most risk. Make sure that ransomware recovery is part of the BCDR, Identify a recovery team, run drills, and pre-assign responsibilities so systems can be restored quickly in the event of a successful breach.
• Update email and web security gateways to check and filter out email attachments, websites, and files for malware. Make sure that CDR (content disarm and recovery) solutions are in place to deactivate malicious attachments. Use a sandbox to discover, execute, and analyse new or unrecognised files, documents, or programs in a safe environment.
• Block advertisements and social media sites that have no business relevance. Use zero-trust network access that includes virus assessments so users can’t infect business-critical applications, data, or services. Use application whitelisting to prevent unauthorised applications from being downloaded or run.
• Prevent unauthorised SaaS applications with a CASB solution. Use forensic analysis tools to identify where an infection came from, how long it has been in the environment, ensure they are removed all of it from every device, and ensure it doesn’t come back.
• Plan around the weakest link in your security system – the people who use your devices and applications. Training is essential but limited. Proper tools, such as secure email gateways, for example, can eliminate most if not all phishing emails and malicious attachments. Leverage people, technology, and processes to quickly gather threat intelligence about active attacks on your networks and act on it, using automation where possible. This is crucial to stopping an advanced attack in its tracks.

Now Is Not the Time to Take Your Eye Off the Ball

Even though we are all running as fast as we can to keep our businesses up and running, we are also more exposed than ever to criminals who want to take advantage of this crisis. Ransomware and other advanced threats have not slowed down just because we are busy. In fact, based on our ongoing analysis of the threat landscape, the opposite is true.

Most organisations should have their remote worker strategy in place. Now is a perfect time to review the steps outlined above, conduct a thorough review of your security policies, and make necessary adjustments. Prioritise your challenges and work through them one at a time. Every step you take now to tighten down your policies and practices is a threat averted. And we could all use one less thing to worry about right now.