Ransomware is a nasty variation of a denial of service attack. Rather than simply denying a victim organization the ability to work, it adds blackmail for cash.

And according to Cisco Systems researcher William Largent, like all malware it’s only going to get worse.

“Combined with new methodologies in targeting, we anticipate a trend towards ransomware that can self-propagate and move semi-autonomously throughout a network to devastating effect,” he wrote this week in a detailed blog on how this malware works and what CISOs can do about it.

The future, he says, can be seen in ransomware like SamSam.exe, found in a number of scattered enterprise network breaches mainly targeting hospitals. “SamSam isn’t complex, and it is not fully self-sufficient, but it does exhibit some of the behaviors of a successful worm – rapid propagation, payload delivery (ransomware), and crippling recovery efforts,” says Largent. “The age of self-propagating ransomware, or ‘cryptoworms’, is right around the corner.”

“For too long, critical security controls and best practice for enterprise network security have been publicly praised and privately ignored,” he warns. “Drop-in appliances and security solutions can only do so much to protect the network, and will do little to stop this threat if networks continue to be architected and expanded without defense in depth in mind. If enterprises don’t start making strides towards defensible architecture today, massive ransoms may end up getting paid tomorrow.”

CISOs aren’t without defences, the blog notes: network segmentation to contain lateral movement; dedicated firewall/gateway segmentation; role-based network share permissions; credential management; patch management; a company-sanctioned file-sharing program for exchanging files among users in the organization and/or company partners, with sharing files through email forbidden; and awareness training.

“Our attackers are opportunistic and are looking to turn a profit with as little effort as possible. If initial access cannot be easily established, this increases the likelihood they will seek out easier prey,” Largent says. That’s why he calls backup and recovery procedures the last line of defence.

Meanwhile this week Scott Gainey, senior vice-president and chief marketing officer at SentinelOne, wrote a column also advising CISOs that ransomware can be beaten. “Although it may seem counterintuitive, most ransomware variants are incredibly similar in the methods they use to interact with the operating system of the target device. Therefore, even though ransomware authors continue to create a steady stream of new variants such as Petya, we have an ace in the hole. By monitoring for and detecting the underlying and shared behaviors of malware we can effectively stop ransomware infections before they can cause damage.”
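The behaviour-based detection Gainey describes, shown as an added example rather than SentinelOne's or Cisco's code: a small Python detector that ignores what a sample is called and instead watches what a process does to files. It keeps a sliding window per process and raises an alert when that process produces many "shared ransomware behaviours" (writes of encrypted-looking, high-entropy content and renames that change a file's extension) across several directories in a short time. The event schema, the thresholds (20 suspicious events across 3 directories within 60 seconds), the process names and the sample telemetry are all constructed assumptions for the illustration.

```python
"""Behaviour-based ransomware detector over a stream of file-activity events.

Added illustration, not SentinelOne's or Cisco's code. The event format,
the thresholds and the sample events below are all constructed assumptions.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds: how much suspicious activity inside one window is
# "too much like ransomware" for a single process. Tune per environment.
WINDOW_SECONDS = 60.0
MIN_SUSPICIOUS_EVENTS = 20
MIN_DISTINCT_DIRS = 3
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted output sits close to 8.0


@dataclass
class FileEvent:
    ts: float            # seconds since start of capture
    pid: int
    process: str
    op: str              # "write", "rename" or "delete"
    path: str
    data: bytes = b""    # bytes written (only meaningful for "write")
    new_path: str = ""   # destination path (only meaningful for "rename")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent) -> bool:
    """Shared ransomware behaviours: high-entropy writes and extension swaps."""
    if ev.op == "write":
        return shannon_entropy(ev.data) >= ENTROPY_THRESHOLD
    if ev.op == "rename":
        old_ext = os.path.splitext(ev.path)[1]
        new_ext = os.path.splitext(ev.new_path)[1]
        return new_ext != old_ext  # e.g. report.xlsx -> report.xlsx.locked
    return False


class RansomwareBehaviourDetector:
    """Per-process sliding window; alerts when suspicious events span many directories."""

    def __init__(self, window=WINDOW_SECONDS, min_events=MIN_SUSPICIOUS_EVENTS,
                 min_dirs=MIN_DISTINCT_DIRS):
        self.window = window
        self.min_events = min_events
        self.min_dirs = min_dirs
        self.recent = defaultdict(deque)  # pid -> deque of (ts, directory)
        self.alerts = []                  # (pid, process, events, dirs)
        self._alerted = set()

    def feed(self, ev: FileEvent):
        """Consume one event; return an alert tuple the first time a pid trips."""
        q = self.recent[ev.pid]
        if is_suspicious(ev):
            q.append((ev.ts, os.path.dirname(ev.path)))
        while q and q[0][0] < ev.ts - self.window:  # expire old entries
            q.popleft()
        dirs = {d for _, d in q}
        if (len(q) >= self.min_events and len(dirs) >= self.min_dirs
                and ev.pid not in self._alerted):
            self._alerted.add(ev.pid)
            alert = (ev.pid, ev.process, len(q), len(dirs))
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample telemetry: a benign word processor, and a process that
# rewrites documents with encrypted-looking content across several shares.
LOW_ENTROPY = b"Quarterly report draft, section 1 of many. " * 40
HIGH_ENTROPY = bytes(range(256)) * 4  # every byte value equally often -> 8.0 bits


def sample_events():
    events = []
    for i in range(30):  # benign: many plain-text saves, one directory, no renames
        events.append(FileEvent(i * 1.0, 1001, "winword.exe", "write",
                                f"/home/alice/docs/draft{i}.docx", LOW_ENTROPY))
    for i in range(25):  # suspicious: overwrite-then-rename sweep over five shares
        path = f"/shares/dept{i % 5}/file{i}.xlsx"
        events.append(FileEvent(100 + i * 0.5, 2002, "updater.exe", "write",
                                path, HIGH_ENTROPY))
        events.append(FileEvent(100 + i * 0.5 + 0.1, 2002, "updater.exe", "rename",
                                path, new_path=path + ".locked"))
    return events


def run_demo(events=None):
    """Feed the sample stream through the detector and return the alerts raised."""
    detector = RansomwareBehaviourDetector()
    for ev in sorted(events or sample_events(), key=lambda e: e.ts):
        detector.feed(ev)
    return detector.alerts


if __name__ == "__main__":
    for pid, name, n, d in run_demo():
        print(f"ALERT pid={pid} {name}: {n} suspicious file events across {d} directories")
```

In the constructed stream the word processor saves thirty plain-text files and never trips the detector, while the sweeping process is flagged after its tenth file (twenty suspicious events spread over five directories), well before it has touched everything on the shares. The entropy and extension heuristics are deliberately simple stand-ins for the richer file, process and registry telemetry a real EDR correlates, and the thresholds should be calibrated against backup agents and archivers, which legitimately produce high-entropy writes.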

CISOs have lots of resources to help fight ransomware. There’s no reason not to take advantage of them.