Ransomware Attacks Escalating
Symantec’s Kevin Haley explains the effects of ransomware in the public and private sector
Ransomware is growing rapidly because there is a lot of money to be made in it. It’s very simple to get into, so we see an increasing number of gangs get into this line of “business” as a way to enrich themselves, said Kevin Haley, Director of Product Management for Symantec Security Technology and Response, in an interview with ITWatchIT.
You can build a piece of ransomware, buy it or even rent it, if you don’t know how to set up a command-and-control server. The technology used to encrypt files is good, so when the bad actors gain access to a victim’s machine and encrypt their files – there isn’t any option to break an encryption, and so many people chose to pay the ransom to get their data back.
If I was doing some sort of cybercrime and observed others making money from ransomware, I’d probably jump into it as well, because it is probably the most profitable thing out there now.
Security and the Cloud
The cloud is another way of pushing the responsibility to someone else. You’re moving your data from your computer to somebody else’s, and you don’t have control over that, so you have to trust them in terms of what they are doing to secure it. The problem shifts, but it doesn’t really change. There are business benefits to moving things to the cloud and having someone else assume the cost of managing and running that server, so the companies moving there need to ensure that security, insider threats and protection of their data from attacks are included in the contract.
From a security standpoint, that data is still vulnerable because users are going to connect to that cloud and get the data. If the bad guys compromise one of your users, then they can go into that cloud and get the data they want. Securing access to data is very important, and one way to do that is to secure your end users, so they don’t become compromised. Two-factor authentication is also really critical here.
The interesting thing about that attack is that they found one of the attackers and felt very confident that they were in control of the situation, when in reality, there were two attackers in the environment. They were only aware of one of them at the time. That is not an unusual situation because statistics show that if someone is in your environment, then there’s probably more than one.
One of the things that we noted in our ransomware report is that if a large organization has been attacked once, then they usually get attacked about four times a year, on average. You cannot say the job is done when you catch one attacker, since it is usually ongoing.
IoT and Ransomware
Ransomware hasn’t really gained that much ground in the internet of things sector. IoT devices are very susceptible to any type of hacking attack or cybercrime. There is nothing, technically speaking, to stop an attacker from gaining access to a television, a washing machine, thermostat, or any other IoT device.
Ransomware involving IoT devices really hasn’t happened yet, and the reason for that is that there is plenty of money to be made right now in hacking PCs. The average “profit” is $600 in ransom, so before hackers move into IoT, they will have to figure out if they can make more than $600, to make it worth their time.
Typically, if you are a regular business looking to move into a new market, you’d consider how much money you’ll make. The day will come when IoT devices will be held hostage. You can imagine your thermostat being held hostage and the heat tuned off in winter or turned on in summer. Someone will figure it out very soon and decide where to put the ransom note, and how to ensure they get paid. If they can get paid more than $600, then we’ll start seeing that sort of attack in huge numbers.
The main way ransomware gets spread is through spam, infecting a legitimate website, and getting the users to perform certain actions that could compromise their systems. Those behind the ransomware don’t care about the people who go to the websites or get the email, as long as they can get a percentage of them to pay.
Even so, we have seen a certain amount of targeting by these actors in the healthcare sector. That is because there has been high visibility in healthcare organizations getting infected and paying the ransom. Many of the bad actors see this and it motivates them to attack such businesses to make more profit. Their perception is that it is a soft target.
Government Threat Landscape
It’s really not that much different for government than anyone else when it comes to ransomware. They still have users who go to certain sites and read email, so they are susceptible to any type of malware attack, especially ransomware.
The exception is that we see a lot of targeted attacks against government organizations, especially, small government organizations. The percentage of attacks against government organizations with less than 250 employees is actually higher than other industries.
A rat refers to a Remote Access Tool, and there are tons of those out there. This particular one is just the latest. There is something about the latest threat that catches our attention, but we should be more concerned about the hundreds of other types of programs that we ought to be aware of, as well. The main thing is to protect ourselves from all the threats out there, not just one. This one is not more important than other threats.
BYOD Movement and Inherent Threats
When these devices find their way into the workplace, it puts a strain on the defenses built to keep attackers at bay. Government agencies and other organizations need to have certain standards before letting these devices onto their network. For instance, at Symantec, we have a separate network for people and guests who come in and want to connect to the network. They are not connected to our internal network at all, and that is one way in which we deal with those kinds of devices.
If you do decide to let someone’s personal device connect to your real network, you need to make sure that there is integrity on that device, in terms of security.
Shadow IT is a challenge because someone who wants to get a device on the network will probably find a way to achieve that. This is where that alternate network comes into play, because we can avoid that shadow IT trying to come in and solve a problem that ends up causing more problems than it solves.
US, A Prime Target for Ransomware
The US is a prime target because we have more connected computers than any other country, apart from China, so there are more opportunities for hackers. Also, Americans can afford a higher ransom, from the perspective of the hackers, who are purely in it for the profit. You tend to see that First World countries are being attacked, because they are more capable of paying.
Ransomware attacks are mainly through malware that’s delivered via email, or a drive-by download on an infected website. We have products that run at the gateway that look at incoming traffic from web servers, and we have a mail server protection that analyzes email that comes through. We try to block malicious traffic there, before it gets through to the organization’s network.
If it does manage to get into the organization, we will try to catch it and stop it at the desktop. We will use traditional antivirus, behavior blocking, and also look at the reputation of the file. We also use intrusion prevention, which is a web-based protection.
We are very good at looking for exploit kits, which are those things people will rent from other bad actors in order to get onto your machine. We can also block the communication to a command-and-control server. If a machine gets infected, it will go out to a command-and-control server on the internet to get the encryption key to encrypt the files. We look for that traffic to block the communication, so that even if the malware gets on the machine, it can’t actually encrypt files or do anything to it.
Another thing we look for is behavior indicative of ransomware trying to encrypt files. If a program doesn’t have permission, or it’s not a legitimate program, we can block it based on that. It’s not just one thing, what’s really important is that the approach to this, or any type of malware mitigation, is a layered approach, on the desktop and throughout the environment.
Speaker: Kevin Haley, Director of Product Management for Symantec Security Technology and Response
Kevin Haley is Director of Product Management for Symantec Security Technology and Response where he is responsible for ensuring the security content gathered from Symantec’s Global Intelligence Network is actionable for its customers. He is the technical advisor and main spokesperson for Symantec Internet Security Threat Report. He served as a technical advisor for Anthony E. Zuiker’s digital crime thriller, “Cybergeddon” and appeared in the documentary “Most Dangerous Town.” He also frequently appears as a security expert for media including The Today Show, NBC Nightly News, Good Morning America, MSNBC, USA Today, New York Times, Forbes, Dow Jones and many others. During his 16 years at Symantec, Haley has also acted as the Group Product Manager for Symantec Endpoint Protection and our mail security products.
Founded in 1982, Symantec has evolved to become the global leader in cyber security, with more than 11,000 employees in more than 35 countries. Operating one of the world’s largest cyber intelligence networks, Symantec see more threats, and protect more customers from the next generation of attacks. They help companies, governments and individuals secure their most important data wherever it lives.