Welcome!

Cloud Security Authors: Elizabeth White, Liz McMillan, Pat Romanski, Lisa Calkins, Mamoon Yunus

Related Topics: @CloudExpo, Machine Learning , Cloud Security

@CloudExpo: Blog Post

What Is Ransomware and How Cloud Security Mitigates It | @CloudExpo #Cloud #Security #MachineLearning

There was a 300 percent increase in ransomware attacks last year, according to the FBI

What Is Ransomware and How Cloud Security Mitigates It

Ransomware attacks escalated dramatically in 2016. In fact, there was a 300 percent increase in ransomware attacks last year, according to the FBI, to an average of 4,000 attacks a day, up from 1,000 ransomware attacks a day in 2015. What's more, organizations are targeted more frequently than individuals because they generate a much bigger potential payoff. Ransomware has become a profitable criminal enterprise that continues to change and grow.

Managed Service Providers often assist clients with data restoration to avoid the downtime that can be caused by a ransomware attack. They also work with clients to improve their security posture overall so they can avoid ransomware damage. Here's what your organization needs to know about ransomware and how cloud computing can help protect your organization.

What is ransomware?
There may be more than a hundred families of ransomware. Basically, three traits are common among the many variants of ransomware viruses:

  1. They infect your computer, such as through a spear-phishing email (targeted at a specific employee) or a visit to a legitimate website infected with malicious code.
  2. They encrypt your files and demand payment (usually in bitcoin) to receive a decryption key.
  3. The decryption key is usually successful; however, it can depend on the honesty and follow-through of the cybercriminal.

Not all ransomware is created equally. There are two main types: lock screen and encryption ransomware. Encryption got all the press in 2016. While you may be able to find a workaround to lock screen ransomware, that's not the case with file-encrypting crypto ransomware. By the time you realize your files are encrypted and unreadable, or you find or receive a ransom note, the damage has been done - and it is irreversible without the private decryption key held by the attacker.

How files get infected with ransomware
Attackers are changing their tactics. While spam emails used to be a popular way to spread malware such as ransomware, spam filters have taken the wind out of that approach. Now it is often spear-phishing, which targets an individual directly. In fact, 93% of all phishing emails contain some sort of ransomware encryption, according to a report by PhishMe, an anti-phishing vendor. And the FBI says recent iterations target enterprise end users.

That's not all. Other sources of ransomware include social media, malicious advertising (even on trusted websites) and bold cold calls via phone where an attacker poses as a software vendor or IT provider and directly requests remote access to the user's computer to resolve a purported problem - but instead installs ransomware.

How you know if you have been hit by ransomware
You likely won't know you've been hit right away, but within seconds the ransomware virus will silently start encrypting your files - and files accessible via your network. The files are generally encrypted with a public encryption key in such a way that you cannot decrypt the files without the second key of the pair. You probably won't get a ransom note until hours or days later when the encryption is complete.

In the meantime, you may discover files that appear to be corrupted. Encrypted files cannot be read by any application, and the first sign of damage may be error messages on your computer when opening files - asking which application should be used.

When Internet of Things devices are hit by ransomware
Even smartphone apps and Internet of Things (IoT) devices can be infected with ransomware. How would you know if your smart thermostat was infected? Two hackers demonstrated a proof-of-concept of thermostat lock-screen ransomware at the Def Con conference in Las Vegas last year. Imagine cybercriminals cranking up the building's heat in the summer or turning it off when it's freezing outside - and then locking the device until the ransom is paid with a bitcoin. Like a small computer, their off-the-shelf smart thermostat ran a version of Linux and had a user input screen and an SD card. The device was especially vulnerable because the firmware was readable and the code ran from the root.

The introduction of Mirai - a malware and botnet combination - has introduced even more complexity into the ransomware arena. This virus can compromise a wide range of Internet of Things (IoT) devices, including DVRs, security cameras, and network gateways. As with much of the more recent distributed denial of service (DDoS) botnet malware, once a device is infected with Mirai, an attacker gains full control of the device and can use it for denial of service attacks - or potentially hold it for ransom.

What data is most likely to be held hostage?
Almost half of respondents to a survey of 500 businesses worldwide said their organization had suffered a ransomware attack in the last 12 months. They were an experienced bunch; those who suffered at least one ransomware attack had to defend against six attacks on average. Of those who had faced an attack, 42% said the type of data targeted was employee information, 41% said it was financial data, and 40% described it as customer information. How did the ransomware attacker get access in the first place? Phishing via email or social media was extremely common (81%). Clicking on a compromised website ensnared 50% and infection via a computer that was part of a botnet got 40%.

How much does ransom cost?
Some organizations are being targeted for high ransom amounts. Network World cites Federal Trade Commission Chair Edith Ramirez as providing the example of Hollywood Presbyterian Medical Center, which paid bitcoin valued at around $17,000 to the perpetrators of a ransomware attack. CSO Online reports that the original ransom demand was $3.6 million.

The FBI estimates that criminals reaped more than $1 billion from ransomware in 2016. Many victims don't report their losses, so the amount could be much higher. Ransomware-as-a-service (RaaS) is a new monetization model that gained steam in 2016. The authors of the ransomware are said to get a percentage of each paid ransom, thus creating incentive to provide frequent software updates, service and new features.

Unfortunately, the FBI reports that even if payment is made, the decryption key provided by the perpetrator to unlock the files may not work due to system configuration issues. Or the perpetrators may not provide the key after receiving the money and instead follow up with a second ransom demand.

Backups may not be enough
The FBI offers tips for dealing with a ransomware threat. A key point to ensuring business continuity in a world of ransomware is to back up data regularly and test the backups. Any backups, including cloud backups, need to be secured in a way that they are inaccessible to spreading ransomware virus. Many ransomware infections will encrypt any accessible data including external storage, USB drives and mapped and unmapped network drives.

Having a secure and validated data backup program is the easiest way to avoid having to pay ransom. Even then, it typically takes 33 employee hours to replace the stored data, according to survey respondents. Preparing in advance with a business continuity plan, disaster recovery plan, and the help of a company with cloud security and disaster recovery expertise can help you avoid the headache of ransomware and other security breaches - and help you to ensure faster mitigation and recovery if your organization is attacked.

Machine learning: taking a bigger step to stop ransomware
Seven in ten organizations hit by ransomware agreed that they needed a new solution to protect their organization from ransomware. Sixty-five percent agreed that traditional cybersecurity techniques cannot protect from the next generation of malware such as ransomware attacks. Advanced malware and ransomware is now getting past signature-based anti-virus software. Although Security Information and Event Management (SIEM) solutions stop many attacks, attackers know how SEIM solutions operate, so they can work around them.

Machine learning techniques available today in cloud computing solutions such as Microsoft Azure can provide protection against both known and potentially never-before-seen ransomware and other breaches that may make it past anti-virus and SEIM systems. Machine learning allows organizations to track the normal behavior of internal and external users and typical traffic patterns - and take action when behavior differs even subtly from what is expected. For example, if a user doesn't usually encrypt, copy or delete large numbers of files, it's a red flag if they attempt to do so. You can bring much more power to your ransomware deflection efforts when you have adaptive systems in the cloud.

Limiting the reach of a ransomware infection
It's best to assume your infrastructure will be breached by malware such as ransomware, and plan accordingly. If ransomware gets to your network, there are ways to limit its reach. For example, it is best to assume credentials will be compromised and assign roles based on the least privilege required to complete a task and no more. Multi-factor authentication can also prevent damage from a phished username/password pair, and machine learning can be applied to anticipate if a user access attempt is legitimate.

With security protocols and technologies smartly designed and implemented, even when a threat actor gets in it's possible to prevent or minimize damage. With proper segmentation, security zones isolate elements and prevent the lateral movement of attackers. In a best practices zero-profile implementation, cloud firewall policies will be architected to prevent all inbound and outbound connectivity on all ports by default. The security profile will then be modified to provide services with the minimum required connectivity.

Backups, replication and disaster recovery plans
Having a secure and validated data back-up program is the easiest way to avoid having to risk paying to decrypt files rendered unusable by crypto-ransomware. It's important that your backup and replication plan meets the unique needs of your organization to ensure business continuity. A disaster recovery failover plan can dramatically improve the effectiveness and speed of restoring your systems to full operation.

Whether your systems go down due to power loss, user error, natural disaster or ransomware, the result can be devastating. The best disaster recovery plans use both backup and replication. A backup is a copy of your data at a point in time. Backups provide good long-term storage but are limited to the snapshot of data stored at the time of the backup. Replication can meet much lower recovery time (RTO) and recovery point objectives (RPO). Replication runs a mirror image of your data operations and can take over at the moment of failure. Failover to a replicated site can keep a business running with little to no downtime. Regular failover testing is essential to ensure your systems will return to production levels in the timeframe and with the data quality desired after a ransomware attack.

Disaster Recovery as a Service (DRaaS) goes beyond traditional disaster recovery. DRaaS manages a variety of backup and replication systems - in the cloud, co-located and in your own data center - unifying all under common interface to reduce complexity and improve resilience when you need to restore or failover.

It's time to take action
Most tech executives agree that they lack the necessary skills internally to keep their systems and data secure. Organizations that put off mitigating a security risk such as ransomware to a later date often never deal with it at all. Consider whether your organization has the expertise and the current bandwidth to ensure you don't become a ransomware statistic.

A cloud engineering team can work closely with your organization to identify your key challenges and objectives and to map out a cost-effective plan that provides your company with a secure, compliant, robust and flexible IT architecture that grows with you and blocks ransomware and other attacks. Managed security services including machine-learning analytics can help keep your organization protected from ransomware and other cybersecurity threats.

Resources

Disaster Recovery as a Service Solutions Brief [http://www.tierpoint.com/wp-content/uploads/2016/11/SOLUTIONS-BRIEF-DRaaS1.pdf]

SentinelOne Ransomware Research Data Summary [https://go.sentinelone.com/rs/327-MNM-087/images/Data%20Summary%20-%20English.pdf]

FBI Ransomware Prevention and Response for CISOs [https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

More Stories By Paul Mazzucco

Paul Mazzucco is Chief Security Officer at TierPoint where he is responsible for all company standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards.

Paul completed his undergraduate work at Lehigh University, studying Human Behavior and Cyber Security. He is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE), and Certified Ethical Hacker (CEH) answering to the FBI, the United States Secret Service, Pennsylvania Electronic Crimes Task Force (PAECT) and the United States Computer Emergency Readiness Team (U.S. CERT).

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
Internet-of-Things discussions can end up either going down the consumer gadget rabbit hole or focused on the sort of data logging that industrial manufacturers have been doing forever. However, in fact, companies today are already using IoT data both to optimize their operational technology and to improve the experience of customer interactions in novel ways. In his session at @ThingsExpo, Gordon Haff, Red Hat Technology Evangelist, shared examples from a wide range of industries – including en...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, will provide a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to ...
Consumers increasingly expect their electronic "things" to be connected to smart phones, tablets and the Internet. When that thing happens to be a medical device, the risks and benefits of connectivity must be carefully weighed. Once the decision is made that connecting the device is beneficial, medical device manufacturers must design their products to maintain patient safety and prevent compromised personal health information in the face of cybersecurity threats. In his session at @ThingsExpo...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
SYS-CON Events announced today that GrapeUp, the leading provider of rapid product development at the speed of business, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market acr...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
Recently, IoT seems emerging as a solution vehicle for data analytics on real-world scenarios from setting a room temperature setting to predicting a component failure of an aircraft. Compared with developing an application or deploying a cloud service, is an IoT solution unique? If so, how? How does a typical IoT solution architecture consist? And what are the essential components and how are they relevant to each other? How does the security play out? What are the best practices in formulating...
In his session at @ThingsExpo, Arvind Radhakrishnen discussed how IoT offers new business models in banking and financial services organizations with the capability to revolutionize products, payments, channels, business processes and asset management built on strong architectural foundation. The following topics were covered: How IoT stands to impact various business parameters including customer experience, cost and risk management within BFS organizations.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
SYS-CON Events announced today that Elastifile will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Elastifile Cloud File System (ECFS) is software-defined data infrastructure designed for seamless and efficient management of dynamic workloads across heterogeneous environments. Elastifile provides the architecture needed to optimize your hybrid cloud environment, by facilitating efficient...