Throughout 2018 criminals have continued to target large organizations with ransomware. Today we introduce a new white paper that explains why ransomware is still a serious threat to your organization – regardless of size – and what can be done to reduce exposure to, and damage from, ransomware attacks.
The paper focuses on three particularly dangerous ransomware attack vectors: remote access, email, and supply chain. The paper is intended to help CEOs, CIOs, CISOs, and enterprise risk managers understand the current state of the ransomware threat as well as several evolving areas of concern. The more technical aspects of ransomware response are discussed in an appendix.
Bigger targets, higher demands
If your organization has not been hit by ransomware lately you might be tempted to assume that this threat has receded into the archives of cybercrime. Headlines in the trade press have described ransomware as “so 2017” and “in decline relative to cryptocurrency mining.” In essence, these headlines reflect the fact that, while cryptomining detections have been rising, some of the more obvious indicators of ransomware activity have been declining; but to be clear, ransomware is still a serious threat to your organization.
Consider what happened to the City of Atlanta in the US. Five city government departments were hit with ransomware: Corrections, Watershed Management, Human Resources, Parks and Recreation, and City Planning. A range of city functions were impacted by the attack, including the ability to accept online payment for water bills and traffic tickets. The Wi-Fi at Hartsfield-Jackson Atlanta International Airport was turned off for a week. While Atlanta rightly rejected the $50,000 ransomware demand, the financial impact has been in the millions of dollars (and may end up being close to $17 million).
As we document in the white paper, costly ransomware attacks have hit numerous other organizations in the SLED sector (that’s State and Local Government and Education). We know about these attacks because SLED entities typically have public reporting requirements. The same is true in the healthcare sector, where government regulations may mandate disclosure, and patient safety is at risk.
But what about organizations that are not required to disclose data security breaches? It is reasonable to assume that a commercial enterprise which gets hit by a targeted ransomware attack will try to avoid headlines if at all possible. And that means we cannot rely on published reports of ransomware attacks to assess the scale of the threat. What we do know, from speaking to support staff at Managed Service Providers and security vendors, is that ransomware continues to be a costly crime with no shortage of victims across all sectors of business.
The RDP factor
Something else we know is that a number of the 2018 ransomware attacks on healthcare and government entities involve a family of ransomware known as SamSam (detected by ESET products as MSIL/Filecoder.Samas). SamSam attacks in 2018 have been penetrating organizations “by brute-forcing the RDP endpoints” (US Department of Health and Human Services).
An RDP endpoint is a device, such as a database server, that is running Remote Desktop Protocol (RDP) software so that the device can be accessed over a network, such as the internet. If access to the server is protected only by a user name and password, then an attacker who has identified the server as a target will make repeated attempts to guess them, often at high speed; hence the term brute force attack. Absent any mechanism to limit repeated bad guesses, such attacks can be very effective and lead to widespread compromise of an organization’s network. Ransomware hit medical testing giant LabCorp in July 2018 via RDP and reached 7,000 systems and 350 production servers in less than an hour (CSO).
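The guessing pattern described above leaves a very visible trail on the target: a burst of failed logons from one source, sometimes followed by a successful one. The following Python script is an added example, not code from the white paper or from ESET, of a sliding-window detector for that pattern. It assumes logon events are available as Windows Security event 4625 (failed logon) and 4624 (successful logon) with Logon Type 10 (RemoteInteractive, the type an RDP session produces); the one-line-per-event text format, the sample events, the IP addresses and the threshold of 10 failures in 5 minutes are all constructed for this example.

```python
"""Sliding-window detection of RDP password guessing.

Added example (not from the white paper or ESET). Assumes failed and
successful logons are available as Windows Security events 4625 and 4624
with LogonType 10 (RemoteInteractive, i.e. RDP). The one-line-per-event
text format below is constructed for this example, not a real export format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events, in chronological order. Field names mirror the
# Security event fields TargetUserName, IpAddress and LogonType. The first
# line is a non-RDP failure (LogonType 3) that the detector must ignore, and
# one malformed line is included to exercise the parser.
SAMPLE_LOG = """\
2018-10-28T02:00:00Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:04Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:07Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:10Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:13Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:16Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:19Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:22Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:25Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:28Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:31Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:34Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-10-28T02:00:40Z EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
this line is malformed and must be skipped
2018-10-28T02:01:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.5
2018-10-28T02:01:10Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.5
2018-10-28T02:01:20Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.5
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=10, window_seconds=300):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    Raises a "bruteforce" alert the first time a source IP accumulates
    `threshold` failed RDP logons within `window_seconds`, and a
    "success_after_bruteforce" alert for any later successful RDP logon
    from a flagged IP. Lines are expected in chronological order.
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent RDP failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event_id"] == FAILED_LOGON:
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that have fallen outside the sliding window.
            while recent and (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, ev["user"], ts))
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in flagged:
            # A success after a guessing burst is the event worth paging on.
            alerts.append(("success_after_bruteforce", ip, ev["user"], ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the script reports a "bruteforce" alert for 203.0.113.7 at the tenth failure (02:00:28) and a "success_after_bruteforce" alert for the successful logon at 02:00:40, while the two typo-level failures from 198.51.100.5 stay below the threshold. The same counting logic is what an account lockout policy or a rate limiter on the RDP gateway applies at enforcement time; here it is applied after the fact to the event stream, which is the form most SIEM correlation rules take.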
As of October 28, 2018, the Shodan scanner indicated that over two and a half million systems on the internet were explicitly running RDP (registration may be required to view filtered Shodan queries). Over half a million of those systems were in the US. For an attacker, all of these machines are potential targets to be explored. Once compromised, they can be exploited or, as the white paper details, their credentials can be sold on dark markets like xDedic.
Cybersecurity threats are cumulative and this phenomenon of “threat cumulativity” means that a surge in criminal abuse of computing resources to mine cryptocurrency does not create a shortage of criminals to develop and deploy RDP exploitation techniques in order to create a profitable attack vector for ransomware. Likewise, battening down your organization’s use of RDP – which needs to happen for a variety of good reasons – does not mean that anti-phishing training should be neglected.
The white paper makes it clear that – along with effective employee education – organizations need: sound security policies that are comprehensively applied and firmly enforced; the right mix of security products and tools, including tested backup and recovery systems; and a constantly updated incident response plan. Even with all of these, plus constant vigilance, you are not guaranteed immunity from attack; however, you can greatly increase your odds of deflecting attackers and/or recovering from an attack.
Until the world’s governments achieve global détente, the struggle against cybercrime will not only continue, it will also expand, along with the benefits that society reaps from new technologies. Hopefully, by explaining why ransomware is still a serious threat to your organization and what can be done to defend against it, this white paper will help to secure those benefits while minimizing losses caused by bad actors.
Download the white paper: RANSOMWARE: an enterprise perspective.
Table of Contents:
- Goals and Executive Summary
- The ransomware threat
- Yes, ransomware is still a serious threat
- Ransoming schools, hospitals, and the enterprise
- The RDP factor
- Pivoting and living off the land
- Defending against RDP ransomware attacks
- Ransomware via email and other vectors
- Ransomware, supply chain, and drive-by infection
- Clouds and segments
- Patching and backup as ransomware defense
- Responding to a ransomware attack
- Endpoint Detection and Response
- A word about ransomware payment
- The future of ransomware
Acknowledgements: This white paper owes much to the work of my gifted ESET colleagues James Rodewald, Ben Reed, Fer O’Neil, Nick FitzGerald, and David Harley, and my talented “San Diego” team: Aryeh Goretsky, Bruce P. Burrell, Cameron Camp, and Lysa Myers.