Ransomware Has Evolved!
Cyber criminals remain a major threat to enterprises around the world. Osiris, WannaCry, Leakerlocker, and NotPetya have become household names in IT, and the city of Atlanta, Boeing, and the UK National Health Service, to name just a few, are well-known victims of recent attacks.
While ransomware and hackers have been around for years, the primary way they get a foothold in your computing infrastructure has evolved. The main access route used to be phishing: emails sent to untrained employees that entice them to click a dangerous link.
For a variety of reasons, internet criminals have changed their tactics. It may be that companies have done a better job training employees on what to look for, that computer users in general have become savvier about phishing, that spam and email filters have become more effective, and/or that the volume of ransomware news has made us all aware of the threat. Whatever the reasons, cyber criminals have upped their game.
Today an important entry point for hackers and ransomware is through unpatched software.
Let’s look at the details of two cyber attacks and examine the means of entry. By sheer size the Equifax breach was a doozy. An estimated 147 million US and 15 million UK names, birth dates, and social security numbers were exposed to the attackers. Smaller sets, but still numbering in the millions, of addresses, phone numbers, email addresses, driver’s license numbers, tax identification numbers, and credit card data were also exposed. With roughly 325 million Americans, this breach touched almost half of us.
The criminals gained entry into Equifax through an unpatched server. Attackers routinely scan the internet for servers and PCs running software with known, unpatched vulnerabilities, because each one is a ready-made point of entry. At Equifax the server hosted the company’s consumer dispute resolution portal, and the hole was a flaw in Apache Struts (CVE-2017-5638) for which a fix had been published about two months before the intrusion began. Not content with the names and identity information of people filing disputes, the attackers located server login credentials stored on that system and used them to reach many other databases inside the company. They remained hidden within the infrastructure for about 76 days, and in that time extracted data from 51 databases in small increments to avoid detection.
More recently Arizona Beverages, one of the largest soft drink suppliers in the U.S., was infected. Hundreds of Windows-based computers and servers were wiped clean, effectively shutting down sales operations for days until professional (and very expensive) incident response personnel from Cisco were called in. “The ransomware infected the company’s Windows-powered Exchange server, knocking out email across the entire company. Although its UNIX/Linux systems were unaffected, the ransomware outbreak left the company without any computers able to process customer orders for almost a week. Staff began processing orders manually several days into the outage.” The company was losing millions of dollars in business a day.
Ransomware’s entry point into Arizona Beverages was similar to Equifax’s. Many of Arizona’s back-end servers were running old Windows versions that Microsoft no longer supports, and most had not received a security patch in years. They were ripe for an attack.
It used to be that a firewall and a virus scanner at the edge of your network were enough. Those days are long gone. Today’s threats require additional kinds of security controls active inside your infrastructure.
- Automated Patch Management – managing the patching of operating systems and business applications is far too large a job to do manually. A best-in-class patch management solution starts by inventorying every endpoint (workstations and servers) and recording the version number and patch status of each installed OS and application. That inventory gives you an initial sizing of the challenge. The patch management application should carry a library of the leading business applications with their version and patch requirements, so that each installed version can be checked against known vulnerabilities. The check must compare version numbers properly (2.3.10 is newer than 2.3.9, even though it sorts lower as text), and it should also flag software that has left vendor support, since that software will never receive a fix and must be upgraded or isolated rather than patched. From there you schedule a regular, automated process that installs patches during periods of low business impact and re-scans afterwards to confirm they took effect.
The best-in-class patch management solution, used by thousands of organizations, is Kaseya VSA.
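As an added illustration of the version check described above (example code written for this article, not Kaseya VSA or any other product’s code), here is a script that walks a software inventory and reports every install that is either below the lowest fixed version for a known vulnerability or past its vendor support date. The inventory, the fixed-version table and the end-of-life dates are constructed for the example; a real agent and vendor advisories would supply them.

```python
"""Find patch gaps in a software inventory.

Hypothetical example: the inventory, the "lowest fixed version" table and the
end-of-life dates below are constructed for this demonstration.
"""
from datetime import date

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "web-01": {"Windows Server": "2016", "Apache Struts": "2.3.31"},
    "web-02": {"Windows Server": "2019", "Apache Struts": "2.3.32"},
    "db-03": {"Windows Server": "2003", "SQL Server": "2008"},
    "ws-117": {"Windows 10": "10.0.18362", "Chrome": "73.0.3683.86"},
}

# Constructed: product -> lowest version that carries the fix for a known
# vulnerability (illustrative values; take real ones from vendor advisories).
MIN_FIXED = {
    "Apache Struts": "2.3.32",
    "Chrome": "74.0.3729.108",
}

# Constructed: (product, version) -> date vendor support ended. Unsupported
# software never gets a patch, so this is a gap patching cannot close.
END_OF_LIFE = {
    ("Windows Server", "2003"): date(2015, 7, 14),
    ("SQL Server", "2008"): date(2019, 7, 9),
}


def parse_version(version):
    """Turn '2.3.10' into (2, 3, 10). Plain string comparison gets this wrong:
    '2.3.9' > '2.3.10' as strings, which would hide an out-of-date install.
    Parsing stops at the first non-numeric segment ('1.2rc1' -> (1, 2))."""
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_lt(installed, fixed):
    """True if `installed` is older than `fixed`; shorter tuples are zero-padded
    so '2.3' and '2.3.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_patch_gaps(inventory, min_fixed, end_of_life, today):
    """Return (host, product, version, reason) for every install that is either
    below the fixed version or past its vendor support date, sorted by host."""
    findings = []
    for host, products in sorted(inventory.items()):
        for product, version in products.items():
            if product in min_fixed and version_lt(version, min_fixed[product]):
                findings.append((host, product, version,
                                 "below fixed version " + min_fixed[product]))
            ended = end_of_life.get((product, version))
            if ended is not None and ended <= today:
                findings.append((host, product, version,
                                 "unsupported since " + ended.isoformat()))
    return findings


if __name__ == "__main__":
    for host, product, version, reason in find_patch_gaps(
            INVENTORY, MIN_FIXED, END_OF_LIFE, date.today()):
        print(f"{host}: {product} {version} is {reason}")
```

The unsupported-software findings are the Arizona Beverages case in miniature: no patch schedule fixes them, so they belong on an upgrade or isolation list rather than in the patch queue.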
- Backup appliance with automated ransomware detection – leading backup and recovery solutions automatically check every backup for evidence of ransomware activity. Machine learning in the backup software learns the normal change rate of your data and identifies any backup that falls outside that norm; a backup in which far more data changed than usual is a strong sign that files were being encrypted when it was taken. Suspected ransomware-infected backups are flagged so they are not used for recovery, and alerts naming the files and applications suspected of being infected are sent to administrators via the portal and by email.
The data backup and recovery solution with the best automated ransomware detection is the Unitrends Recovery Series hardware appliance or the Unitrends Backup software appliance.
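An added example of the change-rate check described above (written for this article; it is not Unitrends’ detector): each backup’s volume of changed data is scored against the host’s earlier backups using the median and median absolute deviation, and any backup far outside the norm is returned for quarantine. The nightly figures, the minimum history and the threshold are constructed assumptions.

```python
"""Flag a backup whose volume of changed data is far outside the host's normal
change rate. Hypothetical example; the nightly figures and threshold are
constructed."""
import statistics

# Constructed: GB of changed data per nightly backup of one file server.
# Night 5 is an ordinary spike (a large data load); the final night is what a
# ransomware run looks like, since encrypting files rewrites nearly all of them.
CHANGED_GB = [4.1, 3.8, 4.4, 3.9, 12.0, 4.2, 4.0,
              3.7, 4.3, 4.1, 3.9, 4.5, 4.0, 88.6]


def robust_zscore(history, value):
    """Distance of `value` from the history's median in MAD units (the 0.6745
    factor makes it comparable to a standard z-score for normal data). Median
    and MAD are used instead of mean and standard deviation so that one earlier
    legitimate spike does not stretch the baseline enough to hide an attack."""
    median = statistics.median(history)
    mad = statistics.median([abs(x - median) for x in history])
    if mad == 0:
        # Perfectly flat history: any deviation at all is anomalous.
        return 0.0 if value == median else float("inf")
    return 0.6745 * (value - median) / mad


def flag_backups(series, min_history=7, threshold=3.5):
    """Score each backup against all earlier backups of the same host and
    return (index, changed_gb, score) for those above the threshold. The first
    `min_history` backups only seed the baseline and are never scored."""
    flagged = []
    for i in range(min_history, len(series)):
        score = robust_zscore(series[:i], series[i])
        if score > threshold:
            flagged.append((i, series[i], round(score, 1)))
    return flagged


if __name__ == "__main__":
    for index, gb, score in flag_backups(CHANGED_GB):
        print(f"backup #{index}: {gb} GB changed, score {score}: hold for review")
```

Only the final backup is flagged; the earlier 12 GB night is absorbed by the median-based baseline, which is the property you want so that one legitimate bulk load does not silence the detector afterwards.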
- Protect your SaaS applications – it is as important to protect data in SaaS applications as data in applications running on premises. Applications such as Office 365, Google G Suite, and Salesforce hold critical corporate data that your on-premises backup and disaster recovery appliances do not replicate. Microsoft and Google protect against server and network failures, but protecting against user error and malicious employees is your responsibility.
Unitrends Spanning Backup suite offers superior protection for SaaS apps at reasonable prices.
- Automated intrusion monitoring – as happened at Equifax, hackers who get past your firewall can spend months (or years!) undetected on the inside stealing your data. Intrusion monitoring tools detect intruders (and malicious employees, who can pose an even larger threat) and alert you when they take actions such as granting themselves administrator rights or logging into servers at suspicious times. Best-in-class intrusion monitoring solutions let you set the time for automatic scans that look for suspicious activity and have the findings sent by email to any address you specify, including your own IT ticketing system.
The solution that is best able to discover the activity of unwanted intruders and malicious employees is Unitrends Security Manager.
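An added example (written for this article; not Unitrends Security Manager’s logic) of the two detections named above, run over a constructed log: additions to privileged groups, with a higher severity when an account adds itself, and console or Remote Desktop logons outside business hours. The event IDs follow Windows Security log numbering (4624 logon; 4728, 4732 and 4756 member added to a security-enabled group); the line format, field names, business-hours window and privileged-group list are assumptions.

```python
"""Two intrusion-monitoring rules over security log lines. Hypothetical
example; the log lines, field names, business-hours window and group list are
constructed. Event IDs follow Windows Security log numbering."""
import shlex
from datetime import datetime

# Constructed sample log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOG = """\
2019-03-20T09:15:02Z host=ws-117 event=4624 user=adavis logon_type=2 src=-
2019-03-20T10:02:11Z host=srv-fin-02 event=4624 user=svc_backup logon_type=3 src=10.8.1.5
2019-03-21T02:47:13Z host=srv-fin-02 event=4624 user=jsmith logon_type=10 src=10.8.4.77
2019-03-21T02:49:40Z host=dc-01 event=4728 actor=jsmith target=jsmith group="Domain Admins"
2019-03-21T11:30:00Z host=dc-01 event=4728 actor=itadmin target=newhire group="Print Operators"
2019-03-21T11:31:00Z host=srv-fin-02 event=4732 actor=jsmith target=svc_backup group=Administrators
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}   # member added to a security group
HUMAN_LOGON_TYPES = {"2", "10"}               # console and Remote Desktop
BUSINESS_HOURS = range(7, 19)                 # assumption: 07:00-18:59 UTC


def parse_line(line):
    """'<ts> k=v k="v with spaces"' -> dict with a datetime under 'ts'."""
    ts, *fields = shlex.split(line)
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def evaluate(event):
    """Return (rule, severity, summary) if the event matches a rule, else None."""
    if event["event"] in GROUP_ADD_EVENTS and event["group"] in PRIVILEGED_GROUPS:
        if event["actor"] == event["target"]:
            return ("self_privilege_grant", "critical",
                    f"{event['actor']} added themselves to {event['group']} on {event['host']}")
        return ("privilege_grant", "high",
                f"{event['actor']} added {event['target']} to {event['group']} on {event['host']}")
    if (event["event"] == "4624" and event["logon_type"] in HUMAN_LOGON_TYPES
            and event["ts"].hour not in BUSINESS_HOURS):
        return ("off_hours_logon", "medium",
                f"{event['user']} logged on to {event['host']} at {event['ts']:%H:%M} from {event['src']}")
    return None


def scan(log_text):
    """Evaluate every non-empty line and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = evaluate(parse_line(line))
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for rule, severity, summary in scan(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {summary}")
```

Network logons (type 3) are deliberately ignored by the off-hours rule because service accounts generate them around the clock; the 2:47 Remote Desktop session followed two minutes later by a self-grant of Domain Admins is the sequence that should page someone.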
Unfortunately, cybercrime is a fact of life in our connected world. Fortunately, there are new classes of tools that can close entry points, detect suspicious activity, and recover files after an infection with a minimum of repetitive work on your part.
This blog is part of a broader report titled Add These 2 Layers to Enhance Your Cyber Security. In the report other suggestions and advice are offered to protect your data and business applications against malware and I invite you to read it.