Ransomware is a vicious type of malware that cybercriminals use to block organizations and individuals from accessing their critical files, databases, or entire computer systems, until the victim pays a ransom. It is a form of cyber extortion.
Cybersecurity Ventures predicts that an organization will fall victim to a ransomware attack every 11 seconds, and the estimated cost to businesses globally will be around $20 billion by 2021. The direct costs can be attributed to the ransom demands — if the victim chooses to pay the ransom — while the indirect costs are associated with the downtime, data recovery, lost revenue, improvements to cyber defenses, and reputational damage to the organization.
“It is an unfortunate fact of life that ransomware is here to stay and that traditional software-based endpoint protection is not able to protect well against this type of malware,” said Stu Sjouwerman, founder and CEO at KnowBe4, an organization that specializes in training employees on how to detect and respond to ransomware attacks.
Ransomware on the Rise
While the frequency of ransomware attacks has fluctuated over the years, 2019 saw a 41% increase over the previous year. Ransomware campaigns have evolved from high-volume “spray-and-pray” attacks that target small businesses and home users to low-volume “big game hunting (BGH)” attacks that target medium to large businesses that have the funds or insurance coverage to pay large ransoms.
According to CrowdStrike®, an endpoint security vendor, established criminal organizations have started offering Ransomware-as-a-Service (RaaS) to weaponize ransomware kits and make it easier for less sophisticated cyber criminals to launch such attacks and make fast money.
Anatomy of a Ransomware Attack
This section describes the typical Cyber Kill Chain®, walking through each of the seven stages of a targeted ransomware attack. It provides visibility into the intruders’ tactics, techniques, and procedures (TTPs).
Step 1: Reconnaissance – intruder harvests email addresses of all the employees in an organization and prepares to launch a phishing campaign.
Step 2: Weaponization – intruder uses a ransomware kit purchased off the dark web tailored to deliver that malware through an email attachment.
Step 3: Delivery – intruder delivers the ransomware through a fake email as the payload or through a remote desktop protocol (RDP) service.
Step 4: Exploitation – When an employee unknowingly opens the fake email attachment, the malware exploits a known vulnerability and infects their laptop.
Step 5: Installation – The ransomware installs as a binary, which opens an access point (backdoor) to communicate with a command and control site.
Step 6: Command and Control (CnC) – Ransomware sends the target host’s IP address to the CnC site and receives the encryption key needed to encrypt all files and databases.
Step 7: Action – Ransomware exfiltrates sensitive documents to the CnC server and then encrypts those files and databases. It then displays a ransom note to the end user.
Blocking Ransomware with Robust Data Access Policies
In spite of all the investments organizations make in traditional perimeter and endpoint security technologies, data breaches and ransomware attacks continue to make headlines.
To effectively block any unknown malware (ransomware binaries) from taking your data hostage, security organizations need a robust data security solution that can provide the following capabilities:
- Application Whitelisting that identifies “trusted applications” – binaries which are approved to perform encryption/decryption of critical files. It also needs to provide a way to check the integrity of these applications with signatures, so that polymorphic malware cannot substitute itself for an approved binary.
- Fine-grained Access Controls applied to your critical data, which define who (user/group) has access to specific protected files/folders and what operations (encrypt/decrypt/read/write/directory list/execute) they can perform. Some malware depends on escalating privileges to gain system access. Appropriate access control solutions can bar even privileged users from examining or accessing protected resources.
- Data-at-rest Encryption that protects data wherever it resides, in on-premises data centers or in public/private clouds. This makes the data worthless to intruders when they steal sensitive data and threaten to publish it if the ransom is not paid. In addition, some ransomware selectively encrypts files so that it doesn’t take systems entirely offline, and some looks for sensitive data and encrypts only those files. In either case, files that are already encrypted do not look like sensitive data to the malware, so they are skipped and not attacked.
How Does CipherTrust Transparent Encryption Prevent Ransomware Attacks?
CipherTrust Transparent Encryption is one of the widely deployed data protection products within the CipherTrust Data Security Platform. It provides data-at-rest encryption, fine-grained access control and application whitelisting capabilities, enabling organizations to prevent ransomware attacks. It protects both structured and unstructured data with policy-based access controls to files, volumes, databases, containers and big data, wherever it resides on-premises and in hybrid cloud environments.
Access policies can be defined to create a whitelist of “trusted” applications to prevent any untrusted binaries (e.g. ransomware) from accessing data stores protected by CipherTrust Transparent Encryption and to prevent privileged users from accessing user data in files and databases. These access policies can enable you to block any rogue binaries from encrypting files/databases, even if the intruder has execute permissions for that binary and read/write permission to the target file that contains critical data.
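To make the whitelisting and access-control model described in the capability list above and in this section concrete, here is an added toy policy evaluator. It is illustrative code written for this page, not CipherTrust’s own policy engine or format; the guard-point path, binary names, user/group names and file contents are constructed sample values.

```python
# Constructed example: evaluate a "trusted application + fine-grained access" policy.
# A request on a protected path is allowed only if the requesting binary is on the
# trusted list, its on-disk bytes still hash to the value recorded at approval time
# (integrity check against a swapped or polymorphic binary), and a rule grants the
# requesting user/group the requested operation. OS file permissions play no part,
# which is the point the text makes about rogue binaries with execute/write rights.
import hashlib
from dataclasses import dataclass

OPERATIONS = {"read", "write", "encrypt", "decrypt", "list", "execute"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    binary_path: str
    binary_bytes: bytes   # executable contents as loaded from disk
    target: str           # protected file being accessed
    operation: str

@dataclass
class Policy:
    guard_points: tuple   # protected directory prefixes
    trusted_apps: dict    # binary path -> approved SHA-256 hex digest
    rules: list           # (principal, allowed ops); principal is "user:x" or "group:y"

    def decide(self, req):
        if not any(req.target.startswith(gp) for gp in self.guard_points):
            return "allow", "path not under a guard point"
        if req.operation not in OPERATIONS:
            return "deny", "unknown operation"
        approved = self.trusted_apps.get(req.binary_path)
        if approved is None:
            return "deny", "binary not on the trusted-application list"
        if hashlib.sha256(req.binary_bytes).hexdigest() != approved:
            return "deny", "trusted binary failed integrity check"
        principals = {f"user:{req.user}"} | {f"group:{g}" for g in req.groups}
        for principal, ops in self.rules:
            if principal in principals and req.operation in ops:
                return "allow", f"matched rule for {principal}"
        return "deny", "no rule grants this operation"

BACKUP_EXE = b"constructed sample: bytes of /usr/bin/backup-agent"  # hypothetical binary
POLICY = Policy(
    guard_points=("/data/finance/",),
    trusted_apps={"/usr/bin/backup-agent": hashlib.sha256(BACKUP_EXE).hexdigest()},
    rules=[("group:backup", {"read", "list", "encrypt", "decrypt"}),
           ("user:root", {"list"})],  # privileged user may list names, not read plaintext
)

def evaluate_samples():
    """Run four constructed requests through POLICY and return name -> decision."""
    db = "/data/finance/ledger.db"
    reqs = {
        "backup_read": AccessRequest("svc", frozenset({"backup"}), "/usr/bin/backup-agent", BACKUP_EXE, db, "read"),
        "rogue_write": AccessRequest("alice", frozenset({"finance"}), "/tmp/unknown.bin", b"\x7fELF...", db, "write"),
        "tampered_backup": AccessRequest("svc", frozenset({"backup"}), "/usr/bin/backup-agent", BACKUP_EXE + b"!", db, "read"),
        "root_read": AccessRequest("root", frozenset(), "/usr/bin/backup-agent", BACKUP_EXE, db, "read"),
    }
    return {name: POLICY.decide(r)[0] for name, r in reqs.items()}
```

The "rogue_write" case is the scenario from the text: the user has ordinary OS rights to the file and can execute the binary, but the policy denies the write because the binary is not trusted.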
The CipherTrust Data Security Platform can reduce TCO for organizations of all sizes by simplifying data security, accelerating time to compliance, and delivering multi-cloud security and control. Built on an extensible infrastructure, the platform enables your IT and security organizations to discover, classify, and protect data-at-rest across your organization in a uniform and repeatable way.
Using a legacy approach can often require expensive, dedicated point products which may require further integration and additional staff time to manage, negating any potential cost savings. The many products available on the CipherTrust Data Security Platform can be deployed individually or in combination, and they prepare your organization for the next security challenge or compliance requirement at the lowest TCO. By integrating data discovery, classification, risk analysis, data protection, and reporting into a single platform, the CipherTrust solution frees IT staff and budget for more strategic tasks and empowers the openness and freedom of collaboration the modern organization needs–without sacrificing security. CipherTrust Data Security Platform is available for sale to the U.S. Federal Government exclusively through Thales Trusted Cyber Technologies.