Welcome!

@CloudExpo Authors: Liz McMillan, Elizabeth White, Yeshim Deniz, Pat Romanski, William Schmarzo

Related Topics: @CloudExpo, Machine Learning , Cloud Security

@CloudExpo: Blog Post

What Is Ransomware and How Cloud Security Mitigates It | @CloudExpo #Cloud #Security #MachineLearning

There was a 300 percent increase in ransomware attacks last year, according to the FBI

What Is Ransomware and How Cloud Security Mitigates It

Ransomware attacks escalated dramatically in 2016. In fact, there was a 300 percent increase in ransomware attacks last year, according to the FBI, to an average of 4,000 attacks a day, up from 1,000 ransomware attacks a day in 2015. What's more, organizations are targeted more frequently than individuals because they generate a much bigger potential payoff. Ransomware has become a profitable criminal enterprise that continues to change and grow.

Managed Service Providers often assist clients with data restoration to avoid the downtime that can be caused by a ransomware attack. They also work with clients to improve their security posture overall so they can avoid ransomware damage. Here's what your organization needs to know about ransomware and how cloud computing can help protect your organization.

What is ransomware?
There may be more than a hundred families of ransomware. Basically, three traits are common among the many variants of ransomware viruses:

  1. They infect your computer, such as through a spear-phishing email (targeted at a specific employee) or a visit to a legitimate website infected with malicious code.
  2. They encrypt your files and demand payment (usually in bitcoin) to receive a decryption key.
  3. The decryption key is usually successful; however, it can depend on the honesty and follow-through of the cybercriminal.

Not all ransomware is created equally. There are two main types: lock screen and encryption ransomware. Encryption got all the press in 2016. While you may be able to find a workaround to lock screen ransomware, that's not the case with file-encrypting crypto ransomware. By the time you realize your files are encrypted and unreadable, or you find or receive a ransom note, the damage has been done - and it is irreversible without the private decryption key held by the attacker.

How files get infected with ransomware
Attackers are changing their tactics. While spam emails used to be a popular way to spread malware such as ransomware, spam filters have taken the wind out of that approach. Now it is often spear-phishing, which targets an individual directly. In fact, 93% of all phishing emails contain some sort of ransomware encryption, according to a report by PhishMe, an anti-phishing vendor. And the FBI says recent iterations target enterprise end users.

That's not all. Other sources of ransomware include social media, malicious advertising (even on trusted websites) and bold cold calls via phone where an attacker poses as a software vendor or IT provider and directly requests remote access to the user's computer to resolve a purported problem - but instead installs ransomware.

How you know if you have been hit by ransomware
You likely won't know you've been hit right away, but within seconds the ransomware virus will silently start encrypting your files - and files accessible via your network. The files are generally encrypted with a public encryption key in such a way that you cannot decrypt the files without the second key of the pair. You probably won't get a ransom note until hours or days later when the encryption is complete.

In the meantime, you may discover files that appear to be corrupted. Encrypted files cannot be read by any application, and the first sign of damage may be error messages on your computer when opening files - asking which application should be used.

When Internet of Things devices are hit by ransomware
Even smartphone apps and Internet of Things (IoT) devices can be infected with ransomware. How would you know if your smart thermostat was infected? Two hackers demonstrated a proof-of-concept of thermostat lock-screen ransomware at the Def Con conference in Las Vegas last year. Imagine cybercriminals cranking up the building's heat in the summer or turning it off when it's freezing outside - and then locking the device until the ransom is paid with a bitcoin. Like a small computer, their off-the-shelf smart thermostat ran a version of Linux and had a user input screen and an SD card. The device was especially vulnerable because the firmware was readable and the code ran from the root.

The introduction of Mirai - a malware and botnet combination - has introduced even more complexity into the ransomware arena. This virus can compromise a wide range of Internet of Things (IoT) devices, including DVRs, security cameras, and network gateways. As with much of the more recent distributed denial of service (DDoS) botnet malware, once a device is infected with Mirai, an attacker gains full control of the device and can use it for denial of service attacks - or potentially hold it for ransom.

What data is most likely to be held hostage?
Almost half of respondents to a survey of 500 businesses worldwide said their organization had suffered a ransomware attack in the last 12 months. They were an experienced bunch; those who suffered at least one ransomware attack had to defend against six attacks on average. Of those who had faced an attack, 42% said the type of data targeted was employee information, 41% said it was financial data, and 40% described it as customer information. How did the ransomware attacker get access in the first place? Phishing via email or social media was extremely common (81%). Clicking on a compromised website ensnared 50% and infection via a computer that was part of a botnet got 40%.

How much does ransom cost?
Some organizations are being targeted for high ransom amounts. Network World cites Federal Trade Commission Chair Edith Ramirez as providing the example of Hollywood Presbyterian Medical Center, which paid bitcoin valued at around $17,000 to the perpetrators of a ransomware attack. CSO Online reports that the original ransom demand was $3.6 million.

The FBI estimates that criminals reaped more than $1 billion from ransomware in 2016. Many victims don't report their losses, so the amount could be much higher. Ransomware-as-a-service (RaaS) is a new monetization model that gained steam in 2016. The authors of the ransomware are said to get a percentage of each paid ransom, thus creating incentive to provide frequent software updates, service and new features.

Unfortunately, the FBI reports that even if payment is made, the decryption key provided by the perpetrator to unlock the files may not work due to system configuration issues. Or the perpetrators may not provide the key after receiving the money and instead follow up with a second ransom demand.

Backups may not be enough
The FBI offers tips for dealing with a ransomware threat. A key point to ensuring business continuity in a world of ransomware is to back up data regularly and test the backups. Any backups, including cloud backups, need to be secured in a way that they are inaccessible to spreading ransomware virus. Many ransomware infections will encrypt any accessible data including external storage, USB drives and mapped and unmapped network drives.

Having a secure and validated data backup program is the easiest way to avoid having to pay ransom. Even then, it typically takes 33 employee hours to replace the stored data, according to survey respondents. Preparing in advance with a business continuity plan, disaster recovery plan, and the help of a company with cloud security and disaster recovery expertise can help you avoid the headache of ransomware and other security breaches - and help you to ensure faster mitigation and recovery if your organization is attacked.

Machine learning: taking a bigger step to stop ransomware
Seven in ten organizations hit by ransomware agreed that they needed a new solution to protect their organization from ransomware. Sixty-five percent agreed that traditional cybersecurity techniques cannot protect from the next generation of malware such as ransomware attacks. Advanced malware and ransomware is now getting past signature-based anti-virus software. Although Security Information and Event Management (SIEM) solutions stop many attacks, attackers know how SEIM solutions operate, so they can work around them.

Machine learning techniques available today in cloud computing solutions such as Microsoft Azure can provide protection against both known and potentially never-before-seen ransomware and other breaches that may make it past anti-virus and SEIM systems. Machine learning allows organizations to track the normal behavior of internal and external users and typical traffic patterns - and take action when behavior differs even subtly from what is expected. For example, if a user doesn't usually encrypt, copy or delete large numbers of files, it's a red flag if they attempt to do so. You can bring much more power to your ransomware deflection efforts when you have adaptive systems in the cloud.

Limiting the reach of a ransomware infection
It's best to assume your infrastructure will be breached by malware such as ransomware, and plan accordingly. If ransomware gets to your network, there are ways to limit its reach. For example, it is best to assume credentials will be compromised and assign roles based on the least privilege required to complete a task and no more. Multi-factor authentication can also prevent damage from a phished username/password pair, and machine learning can be applied to anticipate if a user access attempt is legitimate.

With security protocols and technologies smartly designed and implemented, even when a threat actor gets in it's possible to prevent or minimize damage. With proper segmentation, security zones isolate elements and prevent the lateral movement of attackers. In a best practices zero-profile implementation, cloud firewall policies will be architected to prevent all inbound and outbound connectivity on all ports by default. The security profile will then be modified to provide services with the minimum required connectivity.

Backups, replication and disaster recovery plans
Having a secure and validated data back-up program is the easiest way to avoid having to risk paying to decrypt files rendered unusable by crypto-ransomware. It's important that your backup and replication plan meets the unique needs of your organization to ensure business continuity. A disaster recovery failover plan can dramatically improve the effectiveness and speed of restoring your systems to full operation.

Whether your systems go down due to power loss, user error, natural disaster or ransomware, the result can be devastating. The best disaster recovery plans use both backup and replication. A backup is a copy of your data at a point in time. Backups provide good long-term storage but are limited to the snapshot of data stored at the time of the backup. Replication can meet much lower recovery time (RTO) and recovery point objectives (RPO). Replication runs a mirror image of your data operations and can take over at the moment of failure. Failover to a replicated site can keep a business running with little to no downtime. Regular failover testing is essential to ensure your systems will return to production levels in the timeframe and with the data quality desired after a ransomware attack.

Disaster Recovery as a Service (DRaaS) goes beyond traditional disaster recovery. DRaaS manages a variety of backup and replication systems - in the cloud, co-located and in your own data center - unifying all under common interface to reduce complexity and improve resilience when you need to restore or failover.

It's time to take action
Most tech executives agree that they lack the necessary skills internally to keep their systems and data secure. Organizations that put off mitigating a security risk such as ransomware to a later date often never deal with it at all. Consider whether your organization has the expertise and the current bandwidth to ensure you don't become a ransomware statistic.

A cloud engineering team can work closely with your organization to identify your key challenges and objectives and to map out a cost-effective plan that provides your company with a secure, compliant, robust and flexible IT architecture that grows with you and blocks ransomware and other attacks. Managed security services including machine-learning analytics can help keep your organization protected from ransomware and other cybersecurity threats.

Resources

Disaster Recovery as a Service Solutions Brief [http://www.tierpoint.com/wp-content/uploads/2016/11/SOLUTIONS-BRIEF-DRaaS1.pdf]

SentinelOne Ransomware Research Data Summary [https://go.sentinelone.com/rs/327-MNM-087/images/Data%20Summary%20-%20English.pdf]

FBI Ransomware Prevention and Response for CISOs [https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

More Stories By Paul Mazzucco

Paul Mazzucco is Chief Security Officer at TierPoint where he is responsible for all company standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards.

Paul completed his undergraduate work at Lehigh University, studying Human Behavior and Cyber Security. He is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE), and Certified Ethical Hacker (CEH) answering to the FBI, the United States Secret Service, Pennsylvania Electronic Crimes Task Force (PAECT) and the United States Computer Emergency Readiness Team (U.S. CERT).

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
SYS-CON Events announced today that Outscale, a global pure play Infrastructure as a Service provider and strategic partner of Dassault Systèmes, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2010, Outscale simplifies infrastructure complexities and boosts the business agility of its customers. Outscale delivers a secure, reliable and industrial strength solution for its customers, which in...
SYS-CON Events announced today that A&I Solutions has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 1999, A&I Solutions is a leading information technology (IT) software and services provider focusing on best-in-class enterprise solutions. By partnering with industry leaders in technology, A&I assures customers high performance levels across all IT environments including: mai...
In order to meet the rapidly changing demands of today’s customers, companies are continually forced to redefine their business strategies in order to meet these needs, stay relevant and continue to see profitable growth. IoT deployment and development is integral in this transformation, and today businesses are increasingly seeing the value of investing their resources into IoT deployments. These technologies are able increase ROI through projects such as connecting supply chains or enabling sm...
Every successful software product evolves from an idea to an enterprise system. Notably, the same way is passed by the product owner's company. In his session at 20th Cloud Expo, Oleg Lola, CEO of MobiDev, will provide a generalized overview of the evolution of a software product, the product owner, the needs that arise at various stages of this process, and the value brought by a software development partner to the product owner as a response to these needs.
SYS-CON Events announced today that Tappest will exhibit MooseFS at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. MooseFS is a breakthrough concept in the storage industry. It allows you to secure stored data with either duplication or erasure coding using any server. The newest – 4.0 version of the software enables users to maintain the redundancy level with even 50% less hard drive space required. The software func...
SYS-CON Events announced today that EARP will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "We are a software house, so we perfectly understand challenges that other software houses face in their projects. We can augment a team, that will work with the same standards and processes as our partners' internal teams. Our teams will deliver the same quality within the required time and budget just as our partn...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software in the hope of capturing value in IoT. Although IoT is relatively new in the market, it has already gone through many promotional terms such as IoE, IoX, SDX, Edge/Fog, Mist Compute, etc. Ultimately, irrespective of the name, it is about deriving value from independent software assets participating in an ecosystem as one comprehensive solution.
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
SYS-CON Events announced today that Systena America will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Systena Group has been in business for various software development and verification in Japan, US, ASEAN, and China by utilizing the knowledge we gained from all types of device development for various industries including smartphones (Android/iOS), wireless communication, security technology and IoT serv...
SYS-CON Events announced today that Outscale will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outscale's technology makes an automated and adaptable Cloud available to businesses, supporting them in the most complex IT projects while controlling their operational aspects. You boost your IT infrastructure's reactivity, with request responses that only take a few seconds.
Everywhere we turn in our industry we can find strong opinions about the direction, type and nature of cloud’s impact on computing and business. Another word that is used in every context in our industry is “hybrid.” In his session at 20th Cloud Expo, Alvaro Gonzalez, Director of Technical, Partner and Field Marketing at Peak 10, will use a combination of a few conceptual props and some research recently commissioned by Peak 10 to offer a real-world consideration of how the various categories of...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...