Ransomware is malicious code that blocks access to a device or encrypts its contents and demands a ransom to restore access to the data. "Device" here means not only mobile phones and computers but also servers and Internet of Things (IoT) equipment. After a successful ransomware infection with no backup (or a backup that cannot be restored), the company loses access to, for example, its invoices, customer records, and its own intellectual property. The infection may also bring office work to a standstill or halt production. Depending on what the company or organization does, its clients may suffer as well, which can ultimately lead them to switch to a competitor.
In discussions with ESET, companies and organizations identified ransomware as their biggest security problem. According to Michal Jankech, Principal Product Manager at ESET, the reason for this does not necessarily lie in the high prevalence of this type of malware. “Companies named ransomware their number one concern due to highly publicized attacks, such as WannaCry and NotPetya, that caused multi-billion dollar damages and their brands appearing in articles in the world’s top media. Thus, even a person who had never experienced any ransomware infection perceived it as a grave threat,” explained Jankech, who added that in customer interviews, companies confirmed they see scope for further assistance from ESET against this threat.
Email remains the most common vector for ransomware infection
In response to these customer needs and concerns, ESET integrated Ransomware Shield into its security solutions. Ransomware Shield is a behavioral module that evaluates what suspicious code actually does on the host in order to decide whether it is ransomware. ESET has long provided behavior-based malware detection and a Host-based Intrusion Prevention System (HIPS) that lets administrators define custom rules against ransomware, for example restricting which processes may launch scripts or modify user documents. Should something slip past the other 11 security layers, Ransomware Shield is activated automatically.
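To make the behavioral idea concrete, here is a toy detector added for illustration; it is not ESET's Ransomware Shield and does not reflect how that module is implemented. It assumes a hypothetical stream of file-write events as a filesystem filter driver could deliver them (process ID, path, file content before and after the write) and flags a process that overwrites several existing low-entropy files with ciphertext-like data within a short window. The thresholds, the sample events, and the `keystream_xor` stand-in for a file encryptor are all constructed for the example.

```python
"""Toy behavioral ransomware detector (added illustration, not ESET code)."""
import hashlib
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    ts: float      # seconds since start of observation (constructed)
    pid: int       # writing process
    path: str      # file that was overwritten
    before: bytes  # content before the write, as a filter driver could snapshot it
    after: bytes   # content after the write


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Tunable thresholds; values are assumptions chosen for this example.
ENCRYPTED_ENTROPY = 7.0   # writes above this look like ciphertext or compressed data
MIN_ENTROPY_JUMP = 2.0    # the rewrite must make the file much more random than it was
MIN_FILES = 5             # distinct files overwritten in the window before we act
WINDOW_SECONDS = 10.0


def looks_like_encryption(ev: WriteEvent) -> bool:
    """One write is suspicious if an existing low-entropy file becomes ciphertext-like."""
    if not ev.before:
        # A brand-new high-entropy file (e.g. an archiver creating a .zip) is not
        # evidence of user data being encrypted; only overwrites count.
        return False
    e_before, e_after = shannon_entropy(ev.before), shannon_entropy(ev.after)
    return e_after >= ENCRYPTED_ENTROPY and (e_after - e_before) >= MIN_ENTROPY_JUMP


def flag_ransomware(events: list[WriteEvent]) -> set[int]:
    """Return PIDs that overwrote >= MIN_FILES distinct files with ciphertext in WINDOW_SECONDS."""
    recent: dict[int, deque] = defaultdict(deque)  # pid -> (ts, path) of suspicious writes
    flagged: set[int] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if not looks_like_encryption(ev):
            continue
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        if len({p for _, p in q}) >= MIN_FILES:
            flagged.add(ev.pid)
    return flagged


# --- constructed sample data ---------------------------------------------------
def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a file encryptor: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


PLAINTEXT = (b"Invoice 2019-0042 Customer: Example Ltd. Amount due: 1200.00 EUR. "
             b"Thank you for your business.\n") * 30


def sample_events() -> list[WriteEvent]:
    events = []
    # pid 1001: a word processor saving one document (benign).
    events.append(WriteEvent(0.5, 1001, "C:/Users/a/Docs/report.docx", PLAINTEXT, PLAINTEXT + b"edit\n"))
    # pid 1002: an archiver creating a new .zip (high entropy, but no prior content).
    events.append(WriteEvent(1.0, 1002, "C:/Users/a/Docs/backup.zip", b"", keystream_xor(PLAINTEXT, b"zip")))
    # pid 4242: overwrites six invoices with ciphertext in three seconds (ransomware-like).
    for i in range(6):
        path = f"C:/Users/a/Docs/invoice_{i}.pdf"
        events.append(WriteEvent(2.0 + i * 0.5, 4242, path, PLAINTEXT, keystream_xor(PLAINTEXT, b"k")))
    return events


if __name__ == "__main__":
    print(flag_ransomware(sample_events()))  # -> {4242}
```

A legitimate encryption or compression tool that rewrites existing documents in place would trip the same heuristic, which is why a product module of this kind typically blocks the process and asks the user or administrator to confirm rather than terminating it silently.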
While a ransomware infection often starts with a click on a suspicious link or a fake invoice, ESET found that email remains the most common distribution method, typically in a two-step process: a downloader is delivered first, and the ransomware follows as the secondary infection.
To combat these scenarios, ESET offers ESET Dynamic Threat Defense (EDTD). EDTD provides another layer of security for ESET products such as Mail Security and the Endpoint products. It uses cloud-based sandboxing and multiple machine learning models to detect new, never-before-seen threats. As a result, attachments classified as malicious are stripped from the email and the recipient is informed of the detection.
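The gateway step described above, as an added example that is not ESET or EDTD code: parse an inbound message, hand each attachment to a classifier, rebuild the message without the parts judged malicious, and tell the recipient what was removed. The `classify_attachment` function is a deliberately simple stand-in (a constructed known-bad hash list plus script extensions commonly used for first-stage downloaders) for the sandbox and machine-learning verdict the text describes; the sample message and its attachments are constructed for the example.

```python
"""Added illustration of stripping malicious attachments at a mail gateway (not ESET code)."""
import hashlib
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Stand-in verdict sources (assumptions for the example): a hash denylist and the
# script types that routinely serve as first-stage downloaders in two-step campaigns.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed sample of a known-bad document").hexdigest()}
DOWNLOADER_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".scr", ".lnk"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'malicious' or 'clean'. In a real gateway this is the sandbox/ML verdict."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "malicious"
    if os.path.splitext(filename)[1].lower() in DOWNLOADER_EXTENSIONS:
        return "malicious"
    return "clean"


def strip_malicious_attachments(raw: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the message without malicious attachments and append a notice naming them."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name] is not None:
            clean[name] = msg[name]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    removed, kept = [], []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "unnamed"
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments come back decoded
            data = data.encode(part.get_content_charset() or "utf-8")
        if classify_attachment(filename, data) == "malicious":
            removed.append(filename)
        else:
            kept.append((filename, part.get_content_type(), data))
    if removed:
        text += ("\n\n[Gateway notice] The following attachment(s) were removed as malicious: "
                 + ", ".join(removed) + "\n")
    clean.set_content(text)
    for filename, ctype, data in kept:
        maintype, subtype = ctype.split("/", 1)
        clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return clean.as_bytes(), removed


def attachment_names(raw: bytes) -> list[str]:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments()]


def body_text(raw: bytes) -> str:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def build_sample_email() -> bytes:
    """Constructed inbound message: one benign PDF, one known-bad document, one script."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "accounts@example.net"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Invoice 2019-0042"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed benign invoice", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"constructed sample of a known-bad document", maintype="application",
                       subtype="octet-stream", filename="report.docx")
    msg.add_attachment(b"// constructed placeholder standing in for a script downloader\n",
                       maintype="application", subtype="octet-stream", filename="invoice.js")
    return msg.as_bytes()


if __name__ == "__main__":
    rewritten, removed = strip_malicious_attachments(build_sample_email())
    print(removed)                      # -> ['report.docx', 'invoice.js']
    print(attachment_names(rewritten))  # -> ['invoice.pdf']
```

Rebuilding the message rather than editing the original MIME tree in place keeps the output well-formed even when the inbound message is malformed, which is common for malicious mail; the price is that headers not in the copy list are dropped, so a production gateway would copy them explicitly.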
The need to raise security awareness among employees
The debate on the causes of successful ransomware infections, whether attackers' skill or employees' negligent security habits, has no clear winner. Some ransomware families are extremely sophisticated, others are not. The risk of ransomware infection is just one of several reasons why companies should train their employees on what not to click and on what to do once they have already clicked something they should not have.
What should not be forgotten is the role of the IT personnel responsible for the overall state of the systems. “What caused the spread of WannaCry? The exploitation of a known vulnerability in Microsoft Windows. In fact, the only action companies needed to take in terms of prevention was to ‘get vaccinated’ against the infection, i.e. install the available security patches. However, companies that failed to do so suffered the consequences.
It is no small matter then that both companies and consumers protected by ESET's multi-layered technologies were not impacted by WannaCry since ESET had taken appropriate steps to add network detection of the (EternalBlue) exploit on April 25th, two weeks before the largest ransomware attack in history struck,” notes Jankech.
Improperly allocated investment in security
Companies should examine whether senior management has implemented the correct measures that positively contribute to overall security. “We see a trend of some companies spending hundreds of thousands or even millions of USD on various advanced solutions, but not a few thousand more on well-trained personnel to take responsibility for deploying and managing security measures on a network. The same applies to the example above - monitoring and applying critical software patches, which requires dedicated well-trained staff. Instead, companies often choose to accept the risk of certain weaknesses because they do not expect a ransomware attack to happen to them,” comments Jankech, pointing out the consequences of these types of rationalizations.
With the cost of an inadequate implementation so high, deploying a multi-layered security suite such as ESET Endpoint Protection should be a priority.
This does not diminish steps like patch management or other measures. However, holistic coverage should be the first goal of any comprehensive cybersecurity strategy: start with reliable multi-layered endpoint protection, then sustain it with ongoing maintenance and security best practices.
For further information on how to protect your company against ransomware and similar attacks, please see these useful resources:
1. RANSOMWARE: an enterprise perspective
2. Best Practices to protect against Filecoder (ransomware) malware
3. ESET vs. Crypto-ransomware
4. What is Ransomware?