Preparing for the next wave of ransomware attacks

How to defend your business

By Kevin Cunningham

There’s no doubt about it, ransomware is both destructive and costly to businesses. However, in terms of an attack methodology, it’s nothing new. What has elevated ransomware is the sheer magnitude and the evolving nature of the attacks. Case in point: WannaCry, an unprecedented attack served to organisations on a global scale with estimated economic losses in the billions of dollars.

WannaCry has been a wake-up call for businesses, highlighting the havoc ransomware can wreak and increasing motivation for solid cyber security defences. Ransomware outbreaks have dominated the malware economy since 2016, with a 36 per cent rise in attacks and the potential for tens of thousands of attacks per incident. As the use of ransomware expands, this form of malicious software is rapidly evolving — modifying its delivery, concealing its actions, and attempting to avoid security countermeasures.

Detecting and defending against ransomware

To identify whether it is under a ransomware attack, an organisation must know what to look for. In short, ransomware is a vicious malware variant that makes critical systems and data inaccessible to an organisation until a ransom is paid. Typically, a ransom is demanded in bitcoin within a 6 – 72 hour window, or the stolen collateral will be deleted. Obviously, the impact of losing your data can be devastating, with a temporary loss of systems and information access, operational downtime, significant financial loss and, perhaps worst of all, irreparable reputation damage.

Recently, WannaCry spread across the UK and Spain within four hours, halting the operations of factories, hospitals and communications companies. The attack continued and has since infected over 230,000 computers in over 150 countries. For those affected, the starting ransom was US$300 per device, with any delay in payment causing this number to increase rapidly to US$600.

For Australian businesses, safeguarding against ransomware involves understanding individual points of vulnerability whilst simultaneously developing proactive approaches to cyber security. It is no longer enough for organisations to operate with reactive measures; they must evolve their cyber security strategies to be proactive both in regard to technical capabilities and business attitude.

Your identity-enabled security strategy

When it comes to defending your organisation from ransomware, you first need to understand the exposure points that leave you vulnerable to an attack. Unstructured data (documents and files) is often the weakest link in an organisation as it is largely unprotected. Too often sensitive information has been taken out of safe-guarded applications and databases and disseminated and shared in these unstructured formats. When paired with the immense risk that employees pose either intentionally or unintentionally through poor training and lack of understanding surrounding cyber security policy and practice, it can create the perfect storm for an attacker to strike.

Businesses in Australia are undergoing a digital transformation, and managing unstructured data is coming to the forefront of the challenges they must meet. According to recent global research, 66 per cent of organisations in Australia admit that they aren’t sure how to manage and protect unstructured data from potential theft, which is notably higher than the 51 per cent of global respondents. With unstructured data continuing to grow at a fast and furious pace, enterprises not only need to get their arms around identity governance but understand how it plays a key role in protecting the sensitive data that resides in unstructured files and systems.

Ultimately, ransomware is best defended with a security strategy that provides in-depth defence for the organisation. This includes such components as network security to prevent infiltration and email security to reduce phishing, along with consistent data backups to prevent data loss. As part of this strategy, a consistent configuration management program that ensures that all appropriate security patches are applied and resident systems are up-to-date will help prevent ransomware from spreading between machines within an organisation.

However, the rapid evolution of ransomware drives home the need to also have a solution in place that can detect ransomware in ways that are not specific to any particular malware variant. A strong defence against ransomware requires the ability to detect the malware as it threatens a business. Through the identification and monitoring of unstructured data access and usage across network and cloud-based file shares, an identity-enabled security strategy can tightly defend your business. In order to effectively guard against ransomware, businesses must consider the following:

• applying the principles of “least privilege” to minimise access rights and decrease the potential impact of any single infection

• monitoring activities on file shares and using behavioural pattern matching to identify malicious behaviour such as the systematic modification of file suffixes as ransomware encrypts existing data

• initiating actions to terminate any behaviour deemed malicious, stopping ransomware in its tracks and limiting damage to sensitive systems.
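The behavioural pattern matching described in the second point, shown as an added example (it is not the author's or SailPoint's code): it flags an account that changes many files to the same new suffix within a short window. The event tuple format, account names, paths, the `.locked` suffix and the window and threshold values are all constructed assumptions.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

def suffix_change(old_path, new_path):
    """Return the new suffix if a rename changed the file's extension, else None."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None

def detect_mass_suffix_change(events, window=timedelta(seconds=60), threshold=5):
    """Alert once per user who makes `threshold` or more suffix changes to the
    same new suffix inside a sliding `window`. Events are
    (timestamp, user, old_path, new_path) tuples from a file-share audit log."""
    recent = defaultdict(deque)  # (user, new suffix) -> rename times in window
    alerts = {}
    for ts, user, old_path, new_path in sorted(events):
        suffix = suffix_change(old_path, new_path)
        if suffix is None or user in alerts:
            continue
        times = recent[(user, suffix)]
        times.append(ts)
        while ts - times[0] > window:  # drop renames that fell out of the window
            times.popleft()
        if len(times) >= threshold:
            alerts[user] = {"suffix": suffix, "count": len(times), "at": ts}
    return alerts

# Constructed sample audit events (not real log data).
T0 = datetime(2017, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # Burst: one account appends the same suffix to six files in ten seconds.
    [(T0 + timedelta(seconds=2 * i), "jsmith",
      f"/share/finance/q{i}.xlsx", f"/share/finance/q{i}.xlsx.locked")
     for i in range(6)]
    # Normal work: the same conversion five times, but ten minutes apart.
    + [(T0 + timedelta(minutes=10 * i), "alee",
        f"/share/hr/doc{i}.docx", f"/share/hr/doc{i}.pdf") for i in range(5)]
    # A rename that keeps the extension is not a suffix change.
    + [(T0 + timedelta(seconds=5), "svc-backup",
        "/share/it/a.log", "/share/it/a-old.log")]
)

if __name__ == "__main__":
    for user, alert in detect_mass_suffix_change(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {alert['count']} files -> {alert['suffix']} at {alert['at']}")
```

The alert is the point at which the response in the third point would be triggered, for example suspending the flagged account's session on the share.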

Organisations also need to address the risks that are born from their people. It’s no secret that user identities are a major vulnerability in the enterprise, and organisations in Australia need to take action to address this. Nearly 70 per cent see employees as an exposure point in their organisations, making safe-guarding their identities a clear priority in 2017. The response to this can only be an increased focus on security training and awareness, cultural adjustments and heightened vigilance alongside an effective identity-enabled security strategy.

In the wake of realising that security needs to become “behavioural”, CIOs and CISOs must move the organisation towards a more adaptive and agile security model. The basic principles of identity and access management, lifecycle controls and good identity governance, have become a requirement for every organisation – large and small – and it is important that they become a cultural fixture. In addition, it is critical to remember the importance of acting quickly and decisively in the face of an attack – which is the best tactic for protecting sensitive data from ransomware. Utilising data access governance and an identity-enabled security strategy will help prevent data loss and better prevent organisations from becoming the next victim of an attack.

WannaCry is only the latest wave in the rising tide of ransomware and other forms of cyber attack, and its efficient attack means that others will seek to emulate its success. While the management of unstructured data and leading cultural and behavioural changes in your organisation only form part of the cybersecurity picture, it is important to have multiple safeguards in place. Preparing for the next wave of attack means businesses must be not just technically but also behaviourally prepared for what’s to come.

Kevin Cunningham is President and Co-founder at SailPoint, a leader in identity management and governance, providing an integrated set of cloud-based services, including compliance controls, provisioning, password management, single sign-on and data access governance.