Bangalore: In less than two months, two major ransomware attacks, WannaCry and Petya, crippled IT systems at many large enterprises and organisations globally, including in India.
The actual impact and damage, including the financial losses caused by this malicious software, remains unknown and requires extensive investigation. But the malware certainly succeeded in disrupting the operations of some large organisations.
AP Moller-Maersk, which manages and runs container terminals at Mumbai’s Jawaharlal Nehru Port (JNPT); Beiersdorf, maker of Nivea skin care products; Reckitt Benckiser; Mondelez International Inc, maker of Cadbury chocolates in Australia; and WPP Plc, a global advertising company, are among the large organisations hit by the recent ransomware attacks.
Ransomware is having a serious economic impact on companies. Security will become a critical Board concern, and senior leaders will focus anew on their organisation’s security posture.
Rise in Ransomware attacks
Going ahead, security analysts expect the frequency of such attacks to increase further, at bigger magnitude and scale. Interestingly, ransomware has been around for almost three decades, but it has now become very attractive to hackers, cyber attackers and criminals because of the money it brings in.
Security vendors, as part of their annual security prediction research last year, forecast that ransomware attacks would increase in 2017. For instance, McAfee’s security report for 2017, released in November 2016, predicted that ransomware would peak in the middle of 2017 and then begin to recede. Check Point predicted that ransomware would become as frequent as DDoS attacks in 2017.
“In the past, most hacking or malicious attacks were targeted at personal information like credit card details, social security numbers and other credentials. And then the attackers would need to look for intermediaries who could buy that stolen data and use it in the gray market,” says Sumit Dhar, Senior Director & CISO – EdgeVerve, a wholly-owned subsidiary of Infosys.
“And since these intermediaries don’t trust each other, it’s not easy for hackers to find people who could buy and pay immediately for the stolen data. So it’s a time-consuming, cumbersome process involving multiple parties,” adds Dhar.
But ransomware changes this old scenario entirely, because it removes all those layers and intermediaries. With ransomware, the attacker deals directly with the victim, which can be an individual, a group or an organisation.
Most ransomware, according to Kaspersky’s security experts, thrives on the benefit of an unlikely trust relationship between the victim and their attacker.
“This criminal ecosystem relies on the tenet that the attacker will abide by a tacit contract with the victim that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise and this has allowed the ecosystem to thrive,” Kaspersky’s security experts write in a blog post.
The victim is thus forced to pay the ransom directly to the attacker to get the data back, or else lose it. In some cases, even after the ransom is paid, the attacker never releases the data; there is no guarantee.
Further, “As the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise,” says the blog post.
This makes ransomware more lucrative and attractive for hackers and cyber attackers, as they do not have to deal with intermediaries. “So going ahead into this year, we can expect more ransomware attacks till there’s some solution to it, but attacks would be more complex, intricate and advanced in nature,” predicts Dhar.
However, Dhar rules out any growth in local hacker groups within the country getting involved in ransomware attacks. In his view, most attackers want a wide impact rather than one confined to a particular geography or country, because that gives them a bigger opportunity to earn more.
Ransom amount and standard of living
But, Dhar adds, the ransom amount may vary from one country to another, depending on living standards and an individual’s willingness to pay. “For a country with a low living standard, the ransom amount could be as low as $50, compared to a country with high living standards, where it could be $300 or more,” Dhar explains.
He reckons that attackers may localise ransom amounts in this way, based on a country’s living standard. The ransom could also be demanded in crypto or digital currencies like bitcoin, zcash, potcoin and more.
For CIOs and CISOs today, confronting ransomware and defending the information security of their organisations remains a major challenge, and one that tests their skills and expertise in data protection.
Dealing with Ransomware
Since the nature of such attacks is highly unpredictable, CIOs, CISOs and security experts must stay alert to such malware assaults at all times. Given this uncertainty, enterprises and organisations need to be well prepared with an IT security strategy that covers two scenarios: before and after an attack.
First step – Awareness
“The first step is that CIOs, CISOs and CTOs need to focus significantly on awareness around security within the organisation. People should be educated and made aware not to click on any email attachment from an unknown source, which is a very simple example of a prevention step,” says Dhar.
In many cases, people from outside IT or without a security background end up clicking malicious links, and that can become the initial vector for the spread of ransomware within an organisation. No amount of technology, whether antivirus or perimeter security, can stop users from doing this unless there is widespread awareness of information security, according to Dhar.
Second step – Software patching
Historically, Dhar says, looking at all the ransomware cases, none of them has exploited a so-called zero-day vulnerability, one for which no software patch has been released.
“If you look at WannaCry, Petya or other attacks, all of them have used much older vulnerabilities for which patches were available. So companies need to make sure that they have the right kind of patching process, which identifies the right patches and should be well defined, well implemented and periodically assessed,” says Dhar. The patch management process should be periodically audited and assessed.
These are two preventive measures to safeguard information security. But what should organisations do once they have already been hit? Dhar explains.
Third step – Data backup
Unless the ransomware author has made a mistake or left some gap in the implementation, there is little chance of decrypting the data or otherwise getting it back. So organisations need a solid data backup plan that periodically backs up all kinds of data, keeps the copies where the malware cannot reach them, and is regularly tested by actually restoring from it.
“The moment an organisation is hit by such an attack, it can restore the data from the backup and minimise the impact of the ransomware,” explains Dhar.
Dhar recommends that CIOs and CISOs need to follow three key steps as part of best security practices to deal with ransomware attacks. “Awareness, patch management and backup – should be followed in the organisations,” he emphasizes.
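The third step above says a backup plan must be "tested and restored", not just taken. The following Python script is an added illustration of such a restore drill and is not code from the article or from EdgeVerve: it backs up a directory tree with a SHA-256 manifest, overwrites the live copy the way an encrypting ransomware would (a constructed stand-in, not real malware), restores from the backup and proves every byte came back. The sample files, paths and function names are all assumptions made for the example.

```python
"""Backup-and-restore drill: back up a directory tree with a SHA-256
manifest, destroy the working copy the way an encrypting ransomware would
(contents overwritten, originals unreadable), restore from the backup and
prove every file matches its pre-attack hash. All sample data is constructed
in a temporary directory; nothing here is taken from a real incident."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for the hash manifest


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup_root: Path) -> dict:
    """Copy src into backup_root/data and write relative-path -> sha256 manifest."""
    data_dir = backup_root / "data"
    if data_dir.exists():
        shutil.rmtree(data_dir)
    shutil.copytree(src, data_dir)
    manifest = {
        str(p.relative_to(data_dir)): sha256_file(p)
        for p in sorted(data_dir.rglob("*")) if p.is_file()
    }
    (backup_root / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_root: Path) -> list:
    """Return relative paths whose stored copy no longer matches the manifest.
    An empty list means the offline copy survived the attack untouched."""
    manifest = json.loads((backup_root / MANIFEST).read_text())
    data_dir = backup_root / "data"
    return [rel for rel, digest in manifest.items()
            if not (data_dir / rel).is_file() or sha256_file(data_dir / rel) != digest]


def restore_backup(backup_root: Path, dest: Path) -> list:
    """Replace dest with the backup copy; return files failing the post-restore check."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(backup_root / "data", dest)
    manifest = json.loads((backup_root / MANIFEST).read_text())
    return [rel for rel, d in manifest.items() if sha256_file(dest / rel) != d]


def simulate_encryption(tree: Path) -> int:
    """Constructed stand-in for the attack: overwrite each file's content with
    random bytes and rename it with a .locked suffix. Returns files hit."""
    victims = [q for q in tree.rglob("*") if q.is_file()]
    for p in victims:
        p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
        p.rename(p.with_name(p.name + ".locked"))
    return len(victims)


def run_drill() -> dict:
    """End-to-end: build sample data, back up, wreck the live copy, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q2.csv").write_text("invoice,amount\n1001,4200\n")  # constructed
        (live / "notes.txt").write_text("sample file for the restore drill\n")   # constructed
        backup = tmp / "backup"  # in a real plan this lives where the host cannot write
        backup.mkdir()
        before = dict(make_backup(live, backup))
        hit = simulate_encryption(live)
        intact = [p for p in live.rglob("*") if p.is_file() and not p.name.endswith(".locked")]
        backup_damage = verify_backup(backup)
        restore_failures = restore_backup(backup, live)
        after = {str(p.relative_to(live)): sha256_file(p)
                 for p in live.rglob("*") if p.is_file()}
        return {
            "files_backed_up": len(before),
            "files_hit": hit,
            "intact_after_attack": len(intact),
            "backup_damage": backup_damage,
            "restore_failures": restore_failures,
            "restored_matches_original": after == before,
        }


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

The drill only proves anything because the backup sits in a separate tree the simulated attack never touches; a backup share that the infected host can write to would fail `verify_backup` just as the live data did, which is exactly the gap a scheduled restore test is meant to catch.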