November 4, 2016 By Chris Collard

Protecting your brand in the digital age is fraught with challenges. Ransomware and other targeted attacks have been increasing in both frequency and complexity. Researchers discover new vulnerabilities daily while cybercriminals continuously exploit older, known vulnerabilities in new ways.

Addressing the polymorphic nature of these threats requires a coordinated approach. It requires a strategy aimed at prevention, detection and response. You must leverage skills and tools within your organization and draw on the widest range of available security intelligence to act, at scale, in response to the severity of a given threat.

The U.S. Computer Emergency Readiness Team (US-CERT) estimated that on average, more than 4,000 ransomware attacks have occurred per day since Jan. 1, 2016. This represents a 300 percent increase over the previous year.

How Ransomware Attacks Work

The Locky variant of ransomware, for example, follows a pattern of operation similar to many other ransomware variants. Its chain of operation proceeds as follows:

  1. Delivery and distribution: Locky is spammed out as an innocuous-looking invoice requesting the recipient’s immediate attention.
  2. Payload detonation: Embedded in the email is a Windows executable file that, once opened, infects the machine and begins execution. Sometimes this happens immediately and sometimes it’s triggered by an end user or system operation, depending upon the variant.
  3. External command-and-control (C&C): Locky establishes connection with an external C&C server and receives the unique encryption key.
  4. Identification and encryption: Locky identifies and targets file stores and can spread laterally to networked and removable drives. Locky targets over 100 known file types.
  5. Demand and collect ransom: After encrypting these files, Locky takes over the victim’s wallpaper and provides details on how to decrypt the files. The instructions lead to a page requesting payment in bitcoin in exchange for a key.

Threat Response

Many users, feeling that they are without recourse, are compelled to pay the ransom. In other cases, victims may choose to forgo their locked files and write them off as corrupted or otherwise lost.

You should report and respond to malware as soon as it is discovered. Ransomware can spread laterally, lie dormant and persist in the environment even after the initial attack. Simply doing nothing or giving up is not an option. It is important to completely root out the breach and take the appropriate escalation and reporting steps. But protection and detection are still not enough — you must also have a well-formulated response.

With a security operations and response program in place, organizations are able to integrate the various sources of security intelligence and make pertinent decisions, understand the trade-offs and respond with precision. This enables the chief information security officer (CISO) to programmatically take the actionable data and form responses that are in line with industry best practices and the company’s stated policies. Armed with intelligence and analytics, the CISO can execute the most appropriate and effective response.

Protecting Your Brand With Security Intelligence

Effectively protecting and defending against ransomware requires an orchestrated effort. As with most complex problems, there are no simple guarantees. There are, however, a number of important measures and best practices that organizations can put in place to defend themselves against ransomware. These include:

  1. Robust user training: Users need to be trained — and retrained. There are few shortcuts here. Users must understand their role in data loss prevention, how they can avoid phishing and ransomware attacks, and how to identify and prevent social engineering attempts.
  2. A disciplined backup and restore regime: It is important to back up files regularly. That also means verifying the integrity of the backups and testing restoration procedures to ensure they are working. The best practice is to avoid keeping backups permanently connected to the computers and networks they are backing up.
  3. Prevention and detection at the endpoints, perimeter and cloud: Locky exhibits malicious behavior that can be identified and blocked at the endpoint. Additionally, because Locky relies on external C&C servers to encrypt files, these known malicious domains, ranges and suspect IPs can be identified and blocked on the network, effectively stopping the lock before the key exchange happens.
  4. Vulnerability management, including patching and fixing: It is critical to identify known application and software flaws within the environment. The best vulnerability management programs include network and application scanning to discover potential vulnerabilities. They also include the ability to prioritize risks and expedite remediation by fixing vulnerabilities, applying patches across all endpoints and further securing the environment against future compromise.
  5. Security intelligence and analytics: With an enterprise security information and event management (SIEM) platform, organizations are able to apply security intelligence across their enterprise. SIEM enables IT professionals to conduct context, behavior and time-based analytics to evaluate the widest degree of data and focus their efforts on the threats and responses that matter most. Once identified, incidents can be forwarded, with the contextual data, to your incident response team for further analysis and remediation.
  6. An incident response platform: Predefined response plans, established run books and guided instant responses are critical to expediting the reduction and removal of threats. An incident response platform provides a single hub for organizing and orchestrating response activities. Action plans and an expert knowledge base can lead your team through the most effective response while allowing for customization to your standard operating procedures.
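
As an added illustration (not part of the original article or of any product it describes), the Python example below shows the network-side check from measure 3, which targets the C&C step of the Locky chain: proxy log records are matched against a blocklist of known C&C domains and IP ranges to find the internal hosts that tried to reach them. The log format, the blocklist entries and all function names are assumptions constructed for this example.

```python
import ipaddress

# Constructed blocklist: placeholder domains and documentation-range networks,
# standing in for a real threat-intelligence feed of known C&C infrastructure.
BLOCKED_DOMAINS = {"c2.badfeed.example", "payments.invalid"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Constructed proxy log lines: "<timestamp> <client_ip> <dest_host> <dest_ip>"
SAMPLE_LOG = """\
2016-11-04T09:12:01Z 10.0.4.17 intranet.corp.example 10.0.0.5
2016-11-04T09:12:09Z 10.0.4.23 key.c2.badfeed.example 192.0.2.10
2016-11-04T09:12:10Z 10.0.4.23 cdn.vendor.example 203.0.113.45
2016-11-04T09:13:44Z 10.0.4.31 notc2.badfeed.example.org 192.0.2.99
2016-11-04T09:14:02Z 10.0.4.40 - 198.51.100.77
malformed line
"""

def domain_blocked(host):
    """True if host equals a blocked domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Compare label-aligned suffixes only, so "notc2.badfeed.example.org"
    # is not mistaken for "c2.badfeed.example".
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def ip_blocked(addr):
    """True if addr parses as an IP address inside any blocked network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETS)

def find_c2_contacts(log_text):
    """Return {client_ip: [(timestamp, destination, reason), ...]}."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than abort the triage run
        ts, client, host, dest_ip = parts
        if domain_blocked(host):
            hits.setdefault(client, []).append((ts, host, "domain"))
        elif ip_blocked(dest_ip):
            hits.setdefault(client, []).append((ts, dest_ip, "ip-range"))
    return hits

if __name__ == "__main__":
    for client, events in find_c2_contacts(SAMPLE_LOG).items():
        print(client, events)
```

The clients returned are the endpoints to isolate and hand to the incident response team, together with the matching log records as context.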

Unlocking the Power of Your Defenses

You can combat ransomware. Protecting your environment requires a coordinated and organized effort. Armed with the right tools, processes and skills, you can protect and defend your brand – even in this era of escalating attacks.
