Getting infected with ransomware may actually be a good thing for your enterprise. Ponder that statement for a moment. Yes, someone has written that ransomware, which has cost U.S. businesses and consumers approximately $18 million in the past year, may be a good thing for your environment.

In case you have been blissfully unaware of the aggressive ransomware campaigns launched by attackers in the past year, ransomware is malware designed to seek out files with specific extensions, encrypt them and then demand that the end user pay a fee to have the files decrypted. This fee is typically paid in bitcoin or another digital currency.

Ransomware has caused many headaches throughout the industry. According to a recent IBM CISO assessment, 8 out of 10 security leaders surveyed reported they were concerned about ransomware.

Can Ransomware Be a Good Thing?

Let’s consider the capabilities of ransomware. Most variants will seek out targeted file extensions on the host and on any mounted drives or network shares the user has access to, encrypt the files and ask for payment. As of this writing, it does not exfiltrate data from your network, cripple network resources, replicate on its own, allow attackers to traverse your network or exhibit most of the other characteristics of well-known attacks.

To the benefit of corporations, ransomware isn’t environment-aware and can’t tell the difference between a large corporation trying to recover key files worth significant money and a mom attempting to recover baby photos. The ransom is typically the same nominal amount, averaging $700, regardless of who is infected. In short, it’s bad but not that bad.

With this primer on ransomware, how can I say ransomware could be beneficial to your environment? The answer is simple: If you have become infected with ransomware, your organization has more than likely had a fundamental breakdown of basic and foundational security practices that has enabled the threat to propagate in its environment.

A ransomware infection inadvertently allows an organization the opportunity to identify neglected enterprise shortcomings before something really scary comes along, putting it on the front page of newspapers. If you need a silver lining, think of a ransomware event as a low-cost security assessment pointing out weaknesses in your environment.

Foundational Issues Lead to Security Threats

IBM X-Force Incident Response and Intelligence Services (IRIS) has had an influx of calls pertaining to ransomware as more organizations become infected with this nuisance. Almost every call has demonstrated that one or more of the following foundational issues have been sorely neglected within the customer’s enterprise.

1. User Awareness

Many security professionals believe that end users are the weakest link in the organization. If end users are not aware of safe computing practices, they may inadvertently bypass significant investments in information security just by clicking on harmful links or visiting insecure websites.

X-Force Incident Response Services has observed a lack of user awareness as a key shortcoming during several recent ransomware engagements. The end user typically enables the ransomware to enter the environment by clicking on a link or an attachment that they should have known not to click on in the first place. Ultimately, a well-trained workforce becomes a very cheap force multiplier for the organization’s security posture.

2. Not Backing Up Data

One of the first questions an incident responder asks our customers when they have a ransomware issue is, “Do you have backups of the encrypted files?” More often than not, the response is a slightly embarrassed “no.”

Not backing up data is akin to telling the world that the data isn’t worth saving. If the organization is panicking because certain files may be lost, it’s time to re-evaluate your backup methodology.

3. Poor Patching Procedures

During a recent engagement, an incident responder was asked to determine how ransomware entered the organization’s environment. It was discovered that, despite a high-severity software patch being issued by the developer with a recommendation that it be applied within 72 hours, the organization took eight months to apply the patch. A well-known ransomware infection vector is the exploitation of known security vulnerabilities that poor patching practices leave open.

4. Enabling Broad User Permissions

Enforcing the principle of least privilege (PoLP) within an organization is wise for a variety of reasons. Because ransomware encrypts mounted network locations in addition to the host system, a single event can cause damage far beyond patient zero. Ransomware can only encrypt what the infected session can write, so enforcing PoLP limits the damage by reducing the set of files that session is able to modify, and therefore encrypt.

It’s not uncommon for X-Force Incident Response Services to receive a call in which a single infected user ends up encrypting multiple file shares that the user had no business need to access in the first place. Limiting user access via PoLP helps contain the damage caused by ransomware.
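The two points above, that ransomware reaches every mounted location the user can access and that least privilege shrinks that reach, can be measured rather than argued. The script below is an added example, not X-Force tooling or anything from the original post: it walks each mounted drive or share, counts files with targeted extensions and reports how many of them the session could overwrite. The extension list, the four-share layout and the share-level ACL model (`acl_model`) are constructed for illustration; `live_writable` is what you would use against a real workstation instead.

```python
"""Blast-radius estimate for one infected session (added example).

Ransomware encrypts every targeted file the infected session can WRITE, so the
damage is bounded by write access, not by what the user can merely see. This
walks the drives and shares a session has mounted, counts files with targeted
extensions and reports, per mount, how many could be overwritten. The
extension list, the share layout and the ACL model are constructed for
illustration.
"""
import os
import tempfile
from pathlib import Path

# Constructed subset; real families carry hundreds of extensions.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                     ".png", ".pst", ".sql", ".bak", ".zip"}


def live_writable(label, path):
    """Ask the OS whether this session may write the file (root sees everything as writable)."""
    return os.access(path, os.W_OK)


def acl_model(writable_shares):
    """Share-level ACL stand-in: the session may write only inside the listed mounts.
    Lets exported share permissions be evaluated without mounting anything."""
    return lambda label, path: label in writable_shares


def blast_radius(mounts, writable=live_writable):
    """Return ({mount: (targeted, exposed)}, targeted_total, exposed_total).

    `mounts` maps a label such as 'C:' or '\\\\fs01\\finance' to a local path.
    """
    per_mount = {}
    for label, root in mounts.items():
        targeted = exposed = 0
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.suffix.lower() not in TARGET_EXTENSIONS:
                continue
            targeted += 1
            if writable(label, path):
                exposed += 1
        per_mount[label] = (targeted, exposed)
    return (per_mount,
            sum(t for t, _ in per_mount.values()),
            sum(e for _, e in per_mount.values()))


def build_demo_shares(base):
    """Constructed layout: four shares, some files ransomware targets, some it ignores."""
    layout = {
        "home":    ["notes.docx", "budget.xlsx", "readme.txt"],
        "team":    ["plan.pdf", "photo.jpg", "deploy.py"],
        "finance": ["ledger.xlsx", "payroll.pdf", "db.bak"],
        "hr":      ["reviews.docx", "policy.pdf"],
    }
    mounts = {}
    for share, names in layout.items():
        d = Path(base) / share
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_bytes(b"sample content")
        mounts[share] = d
    return mounts


def compare_policies():
    """Same infected user, two ACLs: write everywhere vs. write only where the job needs it."""
    with tempfile.TemporaryDirectory() as tmp:
        mounts = build_demo_shares(tmp)
        broad = blast_radius(mounts, acl_model({"home", "team", "finance", "hr"}))
        least = blast_radius(mounts, acl_model({"home", "team"}))
    return broad, least


if __name__ == "__main__":
    for name, (per_mount, targeted, exposed) in zip(("broad", "least privilege"), compare_policies()):
        print(f"{name}: {exposed}/{targeted} targeted files exposed")
        for label, (t, e) in sorted(per_mount.items()):
            print(f"  {label:8} {e}/{t}")
```

With write access to all four shares the infected session can encrypt all nine targeted files; with write access only to the home and team shares, five of them are out of reach even though the user can still read them. Run the same walk with `live_writable` on a workstation, mounting whatever the user normally has mapped, to get the real number for your environment.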

5. Lack of Defense-in-Depth

The defense-in-depth strategy layers a variety of security practices and technologies so that no single control has to stop a threat on its own. Any one technology or process may be circumvented by attackers, and when it is, the absence of further layers lets ransomware propagate freely.

We often see clients that place too much faith in antivirus software while ignoring patching. Securing your environment is a multifront campaign, and over-reliance on one strategy may lead to trouble.

6. Lessons-Learned Process

An essential part of the incident response life cycle is the lessons-learned process. A ransomware infection isn’t uncommon; many organizations have experienced one — or more. However, if the organization doesn’t take the time to evaluate how it was infected and take steps to shore up identified weaknesses, a new ransomware infection is likely not far around the corner.

Sadly, IBM X-Force Incident Response Services will occasionally receive repeat calls from the same client because it did not take the time to examine and address the shortcomings that let ransomware into the environment the first time.

7. Not Testing Backups

Occasionally, when asked about the state of backups, the infected organization responds with, “We thought we had the data backed up, but it turns out it wasn’t backing up what we thought it was backing up.” A backup that has never been restored is an assumption, not a control. Periodic restore tests that verify your processes are working as intended are key to being able to rely on those processes when the time comes.
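Points 2 and 7 above come down to one question an incident responder will ask: can you restore the files, and are they the files you think they are? The script below is an added example, not the page's own tooling: it takes a SHA-256 manifest of the source at backup time, archives the data, restores it to a scratch directory and diffs the restored tree against that manifest. Because the manifest is taken from the source rather than from the archive, files the backup job silently skipped show up as missing instead of going unnoticed. The three sample files, the misconfigured include rule (`skip_db`) and the truncated restored file (`corrupt`) are constructed for illustration.

```python
"""Backup restore drill (added example).

A backup that is never restored is an assumption, not a control. Take a
SHA-256 manifest of the source at backup time, archive it, restore to a
scratch directory and compare: anything missing, altered or unexpected is
a finding you want before the ransom note, not after. Sample data and the
two injected faults are constructed inline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> sha256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, archive, include=lambda p: True):
    """Archive the files under `source` that pass `include`; return what was captured."""
    source, captured = Path(source), {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file() and include(p):
                rel = str(p.relative_to(source))
                tar.add(str(p), arcname=rel)
                captured[rel] = sha256_of(p)
    return captured


def restore(archive, dest):
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(dest), filter="data")  # refuses path traversal and device nodes
        except TypeError:  # Python without the extraction-filter backport
            tar.extractall(str(dest))


def verify_restore(expected, restored_root):
    """Diff the restored tree against the backup-time manifest of the SOURCE.

    Comparing against the source manifest (not the archive's own listing) is
    what catches the "it wasn't backing up what we thought" case.
    """
    restored = manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(restored)),
        "altered": sorted(p for p in expected if p in restored and restored[p] != expected[p]),
        "unexpected": sorted(set(restored) - set(expected)),
    }


def drill(skip_db=True, corrupt=True):
    """Full cycle on constructed data; the flags inject the two classic failures."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        files = {  # constructed sample data
            "docs/contract.docx": b"PK contract body",
            "docs/budget.xlsx": b"PK budget body",
            "db/customers.sql": b"INSERT INTO customers VALUES (1, 'acme');",
        }
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        expected = manifest(src)  # what we believe the job protects

        # Constructed misconfiguration: the job only picks up the docs folder.
        include = (lambda p: p.parent.name == "docs") if skip_db else (lambda p: True)
        backup(src, tmp / "nightly.tgz", include=include)

        dest = tmp / "restore"
        dest.mkdir()
        restore(tmp / "nightly.tgz", dest)
        if corrupt:  # constructed media fault: one file comes back truncated
            (dest / "docs" / "budget.xlsx").write_bytes(b"")
        return verify_restore(expected, dest)


if __name__ == "__main__":
    print("healthy:", drill(skip_db=False, corrupt=False))
    print("faulty: ", drill())
```

A clean run returns three empty lists; the injected faults return `db/customers.sql` as missing and `docs/budget.xlsx` as altered, which is exactly the conversation you would rather have during a scheduled drill than during an incident. Point the same `manifest`/`backup`/`restore`/`verify_restore` sequence at a real share and a real restore target to turn this into a recurring check.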

No organization wants to be hit by ransomware; it causes nothing but headaches and represents a security failure. But that failure almost certainly points to a foundational shortcoming, and an organization that addresses it makes a far more serious threat, such as an attacker attempting to steal your secret sauce or regulated data, that much harder to carry out.
