Antonio Challita is the director of product management at CyberSight. The company provides users with protection against ransomware. In an age where ransomware attacks can be deployed by almost anyone, businesses must be prepared to potentially be targeted by cybercriminals. With three years of experience at CyberSight, Challita was able to shed light on the present and future of ransomware.
What are the driving forces that are enabling ransomware to flourish?
Over the past decade, nearly 75 percent of cybersecurity breaches were financially motivated. From a cybercriminal’s standpoint, ransomware provides an ideal business model for raking in revenue. It’s a low-effort, high-reward attack that transfers currency directly from the hands of victims into the hands of hackers (or their crypto wallets, to be more precise). Ransomware is a more lucrative option than having to deal with intermediary third-party buyers on the black market for stolen credit cards, social security numbers or birth dates.
One of the driving forces behind ransomware is the rapid rise in the value of Bitcoin, Dash, Monero, and other cryptocurrencies, coupled with the ease of payments, decentralization, and pseudo-anonymity that cryptocurrencies provide.
What added fuel to the fire was a zero-day exploit in the Windows SMB protocol that was leaked online and used in the high-profile WannaCry and NotPetya ransomware variants. Both of these variants added self-propagating worm functionality that increased the spread of ransomware exponentially.
What kinds of attacks are you seeing at CyberSight? Is there a type of attack that is most popular?
Ransomware attacks infiltrating machines over RDP (Remote Desktop Protocol) caused the most damage in 2018. In attacks over RDP, attackers start by scanning for PCs or servers that are advertising open RDP ports. They then brute-force their way into those machines and gain access. Keep in mind that many of those machines have weak passwords that can be cracked in minutes, if not seconds.
Once the attackers are inside the machine, they’ll attempt to disable your endpoint security solution to evade detection and will delete your volume shadow copies (backups) prior to downloading the malicious ransomware executable and encrypting files.
Are any devices bigger targets for ransomware attacks than others?
The two biggest targets for ransomware attacks today are PCs and servers. Servers are becoming more targeted by attackers due to the sensitive nature of the data stored on them, and their criticality to business operations.
Ransom payment demands on servers, which are used by businesses, are significantly higher than those on PCs, which are used by consumers. This is because hackers are well aware that businesses have much deeper pockets than consumers and are motivated to quickly restore their business service continuity.
Hackers will often use a PC as the device to gain a foothold on the business network, using phishing emails or drive-by downloads. Once on the inside, hackers are subjected to fewer security controls. They will scan the network to find higher-value server devices, and move laterally to encrypt their files.
What is the best way to prevent a modern cyberattack, without needing to put a recovery plan into effect?
There is no silver bullet to prevent modern attacks. Attackers’ methods are constantly advancing and they’re using more complex tools and techniques. The best approach to stay protected is to use multiple layers of defense, including:
- Train your employees to be wary of phishing emails, compromised websites, or social engineering attacks. Humans remain the weakest link in cybersecurity.
- Keep your software patched and up to date, particularly software corresponding to services facing the public internet. Attackers commonly exploit known vulnerabilities in unpatched software to attack. This was how WannaCry shook the world!
- Maintain regular backups of your data, ideally offline, in a location disconnected from your local area network. Ransomware is known to delete or encrypt your backups.
- Limit your open ports, connections, and exposure to the public internet. Do you really need Remote Desktop open to the internet? You probably don’t, but if you really do, make sure you add a policy to lock out accounts after 3-5 failed login attempts.
- Use a behavioral-based ransomware protection solution to complement your antivirus. According to a study by SANS, less than 50% of attacks are detected by antivirus. Machine learning algorithms and run-time behavioral analysis can help protect you against the new breed of ransomware attacks.
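The RDP attack chain described earlier (brute-forced logons, then deletion of volume shadow copies before encryption) and the lockout advice above both translate into things a defender can watch for in the Windows Security log. The following is an added example, not CyberSight code or anything from the interview; the log lines are constructed, the simplified `timestamp|event_id|key=value` format is an assumption standing in for real event exports, and the thresholds (5 failures in one minute) mirror the 3-5 attempt lockout policy mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4625 = failed logon, 4624 = successful
# logon, 4688 = process creation; LogonType 10 is an interactive RDP session.
SAMPLE_EVENTS = """\
2018-11-03T02:14:01|4625|LogonType=10;IpAddress=203.0.113.7;TargetUserName=administrator
2018-11-03T02:14:02|4625|LogonType=10;IpAddress=203.0.113.7;TargetUserName=admin
2018-11-03T02:14:02|4625|LogonType=10;IpAddress=203.0.113.7;TargetUserName=backup
2018-11-03T02:14:03|4625|LogonType=10;IpAddress=203.0.113.7;TargetUserName=sqlsvc
2018-11-03T02:14:04|4625|LogonType=10;IpAddress=203.0.113.7;TargetUserName=backup
2018-11-03T02:14:09|4624|LogonType=10;IpAddress=203.0.113.7;TargetUserName=backup
2018-11-03T08:59:00|4625|LogonType=2;IpAddress=-;TargetUserName=jsmith
2018-11-03T09:00:00|4625|LogonType=10;IpAddress=198.51.100.4;TargetUserName=jsmith
2018-11-03T02:21:40|4688|NewProcessName=C:\\Windows\\System32\\vssadmin.exe;CommandLine=vssadmin delete shadows /all /quiet
"""

# Command lines that remove shadow copies (the "backups" the interview says ransomware deletes).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)

def parse_events(text):
    """Parse the simplified export into dicts with a datetime, an int event id and the fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, fields = line.split("|", 2)
        kv = dict(f.split("=", 1) for f in fields.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id), **kv})
    return sorted(events, key=lambda e: e["ts"])

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: summary} for sources with >= threshold RDP logon failures inside `window`.
    A later type-10 success from the same source is recorded: a burst that ended in a
    successful logon is the case that needs immediate response, not just a lockout."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("LogonType") == "10":
            failures[e.get("IpAddress", "-")].append(e)
    hits = {}
    for ip, evs in failures.items():  # evs is already time-ordered
        for i in range(len(evs) - threshold + 1):
            burst_end = evs[i + threshold - 1]["ts"]
            if burst_end - evs[i]["ts"] <= window:
                success = any(e["id"] == 4624 and e.get("LogonType") == "10"
                              and e.get("IpAddress") == ip and e["ts"] >= burst_end for e in events)
                hits[ip] = {"failures": len(evs), "later_success": success,
                            "users": sorted({e["TargetUserName"] for e in evs})}
                break
    return hits

def shadow_copy_deletions(events):
    """Return the command lines of process-creation events that delete shadow copies."""
    return [e["CommandLine"] for e in events
            if e["id"] == 4688 and SHADOW_DELETE.search(e.get("CommandLine", ""))]
```

On the sample data the single failure from 198.51.100.4 and the local (LogonType 2) failure are ignored, while 203.0.113.7 is flagged with a later successful logon, and the `vssadmin` command is reported separately so the two signals can be correlated in time.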
Do you have any thoughts on how ransomware will develop in the future?
Ransomware will develop in the future to target newer device types beyond PCs, servers and mobile devices. With governments, businesses and consumers relying on technology more than ever before, attackers will go after devices that we intimately depend on – such as industrial control systems, connected cars, smart home devices, and connected medical devices.
Can you imagine a hacker taking control of cars on our highways or medical devices implanted in our bodies? Can you imagine only having 24 hours to pay to restore order and avoid fatal disruptions?
We’ve seen these disruptions occur on small scales, and they could very well happen at large scales. If we are prudent, collaborative and proactive in building security-by-design, and in deploying adequate security controls in connected technology, we can maintain the edge in the future of ransomware.