A closer look at ransomware: what is it, why is it so devastating, and why aren’t we doing a better job at preventing it? This blog also describes an innovative new cybersecurity solution and shows how it can detect and prevent ransomware, malware, and other intrusions—before they can do damage.
Most people have heard of ransomware and its devastating effects. It can be quite vicious, paralyzing not only organizations but whole towns, utilities, and healthcare centers, which saw a spike of 350% in ransomware attacks 2019). In fact, an article in CRN cites the fact that multinational manufacturers and U.S. city and county governments spent more $176 million responding to the biggest ransomware attacks of 2019, spending on everything from rebuilding networks and restoring backups to paying the hackers ransom.
A February 2020 article in the New York Times explained that in recent attacks, the hackers often spent months quietly scouting out the inner workings of potential victims’ computer networks to ensure that their attack successfully encrypted every important file. Then, once a ransomware attack is successful, the ransom fees can range from a few hundred dollars to tens of thousands (possibly even more), payable to cybercriminals in Bitcoin.
In this blog, we’ll discuss what makes ransomware so hard to find and stop, as well as what steps can be taken to prevent attacks in the future.
Just what is ransomware?
As a refresher, ransomware is a form of malware that cybercriminals use to force victims to pay ransom to get decryption keys in order to regain access to critical files and data. There are two types of ransomware:
- Crypto-ransomware that encrypts valuable files on a computer so the victim can’t access them. Cybercriminals then demand that the victims pay a ransom to get their files back.
- Locker ransomware locks users out of their device and prevents them from using it. Once they are locked out, the attackers demand payment to unlock the device.
High-profile ransomware examples
Here are some examples of some of the most high-profile ransomware attacks:
- Hammersmith Medicines Research: This London-based company was beginning to focus on early vaccines for the coronavirus. Unfortunately, hackers used encryption to lock down thousands of patient records and threatened to publish them publicly if Hammersmith didn’t pay a ransom.
- The city of Atlanta: In March 2018, Atlanta officials determined that a ransomware attack had taken down several customer-facing systems, including bill payment applications. Later reports determined that it might cost as much as $17 million for Atlanta to make a full recovery.
- Norsk Hydro: The Norwegian aluminum and energy giant suffered a “LockerGoga” ransomware attack that started in its U.S. facilities but quickly spread to its headquarters in Norway and eventually affected more than 35,000 employees in 40 different countries.
- The Coast Guard: In 2019, the Coast Guard determined the “Ryuk” ransomware accessed its networks by an email phishing campaign. The virus also took over the Coast Guard’s industrial control systems and encrypted files critical to process operations.
What is it about ransomware that makes it an attractive tactic for hackers? ?
The goal with a ransomware attack is “land and expand.” What’s tough is that the path inside often appears to be innocuous.
One of the most common ways is through an email phishing campaign or use of a trojan. In either case, the recipient is tricked into downloading or opening an attached file. Once opened, the ransomware can take over the victim’s computer or begin to spread over the network.
Another form exploits security holes to infect computers without the need to trick users, such as the case of NotPetya, and other examples like WannaCry worm, were able to jump from computer to computer, without user interaction.
Why can’t we stop ransomware?
You can’t stop what you can’t see. Once inside the network the virus moves freely, unseen, seeking out, exfiltrating data and ultimately locking out organizations from their own infrastructure.
This happens because the majority of security tools, such as network perimeter monitoring provide protection for approximately 20% of the total traffic. Most companies don’t have real-time visibility into east-west network traffic (the other 80%), and a result, are ill-equipped to detect malware, ransomware, and other intrusions before they have a chance to do real damage.
For example, traditional security tools tend to be siloed, with no simple way to aggregate or prioritize the results leading to many false alerts. Research reports that many companies receive more than 5,000 alerts a day. This falls on highly trained (expensive) SOC employees who must be available 24x7 to analyze results and attempt to take the right action to remediate potential threats. It’s clear that even highly staffed SOC teams can’t investigate all of these alerts effectively.
The five keys to complete cybersecurity protection
When evaluating cybersecurity solutions, organizations should rate them against five critical criteria. These steps will not only give them the upper hand against ransomware, but also all other forms of cyber threats.
- Complete network visibility: Insight into every corner of your network, where other solutions are limited or completely blind, especially east-west traffic, which is where land and expand happens.
- Enterprise-wide analytics: To find threats quickly and accurately, leverage untapped analytics generated from alerts, logs, threat intelligence.
- Smart threat modeling: Take the burden off analysts by utilizing artificial intelligence (AI) to feed it through machine learning (ML) based predefined threat models that understand how each threat behaves.
- Automated and surgical threat containment: Not only should AI capabilities be incredibly accurate, but they should allow for the automatic containment of these threats before they can spread to other devices. Another important note is that production communications should carry on, only the affected devices should be brought offline.
- Auditable enforcement: Finally, for certain industries meeting industry compliance is no laughing matter. solutions should be able to provide the reports needed to assure regulatory compliance and enforcing connectivity policies – preventing future violations.
Stopping ransomware got a whole lot easier
ARIA Cybersecurity Solutions has taken a different path when developing our threat detection and response solutions. Unlike other providers, we start inside the network to generate complete enterprise-wide traffic visibility and analytics. This helps our solutions assist in two important ways: improve the performance of your existing security stack or deploy full AI-driven SOC capabilities within a single platform.
Don’t let ransomware knock your business out of commission. Learn how an automated solution can help you detect and automatically stop threats and attacks, all without the need for human employees.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate data breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.