The past few months have seen a worrying increase in high-profile ransomware attacks. Almost every week a new victim surfaces: oil pipelines, national health authorities, the world’s largest meat producer; the list goes on and on.
In May, Colonial Pipeline, the company providing almost half of the fuel for the East Coast of the United States, was hacked by a criminal gang who encrypted the company’s data. Even after the $4m ransom was paid, the decryption tool was full of bugs, and it still took a while to restore the pipeline.
Later in May, the national healthcare system of Ireland – HSE Ireland – was disabled by a ransomware attack. A truly despicable act, especially as the criminal gang knew the victim was a national health service and that the attack would have a devastating effect on the sick, the old and children.
At the start of June, the world’s largest meat processing and packaging company JBS paid $11M to hackers when it fell victim to a ransomware attack.
But of course it’s not just large organisations being targeted: earlier this year a healthcare practice in Missouri, USA, was forced to close after it lost all its electronic health records in a ransomware attack.
Last October, cyber criminals targeted a psychiatric hospital in Finland. The gang first stole the medical records of around 40,000 patients. Then they encrypted the hospital’s databases and records. They not only sought a ransom from the hospital, but also emailed the patients threatening to publish their personal records.
There is one thing you must understand about ransomware. Ransomware is NOT A VIRUS. If you take away one thing, it should be this… Ransomware is not a virus.
77% of ransomware victims had up-to-date endpoint protection (anti-virus, anti-malware, etc.)
That’s right: according to Sophos, more than 77 percent of those impacted by ransomware were running up-to-date endpoint protection, which confirms that traditional endpoint security is no longer enough to protect against today’s ransomware attacks.
In other words, your anti-virus and anti-malware will not prevent you from becoming a victim of ransomware.
A virus is activated either when it is first loaded or when it is programmed to execute; it is autonomous and will self-replicate and spread automatically. Ransomware, by contrast, works by installing an initial program that gives the criminals access to the computer and network. It doesn’t automatically execute. That is a good thing, because it gives the victim time to act… if the victim knows about it!
The criminals then move around laterally within the victim’s network to find what they need to blackmail the victim into paying the ransom.
Ironically, the cyber criminals themselves have given us a massive clue about how we can protect organisations. When they attacked the Irish Health Service (HSE) shutting its system down for days, the actual chat between the HSE IT Team and the attackers was published by several news agencies. The attackers boasted “…we infiltrated your network and stayed in it for more than 2 weeks…” and went on “…[we] downloaded…more than 700Gb of personal data…”
Unlike viruses, ransomware doesn’t instantly cause issues. Attackers gain access to the network using a payload delivered by a phishing email, or by a link in a phishing email that leads to a malicious website. However, they won’t instantly push the button to execute the ransomware. They will snoop around the network looking for valuable sensitive data, data they can hold to ransom, and then download that data so they can maximise their returns. If the victim doesn’t pay the ransom, the criminals publish the data on the internet, causing untold damage to the company, its reputation and the data subjects.
They will move from server to server making asset lists, which of course takes time. Anti-virus, anti-malware and even SIEM solutions won’t see them. Only network monitoring will shine a light on them, and usually very quickly, especially once they start downloading vast amounts of data.
Because the attackers are literally wandering around the network, possibly for weeks before the actual attack, snooping in every corner for the organisation’s crown jewels, real-time network monitoring can help to spot them.
When the initial ransomware payload is executed, its first job is to call home to alert the criminals that it is successfully inside the target network. Again, this unusual traffic can be spotted by real-time traffic monitoring, which can help you stop a ransomware attack before it even starts.
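The two network signals described above, a compromised host calling home on a fixed schedule and a host pushing an unusually large volume of data out of the network, can both be picked out of summarised flow records with very little logic. The script below is an added illustration, not Bluedog’s code or part of the original article: the flow records are constructed for the example, the RFC 1918 ranges are assumed to be the only internal networks, and the beacon count, jitter and volume thresholds are arbitrary starting points a SOC would tune against its own baseline.

```python
"""Toy detections for two signals of a ransomware intrusion:
regular call-home beacons and bulk outbound data transfer.
All flow records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

T0 = datetime(2021, 6, 1, 9, 0, 0)

# Assumption: these RFC 1918 ranges are the organisation's internal networks.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def flow(offset_s, src, dst, port, bytes_out):
    """One summarised outbound flow: time, source, destination, port, bytes sent."""
    return {"ts": T0 + timedelta(seconds=offset_s), "src": src,
            "dst": dst, "port": port, "bytes_out": bytes_out}


# Constructed sample data (documentation IP ranges used for external hosts).
# 10.0.0.15 checks in with 203.0.113.7 roughly every 60 s (call-home beacon).
# 10.0.0.20 pushes 8.5 GB to 198.51.100.9 in a handful of flows (bulk exfil).
# 10.0.0.31 browses normally; one internal SMB flow is included and ignored.
FLOWS = (
    [flow(60 * i + (i % 3) - 1, "10.0.0.15", "203.0.113.7", 443, 640)
     for i in range(10)]
    + [flow(t, "10.0.0.20", "198.51.100.9", 443, 1_700_000_000)
       for t in (300, 340, 520, 1000, 1500)]
    + [flow(5, "10.0.0.31", "192.0.2.10", 443, 12_000),
       flow(47, "10.0.0.31", "192.0.2.20", 443, 48_000),
       flow(200, "10.0.0.31", "192.0.2.10", 443, 9_500),
       flow(260, "10.0.0.31", "198.51.100.50", 80, 3_000),
       flow(410, "10.0.0.31", "192.0.2.53", 53, 120),
       flow(900, "10.0.0.15", "10.0.0.5", 445, 20_000)]
)


def is_external(ip):
    """True when the address lies outside every internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_beacons(flows, min_count=6, max_jitter=0.2):
    """Return sorted (src, dst, port) triples with at least min_count
    connections whose inter-arrival times are nearly constant: the
    coefficient of variation of the gaps is at or below max_jitter.
    Human browsing is bursty; a scheduled check-in is not."""
    by_channel = defaultdict(list)
    for f in flows:
        if is_external(f["dst"]):
            by_channel[(f["src"], f["dst"], f["port"])].append(f["ts"])
    hits = []
    for channel, times in by_channel.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(channel)
    return sorted(hits)


def detect_exfil(flows, threshold_bytes=1_000_000_000):
    """Return {src: total_bytes} for internal hosts whose outbound volume
    to external addresses exceeds threshold_bytes within the window."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[f["src"]] += f["bytes_out"]
    return {src: b for src, b in totals.items() if b > threshold_bytes}


if __name__ == "__main__":
    for src, dst, port in detect_beacons(FLOWS):
        print(f"beacon-like traffic: {src} -> {dst}:{port}")
    for src, total in detect_exfil(FLOWS).items():
        print(f"bulk outbound transfer: {src} sent {total / 1e9:.1f} GB")
```

Run stand-alone it flags the beaconing workstation and the server shipping data out, and stays quiet about the host that is simply browsing. In practice the same two functions would be fed by NetFlow, IPFIX or firewall logs, and the thresholds would come from a measured baseline of what each host normally sends.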
Unlike autonomous computer viruses, ransomware attacks are managed and carried out by humans. Like all humans, criminals have behaviour patterns, and SOC analysts are trained to recognise them. It takes a human eye and a human brain to ask the “Why is that happening? That looks weird!” type of question; correlation and behaviour recognition are still jobs for human SOC analysts.
It is estimated that more than 90% of cyberattacks start with a phishing email. Even more worrying, it’s estimated that around 4% of employees regularly click links in phishing emails. Imagine how many times a day you’re being put at risk!
As most businesses use Microsoft 365 it makes sense to use a managed monitoring service to protect your business from ransomware attacks and help prevent them even starting in the first place.
Here are just a few of the thousands of behaviours the Bluedog Microsoft 365 Managed Monitoring service is designed to alert on.
Any one of the above can be a flag that someone has infiltrated or is trying to infiltrate your Microsoft tenancy. Once again, when backed up by human SOC analysts this can be a powerful defence to prevent ransomware and other cyber-attacks.
Cybercriminals and ransomware attackers quite often exploit vulnerabilities in software. Every day hundreds of new vulnerabilities are found in popular software. The traditional method of testing your systems once a year means you will miss literally tens of thousands of vulnerabilities, some of them critical. You should therefore use a VAPT system that runs monthly and is updated with the latest vulnerabilities. That way you can be as sure as you can be that your systems are secure.