Welcome!

Machine Learning Authors: Liz McMillan, Ed Featherston, Elizabeth White, Flint Brenton, Pat Romanski

Related Topics: @CloudExpo, Machine Learning , Cloud Security

@CloudExpo: Blog Post

What Is Ransomware and How Cloud Security Mitigates It | @CloudExpo #Cloud #Security #MachineLearning

There was a 300 percent increase in ransomware attacks last year, according to the FBI

What Is Ransomware and How Cloud Security Mitigates It

Ransomware attacks escalated dramatically in 2016. In fact, there was a 300 percent increase in ransomware attacks last year, according to the FBI, to an average of 4,000 attacks a day, up from 1,000 ransomware attacks a day in 2015. What's more, organizations are targeted more frequently than individuals because they generate a much bigger potential payoff. Ransomware has become a profitable criminal enterprise that continues to change and grow.

Managed Service Providers often assist clients with data restoration to avoid the downtime that can be caused by a ransomware attack. They also work with clients to improve their security posture overall so they can avoid ransomware damage. Here's what your organization needs to know about ransomware and how cloud computing can help protect your organization.

What is ransomware?
There may be more than a hundred families of ransomware. Basically, three traits are common among the many variants of ransomware viruses:

  1. They infect your computer, such as through a spear-phishing email (targeted at a specific employee) or a visit to a legitimate website infected with malicious code.
  2. They encrypt your files and demand payment (usually in bitcoin) to receive a decryption key.
  3. The decryption key is usually successful; however, it can depend on the honesty and follow-through of the cybercriminal.

Not all ransomware is created equally. There are two main types: lock screen and encryption ransomware. Encryption got all the press in 2016. While you may be able to find a workaround to lock screen ransomware, that's not the case with file-encrypting crypto ransomware. By the time you realize your files are encrypted and unreadable, or you find or receive a ransom note, the damage has been done - and it is irreversible without the private decryption key held by the attacker.

How files get infected with ransomware
Attackers are changing their tactics. While spam emails used to be a popular way to spread malware such as ransomware, spam filters have taken the wind out of that approach. Now it is often spear-phishing, which targets an individual directly. In fact, 93% of all phishing emails contain some sort of ransomware encryption, according to a report by PhishMe, an anti-phishing vendor. And the FBI says recent iterations target enterprise end users.

That's not all. Other sources of ransomware include social media, malicious advertising (even on trusted websites) and bold cold calls via phone where an attacker poses as a software vendor or IT provider and directly requests remote access to the user's computer to resolve a purported problem - but instead installs ransomware.

How you know if you have been hit by ransomware
You likely won't know you've been hit right away, but within seconds the ransomware virus will silently start encrypting your files - and files accessible via your network. The files are generally encrypted with a public encryption key in such a way that you cannot decrypt the files without the second key of the pair. You probably won't get a ransom note until hours or days later when the encryption is complete.

In the meantime, you may discover files that appear to be corrupted. Encrypted files cannot be read by any application, and the first sign of damage may be error messages on your computer when opening files - asking which application should be used.

When Internet of Things devices are hit by ransomware
Even smartphone apps and Internet of Things (IoT) devices can be infected with ransomware. How would you know if your smart thermostat was infected? Two hackers demonstrated a proof-of-concept of thermostat lock-screen ransomware at the Def Con conference in Las Vegas last year. Imagine cybercriminals cranking up the building's heat in the summer or turning it off when it's freezing outside - and then locking the device until the ransom is paid with a bitcoin. Like a small computer, their off-the-shelf smart thermostat ran a version of Linux and had a user input screen and an SD card. The device was especially vulnerable because the firmware was readable and the code ran from the root.

The introduction of Mirai - a malware and botnet combination - has introduced even more complexity into the ransomware arena. This virus can compromise a wide range of Internet of Things (IoT) devices, including DVRs, security cameras, and network gateways. As with much of the more recent distributed denial of service (DDoS) botnet malware, once a device is infected with Mirai, an attacker gains full control of the device and can use it for denial of service attacks - or potentially hold it for ransom.

What data is most likely to be held hostage?
Almost half of respondents to a survey of 500 businesses worldwide said their organization had suffered a ransomware attack in the last 12 months. They were an experienced bunch; those who suffered at least one ransomware attack had to defend against six attacks on average. Of those who had faced an attack, 42% said the type of data targeted was employee information, 41% said it was financial data, and 40% described it as customer information. How did the ransomware attacker get access in the first place? Phishing via email or social media was extremely common (81%). Clicking on a compromised website ensnared 50% and infection via a computer that was part of a botnet got 40%.

How much does ransom cost?
Some organizations are being targeted for high ransom amounts. Network World cites Federal Trade Commission Chair Edith Ramirez as providing the example of Hollywood Presbyterian Medical Center, which paid bitcoin valued at around $17,000 to the perpetrators of a ransomware attack. CSO Online reports that the original ransom demand was $3.6 million.

The FBI estimates that criminals reaped more than $1 billion from ransomware in 2016. Many victims don't report their losses, so the amount could be much higher. Ransomware-as-a-service (RaaS) is a new monetization model that gained steam in 2016. The authors of the ransomware are said to get a percentage of each paid ransom, thus creating incentive to provide frequent software updates, service and new features.

Unfortunately, the FBI reports that even if payment is made, the decryption key provided by the perpetrator to unlock the files may not work due to system configuration issues. Or the perpetrators may not provide the key after receiving the money and instead follow up with a second ransom demand.

Backups may not be enough
The FBI offers tips for dealing with a ransomware threat. A key point to ensuring business continuity in a world of ransomware is to back up data regularly and test the backups. Any backups, including cloud backups, need to be secured in a way that they are inaccessible to spreading ransomware virus. Many ransomware infections will encrypt any accessible data including external storage, USB drives and mapped and unmapped network drives.

Having a secure and validated data backup program is the easiest way to avoid having to pay ransom. Even then, it typically takes 33 employee hours to replace the stored data, according to survey respondents. Preparing in advance with a business continuity plan, disaster recovery plan, and the help of a company with cloud security and disaster recovery expertise can help you avoid the headache of ransomware and other security breaches - and help you to ensure faster mitigation and recovery if your organization is attacked.

Machine learning: taking a bigger step to stop ransomware
Seven in ten organizations hit by ransomware agreed that they needed a new solution to protect their organization from ransomware. Sixty-five percent agreed that traditional cybersecurity techniques cannot protect from the next generation of malware such as ransomware attacks. Advanced malware and ransomware is now getting past signature-based anti-virus software. Although Security Information and Event Management (SIEM) solutions stop many attacks, attackers know how SEIM solutions operate, so they can work around them.

Machine learning techniques available today in cloud computing solutions such as Microsoft Azure can provide protection against both known and potentially never-before-seen ransomware and other breaches that may make it past anti-virus and SEIM systems. Machine learning allows organizations to track the normal behavior of internal and external users and typical traffic patterns - and take action when behavior differs even subtly from what is expected. For example, if a user doesn't usually encrypt, copy or delete large numbers of files, it's a red flag if they attempt to do so. You can bring much more power to your ransomware deflection efforts when you have adaptive systems in the cloud.

Limiting the reach of a ransomware infection
It's best to assume your infrastructure will be breached by malware such as ransomware, and plan accordingly. If ransomware gets to your network, there are ways to limit its reach. For example, it is best to assume credentials will be compromised and assign roles based on the least privilege required to complete a task and no more. Multi-factor authentication can also prevent damage from a phished username/password pair, and machine learning can be applied to anticipate if a user access attempt is legitimate.

With security protocols and technologies smartly designed and implemented, even when a threat actor gets in it's possible to prevent or minimize damage. With proper segmentation, security zones isolate elements and prevent the lateral movement of attackers. In a best practices zero-profile implementation, cloud firewall policies will be architected to prevent all inbound and outbound connectivity on all ports by default. The security profile will then be modified to provide services with the minimum required connectivity.

Backups, replication and disaster recovery plans
Having a secure and validated data back-up program is the easiest way to avoid having to risk paying to decrypt files rendered unusable by crypto-ransomware. It's important that your backup and replication plan meets the unique needs of your organization to ensure business continuity. A disaster recovery failover plan can dramatically improve the effectiveness and speed of restoring your systems to full operation.

Whether your systems go down due to power loss, user error, natural disaster or ransomware, the result can be devastating. The best disaster recovery plans use both backup and replication. A backup is a copy of your data at a point in time. Backups provide good long-term storage but are limited to the snapshot of data stored at the time of the backup. Replication can meet much lower recovery time (RTO) and recovery point objectives (RPO). Replication runs a mirror image of your data operations and can take over at the moment of failure. Failover to a replicated site can keep a business running with little to no downtime. Regular failover testing is essential to ensure your systems will return to production levels in the timeframe and with the data quality desired after a ransomware attack.

Disaster Recovery as a Service (DRaaS) goes beyond traditional disaster recovery. DRaaS manages a variety of backup and replication systems - in the cloud, co-located and in your own data center - unifying all under common interface to reduce complexity and improve resilience when you need to restore or failover.

It's time to take action
Most tech executives agree that they lack the necessary skills internally to keep their systems and data secure. Organizations that put off mitigating a security risk such as ransomware to a later date often never deal with it at all. Consider whether your organization has the expertise and the current bandwidth to ensure you don't become a ransomware statistic.

A cloud engineering team can work closely with your organization to identify your key challenges and objectives and to map out a cost-effective plan that provides your company with a secure, compliant, robust and flexible IT architecture that grows with you and blocks ransomware and other attacks. Managed security services including machine-learning analytics can help keep your organization protected from ransomware and other cybersecurity threats.

Resources

Disaster Recovery as a Service Solutions Brief [http://www.tierpoint.com/wp-content/uploads/2016/11/SOLUTIONS-BRIEF-DRaaS1.pdf]

SentinelOne Ransomware Research Data Summary [https://go.sentinelone.com/rs/327-MNM-087/images/Data%20Summary%20-%20English.pdf]

FBI Ransomware Prevention and Response for CISOs [https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

More Stories By Paul Mazzucco

Paul Mazzucco is Chief Security Officer at TierPoint where he is responsible for all company standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards.

Paul completed his undergraduate work at Lehigh University, studying Human Behavior and Cyber Security. He is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE), and Certified Ethical Hacker (CEH) answering to the FBI, the United States Secret Service, Pennsylvania Electronic Crimes Task Force (PAECT) and the United States Computer Emergency Readiness Team (U.S. CERT).

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
Mobile device usage has increased exponentially during the past several years, as consumers rely on handhelds for everything from news and weather to banking and purchases. What can we expect in the next few years? The way in which we interact with our devices will fundamentally change, as businesses leverage Artificial Intelligence. We already see this taking shape as businesses leverage AI for cost savings and customer responsiveness. This trend will continue, as AI is used for more sophistica...
Many companies start their journey to the cloud in the DevOps environment, where software engineers want self-service access to the custom tools and frameworks they need. Machine learning technology can help IT departments keep up with these demands. In his session at 21st Cloud Expo, Ajay Gulati, Co-Founder, CTO and Board Member at ZeroStack, will discuss the use of machine learning for automating provisioning of DevOps resources, taking the burden off IT teams.
SYS-CON Events announced today that Cedexis will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cedexis is the leader in data-driven enterprise global traffic management. Whether optimizing traffic through datacenters, clouds, CDNs, or any combination, Cedexis solutions drive quality and cost-effectiveness.
SYS-CON Events announced today that Enroute Lab will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enroute Lab is an industrial design, research and development company of unmanned robotic vehicle system. For more information, please visit http://elab.co.jp/.
SYS-CON Events announced today that Mobile Create USA will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Mobile Create USA Inc. is an MVNO-based business model that uses portable communication devices and cellular-based infrastructure in the development, sales, operation and mobile communications systems incorporating GPS capabi...
SYS-CON Events announced today that Suzuki Inc. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Suzuki Inc. is a semiconductor-related business, including sales of consuming parts, parts repair, and maintenance for semiconductor manufacturing machines, etc. It is also a health care business providing experimental research for...
IBM helps FinTechs and financial services companies build and monetize cognitive-enabled financial services apps quickly and at scale. Hosted on IBM Bluemix, IBM’s platform builds in customer insights, regulatory compliance analytics and security to help reduce development time and testing. In his session at 21st Cloud Expo, Lennart Frantzell, a Developer Advocate with IBM, will discuss how these tools simplify the time-consuming tasks of selection, mapping and data integration, allowing devel...
Cloud-based disaster recovery is critical to any production environment and is a high priority for many enterprise organizations today. Nearly 40% of organizations have had to execute their BCDR plan due to a service disruption in the past two years. Zerto on IBM Cloud offer VMware and Microsoft customers simple, automated recovery of on-premise VMware and Microsoft workloads to IBM Cloud data centers.
Why Federal cloud? What is in Federal Clouds and integrations? This session will identify the process and the FedRAMP initiative. But is it sufficient? What is the remedy for keeping abreast of cutting-edge technology? In his session at 21st Cloud Expo, Rasananda Behera will examine the proposed solutions: Private or public or hybrid cloud Responsible governing bodies How can we accomplish?
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...
SYS-CON Events announced today that Nihon Micron will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Nihon Micron Co., Ltd. strives for technological innovation to establish high-density, high-precision processing technology for providing printed circuit board and metal mount RFID tags used for communication devices. For more inf...
SYS-CON Events announced today that mruby Forum will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. mruby is the lightweight implementation of the Ruby language. We introduce mruby and the mruby IoT framework that enhances development productivity. For more information, visit http://forum.mruby.org/.
In his session at @ThingsExpo, Greg Gorman is the Director, IoT Developer Ecosystem, Watson IoT, will provide a short tutorial on Node-RED, a Node.js-based programming tool for wiring together hardware devices, APIs and online services in new and interesting ways. It provides a browser-based editor that makes it easy to wire together flows using a wide range of nodes in the palette that can be deployed to its runtime in a single-click. There is a large library of contributed nodes that help so...
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
SYS-CON Events announced today that SIGMA Corporation will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. uLaser flow inspection device from the Japanese top share to Global Standard! Then, make the best use of data to flip to next page. For more information, visit http://www.sigma-k.co.jp/en/.
SYS-CON Events announced today that Daiya Industry will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Daiya Industry specializes in orthotic support systems and assistive devices with pneumatic artificial muscles in order to contribute to an extended healthy life expectancy. For more information, please visit https://www.daiyak...
Today traditional IT approaches leverage well-architected compute/networking domains to control what applications can access what data, and how. DevOps includes rapid application development/deployment leveraging concepts like containerization, third-party sourced applications and databases. Such applications need access to production data for its test and iteration cycles. Data Security? That sounds like a roadblock to DevOps vs. protecting the crown jewels to those in IT.
SYS-CON Events announced today that B2Cloud will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. B2Cloud specializes in IoT devices for preventive and predictive maintenance in any kind of equipment retrieving data like Energy consumption, working time, temperature, humidity, pressure, etc.
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, paneli...