Machine Learning Authors: Pat Romanski, William Schmarzo, Yeshim Deniz, Stackify Blog, Jason Bloomberg

Related Topics: @CloudExpo, Machine Learning , Cloud Security

@CloudExpo: Blog Post

What Is Ransomware and How Cloud Security Mitigates It | @CloudExpo #Cloud #Security #MachineLearning

There was a 300 percent increase in ransomware attacks last year, according to the FBI

What Is Ransomware and How Cloud Security Mitigates It

Ransomware attacks escalated dramatically in 2016. In fact, there was a 300 percent increase in ransomware attacks last year, according to the FBI, to an average of 4,000 attacks a day, up from 1,000 ransomware attacks a day in 2015. What's more, organizations are targeted more frequently than individuals because they generate a much bigger potential payoff. Ransomware has become a profitable criminal enterprise that continues to change and grow.

Managed Service Providers often assist clients with data restoration to avoid the downtime that can be caused by a ransomware attack. They also work with clients to improve their security posture overall so they can avoid ransomware damage. Here's what your organization needs to know about ransomware and how cloud computing can help protect your organization.

What is ransomware?
There may be more than a hundred families of ransomware. Basically, three traits are common among the many variants of ransomware viruses:

  1. They infect your computer, such as through a spear-phishing email (targeted at a specific employee) or a visit to a legitimate website infected with malicious code.
  2. They encrypt your files and demand payment (usually in bitcoin) to receive a decryption key.
  3. The decryption key is usually successful; however, it can depend on the honesty and follow-through of the cybercriminal.

Not all ransomware is created equally. There are two main types: lock screen and encryption ransomware. Encryption got all the press in 2016. While you may be able to find a workaround to lock screen ransomware, that's not the case with file-encrypting crypto ransomware. By the time you realize your files are encrypted and unreadable, or you find or receive a ransom note, the damage has been done - and it is irreversible without the private decryption key held by the attacker.

How files get infected with ransomware
Attackers are changing their tactics. While spam emails used to be a popular way to spread malware such as ransomware, spam filters have taken the wind out of that approach. Now it is often spear-phishing, which targets an individual directly. In fact, 93% of all phishing emails contain some sort of ransomware encryption, according to a report by PhishMe, an anti-phishing vendor. And the FBI says recent iterations target enterprise end users.

That's not all. Other sources of ransomware include social media, malicious advertising (even on trusted websites) and bold cold calls via phone where an attacker poses as a software vendor or IT provider and directly requests remote access to the user's computer to resolve a purported problem - but instead installs ransomware.

How you know if you have been hit by ransomware
You likely won't know you've been hit right away, but within seconds the ransomware virus will silently start encrypting your files - and files accessible via your network. The files are generally encrypted with a public encryption key in such a way that you cannot decrypt the files without the second key of the pair. You probably won't get a ransom note until hours or days later when the encryption is complete.

In the meantime, you may discover files that appear to be corrupted. Encrypted files cannot be read by any application, and the first sign of damage may be error messages on your computer when opening files - asking which application should be used.

When Internet of Things devices are hit by ransomware
Even smartphone apps and Internet of Things (IoT) devices can be infected with ransomware. How would you know if your smart thermostat was infected? Two hackers demonstrated a proof-of-concept of thermostat lock-screen ransomware at the Def Con conference in Las Vegas last year. Imagine cybercriminals cranking up the building's heat in the summer or turning it off when it's freezing outside - and then locking the device until the ransom is paid with a bitcoin. Like a small computer, their off-the-shelf smart thermostat ran a version of Linux and had a user input screen and an SD card. The device was especially vulnerable because the firmware was readable and the code ran from the root.

The introduction of Mirai - a malware and botnet combination - has introduced even more complexity into the ransomware arena. This virus can compromise a wide range of Internet of Things (IoT) devices, including DVRs, security cameras, and network gateways. As with much of the more recent distributed denial of service (DDoS) botnet malware, once a device is infected with Mirai, an attacker gains full control of the device and can use it for denial of service attacks - or potentially hold it for ransom.

What data is most likely to be held hostage?
Almost half of respondents to a survey of 500 businesses worldwide said their organization had suffered a ransomware attack in the last 12 months. They were an experienced bunch; those who suffered at least one ransomware attack had to defend against six attacks on average. Of those who had faced an attack, 42% said the type of data targeted was employee information, 41% said it was financial data, and 40% described it as customer information. How did the ransomware attacker get access in the first place? Phishing via email or social media was extremely common (81%). Clicking on a compromised website ensnared 50% and infection via a computer that was part of a botnet got 40%.

How much does ransom cost?
Some organizations are being targeted for high ransom amounts. Network World cites Federal Trade Commission Chair Edith Ramirez as providing the example of Hollywood Presbyterian Medical Center, which paid bitcoin valued at around $17,000 to the perpetrators of a ransomware attack. CSO Online reports that the original ransom demand was $3.6 million.

The FBI estimates that criminals reaped more than $1 billion from ransomware in 2016. Many victims don't report their losses, so the amount could be much higher. Ransomware-as-a-service (RaaS) is a new monetization model that gained steam in 2016. The authors of the ransomware are said to get a percentage of each paid ransom, thus creating incentive to provide frequent software updates, service and new features.

Unfortunately, the FBI reports that even if payment is made, the decryption key provided by the perpetrator to unlock the files may not work due to system configuration issues. Or the perpetrators may not provide the key after receiving the money and instead follow up with a second ransom demand.

Backups may not be enough
The FBI offers tips for dealing with a ransomware threat. A key point to ensuring business continuity in a world of ransomware is to back up data regularly and test the backups. Any backups, including cloud backups, need to be secured in a way that they are inaccessible to spreading ransomware virus. Many ransomware infections will encrypt any accessible data including external storage, USB drives and mapped and unmapped network drives.

Having a secure and validated data backup program is the easiest way to avoid having to pay ransom. Even then, it typically takes 33 employee hours to replace the stored data, according to survey respondents. Preparing in advance with a business continuity plan, disaster recovery plan, and the help of a company with cloud security and disaster recovery expertise can help you avoid the headache of ransomware and other security breaches - and help you to ensure faster mitigation and recovery if your organization is attacked.

Machine learning: taking a bigger step to stop ransomware
Seven in ten organizations hit by ransomware agreed that they needed a new solution to protect their organization from ransomware. Sixty-five percent agreed that traditional cybersecurity techniques cannot protect from the next generation of malware such as ransomware attacks. Advanced malware and ransomware is now getting past signature-based anti-virus software. Although Security Information and Event Management (SIEM) solutions stop many attacks, attackers know how SEIM solutions operate, so they can work around them.

Machine learning techniques available today in cloud computing solutions such as Microsoft Azure can provide protection against both known and potentially never-before-seen ransomware and other breaches that may make it past anti-virus and SEIM systems. Machine learning allows organizations to track the normal behavior of internal and external users and typical traffic patterns - and take action when behavior differs even subtly from what is expected. For example, if a user doesn't usually encrypt, copy or delete large numbers of files, it's a red flag if they attempt to do so. You can bring much more power to your ransomware deflection efforts when you have adaptive systems in the cloud.

Limiting the reach of a ransomware infection
It's best to assume your infrastructure will be breached by malware such as ransomware, and plan accordingly. If ransomware gets to your network, there are ways to limit its reach. For example, it is best to assume credentials will be compromised and assign roles based on the least privilege required to complete a task and no more. Multi-factor authentication can also prevent damage from a phished username/password pair, and machine learning can be applied to anticipate if a user access attempt is legitimate.

With security protocols and technologies smartly designed and implemented, even when a threat actor gets in it's possible to prevent or minimize damage. With proper segmentation, security zones isolate elements and prevent the lateral movement of attackers. In a best practices zero-profile implementation, cloud firewall policies will be architected to prevent all inbound and outbound connectivity on all ports by default. The security profile will then be modified to provide services with the minimum required connectivity.

Backups, replication and disaster recovery plans
Having a secure and validated data back-up program is the easiest way to avoid having to risk paying to decrypt files rendered unusable by crypto-ransomware. It's important that your backup and replication plan meets the unique needs of your organization to ensure business continuity. A disaster recovery failover plan can dramatically improve the effectiveness and speed of restoring your systems to full operation.

Whether your systems go down due to power loss, user error, natural disaster or ransomware, the result can be devastating. The best disaster recovery plans use both backup and replication. A backup is a copy of your data at a point in time. Backups provide good long-term storage but are limited to the snapshot of data stored at the time of the backup. Replication can meet much lower recovery time (RTO) and recovery point objectives (RPO). Replication runs a mirror image of your data operations and can take over at the moment of failure. Failover to a replicated site can keep a business running with little to no downtime. Regular failover testing is essential to ensure your systems will return to production levels in the timeframe and with the data quality desired after a ransomware attack.

Disaster Recovery as a Service (DRaaS) goes beyond traditional disaster recovery. DRaaS manages a variety of backup and replication systems - in the cloud, co-located and in your own data center - unifying all under common interface to reduce complexity and improve resilience when you need to restore or failover.

It's time to take action
Most tech executives agree that they lack the necessary skills internally to keep their systems and data secure. Organizations that put off mitigating a security risk such as ransomware to a later date often never deal with it at all. Consider whether your organization has the expertise and the current bandwidth to ensure you don't become a ransomware statistic.

A cloud engineering team can work closely with your organization to identify your key challenges and objectives and to map out a cost-effective plan that provides your company with a secure, compliant, robust and flexible IT architecture that grows with you and blocks ransomware and other attacks. Managed security services including machine-learning analytics can help keep your organization protected from ransomware and other cybersecurity threats.


Disaster Recovery as a Service Solutions Brief [http://www.tierpoint.com/wp-content/uploads/2016/11/SOLUTIONS-BRIEF-DRaaS1.pdf]

SentinelOne Ransomware Research Data Summary [https://go.sentinelone.com/rs/327-MNM-087/images/Data%20Summary%20-%20English.pdf]

FBI Ransomware Prevention and Response for CISOs [https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

More Stories By Paul Mazzucco

Paul Mazzucco is Chief Security Officer at TierPoint where he is responsible for all company standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards.

Paul completed his undergraduate work at Lehigh University, studying Human Behavior and Cyber Security. He is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE), and Certified Ethical Hacker (CEH) answering to the FBI, the United States Secret Service, Pennsylvania Electronic Crimes Task Force (PAECT) and the United States Computer Emergency Readiness Team (U.S. CERT).

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@CloudExpo Stories
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
"NetApp is known as a data management leader but we do a lot more than just data management on-prem with the data centers of our customers. We're also big in the hybrid cloud," explained Wes Talbert, Principal Architect at NetApp, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Since we launched LinuxONE we learned a lot from our customers. More than anything what they responded to were some very unique security capabilities that we have," explained Mark Figley, Director of LinuxONE Offerings at IBM, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO LLC announced today that "Miami Blockchain Event by FinTechEXPO" has announced that its Call for Papers is now open. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expe...
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
As you move to the cloud, your network should be efficient, secure, and easy to manage. An enterprise adopting a hybrid or public cloud needs systems and tools that provide: Agility: ability to deliver applications and services faster, even in complex hybrid environments Easier manageability: enable reliable connectivity with complete oversight as the data center network evolves Greater efficiency: eliminate wasted effort while reducing errors and optimize asset utilization Security: implemen...
@DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises - and delivering real results.
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
The dynamic nature of the cloud means that change is a constant when it comes to modern cloud-based infrastructure. Delivering modern applications to end users, therefore, is a constantly shifting challenge. Delivery automation helps IT Ops teams ensure that apps are providing an optimal end user experience over hybrid-cloud and multi-cloud environments, no matter what the current state of the infrastructure is. To employ a delivery automation strategy that reflects your business rules, making r...
"We started a Master of Science in business analytics - that's the hot topic. We serve the business community around San Francisco so we educate the working professionals and this is where they all want to be," explained Judy Lee, Associate Professor and Department Chair at Golden Gate University, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...