Welcome!

Machine Learning Authors: Yeshim Deniz, Pat Romanski, Elizabeth White, AppNeta Blog, Automic Blog

Related Topics: @CloudExpo, Machine Learning , Cloud Security

@CloudExpo: Blog Post

What Is Ransomware and How Cloud Security Mitigates It | @CloudExpo #Cloud #Security #MachineLearning

There was a 300 percent increase in ransomware attacks last year, according to the FBI

What Is Ransomware and How Cloud Security Mitigates It

Ransomware attacks escalated dramatically in 2016. In fact, there was a 300 percent increase in ransomware attacks last year, according to the FBI, to an average of 4,000 attacks a day, up from 1,000 ransomware attacks a day in 2015. What's more, organizations are targeted more frequently than individuals because they generate a much bigger potential payoff. Ransomware has become a profitable criminal enterprise that continues to change and grow.

Managed Service Providers often assist clients with data restoration to avoid the downtime that can be caused by a ransomware attack. They also work with clients to improve their security posture overall so they can avoid ransomware damage. Here's what your organization needs to know about ransomware and how cloud computing can help protect your organization.

What is ransomware?
There may be more than a hundred families of ransomware. Basically, three traits are common among the many variants of ransomware viruses:

  1. They infect your computer, such as through a spear-phishing email (targeted at a specific employee) or a visit to a legitimate website infected with malicious code.
  2. They encrypt your files and demand payment (usually in bitcoin) to receive a decryption key.
  3. The decryption key is usually successful; however, it can depend on the honesty and follow-through of the cybercriminal.

Not all ransomware is created equally. There are two main types: lock screen and encryption ransomware. Encryption got all the press in 2016. While you may be able to find a workaround to lock screen ransomware, that's not the case with file-encrypting crypto ransomware. By the time you realize your files are encrypted and unreadable, or you find or receive a ransom note, the damage has been done - and it is irreversible without the private decryption key held by the attacker.

How files get infected with ransomware
Attackers are changing their tactics. While spam emails used to be a popular way to spread malware such as ransomware, spam filters have taken the wind out of that approach. Now it is often spear-phishing, which targets an individual directly. In fact, 93% of all phishing emails contain some sort of ransomware encryption, according to a report by PhishMe, an anti-phishing vendor. And the FBI says recent iterations target enterprise end users.

That's not all. Other sources of ransomware include social media, malicious advertising (even on trusted websites) and bold cold calls via phone where an attacker poses as a software vendor or IT provider and directly requests remote access to the user's computer to resolve a purported problem - but instead installs ransomware.

How you know if you have been hit by ransomware
You likely won't know you've been hit right away, but within seconds the ransomware virus will silently start encrypting your files - and files accessible via your network. The files are generally encrypted with a public encryption key in such a way that you cannot decrypt the files without the second key of the pair. You probably won't get a ransom note until hours or days later when the encryption is complete.

In the meantime, you may discover files that appear to be corrupted. Encrypted files cannot be read by any application, and the first sign of damage may be error messages on your computer when opening files - asking which application should be used.

When Internet of Things devices are hit by ransomware
Even smartphone apps and Internet of Things (IoT) devices can be infected with ransomware. How would you know if your smart thermostat was infected? Two hackers demonstrated a proof-of-concept of thermostat lock-screen ransomware at the Def Con conference in Las Vegas last year. Imagine cybercriminals cranking up the building's heat in the summer or turning it off when it's freezing outside - and then locking the device until the ransom is paid with a bitcoin. Like a small computer, their off-the-shelf smart thermostat ran a version of Linux and had a user input screen and an SD card. The device was especially vulnerable because the firmware was readable and the code ran from the root.

The introduction of Mirai - a malware and botnet combination - has introduced even more complexity into the ransomware arena. This virus can compromise a wide range of Internet of Things (IoT) devices, including DVRs, security cameras, and network gateways. As with much of the more recent distributed denial of service (DDoS) botnet malware, once a device is infected with Mirai, an attacker gains full control of the device and can use it for denial of service attacks - or potentially hold it for ransom.

What data is most likely to be held hostage?
Almost half of respondents to a survey of 500 businesses worldwide said their organization had suffered a ransomware attack in the last 12 months. They were an experienced bunch; those who suffered at least one ransomware attack had to defend against six attacks on average. Of those who had faced an attack, 42% said the type of data targeted was employee information, 41% said it was financial data, and 40% described it as customer information. How did the ransomware attacker get access in the first place? Phishing via email or social media was extremely common (81%). Clicking on a compromised website ensnared 50% and infection via a computer that was part of a botnet got 40%.

How much does ransom cost?
Some organizations are being targeted for high ransom amounts. Network World cites Federal Trade Commission Chair Edith Ramirez as providing the example of Hollywood Presbyterian Medical Center, which paid bitcoin valued at around $17,000 to the perpetrators of a ransomware attack. CSO Online reports that the original ransom demand was $3.6 million.

The FBI estimates that criminals reaped more than $1 billion from ransomware in 2016. Many victims don't report their losses, so the amount could be much higher. Ransomware-as-a-service (RaaS) is a new monetization model that gained steam in 2016. The authors of the ransomware are said to get a percentage of each paid ransom, thus creating incentive to provide frequent software updates, service and new features.

Unfortunately, the FBI reports that even if payment is made, the decryption key provided by the perpetrator to unlock the files may not work due to system configuration issues. Or the perpetrators may not provide the key after receiving the money and instead follow up with a second ransom demand.

Backups may not be enough
The FBI offers tips for dealing with a ransomware threat. A key point to ensuring business continuity in a world of ransomware is to back up data regularly and test the backups. Any backups, including cloud backups, need to be secured in a way that they are inaccessible to spreading ransomware virus. Many ransomware infections will encrypt any accessible data including external storage, USB drives and mapped and unmapped network drives.

Having a secure and validated data backup program is the easiest way to avoid having to pay ransom. Even then, it typically takes 33 employee hours to replace the stored data, according to survey respondents. Preparing in advance with a business continuity plan, disaster recovery plan, and the help of a company with cloud security and disaster recovery expertise can help you avoid the headache of ransomware and other security breaches - and help you to ensure faster mitigation and recovery if your organization is attacked.

Machine learning: taking a bigger step to stop ransomware
Seven in ten organizations hit by ransomware agreed that they needed a new solution to protect their organization from ransomware. Sixty-five percent agreed that traditional cybersecurity techniques cannot protect from the next generation of malware such as ransomware attacks. Advanced malware and ransomware is now getting past signature-based anti-virus software. Although Security Information and Event Management (SIEM) solutions stop many attacks, attackers know how SEIM solutions operate, so they can work around them.

Machine learning techniques available today in cloud computing solutions such as Microsoft Azure can provide protection against both known and potentially never-before-seen ransomware and other breaches that may make it past anti-virus and SEIM systems. Machine learning allows organizations to track the normal behavior of internal and external users and typical traffic patterns - and take action when behavior differs even subtly from what is expected. For example, if a user doesn't usually encrypt, copy or delete large numbers of files, it's a red flag if they attempt to do so. You can bring much more power to your ransomware deflection efforts when you have adaptive systems in the cloud.

Limiting the reach of a ransomware infection
It's best to assume your infrastructure will be breached by malware such as ransomware, and plan accordingly. If ransomware gets to your network, there are ways to limit its reach. For example, it is best to assume credentials will be compromised and assign roles based on the least privilege required to complete a task and no more. Multi-factor authentication can also prevent damage from a phished username/password pair, and machine learning can be applied to anticipate if a user access attempt is legitimate.

With security protocols and technologies smartly designed and implemented, even when a threat actor gets in it's possible to prevent or minimize damage. With proper segmentation, security zones isolate elements and prevent the lateral movement of attackers. In a best practices zero-profile implementation, cloud firewall policies will be architected to prevent all inbound and outbound connectivity on all ports by default. The security profile will then be modified to provide services with the minimum required connectivity.

Backups, replication and disaster recovery plans
Having a secure and validated data back-up program is the easiest way to avoid having to risk paying to decrypt files rendered unusable by crypto-ransomware. It's important that your backup and replication plan meets the unique needs of your organization to ensure business continuity. A disaster recovery failover plan can dramatically improve the effectiveness and speed of restoring your systems to full operation.

Whether your systems go down due to power loss, user error, natural disaster or ransomware, the result can be devastating. The best disaster recovery plans use both backup and replication. A backup is a copy of your data at a point in time. Backups provide good long-term storage but are limited to the snapshot of data stored at the time of the backup. Replication can meet much lower recovery time (RTO) and recovery point objectives (RPO). Replication runs a mirror image of your data operations and can take over at the moment of failure. Failover to a replicated site can keep a business running with little to no downtime. Regular failover testing is essential to ensure your systems will return to production levels in the timeframe and with the data quality desired after a ransomware attack.

Disaster Recovery as a Service (DRaaS) goes beyond traditional disaster recovery. DRaaS manages a variety of backup and replication systems - in the cloud, co-located and in your own data center - unifying all under common interface to reduce complexity and improve resilience when you need to restore or failover.

It's time to take action
Most tech executives agree that they lack the necessary skills internally to keep their systems and data secure. Organizations that put off mitigating a security risk such as ransomware to a later date often never deal with it at all. Consider whether your organization has the expertise and the current bandwidth to ensure you don't become a ransomware statistic.

A cloud engineering team can work closely with your organization to identify your key challenges and objectives and to map out a cost-effective plan that provides your company with a secure, compliant, robust and flexible IT architecture that grows with you and blocks ransomware and other attacks. Managed security services including machine-learning analytics can help keep your organization protected from ransomware and other cybersecurity threats.

Resources

Disaster Recovery as a Service Solutions Brief [http://www.tierpoint.com/wp-content/uploads/2016/11/SOLUTIONS-BRIEF-DRaaS1.pdf]

SentinelOne Ransomware Research Data Summary [https://go.sentinelone.com/rs/327-MNM-087/images/Data%20Summary%20-%20English.pdf]

FBI Ransomware Prevention and Response for CISOs [https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view

More Stories By Paul Mazzucco

Paul Mazzucco is Chief Security Officer at TierPoint where he is responsible for all company standards regarding physical, information and network security. He leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI DSS, FISMA and the FedRAMP/NIST Cloud Security standards.

Paul completed his undergraduate work at Lehigh University, studying Human Behavior and Cyber Security. He is a Certified Information Systems Security Professional (CISSP), Microsoft Certified Systems Engineer (MCSE), and Certified Ethical Hacker (CEH) answering to the FBI, the United States Secret Service, Pennsylvania Electronic Crimes Task Force (PAECT) and the United States Computer Emergency Readiness Team (U.S. CERT).

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
"delaPlex is a software development company. We do team-based outsourcing development," explained Mark Rivers, COO and Co-founder of delaPlex Software, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that Technologic Systems Inc., an embedded systems solutions company, will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Technologic Systems is an embedded systems company with headquarters in Fountain Hills, Arizona. They have been in business for 32 years, helping more than 8,000 OEM customers and building over a hundred COTS products that have never been discontinued. Technologic Systems’ pr...
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that Auditwerx will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Auditwerx specializes in SOC 1, SOC 2, and SOC 3 attestation services throughout the U.S. and Canada. As a division of Carr, Riggs & Ingram (CRI), one of the top 20 largest CPA firms nationally, you can expect the resources, skills, and experience of a much larger firm combined with the accessibility and atten...
What if you could build a web application that could support true web-scale traffic without having to ever provision or manage a single server? Sounds magical, and it is! In his session at 20th Cloud Expo, Chris Munns, Senior Developer Advocate for Serverless Applications at Amazon Web Services, will show how to build a serverless website that scales automatically using services like AWS Lambda, Amazon API Gateway, and Amazon S3. We will review several frameworks that can help you build serverle...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
SYS-CON Events announced today that Cloud Academy will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud computing technologies. Ge...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
MongoDB Atlas leverages VPC peering for AWS, a service that allows multiple VPC networks to interact. This includes VPCs that belong to other AWS account holders. By performing cross account VPC peering, users ensure networks that host and communicate their data are secure. In his session at 20th Cloud Expo, Jay Gordon, a Developer Advocate at MongoDB, will explain how to properly architect your VPC using existing AWS tools and then peer with your MongoDB Atlas cluster. He'll discuss the secur...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buyers...
Imagine having the ability to leverage all of your current technology and to be able to compose it into one resource pool. Now imagine, as your business grows, not having to deploy a complete new appliance to scale your infrastructure. Also imagine a true multi-cloud capability that allows live migration without any modification between cloud environments regardless of whether that cloud is your private cloud or your public AWS, Azure or Google instance. Now think of a world that is not locked i...
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, will present a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to m...
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
SYS-CON Events announced today that SD Times | BZ Media has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. BZ Media LLC is a high-tech media company that produces technical conferences and expositions, and publishes a magazine, newsletters and websites in the software development, SharePoint, mobile development and commercial UAV markets.
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...