THE BLOG

The Only Way To Shut Out Ransomware Like WannaCry And Its Nasty Imitators

31/05/2017 16:01

WannaCry is unlikely to be the last mockingly-named piece of ransomware that we all get to know about in a short time.

It almost crippled the NHS and successfully penetrated the cyber defences of 220,000 computers in 150 countries around the world. For many organisations, it seemed to come out of nowhere, notwithstanding that people like me have been warning about organisational vulnerability to ransomware for what seems like a long time.

Even organisations in Russia and China found themselves its victims - countries that are that are often considered to be at the cutting edge of cyber security and cyber warfare. Now the finger of suspicion is being pointed at the North Koreans, who it is suggested, see ransomware as a viable source of foreign exchange.

No matter who is responsible, what might reduce WannaCry's victims to tears is the knowledge that none of this would have happened had their organisations had effective email security in place. The hackers who perpetrated this massive cyber-attack will almost certainly have used a simple email attachment to gain admission to their victims' respective systems.

Weaponised email attachments

We know that more than 90 per cent of successful malware attacks are delivered through email attachments of common file types such as Word documents, Excel spreadsheets, PowerPoint files and PDFs. The criminals hide malicious code either in the content or the structure of these files and attach them to convincing-looking emails that lure employees into the one or two clicks required to trigger the attack.

Relying on employees for protection is futile. Research has repeatedly shown how staff are ready to click open attachments that appear to be from people or companies they are familiar with. And given the sophistication of these socially-engineered messages, it is hard to blame them.

Criminals can vacuum up social media details about employees and their interests and they can combine that information with authorship details and other metadata left on website documents or outbound files. All this data is put together to create an email that appears to be from a trusted contact or colleague, addressing a subject of immediate relevance, quite possibly using a subject line already circulating.

The inevitable result is that the email attachment is opened, triggering either an immediate attack or a zero-day malware download. The malware, which will be newly-created and unrecognisable to anti-virus software, heads for an organisation's IT system before locking up data and demanding a ransom at a date set by the criminals.

One of the great lessons of WannaCry is that anti-virus defences are no longer any use against these attacks. Anti-virus solutions only detect code already known to be a threat - not the new threats and zero-day attacks being devised by phenomenally well-resourced, and probably state-sponsored, hacking groups every day.

Look at the evidence

It is only necessary to consider the analysis by threat intelligence experts Virus Bulletin to be convinced. It shows that between 2015 and 2016, detection of previously unknown threats by many of the big names in anti-virus technology decreased from a midpoint of around 80 per cent to between 67-to-70 per cent. Even detection of known threats fell from between 90 and 95 per cent to about 90 per cent. Remarkably, Virus Bulletin even revealed that some vendors achieved better testing results with their free products than they did with their premium.

The analysis was no more reassuring about the email security offered by big-name vendors. What appear to be high scores in eradicating spam still leave organisations wide open to zero-day threats. These vendors simply do not know what they are looking for.

Reliance on sandboxing technology is not effective either. Many pieces of ransomware are now engineered so they can recognise when they are being tested in a sandbox environment, where in theory they can be exposed without doing any damage. Having identified where it is, the malware simply deactivates itself and waits to be passed as clean.

New defences

The battle against ransomware calls for a more radical approach in which we ditch our total belief in conventional anti-virus defences. The only effective solution is to use more innovative technology that no longer relies on the detection of known characteristics, or "signatures". File-regeneration technology, for example, is capable of validating common file-types, measuring them against the manufacturers' standards in fractions of a second.

A clean, compliant version is generated that is 100 per cent secure. What is and is not allowed in can be set by the company according to who needs to use it. It means malicious elements are kept outside the front door and it takes the heat off employees who no longer have to agonise about what they should be opening.

If they have no means of gaining access, the hackers' clever pieces of code are simply left to wither outside. It makes the age of your operating system and the installation or availability of patches hardly relevant.

Most importantly, it eliminates by far the most common area of vulnerability for any business or major organisation - the malicious threats in email attachments, no matter where they come from or how new they are.

Comments

CONVERSATIONS