THE BLOG

Are All Ransom Attacks Considered Ransomware?

07/09/2017 11:59

Ransomware has loomed large in the news of late. The untraceability of Bitcoin payments, coupled with new blackhat tools available to anyone at little (if any) cost, means extortion attempts will continue to grab headlines worldwide.

But is ransomware the only form of cybercrime extortion? People commonly refer to any form of online extortion as ransomware, but it may have nothing to do with ransomware in the strictest sense of the word. Specifically, ransomware is a form of malware that encrypts files and decrypts them once a ransom is paid. But illicit demands for payment--by definition, a ransom--can be associated with other types of digital extortion requests.

This matters when it comes to mitigating extortionary attacks; just because a solution may detect ransomware, doesn't mean it protects against other extortionary attacks. And we expect extortionary attacks to increase. To a certain extent, the darkweb is saturated with PII for sale. This drives down cybercriminal profits. It is likely many cybercriminals add extortionary attacks as they attempt to optimise their profits.

Traditional Ransomware

Ransomware attacks take advantage of human, system, network, and/or software vulnerabilities to infect a victim's device--which can be a computer, printer, smartphone, wearable, point-of-sale (POS) terminal, or other endpoint. Ransomware can target either endpoints or file servers. It doesn't need to be "local" to infect; ransomware that infects an endpoint can encrypt a remote file share without having to run locally on that remote file share.

There are several kinds of ransomware distribution techniques, but the most common is email. An attacker sends an email--ostensibly from a trusted source. When the victim clicks the attached link, visits a web page, or installs a file, application, or a program that includes the malicious code, the ransomware is covertly downloaded and installed.

Phishing attempts have become increasingly more sophisticated. Messages usually appear to come from a large, well-known company or website, such as Google. In the case of spear phishing, however, the apparent source of the email is likely to be an individual within the recipient's own company--generally someone in a position of authority--or from someone the target knows personally."

Data Theft and Extortion

Dubbed extortionware (a.k.a., doxware), another common threat involves the theft of personal or sensitive data coupled with a threat to openly release it--perhaps to the internet at large--unless a ransom is paid. Author and enterprise threats expert Nick Lewis describes extortionware as "...when a cybercriminal threatens a person or organisation with some sort of harm by exposing personal or sensitive information. For example, a criminal could compromise a database with sensitive data and then tell the enterprise [they] will post the sensitive data on the internet if [their] demands aren't met."

Another type of ransom-related attack is akin to the threat above, but in this case the enterprise doesn't retain access to its data. A recent widely known example of this is when an entity calling itself The Dark Overlord, earlier connected to a health care breach, claimed to have stolen several new episodes of Netflix's popular Orange Is the New Black show and demanded an unspecified ransom in exchange for their return.

Like a similar theft involving the BBC, Netflix confirmed that one of its production vendors--also used by other studios--had been breached. The Guardian suggested that, "Pirated copies of the show could dent Netflix's subscriber growth and the company's stock price."

What You Can Do

For any of these threats, it's back to basics: protect your systems and data. The ransomware trend is expected to continue as incentives increase and it becomes easier for cybercriminals to execute shakedowns armed with new ransomware-as-a-service (RaaS) tools, BYOD user vulnerabilities, improved encryption methods and untraceable Bitcoin payoffs.

Good defence begins with running regular backups and always using accounts having the fewest permissions. The ability to dynamically assign and, more importantly, retract user permissions through machine learning and granular data inspection is a solid best practice.

Ideally, you want to immediately detect ransomware behaviours and quarantine impacted users before ransomware can spread to network file servers. One approach is deception-based ransomware detection, which consists of using strategically planted, hidden (decoy) files to identify ransomware at the earliest stage of the attack. The decoy files are planted at carefully planned file system locations in order to identify ransomware encryption behaviours before they can touch legitimate files. Having monitoring and blocking measures in place--in addition to admin alerts and granular activity logging--would also help minimise the disruption to your core business processes were a ransomware attack to occur.

When it comes to preventing DDoS attacks, organisations can also invest in always-on DDoS protection that automatically detects and mitigates attacks targeting websites and web applications, as well as protects against DDoS attacks that directly target your network infrastructure.

Along with these measures, other basic defences such as business continuity and disaster recovery planning should be part of any comprehensive information security program.

Comments

CONVERSATIONS