Ransomware — a type of cyberattack in which malicious code locks up computer files and cybercriminals demand a ransom to release them — has emerged in the past year as the most problematic cyberthreat facing most companies.
In 2017, two things are expected to happen. The number of ransomware attacks will increase and evildoers will deploy diversified methods to spread their malware.
Ransomware + SaaS
Many businesses, particularly smaller ones, rely on Software-as-a-Service (SaaS)-based applications to run their operations — and this number is growing.
SaaS is attractive because larger SaaS providers tend to have a much more sophisticated information security apparatus, and also handle new software installations, maintenance, upgrades and patches.
But ransomware is proving to be a different animal.
Companies benefit from using a cloud file solution such as Google Drive because this creates a second copy of local data and stores it easily in the cloud. So the data is backed up, right?
If you’re infected with ransomware, the files on a local hard drive will be held at ransom (by encryption) and any backup copies in Google Drive will be overwritten when the computer is synced. This means the “backup” data is now essentially also being held for ransom.
What SaaS Users Can Do
In light of the ransomware threat, how can SaaS users protect and secure their data?
Having one’s own backup and recovery plan is the first and most fundamental line of defense against ransomware. Once files are encrypted, there’s not much an organization can do — besides cut its losses or pay up.
Even when organizations do pay up, there’s a chance they won’t get their files back, meaning they may be out their files and their cash. A solid data backup strategy is the most important, ultimate weapon in the war on ransomware.
One effective technique is cloud-to-cloud backup, which enables data stored in one cloud to be backed up to another cloud. This type of “multi-cloud” strategy, advocated by many industry experts, provides an invaluable layer of protection.
Given the increasing velocity and volume of ransomware attacks, effectively making ransomware the “new normal,” we can expect significant advances in this space. For instance, backup tools will not just back up data, but actually identify ransomware attacks and the impacted files, and expedite data recovery, helping minimize business disruption and downtime.
Training Combined With Technical Controls
There are multiple ways ransomware can be spread, some of which are more prevalent than others.
Malicious spam email remains the most common method of ransomware dissemination. Employee training programs can help workers become more adept at identifying and avoiding phishing emails.
However, hackers are working around this by deploying more creative social engineering tactics, as the recent GoldenEye ransomware demonstrated (targeting HR managers specifically, knowing they are more accustomed to opening emails and attachments from strangers).
Other common infection vehicles include exploit kits (which exploit vulnerabilities in software to install malware); malvertising (malicious ads running on ad networks to trusted websites); self-propagation (worm-like behavior by spreading to all contacts on a device’s address book using SMS messages) and third-party apps.
Due to the sheer size of this threat range, organizations need to focus their training on where it can yield the biggest positive impact, and third-party apps are one of these areas.
Many employees download third-party apps to supplement existing SaaS functionality, and while their intentions are good (trying to be more productive), a growing number of these apps (which connect directly to SaaS-based data and systems) have been identified as extremely risky and conducive to spreading ransomware.
Employees may not like to be told they cannot download third-party apps without IT’s knowledge and permission (a trend known as “shadow IT”), but employees must understand the clear danger that ransomware can pose to the organization’s very survival.
In addition to training, organizations should consider implementing technical controls to better support employees as they move quickly through their day-to-day jobs. For example, incoming emails can be scanned for suspicious attachments, including examining all compressed attachments. Any email with an attachment containing a script or a .scr file can be automatically quarantined. Third-party apps should also be scanned and automatically disallowed if they are discovered to be risky.
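The attachment check described above, sketched as an added example (not code from the original article). The extension blocklist, the size and depth limits, and the function names are assumptions, and only zip archives are unpacked; the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: .scr plus common script extensions; tune per environment.
BLOCKED_EXT = (".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
MAX_DEPTH, MAX_MEMBER_BYTES = 3, 20 * 1024 * 1024  # assumed limits against archive bombs

def scan_blob(name, data, depth=0):
    """Return quarantine reasons for one attachment, recursing into zip archives."""
    base = name.rsplit("/", 1)[-1].lower().rstrip(". ")  # last extension wins (x.pdf.scr)
    reasons = [f"blocked extension: {name}"] if base.endswith(BLOCKED_EXT) else []
    if data[:4] != b"PK\x03\x04":  # detect zips by magic bytes, not by file name
        return reasons
    if depth >= MAX_DEPTH:
        return reasons + [f"archive nested too deeply: {name}"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:  # encrypted member cannot be inspected
                    reasons.append(f"encrypted archive member: {inner}")
                elif info.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"oversized archive member: {inner}")
                else:
                    reasons += scan_blob(inner, zf.read(info), depth + 1)
    except (zipfile.BadZipFile, NotImplementedError):
        reasons.append(f"unreadable archive: {name}")  # fail closed
    return reasons

def quarantine_reasons(raw_message):
    """Parse a raw e-mail and list the reasons it should be quarantined (empty = deliver)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons += scan_blob(part.get_filename() or "unnamed", payload)
    return reasons

def build_sample(inner_name):
    """Constructed test input: a message with a zip attachment holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed sample bytes")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="resume.zip")
    return msg.as_bytes()
```

Encrypted or unreadable archives are reported rather than passed, since a scanner that cannot see inside an attachment has not cleared it.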
Ransomware attacks are constantly evolving, and while it’s impossible to predict what the next attack vector will be, SaaS users should constantly monitor the latest ransomware news and discoveries and evolve their anti-ransomware standards accordingly.
There are numerous excellent sources for up-to-date ransomware information, including news media, cyber security vendor blogs and even the FBI’s flash alerts.
One example this last spring was PowerWare, a form of ransomware that was cloaked within PowerShell, the scripting language inherent to Microsoft operating systems. The PowerWare attack was an example of a larger, more worrisome trend — attackers adopting increasingly sophisticated methods to remain undetected.
In response, many organizations have adopted the best practices of disabling Microsoft Office macros by default and selectively enabling them only for those who need them, as well as disabling or removing PowerShell on all non-administrative workstations.
Customers and partners frequently access collaboration apps, which creates a major challenge for SaaS users. It can lead to a “fan out” effect — meaning that when a customer or partner is hit by ransomware, it has the potential to impact a much broader range of parties and take down a whole operation.
It therefore becomes imperative to encourage strong cyber security hygiene across all system users, including training, technical controls and strong awareness of, and rapid response to, the latest ransomware attacks and methods.
Of course, having backup is the ultimate protection against ransomware attacks (and organizations should always maintain their own backup). But improved ransomware detection and protection on the part of customers and partners can help ensure backups are a final resort, helping minimize ransomware-related disruptions.
Reduce the Threats
In 2017, all businesses will be vulnerable as attack targets, whether they are Fortune 500 companies or smaller businesses depending almost entirely (or in part) on SaaS-based applications.
While SaaS providers deliver exceptional cyber security protections overall, SaaS users are largely on their own when it comes to addressing and preparing for ransomware.
Eliminating the threat of ransomware entirely may be unrealistic, but the good news is there are sure ways for all organizations, particularly SaaS users, to reduce the likelihood of attacks, protect their data and ensure business survival if an attack does take place.