
How to Survive Ransomware: Play it Small

Monday, 27 Feb 2017

IA

Crypto-ransomware is on the rise. What should you do if your organisation gets hit?

"Your best bet is to look small, and poor."
This is the advice of Ed Skoudis, Faculty Fellow and Penetration Testing Curriculum Lead at SANS Institute, should your organisation become the victim of a crypto-ransomware attack.
If you call to say you're a Fortune 500 company and ask to please decrypt your files, expect to be paying through the nose, he said, speaking on the panel "The Seven Deadly Attacks" at the cybersecurity event RSA Conference 2017.
Cybercriminals, Skoudis explained, are savvy enough to know some money is better than no money, so you should look like a small individual who will have trouble scraping together a couple of bitcoins to pay the ransom.
Ultimately, though, the decision to pay or not is a business one: be prepared to separate your principles from business reality if the cost of paying the ransom is cheaper than the operational loss you're suffering.
Skoudis also advised including a ransomware attack in your cybersecurity preparations, especially "deciding who gets to decide" well in advance. If your company is hit by an attack, who will be responsible for the decision to pay or not to pay the ransom?
Crypto-ransomware, also known as cryptoware, is growing rapidly, Skoudis observed, because cybercriminals don't need a command and control system for it (as with botnets, for example), data doesn't have to be exfiltrated (as with data theft through malware), and the victims contact you to give you money. From a cybercriminal perspective, it's a no-brainer.
The prevalence of IoT devices and their vulnerability was also a focus, especially the potential for cryptoware to spread through IoT devices – instead of holding just files hostage, very soon we could be seeing the infrastructure of a business held hostage too.
"What would you pay to turn your lights back on? What would you pay to turn your heat back on?" Skoudis asked.
Combine this with IIoT (Industrial Internet of Things) and industrial control systems – "what could possibly go wrong?" Skoudis observed dryly – and the question becomes: 'What would you pay to turn your factory back on?'
The problem, of course, is exacerbated by the notoriously poor security features on the majority of IoT devices today. Changing default passwords, disabling telnet and HTTP, and shutting off remote access if it's not absolutely essential are all common-sense safeguards for IoT in your business. But also raised was the importance of extending penetration testing to your IoT devices, and not just workstations and servers.
Further, if an IoT device is recalled, make sure you return it: aside from the security implications, Skoudis noted the market pressure this would put on IoT vendors, which in turn would encourage better security design from the outset for future devices.
When asked where ransomware threats are heading, Skoudis, along with panellists Michael Assante, Director of Industrials and Infrastructure and Lead for the ICS Curriculum at SANS Institute, and Johannes Ullrich, Dean of Research, SANS Technology Institute, singled out small to mid-sized banks because "that's where the money is", but also realtors because they deal with a lot of money and "don't necessarily have IT infrastructure support".
