Organizations can live and die by their access to their sensitive data. Data is “the new oil” and many organizations routinely collect data about their customers in order to better tailor their products and services to potential clients.
In recent years, ransomware has become a significant threat to an organization’s ability to access their data. Instead of stealing the sensitive data and selling it on the black market, this type of malware allows hackers to deny an individual access to their own data and demand a ransom in exchange for the secret key necessary to decrypt the data and restore access.
In many cases, the value of the data outweighs the cost of the ransom and organizations will elect to pay the ransom rather than lose the data. However, this can still be a significant cost to the organization, and taking the appropriate steps to protect against ransomware attacks can be a more cost-effective and proactive solution. While implementing a robust data backup system is always a good idea, a good data leakage prevention (DLP) system can be worth every penny when dealing with ransomware. By monitoring the actions taken by programs on a system and looking for signs of the actions performed by ransomware, a DLP system can detect and shut down ransomware before it does significant damage.
The Threat of Ransomware
Ransomware achieved global recognition with the WannaCry ransomware outbreak of 2017. The WanaCry malware was a ransomware worm designed to use an exploit called EternalBlue to spread itself from computer to computer. EternalBlue was developed by the National Security Agency (NSA), leaked by a group called the Shadow Brokers, and exploited a vulnerability that was unpatched by many individuals and organizations at the time of the WannaCry attack. As a result, WannaCry had a global impact and cost millions of dollars in damages.
After WannaCry, there are some ransomware variants designed to have a widespread impact, but some ransomware developers have changed tactics to more targeted attacks. Instead of trying to extract small ransoms from many targets, they choose victims that are able and likely to pay larger ransoms.
As a result, many cities have been infected by targeted ransomware attacks. In Florida alone, three attacks have netted ransomware hackers upwards of a million dollars in paid ransoms. The success of these attacks, and the vulnerability of the municipalities targeted, means that this pattern of attack is likely to continue.
In June 2018, cybersecurity source Cybersecurity Ventures prepared an estimate of the expected cost of ransomware in 2018. At that point, the expected cost of ransomware to its victims was in excess of $8 billion. This cost includes paid ransoms, the cost of lost productivity and data, and any other actions that are necessary to recover from the attack. As hackers continue to deploy ransomware against organizations, the cost of these attacks will likely continue to rise.
How Ransomware Works
Ransomware attacks take advantage of modern encryption algorithms to deny individuals or organizations access to their data. Encryption algorithms are designed to protect data from access against unauthorized parties. Anyone with access to the decryption key can access the data, but anyone without the key is incapable of doing so.
With ransomware, the hackers are the “authorized” parties controlling access to the victim’s data through the use of encryption technology. Ransomware is a type of malware that is installed on a machine and then systematically opens files on the device’s memory, encrypts them, and deletes the decrypted version of the file from memory. In the end, the malware informs the victim of what has occurred and offers to provide them with the key necessary for decryption of the files in exchange for a ransom payment.
For the hacker, the primary challenge with ransomware is managing to install and execute the malware on the victim’s machine. If the malware can slip past the antivirus and any other defenses that the victim has in place, the computer provides the functionality necessary to perform the encryption. Different ransomware variants may have additional functionality like the ability to spread itself from device to device (like the WannaCry ransomware worm) or the ability to search for and encrypt removable media (USBs, etc.) or shared network drives.
Fighting Ransomware with DLP
Ransomware attacks can have a significant impact on any business. The loss of valuable data can destroy an enterprise’s ability to operate competitively, forcing it to pay the ransom in order to regain access to this data.
The high potential cost of a ransomware attack underscores the importance of deploying the appropriate cybersecurity protections to prevent this type of attack. With ransomware, having a strong automatic backup solution is helpful since it minimizes the amount of data that is lost due to an attack.
However, some data is lost, and the time spent recovering data from backups can still pose a significant cost to the organization. A better solution is to supplement a strong backup solution with the ability to detect and block ransomware from encrypting files on an infected system.
This is where a strong DLP solution can be an asset for an organization. A good DLP solution can identify the file access patterns used by ransomware (reading, encrypting, and writing files) and shut down the attack before it can encrypt all of the files on a machine. This minimizes the impact on the organization and the cost of the attack to the organization.