Ransomware gangs operate like professional companies, complete with a business model, affiliate outsourcing, documented Standard Operating Procedures, anonymous/untraceable crypto-payment gateways, etc. …but without any Corporate Tax liability. Ransomware-as-a-Service (RaaS) is literally a several-billion-dollar industry, and enterprises must always bear this fact in mind because it clearly explains why ransomware gangs and their affiliates will leave no stone unturned to force a payday. Even a slight crack in one’s defences can be discovered and lead to a compromise with serious consequences.
Passive activities, such as maintenance of a good backup policy to help recover one’s data, are indeed important in general, but these do not deal with the ever-present ransomware threat. In the case of ransomware, especially, prevention is far better than cure, precisely because in most situations a satisfactory cure is not even possible.
Now, in order to prevent the initial compromise phase effectively, or at least to make it as difficult as possible, it is vital for enterprises to understand clearly how most breaches happen so that any holes can be plugged. According to our incident analyses at K7 Labs, insecure RDP is the most common culprit as far as ransomware-related breaches are concerned: RDP configured on the default port (3389), with guessable or weak passwords which can be brute-forced or dictionary-attacked, and with no two-factor authentication or VPN in front of it. We have also encountered unpatched, hence vulnerable, internet-facing systems, poorly configured firewalls, and enterprise security product alerts that were repeatedly ignored even though they indicated the presence of malware before it was deployed and caused damage! Good security entails good, persistent cyber hygiene, but it seems in many cases that convenience, ignorance and complacency are preferred to diligence, robustness and action. Herein lies the greatest challenge: instilling a strong conviction amongst enterprises, regardless of size, that comprehensive, holistic, pervasive cybersecurity is indeed worth the investment of time, effort and money, in particular given the lack of stronger cyber legislation to enforce best practices.
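As a defender-side illustration of the RDP password-guessing pattern described above, this added example (not K7 Labs code) flags sources that produce a burst of failed remote logons and records when a successful logon follows the burst. The comma-separated log layout, sample events, threshold and window are constructed assumptions; the event IDs and logon types are the standard Windows Security ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): time, Windows Security event ID,
# logon type, source IP, account. 4625 = failed logon, 4624 = successful logon.
# Logon type 10 is RemoteInteractive (RDP); failed RDP attempts are typically
# logged as type 3 when Network Level Authentication is enabled.
SAMPLE_EVENTS = """\
2024-01-10T02:00:01,4625,3,203.0.113.7,administrator
2024-01-10T02:00:09,4625,3,203.0.113.7,administrator
2024-01-10T02:00:15,4625,3,203.0.113.7,admin
2024-01-10T02:00:22,4625,3,203.0.113.7,admin
2024-01-10T02:00:31,4625,3,203.0.113.7,admin
2024-01-10T02:00:40,4625,3,203.0.113.7,admin
2024-01-10T02:01:30,4624,10,203.0.113.7,admin
2024-01-10T09:00:00,4625,10,198.51.100.20,jsmith
2024-01-10T09:00:20,4624,10,198.51.100.20,jsmith
2024-01-10T10:00:00,4625,2,192.0.2.50,operator
"""

RDP_LOGON_TYPES = {"3", "10"}  # type 3 also covers other network logons


def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"peak_failures": n, "logon_after_burst": account or None}}."""
    recent = defaultdict(deque)  # source IP -> failure times still inside the window
    findings = {}
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, account = line.split(",")
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        fails = recent[src]
        while fails and when - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if event_id == "4625":
            fails.append(when)
            if len(fails) >= threshold:
                hit = findings.setdefault(src, {"peak_failures": 0, "logon_after_burst": None})
                hit["peak_failures"] = max(hit["peak_failures"], len(fails))
        elif event_id == "4624" and src in findings and fails:
            # A success right after a failure burst suggests a guessed password.
            findings[src]["logon_after_burst"] = account
    return findings


if __name__ == "__main__":
    for src, hit in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, hit)
```

A finding with `logon_after_burst` set is the kind of alert that should trigger an immediate credential reset and host review rather than being left in the queue.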
Want to know more? Well, I’ll be speaking on the panel at AISS (Day 2 2:45pm-3:30pm) which is set to discuss “Ransomware: Clear and Present Danger… A real and imminent threat demanding fundamental changes”. Hope to see you there.