Article by ExtraHop senior security director Barbara Kay
Australian organisations, across both public and private sectors, have endured lower-profile but equally disruptive ransomware attacks in recent times.
Signs suggest these will continue in 2019 and beyond.
Verizon’s 2018 Data Breach Investigations Report found ransomware in 39% of the incidents in which malware was identified, making it the most common variety of malware.
That prevalence has businesses spooked: 89% of respondents to the Oracle and KPMG Cloud Threat Report 2019 said they were somewhat concerned about ransomware.
Speed and effectiveness are part of the reason for ransomware’s ongoing appeal to the unscrupulous.
Victims can be targeted and shaken down in a short space of time and often relatively easily.
Ransomware attacks are not just still prevalent; those that succeed are far more damaging than they once were, because attackers have shifted their focus from individual endpoints to critical enterprise systems.
The temporary loss of one user device, or several, is annoying and inconvenient; having a file server or database encrypted can cripple an enterprise within hours.
Faced with a choice between significant economic loss and opening the chequebook, many businesses feel forced to choose the latter.
Staying a step ahead of high-tech hijackers is a perennial challenge for cybersecurity professionals.
It is well-nigh impossible for organisations that concentrate their efforts primarily on protecting the perimeter, because a perimeter-focused defence offers little visibility once an attacker is inside.
Once past the perimeter, a ransomware operator can do maximum damage within minutes, unless a detection and containment capability fast enough to interrupt them is in place.
‘Think different’ was the slogan adopted by Apple as its ascension to the top of the tech tree began gathering pace in the late nineties.
That’s just what Australian organisations need to do if they hope to successfully repel ransomware attacks in 2019.
When a campaign succeeds, attackers use automation to vary it and run it against more targets.
Toolkits let them alter the code of each individual sample so that it evades signature-based antivirus and rule-based detection.
Because unusual behaviour inside the network is hard to detect with traditional tools, security staff may notice some of the signs of a ransomware intrusion, such as scanning or ‘data staging’ from a server to a host, but be unable to assemble those signs into the full sequence in time to respond and neutralise the threat.
Effective detection relies on dynamic behavioural profiling of attack activity on the internal network, rather than on a definitive rule, a signature or endpoint monitoring alone. Network-based behavioural analysis is essential if organisations are to detect and respond to malicious activity in the late stages of an attack: the critical minutes while encryption is taking place.
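The signal-assembly problem described above, as an added example that is not ExtraHop’s code or any product’s detection logic: a small Python script runs three behavioural detectors (SMB scanning, bulk server-to-host data staging, and mass renames on a file share, the network-visible footprint of encryption) over constructed connection records, then correlates the hits per host so that a host seen in two or more stages is raised as one incident rather than three unrelated alerts. The record format, IP addresses, thresholds, the server allow-list and the sample traffic are all assumptions made for this example.

```python
"""Behavioural correlation over constructed network records (added example)."""
from collections import defaultdict


def _mk(t, src, dst, dport, nbytes, op=None, path=None, new_path=None):
    """Connection summary as a network sensor might emit it (assumed schema).
    't' is seconds; 'op', 'path' and 'new_path' are set only for SMB file ops."""
    return {"t": t, "src": src, "dst": dst, "dport": dport, "bytes": nbytes,
            "op": op, "path": path, "new_path": new_path}


WS = "10.0.5.23"                      # workstation that runs the ransomware
FS = "10.0.1.10"                      # file server holding the share
SERVERS = {FS, "10.0.1.20", "10.0.1.30"}   # assumed allow-list of servers

# Constructed sample telemetry, not a real capture.
FLOWS = []
# Stage 1, scanning: WS probes 30 hosts on SMB within 15 seconds (tiny flows).
for i in range(30):
    FLOWS.append(_mk(100 + i // 2, WS, f"10.0.5.{50 + i}", 445, 120))
# Stage 2, staging: the file server pushes 600 MB to WS (bulk read of a share).
FLOWS.append(_mk(400, FS, WS, 445, 600_000_000))
# Stage 3, encryption: WS rewrites and renames 40 files on the share in 20 s.
for i in range(40):
    p = f"/finance/report_{i}.xlsx"
    FLOWS.append(_mk(700 + i // 2, WS, FS, 445, 4096, "WRITE", p))
    FLOWS.append(_mk(700 + i // 2, WS, FS, 445, 0, "RENAME", p, p + ".locked"))
# Benign noise that must not raise an incident on its own: a 2 GB backup
# between two servers, and a user opening a handful of HTTPS connections.
FLOWS.append(_mk(50, "10.0.1.20", "10.0.1.30", 22, 2_000_000_000))
for i in range(5):
    FLOWS.append(_mk(60 + i, "10.0.5.99", f"10.0.1.{10 + i}", 443, 900))


def _first_burst(events, window, min_distinct):
    """events: list of (t, key). Earliest t at which at least `min_distinct`
    distinct keys occur within [t, t + window]; None if never."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        keys = {k for t, k in events[i:] if t - t0 <= window}
        if len(keys) >= min_distinct:
            return t0
    return None


def scan_events(flows, window=60, min_targets=20):
    """Hosts that touch >= min_targets distinct dst:port pairs within `window`
    seconds. Returns {src: time_of_first_probe}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append((f["t"], (f["dst"], f["dport"])))
    hits = {s: _first_burst(ev, window, min_targets) for s, ev in by_src.items()}
    return {s: t for s, t in hits.items() if t is not None}


def staging_events(flows, servers, min_bytes=100_000_000):
    """Bulk transfers from a known server to a non-server host.
    Returns {receiving_host: time}."""
    hits = {}
    for f in flows:
        if f["src"] in servers and f["dst"] not in servers and f["bytes"] >= min_bytes:
            hits.setdefault(f["dst"], f["t"])
    return hits


def encryption_events(flows, window=60, min_files=25):
    """Clients renaming >= min_files distinct files to a new extension within
    `window` seconds. Returns {client: time}."""
    by_src = defaultdict(list)
    for f in flows:
        if f["op"] == "RENAME" and \
                f["new_path"].rsplit(".", 1)[-1] != f["path"].rsplit(".", 1)[-1]:
            by_src[f["src"]].append((f["t"], f["path"]))
    hits = {s: _first_burst(ev, window, min_files) for s, ev in by_src.items()}
    return {s: t for s, t in hits.items() if t is not None}


STAGES = ("scan", "staging", "encryption")


def correlate(flows, servers):
    """Assemble a per-host timeline across the three detectors and return
    incidents for hosts that appear in at least two stages. A single stage
    alone (a vulnerability scanner, a backup job) stays an observation."""
    stage_hits = {"scan": scan_events(flows),
                  "staging": staging_events(flows, servers),
                  "encryption": encryption_events(flows)}
    hosts = set().union(*(h.keys() for h in stage_hits.values()))
    incidents = []
    for host in sorted(hosts):
        timeline = [(s, stage_hits[s][host]) for s in STAGES if host in stage_hits[s]]
        if len(timeline) >= 2:
            incidents.append({"host": host, "stages": sorted(timeline, key=lambda x: x[1])})
    return incidents


if __name__ == "__main__":
    for inc in correlate(FLOWS, SERVERS):
        print(inc["host"], "->", " > ".join(f"{s}@{t}s" for s, t in inc["stages"]))
```

The backup transfer is the kind of event that fools a single-signal rule: it is a large server-to-host move, but with no scan before it and no rename burst after it, `correlate` leaves it as an observation. The thresholds and the server allow-list are placeholders and would be tuned per environment; the point is that the per-host timeline, not any one detector, is what turns three weak signs into an actionable sequence while the rename burst is still in progress.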
Reducing the risk of falling victim to a ransomware attack calls for a holistic security strategy.
In addition to keeping pace with emerging tools and technologies, implementing and maintaining common-sense protective measures can help enterprises ensure they are not prime targets for opportunistic intruders.
These measures should include:
Ransomware attacks remain an immediate and very real threat to business continuity and viability.
Perpetrators are as resourceful and agile as ever and, for Australian organisations whose cybersecurity strategies have not evolved at the same pace, successfully repelling an attack is an optimistic and unlikely proposition.
Of course, ransomware is just one aspect of an overall security program.
Under pressure to perform, many businesses must align security with other business goals and share resources between them to operate efficiently.
Investing in behavioural protection for mission-critical systems improves resilience against attacks that break through perimeter defences, and it can also pay rich dividends for enterprises worried about business continuity and data integrity.