Once Bitten, Twice Shy: How to ward off the Ransomware Blues?

“Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off ”- FedCIRC 

This comment, though sounds bit ridiculous comes from none other than Federal Computer Incident Response Center (FedCIRC), a part of the US Homeland Security. It in a way gives a nutshell perspective on how difficult it is to restore the lost digital sanity of those affected by security threats like ransomware.

This is what happened with the latest WannaCry ransomware attack. It has taken the world by storm and those impacted are limping back. The attack unfolds a new premise in enterprises security and opens up the ‘Pandora’s Box’ on whether the current security management practices, technologies and end-points are good enough to de-risk the enterprises from online digital assault.

Quips Sudhindra Holla, Country Manager, India & SAARC, Axis Communications, “ These kind of attacks can neither be predicted nor can they be stopped. There can be many liabilities in the network architecture which only come to light when the system is under attack. The main difference today is that the attackers are aiming at making money. What we saw this time was the synchronization which affected across countries and continents. Cybersecurity is a complex ecosystem and the level of these attacks have yet again proved that Government and intelligence agencies have to work in tandem with the industry and vendors to avoid large scale incidents. Organizations need to be more proactive and have adequate crisis response teams to tackle and recover from these incidents."

So how do we fix the liabilities? It seems there is no one sure-shot way in fortifying the digital assets with class leading technologies. Clearly, 100% digital security SLA is an utopia and the custodians of the digital security -the CISOs, CIOs, and CTOs, often times were caught unaware with instances like WannaCry and in the end, it’s the win some, lose some game.

The WannaCry outbreak created havoc across the world and luckily the impact on India was somewhat subdued despite the fact that a lot of mid-market enterprises still use outdated and pirated version of Windows OS. At the macro level WannaCry activated the alarm bells as it is a wake-up call for organizations that hackers are getting smarter and in the bargain exposed the shortcomings in the IT security infrastructure. The time is now to totally relook security and making security architecture relevant to the current threat dynamics.

Says Kartik Shahani, Integrated Security Leader, IBM ISA, “ This attack is being billed as the largest global cyberattack ever to use ransomware. If you look at the data from years past, and now, 2015 saw less than 1% of the spam being ransomware. By last year, 40% had a document or web link that activated ransomware, and the current attack threatens to lift that percentage higher. The ransomware attacks will continue, but a silver lining is that with the kind of awareness that has been created with WannaCry, perhaps the number of affected computers and victims will be far less than the ones reported.”

In that line, WannaCry is expected to evolve the enterprise threat defense mechanisms and in the bargain, the overall maturity of the organizations in dealing with threats is only bound to increase.

Before delving into some best practices, let’s decode what is ransomware for the sake of getting a context. Sharda Tickoo, Technical Head, Trend Micro, India says, “ Ransomware is any type of malicious software that is designed to block access to a computer system until the desired sum of money known as ransom is paid. There are various channels through which a ransomware could land on the system. The most common ways include phishing email, USB, network or website compromise. Once a ransomware is executed on a system it encrypts the data, renders files inaccessible, presents a ransom note and asks the user to pay a ransom.”

A perfect bloodless crime by a nameless, faceless enemy!

Experts call incidents like WannaCry, as a form of digital extortion and what was unique in the current episode is that the attackers asked the ransom in Bitcoins. That’s a pretty interesting twist to the whole thing and opens up altogether a new debate on how Bitcoins will be wrongly used in the days ahead by hackers.

Giving a larger perspective, Saket Modi, CEO & Co-founder, Lucideus says, “ This is a major attack not just in India but globally. India on the other side has seen less impact in comparison to Russia and few Western European countries. The attack shows how unprepared the world is when it comes to sophisticated cyber attacks. WannaCry on the other end can have a major impact on the government because most government departments don't have specific different OS for its operations and patch management is not even in the policy in most government institutions."

Agrees Pandurang Kamat, Chief Architect - Innovation and R&D at Persistent Systems, “This is a huge wake-up call globally for CXOs and governments about taking security and patching seriously. This was a ransomware-based on US government harvested security exploits that were hacked and leaked by Russia-backed group, Shadowbrokers and then weaponized and exploited likely (some early clues point to this) by a group linked to North Korea. Experts have called on governments to not build such stockpile to computer weapons because as in this case those will leak and used by criminal elements.”

Clearly WannaCry’s uniqueness and sophistication have baffled experts and moreover the hackers have gained innovative ways in extorting money online. Andrew Macintosh, Executive Director, South Asia Practice, Control Risks says, “ While the threat of ransomware is not new, with the first attacks of this kind has happened in 1989, this particular attack is unprecedented in terms of geographic spread and scale. With estimates that 60% of the victims are organizations, rather than individual computer users, I would hope that the most significant ramification is that senior executives across all sectors take the opportunity to review their approach to the “cyber hygiene” of their organizations.”

Taking Control

Clearly many companies still have a reactive approach to security and hence they struggle to bounce back when they fall victim to ransomware or any other data breach. What is needed is a complete rethink of the security processes and practices that enable one to deploy a security policy that is in sync with the threat landscape and is pro-active and not reactive. Says Holla “The best way to reduce the threat is to have system updates ready to be rolled out soon after the attack. Vendors and OEMs need to ensure that there is an immediate action plan ready for customers to mitigate risks. A reliable vendor will always be the first to respond to a crisis like this.”

Managing and mitigating ransomware and other security threats call for a multi-pronged approach. It's not just about technology only - a policy-driven approach is needed. Security has to be managed through an eco-system where each element is in sync with other and creates a proactive infrastructure.

Experts like Modi have a word of caution as well. He says, “What we are seeing now is just the tip of the iceberg. Corporates need to invest in awareness sessions and increase their spend on Cybersecurity. The major reason why ransomware impact has such ramifications is due to the fact that people do not keep backups. The day you ensure that each and every person in the organization has a backup of their data, the problem of ransomware can be dealt with very easily,”

The key learnings for a tech head from this incident would definitely be to make security a first class design decision when designing and operating systems. Reflecting on this Kamat says, “ It is essential to run up to date anti-malware protection solution and network security monitoring the networks. One also need to be current on patches, upgrade OSes and multi-level backups on systems that have the different set of access controls from the systems being backed up is another way to save oneself from Ransomware. Also, it is important to maintain clean images of your enterprise systems (code not just data) so that recovery is expedited.”

Quips Macintosh, “ I believe the key learnings here are important to the full executive leadership of organizations – not just the CISO and CIO – as this situation helps to drive home that the issue is a contemporary business risk, which should be addressed and mitigated as part of a complete risk management program. In the same way that organizations plan for the management of crises, natural disasters, and other acute risks, they should be considering and preparing to respond to it”.

Meanwhile, Anand Ramamoorthy, Managing Director, South Asia, McAfee suggests 3 best practices in managing ransomware:

#1: Back up your files: Always make sure your files are backed up. That way, if they become compromised in a ransomware attack, you can wipe your disk drive clean and restore the data from the backup.

#2: Update your devices: There are a few lessons to take away from WannaCry, but making sure your operating system is up-to-date needs to be near the top of the list. The reason is simple: nearly every software update contains security improvements that help secure your computer and removes the means for ransomware variants to infect a device.

#3: Faith in Cloud: Using cloud storage with anti-virus scanning abilities to share files will help users to mitigate any possible threats.

“Cyber security is a critical area for CIOs and CISOs and assumes paramount importance. With the continuing proliferation of technology, it is extremely important to build a highly effective cyber security landscape that is capable of safeguarding businesses from sophisticated attackers,” says Sunil Chandna, CEO, Stellar Data Recovery. “One of the biggest challenges is that despite such widespread impact, many organizations still have not taken corrective measures such as updating their desktops and servers to prevent such incidents. The recent infections that occurred as late as 19th May were reported to Stellar Data Recovery. Fortunately, data recovery is possible in several cases.” adds Chandna.

According to Rajender Singh Bhandari, Director – Systems Engineering, NetApp India, “ The CISOs and CIOs need to prioritize and plan for data encryption and security practice at the data management layer itself. They need to make sure that the company’s backup, restore and archival strategies have the quick turn-around and instant recovery, prepared for any disaster be it cyberattacks or otherwise. For instance, implementing a storage system with comprehensive APIs and protection capabilities with long-term recovery options that perfectly compliments the application or data environment of any organization, can protect them from threats like the ransomware attack. “

“Again, what is important at this stage is to have an access policy control framework in place which needs to be driven top down from the CEO, for it to become a part of the DNA or the behavior of any organization. Organizations will also have to corroborate the policy framework by deploying technologies to govern perimeter security and application security. Threats need to be assessed from time to time and there are various services and solutions available in the market which allow any enterprise or CIOs to constantly check for the vulnerability in the system and subsequently beef up the system if needed,” adds Bhandari.

Up Ahead

The writing is clear on the wall. The threat landscape is changing by the day, the CIOs and CISOs and other stakeholders need to ink a relevant security strategy that helps them to deal with ransomware. Says Shahani, “ Enterprises with robust security practices and security service agreements in place were spared many of the damaging effects. The key learning here is to always be vigilant and take action on the updates that come from security experts. Creating and maintaining an incident response plan is key to a quick recovery from any security incident.”

Experts also expect the security vendors’ strategy to undergo a fundamental shift with a tangible deliverables becoming part of SLAs. Today, the spotlight is on vendors now , and the security offerings they sell should come with a high degree of trust, and even after having a security suite, and enterprise falls prey to ransomware, then they lose credibility and trust deficit comes in.

Sumit Dhar, a senior Information Security leader, aptly sums up. He says, “ The ramifications of WannaCry type of ransomware can be looked at from multiple lenses.  First, across organizations, there will be renewed focus on Information Security at the Board / Senior Leadership level. Companies, which had poor patch management process, will certainly drive improvements in their process to ensure such incidents are not repeated. Overall, organizations that believe security is important for doing business will evaluate ways and means to enhance their security posture.”

“Second, given that ransomware is emerging as a key threat, I would not be surprised if security vendors come out with solutions specifically designed to mitigate this threat. We may also see vendors providing guarantees about their products capabilities. For instance, SentinelOne already does that. They offer $1000 per endpoint, in case of any ransomware issues. Third, this is a difficult prediction but I do see a slight possibility of changes in the way organizations like NSA stockpile such exploits.”

Does WannaCry ransomware impact you? Share your story with us.