How Researchers Are Fighting Back Against Ransomware
Not only is this level of damage potentially crippling for business and industry, but it also provides funding for organized crime networks. Every Bitcoin that a company releases to unlock its sensitive data could find its way into the coffers of those dealing in drugs, weapons, human slavery, and international terrorism. As this article reveals later, even law enforcement organizations have been guilty of paying ransoms to decrypt their data.

Fortunately, there are signs that government agencies, cybersecurity professionals, and academic researchers are mounting a fightback. Most recognize that there is no 'silver bullet' that will finally end crypto-ransomware, and that a multi-level, perhaps multi-agency, approach is necessary.

The first stage in combating a threat is to categorize it. To this end, organizations such as ENISA (the European Union Agency for Cybersecurity) have separated ransomware from the morass of general cyberattack methods and devoted resources specifically to tackling it.

This article looks at some of the academic activity that has supported this approach, namely the effort to use real-case analysis of cyberattacks to create a taxonomy that organizes effective ransomware response. The specific focus is a 2019 research project carried out in the UK by the Cybercrime Group at the Centre for Criminal Justice Studies, School of Law, University of Leeds. Through qualitative research methods, the researchers devised a taxonomy of countermeasures that businesses could use to shore up their defenses against ransomware attacks.

The study recognized that ransomware's effectiveness lies somewhere in the muddy ground between human psychology and flawed machines. From 26 ransomware attack case studies, it identified three attack vectors: malicious emails, brute-force attacks, and drive-by downloads. Whereas the first type of attack requires a human error, the other two exploit IT vulnerabilities.

Interviews with those involved in each attack, both victims and investigators, were painstakingly transcribed and then analyzed for common themes. The failings identified were turned into potential action points, which were grouped into three categories: socio-technical response tools, and two categories of enablers of change (front-line manager actions and senior management actions). This article focuses only on the response tools category.

Response tools were further broken down into sub-categories: user security education, technical measures, network security, security policies, secure practices, and the incident response strategy.

In terms of security education, the evidence revealed the need to introduce training gradually, to take account of the limited technical experience and know-how of some employees, particularly senior staff. Training should include realistic examples and be made relevant to the person taking it by, for example, explaining how their family could be affected by a breach. Regular bulletins and annual exercises are needed to keep employees on their toes, and it was recognized that creativity may be required to persuade employees to read the bulletins: one of the victims now releases bulletins with a musical theme to encourage engagement with the documents.

One interesting piece of security education advice to come out of the study was to provide training face-to-face rather than purely online. With many articles on user security education written by online training providers, it is not surprising that this message isn't regularly aired.

Moving on to technical measures, a host of recommendations were promoted, as expected. To mitigate the risk of employees opening attachments in phishing emails, various types of email hygiene could be implemented. Examples include adding external identifiers to email originating from outside the network and manually scanning all emails containing attachments.

Other technical measures involved patch and upgrade management. Rather than relying on end users to install patches, these could be centrally controlled by an IT support team, with mandatory patches applied within 24 hours and others within 30 days. Systems should also be upgraded whenever possible, although it was recognized that this might not always be affordable or practical. In that case, mitigating measures need to be in place: for example, legacy systems could be confined to their own subnet or, better still, taken offline altogether.

While countermeasures such as anti-virus (AV) software and firewalls were deemed necessary, it was accepted that there are different types to choose from. Some recovering victims had benefited from switching from signature-based AV to behavior-based solutions that monitor activity on the host and can block connections to unknown IP addresses (for example, when a piece of malware is 'phoning home' for instructions). It was also pointed out that cloud-managed AV products are updated automatically and use less local processing power than traditional locally installed ones. Sophisticated 'next-gen' firewalls were also recommended, as they can perform deep packet inspection and block suspicious IP addresses. However, they have to be configured correctly to provide any of this protection.

Backup and recovery measures were singled out for special attention because of the impact of poorly managed backup procedures, failed backups, and vulnerable locally stored backups. In one case study, the victim had to fire a third-party backup provider that had failed in its duty. In another, involving a law enforcement organization, a failed backup meant that the ransom had to be paid, to the frustration of all concerned. There were also cases in which locally connected backups were encrypted along with the original files.

Other technical measures included disabling Flash and installing web filters to stop employees visiting so-called pharming websites. However, filtering cannot prevent drive-by downloads from genuine websites that have already been compromised, and it was also found to be impractical in research-intensive organizations.

Network security measures were given their own sub-category because of their importance in preventing malware from propagating from node to node. Three areas of focus were identified: strengthening network infrastructure, improving access control management, and implementing effective remote desktop protocol (RDP) management.

Security policies and secure practices were important categories because some of the case studies involved individuals panicking and trying to solve the problem themselves rather than seeking appropriate help. For example, one victim responded by shutting down the infected computer and then opening up others on the same network to try to find a solution, which led to additional nodes becoming infected.

Finally, the incident response strategy was broken down into three separate plans: the communication plan, the incident response plan itself, and the business continuity plan.
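The two email hygiene measures listed under technical measures above, tagging mail from outside the organization and holding attachment-bearing mail for a scan, can be automated at the mail gateway. The following Python script is an added example written for this article, not code from the Leeds study or from any product it mentions; the internal domain list, the risky-extension lists and the sample messages are all constructed assumptions for illustration.

```python
"""Inbound email hygiene: tag external senders, flag risky attachments.

Added example for this article; not the study's or any product's code.
The internal-domain list, the extension lists and the sample messages
are constructed assumptions.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.com"}          # assumed: the organization's own domains
EXTERNAL_TAG = "[EXTERNAL] "
# Assumed lists: file types that run code when opened, and containers that
# hide their contents from a simple name check.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def sender_domain(msg):
    """Domain of the From address, lower-cased ('' if absent or unparsable)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """Anything not from a known internal domain is treated as external."""
    domain = sender_domain(msg)
    return domain == "" or domain not in INTERNAL_DOMAINS


def attachment_findings(msg):
    """Return human-readable reasons an attachment deserves quarantine or review."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = name.split(".")[1:]            # 'invoice.pdf.exe' -> ['pdf', 'exe']
        ext = "." + suffixes[-1] if suffixes else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable-type attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(f"archive attachment, contents not inspected: {name}")
        elif len(suffixes) > 1:
            findings.append(f"double extension: {name}")  # may be benign; flag for review
    return findings


def triage(raw_bytes):
    """Parse one raw RFC 5322 message and decide what the gateway should do.

    Returns a dict: external flag, (possibly re-tagged) subject, findings and
    the action: 'quarantine', 'hold-for-scan' or 'deliver'.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    external = is_external(msg)
    findings = attachment_findings(msg)
    has_attachments = any(True for _ in msg.iter_attachments())

    if external:
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]                      # assigning would add a duplicate header
            msg["Subject"] = EXTERNAL_TAG + subject

    if findings:
        action = "quarantine"
    elif external and has_attachments:
        action = "hold-for-scan"                    # manual scan of external attachments
    else:
        action = "deliver"

    return {
        "external": external,
        "subject": str(msg.get("Subject", "")),
        "findings": findings,
        "action": action,
        "message": msg,
    }


def build_sample(sender, subject, attachment=None):
    """Construct a test message (sample input, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alice@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached document.")
    if attachment is not None:
        filename, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream",
                         filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [
        ("Accounts <billing@supplier-example.net>", "Invoice 1234", ("invoice.pdf.exe", b"MZ\x90\x00")),
        ("bob@example.com", "Lunch?", None),
        ("docs@partner-example.org", "Contract", ("contract.pdf", b"%PDF-1.7")),
    ]:
        result = triage(build_sample(*args))
        print(result["action"], "|", result["subject"], "|", result["findings"])
```

The name-based check is deliberately the first, cheapest filter: a real gateway would follow the hold-for-scan verdict with content inspection (magic bytes, macro detection, sandboxing) rather than trusting the filename, which is exactly why the study's victims ended up manually scanning everything with an attachment.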
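The behavior-based blocking described under technical measures above, stopping a process from 'phoning home' to an unknown IP address, rests on two checks: is the destination one the organization already trusts, and does the traffic recur at the regular interval typical of command-and-control beacons. The Python below is an added example, not the study's or any vendor's code, and runs both checks over a handful of constructed connection-log lines; the allowlist, the log format and the beacon thresholds are assumptions chosen for illustration, and the public-looking addresses are RFC 5737 documentation ranges so that nothing on a real network is contacted.

```python
"""Flag processes talking to unknown destinations and detect beaconing.

Added example for this article; not the study's or any vendor's code.
Log format, allowlist and thresholds are assumptions. The 'public'
addresses are RFC 5737 documentation ranges, so nothing is contacted.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed: the organization's own address space plus destinations it
# expects hosts to reach (e.g. a SaaS provider, here a documentation range).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_GOOD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed one-line-per-connection format from a host agent or egress firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<ip>[0-9.]+):(?P<port>\d+)$"
)

# Constructed sample log: winword.exe contacting the same unknown address
# about once a minute is the pattern a behavior-based tool should stop.
SAMPLE_LOG = """\
2024-05-01T10:00:00 host=ws01 proc=outlook.exe dst=203.0.113.10:443
2024-05-01T10:00:05 host=ws01 proc=winword.exe dst=198.51.100.7:443
2024-05-01T10:01:05 host=ws01 proc=winword.exe dst=198.51.100.7:443
2024-05-01T10:02:06 host=ws01 proc=winword.exe dst=198.51.100.7:443
2024-05-01T10:03:04 host=ws01 proc=winword.exe dst=198.51.100.7:443
2024-05-01T10:02:30 host=ws02 proc=chrome.exe dst=192.0.2.44:80
2024-05-01T10:03:00 host=ws02 proc=svchost.exe dst=10.0.0.5:445
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    return rec


def is_known_destination(ip):
    """True for internal, loopback or explicitly allowlisted destinations."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return True
    return any(addr in net for net in INTERNAL_NETWORKS + KNOWN_GOOD_NETWORKS)


def looks_like_beacon(timestamps, min_count=3, max_jitter=0.2):
    """True when at least min_count connections recur at a near-constant interval."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False
    return all(abs(g - mean) <= max_jitter * mean for g in gaps)


def analyze(lines):
    """Group unknown-destination connections per (host, process, dst) and score them."""
    by_flow = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_known_destination(rec["ip"]):
            continue
        by_flow[(rec["host"], rec["proc"], rec["ip"], rec["port"])].append(rec["ts"])

    alerts = []
    for (host, proc, ip, port), stamps in by_flow.items():
        alerts.append({
            "host": host,
            "proc": proc,
            "dst": f"{ip}:{port}",
            "count": len(stamps),
            "verdict": ("block-beacon" if looks_like_beacon(stamps)
                        else "review-unknown-destination"),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

A single connection to an unknown address only earns a review verdict; the block verdict needs both an unknown destination and a regular cadence, which keeps an analyst's queue short while still catching the document-reader-turned-downloader case that the study's email attack vector produces.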