Ransomware risk heightened with BYOD

Users circumventing corporate policies in the office or on their mobile devices can end up having both their personal and company data being held hostage, if they get infected with ransomware.

Ransomware is different from targeted attacks, because they do not choose their victims but rather, the opposite, Jason Siew, technical engineer at Kaspersky Labs Southeast Asia, observed. It usually takes place when a user visits a malicious site or downloads an infected attachment, he explained.

Essentially, this means anyone connected to the Internet can be infected, and employees may unwittingly introduce ransomware to their corporate networks, Siew pointed out.

Another industry watcher, Righard Zwienenberg, senior research fellow at ESET security agreed, noting some corporate end-users have been hit by ransomware but paid up without informing their bosses. One of the reasons they get infected is because they circumvent corporate policies by downloading or installing files, or browsing Web sites, which are not authorized, he explained.

However, hiding the act of paying up without informing their bosses can be "very risky" because they never know if they managed to get everything back once they have paid up, or if the ransomware is fully gone from the company's network, he pointed out.

Ransomware also works by encrypting crucial data and then demands a fee to restore it, in the hope of disrupting businesses and causing financial losses, Michael Sentonas, CTO of McAfee Asia-Pacific, observed. This is especially so for businesses that are time-sensitive and have secretive data such as stock exchanges and banks, he said.

Their comments come in light of McAfee's latest threat report in September which found the number of new ransomware samples jumped about 50 percent between the first and second quarter this year to more than 120,000 --four times more common than a year ago.

BYOD heightens ransomware risk
With the bring your own device (BYOD) trend, the risk of an organization being affected by ransomware has also heightened, Macky Cruz, technical communications specialist at Trend Micro's TrendLabs, pointed out.

She noted sensitive corporate data and confidential information will now reside in mobile devices, which end-users heavily use. When these devices are used outside the organization and accidentally download ransomware, their data, along with the company's will be in the hands of cybercriminals, she observed.

Reiterating Zwienenberg's perspective, she noted employees would not know what happens to their data before they pay up. Data could be sold to the cybercriminal underground, before being returned to their owners, she pointed out.

Educate employees, enforce policies and security measures
The best way for organizations to protect themselves is through employee education and training, Cruz pointed out. They should advise employees on who they can approach if they face a situation where their devices or desktops has ransomware and not attempt to tackle the problem on their own, she said.

Employees must understand that even if they broke the company's policy and got affected with ransomware, it is better not to hide the incident and "come clean" with it, Zwinenberg explained.

"It's worse trying to hide it as there may be other backdoors or Trojans installed, or the information that is taken hostage is not sent to the malware authors," he said. "There may also be no guarantee that everything is returned when they pay up."

On the technical side, organizations need to put in place proper active and complied policies for proper data handling movement, usage and storage, and encrypt data at rest, Anthony Lim, regional director of SecureAge, noted.

This includes the server cloud and backup, and will minimize any malware, rootkit or advanced persistent threat getting at it and trying to use it for ransoming purposes, he said.

The basics must also not be forgotten--organizations should ensure that their enterprise-wide security software is up-to-date, and encourage employees to update the security software on their personal devices, Cruz noted.