Ransomware: Why we're still losing the fight – and the changes you need to make, before it's too late

Ransomware has been around for a long time but is still finding fresh victims. What's going wrong?


Ransomware is running rampant this year, with high-profile attacks by cyber criminals using the data-encrypting malware almost occurring on a daily basis.

Local governments, schools and universities, and hospitals and other healthcare providers have all fallen victim to ransomware attacks in which hackers now demand hundreds of thousands of dollars in Bitcoin in exchange for returning files.

Victims often give in to the extortion demands and – despite advice not to – pay up. In other cases, the organisations resort to attempting to fix the issue themselves, losing working hours and revenue for the days or weeks the network is down.


The damage that can be done to an organisation that falls victim to a ransomware attack – the financial costs of fixing the problem, plus the potential reputation damage that comes with falling foul of hackers – is plain to see. So why is it that despite the warnings about ransomware, the attacks are still so effective?

Part of the problem is that many boards still aren't taking cybersecurity as seriously as they should be.

"It's exactly how it's been for more than 20 years: security still isn't considered a priority as part of business operations – it's shunted off to the IT department or to the side," says Jennifer Ayers, senior director of security response at security company CrowdStrike.

"There have been some changes, especially over the last ten years with more investment, but at the end of the day security teams are considered a smaller group off to the side and not a critical part of the business."

Without a dedicated, well-resourced information security team it becomes too easy for organisations – whether by intention or not – to avoid basic security tasks like applying patches to operating systems or software.

For example, Microsoft emphasised the importance of installing the critical security update that blocked EternalBlue – the exploit that powered WannaCry – but the scale of the global attack made it clear that a significant proportion of victims hadn't applied the patch, despite the warnings.

In other cases, the patches are being applied, but because the work isn't being done by specialist staff, sometimes they're not installed correctly, leaving organisations vulnerable to attacks they think they're protected against.

"Most incidents actually happen as a result of a vulnerability you already know how to fix. We know what the right answers are and it's not that companies aren't taking action, it's some of the controls they're using are fallible and the complexity of deploying them is a hard problem," says Christy Wyatt, CEO of Absolute Software, an endpoint security and data risk management company.

"If you don't have this immune system, these things are going to find their way in," she adds.

Failure to patch properly remains one of the leading reasons cyber criminals can deliver malware in the first place, alongside insecure Remote Desktop Protocol (RDP) services being left exposed to the internet with default login credentials.

Often, these RDP ports can be completely forgotten about, leaving organisations with a weakness they didn't even know they had – and that's handing an advantage to attackers because a security team can't work to protect something that it doesn't know is there.

"Think about your network: you need to make sure you have visibility on all your devices because if you can't see it, you can't protect it," says Wyatt. "Devices that aren't managed don't have a fighting chance: without visibility, you're fighting with one hand tied behind your back."

Unfortunately, while those who fall victim to ransomware might do so because they lack visibility of their network, the same can't be said for the criminals behind the attacks.

Ransomware attacks are more sophisticated than they were even just a few years ago, when phishing emails delivered and deployed the malware directly. Now, after gaining access to a network, hackers will spend weeks or months inside it, moving across the network with the aid of stolen or weak credentials to ensure everything that can be targeted with ransomware is hit.

Only then will the attackers pull the trigger on the attack, encrypting the victim's whole network and demanding a huge sum in return for restoring the files.


It's therefore crucial that organisations work to ensure that RDP access is as secure as possible – and that even if an attacker gains entry to the network, protections are in place to stop them in their tracks.

"You want to limit attackers' ability to remotely access networks by either doing things like locking internal RDP access to environments or requiring multi-factor on any remote access tools or gateways," says Charles Carmakal, vice president and strategic services CTO at FireEye.

"Minimising credential access and the different ways Windows exposes credentials on a system can make it much harder for an attack to take place," he adds.
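The two recommendations above – knowing where RDP is actually reachable from, and reducing the ways Windows keeps credentials exposed – can be checked host by host. The following read-only audit is an added example, not code from the article or from the companies quoted; it assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, and the registry paths and firewall cmdlets it uses are standard Windows ones.

```powershell
# Added example: audit a Windows host for exposed RDP and cached-credential settings.
# Read-only; it reports findings and changes nothing. Run elevated.

$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are accepted.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled on this host; confirm it is actually needed.'
}

# 2. Network Level Authentication makes the client authenticate before a session is created.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
if ($rdpTcp.UserAuthentication -ne 1) {
    $findings += 'NLA is not required for RDP (UserAuthentication is not 1).'
}

# 3. Enabled inbound allow rules for TCP/3389 whose remote address is "Any" expose RDP
#    to every network the host can be reached from, not just the internal one.
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from any remote address."
    }
}

# 4. WDigest with UseLogonCredential = 1 keeps plaintext credentials in LSASS memory,
#    one of the Windows credential exposures the article refers to. 0 disables it;
#    an absent value is reported so the setting gets pinned explicitly.
$wdigest = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
if ($null -eq $wdigest -or $wdigest.UseLogonCredential -ne 0) {
    $findings += 'WDigest UseLogonCredential is not explicitly set to 0.'
}

# 5. Everyone in Remote Desktop Users can log on over RDP; list them for review.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
if ($rdpUsers) {
    $findings += "Remote Desktop Users contains: $($rdpUsers.Name -join ', ')"
}

if ($findings.Count -eq 0) { 'No RDP or credential-exposure findings on this host.' } else { $findings }
```

Multi-factor authentication on remote access is enforced at the gateway or VPN rather than on the individual host, so it is outside what this per-host check can see.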

Implementing protections of this kind is vital, not just to protect against ransomware attacks right now, but to do so going forward. The success of ransomware means that even more cyber criminals will want to get involved in what many have come to believe is an easy payday, not least because victims – or their cyber insurance providers – are paying out.

"There are a lot of attackers trying to make money, so we're going to see a lot more ransomware," says Carmakal.

Unfortunately, sometimes it does seem that the only thing that pushes an organisation towards taking network security seriously is falling victim to a major incident, be it a ransomware attack, a data breach or any other kind of cyberattack.

That, however, needs to change, because if organisations don't properly protect their perimeters, cyber criminals will continue to take advantage of weaknesses. Organisations and their boards need to pay attention sooner rather than later – or risk becoming the next high-profile victim of a ransomware attack.

"We're certain it's not going to stop," says Ayers. "You may have not been hit now, but now's the time to up your cyber game."
