When it comes to ransomware, there is good news (sort of) and bad news (definitely).
“Once ransomware hits, the good news is you know about it,” said Eric Cole, founder and executive leader at Virginia-based Secure Anchor Consulting and a former member of the White House Commission on Cyber Security. “You know it's on your system because you can't access your data.”
And the bad news? In a webinar presentation sponsored by Norwalk-based Xerox, Cole, who is also a former chief technology officer at computer security company McAfee and former chief scientist at aerospace and arms company Lockheed Martin Corp., noted that many people might be working on devices infected with ransomware without knowing it.
“We've seen a lot of attackers who are actually putting the payload on the system in what we call a 'time bomb,'” he said. “There's a probability that you might have ransomware on your system that has not been activated.”
Cole divided the business world's approach to ransomware into two categories: either spending “a little bit upfront to make sure your data is protected, secured and locked down” or paying “a lot of money on the back end, after there's a breach and after there's a problem.”
Ransomware, Cole said, is a truly universal experience: it impacts operations of all sizes around the world, and even Cole's dentist had his office computer locked up by an attack. He recalled an incident where a physician affiliated with a hospital chain in the U.K. used his work computer to check his personal email and discovered a message from FedEx regarding a pending delivery.
“He went in and opened it up,” Cole said. “It turned out to be a phishing attack. And when he clicked on the link, he was hit with ransomware and not only on the data on that computer. Because this was a senior doctor that had access to a lot of information, that one click encrypted 80% of all the hospital records across three different hospitals in the U.K. They had to move patients and shut down operation for four days in order to recover and get back up and running again.”
Cole acknowledged that while the hospital had backup systems in place, “they were replicating the data across all four hospitals. The problem is it was all transparent backups and that doctor had access to all of it. So once the ransomware hit and crawled through the network and was able to encrypt all of the backups and all of the data, the hospital wasn't able to recover in any timely manner.”
Cole said ransomware has evolved into a big business, to the point that companies exist around the world whose employees are hackers paid to launch attacks on unsuspecting victims.
“Imagine an office building with 30 people working full time and their sole job is to target your organization, hold your data ransom and cause negative impact to your business,” he said. “That”™s the threat you”™re up against.”
Complicating matters, Cole said, was the abrupt shift to a remote workforce during the COVID-19 pandemic.
“Because organizations are focused on a remote workforce, they're not focused on security,” he said. “In many cases, security was put on the back burner just to keep your business up and running. Adversaries know that, and adversaries are also struggling during these hard times; they're looking for money. We've already seen just in the last few months a 300% increase in ransomware and we project that this is going to continue to be a big area of focus and target for adversaries.”
Joining Cole on the webinar was Priyank Ghedia, practice manager for cybersecurity and risk management at Lewan Technology, a Xerox company based in Denver, who advised the use of “defense in depth” strategy in the fight against ransomware.
“You may have heard of this term before,” Ghedia said. “Defense in depth means having multiple layers of security, just like layers of an onion. A good defense in depth strategy helps you catch attacks even at the inner layers if the upper layers missed it. For example, if the email filter misses it, the firewall catches that.”
While phishing emails and drive-by downloads (the latter involving compromised web pages from which users unknowingly download malware) are the best-known delivery routes, a lesser-known avenue for ransomware attackers involves TCP port 3389.
Ghedia said, “3389 is used for remote desktops, also known as RDP. RDP is a legit business application. However, it is also vulnerable to password guessing attacks, also brute force attacks that can be exploited if it's exposed to the internet. In a search I did yesterday, it showed me about 4.1 million IP addresses, which could be accessed with RDP. Stolen RDP credentials go for as little as $3 on the dark web, and attackers could use a central stolen credential to log into exposed RDP and conduct further attacks.”
Ghedia recommended putting RDP behind a virtual private network so only company users can reach it, and also stressed the importance of keeping all computers in a Windows-based network up to date with the latest security updates from Microsoft.
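The password guessing against exposed RDP that Ghedia describes leaves a recognizable trail in the Windows Security log: each failed attempt is Event ID 4625 with Logon Type 10 (RemoteInteractive, the type an RDP session uses), and a success is Event ID 4624. The script below is an added example for this article, not code from the webinar, Xerox or Lewan Technology. It runs over sample events constructed for the example in a simplified key=value line format (real events are XML in the Security channel but carry the same field names), groups RDP failures by source address, flags any address with a burst of failures inside a short window, and notes whether an RDP success from that address followed the burst, which is the case a responder cares about most. The threshold and window are assumptions to tune for your environment.

```python
"""Flag RDP password guessing in Windows Security log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"    # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"    # Logon Type 10 = RemoteInteractive (RDP / Terminal Services)

# Constructed sample events for this example. 203.0.113.7 sprays five accounts
# and then succeeds as jsmith; 10.0.0.25 is a user mistyping a password twice;
# 10.0.0.40 is a network (type 3) failure that is not RDP and must be ignored.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2024-03-01T02:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-01T02:00:04 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2024-03-01T02:00:06 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2024-03-01T02:00:09 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2024-03-01T02:00:11 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2024-03-01T02:00:15 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.7
2024-03-01T02:01:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.25
2024-03-01T02:03:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.25
2024-03-01T02:10:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=10.0.0.40
2024-03-01T02:10:05 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.0.25
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(timestamp)
    return event


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for every address with at least `threshold`
    RDP logon failures inside `window`. Each finding lists the burst size, the
    account names tried, and any RDP successes from the same address after the
    burst began (the sign that a guessed password worked)."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    rdp_events = [e for e in events if e.get("LogonType") == RDP_LOGON_TYPE]

    by_ip = defaultdict(list)
    for event in rdp_events:
        by_ip[event["IpAddress"]].append(event)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["EventID"] == FAILED_LOGON]
        # Sliding window anchored on each failure: first burst that reaches
        # the threshold is reported, then we move on to the next address.
        for i, start in enumerate(failures):
            burst = [e for e in failures[i:] if e["time"] - start["time"] <= window]
            if len(burst) < threshold:
                continue
            successes = [e["TargetUserName"] for e in evs
                         if e["EventID"] == SUCCESS_LOGON and e["time"] >= start["time"]]
            findings[ip] = {
                "failures": len(burst),
                "usernames": sorted({e["TargetUserName"] for e in burst}),
                "success_after": successes,
            }
            break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        verdict = "LIKELY COMPROMISE" if finding["success_after"] else "guessing in progress"
        print(f"{ip}: {finding['failures']} RDP failures against "
              f"{len(finding['usernames'])} accounts, {verdict}")
```

With the defaults, only 203.0.113.7 is reported (six failures across five accounts, followed by a successful logon as jsmith), while the two mistyped passwords from 10.0.0.25 stay below the threshold. Detection like this is the inner layer of the "defense in depth" Ghedia describes; it does not replace taking RDP off the internet, since an attacker with a bought credential needs only one attempt and produces no burst at all.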
But the ultimate weapon in this digital battle, Ghedia said, involved an educated workforce that knows how to avoid dubious external emails and to identify potentially spoofed internal emails.
“According to the Infosec Institute statistic, one in 25 users actually clicks on the phishing links in emails,” he said. “That is why we need to train our users. They are our biggest assets and our biggest allies in this fight against ransomware.”