Ugly New Ransomware Vulnerabilities—and How to Fix Them
How do you get ransomware? Traditionally, it begins with a suspicious email in your inbox … maybe an infected file attachment or a link to a malicious website. But over the past year, we’ve seen several other ransomware vulnerabilities that left organizations at risk of a major attack.
In this post, we look at the most common ways your organization may be vulnerable to ransomware—including the most recent vulnerabilities—and what you can do about it.
Recent Ransomware Vulnerabilities
1) Software/OS Exploits
The 2017 WannaCry and NotPetya attacks showed that users don’t have to open a bad email, or touch a device at all, for a disastrous attack to happen. Ransomware developers figured out how to infect machines by exploiting known vulnerabilities in operating systems.
In the case of WannaCry and NotPetya, the exploit was EternalBlue. EternalBlue exploits a known vulnerability in Windows that allows an attacker to execute code through the Server Message Block (SMB) protocol. This allowed attackers to drop their ransomware infection on not just one computer, but nearly all other vulnerable computers on the same network.
Attacks were also aided by other exploits affecting the SMB protocol: EternalRomance and EternalChampion.
- Patch your systems! EternalBlue was a known vulnerability. Microsoft had already released a patch for it. Only machines that were unpatched were affected by the WannaCry and NotPetya attacks.
- Set a better patching schedule: If you can’t have systems or software update automatically, make sure there’s a revolving schedule for installing new patches shortly after they’re released by developers.
2) Mobile ransomware
The threat of ransomware isn’t limited to just servers and desktop machines. Tablets and smartphones are also vulnerable, and experts say these attacks are on the rise.
SLocker and LeakerLocker are popular forms of mobile ransomware that have existed for years. But researchers saw a spike in attacks in 2017, aimed at Android and Apple mobile operating systems. The tactics are very similar to traditional ransomware attacks. SLocker, for example, locks your mobile screen, encrypts your files (or in some cases simply hides them) and shows a message purporting to be law enforcement agencies requesting payments for “fines.”
In a 2017 survey by Datto, 4% of more than 1,700 IT providers said their business clients suffered a mobile ransomware attack in the previous year. A report by Trend Micro also noted that mobile ransomware attacks had risen 415% in the previous year — from 120,000 in 2016 to 468,837 in 2017.
- Set restrictions on app installations on all company-provided mobile devices. Only whitelisted apps should be utilized.
- Educate staff on mobile device policies and on the risks of mobile malware.
3) Malvertising
Malvertising (short for malicious advertising) is another method that hackers use to spread ransomware, often with little to no user action.
In March 2016, several high-profile websites began serving ads that hijacked users’ computers and infected them with ransomware. To be clear—these weren’t porn sites, phishing pages or torrenting communities, which are notorious for malware. The sites were The New York Times, the BBC, AOL, and the NFL, among others. It took about 24 hours for all the bad ads to be pulled.
According to the Guardian, “The malware was delivered through multiple ad networks, and used a number of vulnerabilities, including a recently-patched flaw in Microsoft’s former Flash competitor Silverlight, which was discontinued in 2013.”
In Datto’s 2017 survey, MSPs reported that malicious ads and websites were the third most common reason for their clients’ ransomware infections.
- Use ad-blocking software to prevent malicious ads from loading at all.
- Set restrictions on Internet browsing and whitelist only the sites that users need to perform their jobs.
- Make sure all browsers and operating systems are properly updated and patched.
4) SaaS Ransomware
Just because your files are stored in Dropbox, Google Drive or some other cloud app doesn’t mean it’s safe from ransomware.
New forms of ransomware, like ShurL0ckr, have been found to evade detection inside these services, even when there’s built-in malware security. Not only that, ShurL0ckr proliferates in these services. Researchers found at least three enterprise SaaS applications infected with malware, according to Trend Micro. And in Datto’s survey, 26% of MSPs found ransomware infections within their SaaS-based applications. Among those MSPs, 76% found infections in Dropbox, 32% in Office 365, 21% in G Suite, 5% in Box and 2% in Salesforce.
Applications used by today’s businesses are increasingly running in the cloud. But without the right safeguards in place, these apps can be a vulnerability that allows ransomware to lock up your critical data.
- Ensure data integrity (e.g. with malware/virus scanning) before files are stored in cloud apps.
- Use cloud-to-cloud backup technologies, like Datto’s Backupify, which provides SaaS protection against ransomware, malware damage and accidental file deletion.
Older Ransomware Vulnerabilities, Same Big Problems
1) Spam & Phishing Email
Spam and phishing emails are still the most common delivery method for ransomware. For hackers, it’s cheap; it reaches a ton of people; and it’s surprisingly effective.
Right at this moment, your spam folder probably contains dozens of ransomware-ready emails, just waiting for you to click their malicious links or open their malicious file attachments. In business settings, these emails are often disguised with messages about receipts, invoices, payments – seemingly important emails that beg to be opened. But alas, they’re bogus. And with one click, they can bring the whole company down for hours, days, perhaps even weeks.
One report found that 93% of all phishing emails now contain ransomware. Keep in mind that most ransomware isn’t targeted to specific organizations. Hackers blast out these emails by the millions, knowing that they’ll get clicks and that some people will pay the ransom.
Surveyed MSPs say that phishing emails remain one of the leading causes of ransomware infections at businesses today.
- Deploy stronger email/spam filters to prevent such emails from reaching inboxes in the first place.
- Use firewall settings to block incoming messages from known malicious IP addresses (which number in the tens of thousands).
- Educate employees on safe email/web practice (see vulnerability #2 below).
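As an added illustration of the second bullet (blocking mail from known malicious IP addresses), the following is example code written for this post, not a product or a filter described on the page. It assumes a gateway that sees the raw message and a CIDR blocklist of its own; the addresses and the messages below are constructed samples from documentation ranges, not real threat intelligence. The check deliberately reads only the topmost Received: header, the one stamped by your own gateway, because every earlier hop can be forged by the sender.

```python
import email
import ipaddress
import re
from email import policy

# Constructed blocklist (RFC 5737 documentation ranges), stand-in for a real feed.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.7/32")]

# Matches the bracketed connecting address an MTA writes into "Received: from host [ip]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_message: bytes):
    """IP of the host that handed the message to our gateway.

    Only the first (topmost) Received: header is trusted: it was added by our
    own server. Lower Received: lines arrive with the message and may be forged.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(str(received[0]))
    return ipaddress.ip_address(match.group(1)) if match else None


def is_blocklisted(ip) -> bool:
    # CIDR containment, so a /24 entry covers every host in that range.
    return ip is not None and any(ip in net for net in BLOCKLIST)


def filter_message(raw_message: bytes) -> str:
    """Return the gateway verdict: 'reject', 'accept' or 'quarantine'."""
    ip = connecting_ip(raw_message)
    if ip is None:
        return "quarantine"  # no usable hop information: hold for human review
    return "reject" if is_blocklisted(ip) else "accept"


# Constructed sample messages. The folded Received: header (tab-indented
# continuation line) is the form most MTAs produce.
BAD_MAIL = b"""Received: from mail.example.net (mail.example.net [192.0.2.45])
\tby mx.example.com with ESMTP id abc123; Mon, 1 Jan 2018 10:00:00 +0000
From: "Accounts" <billing@example.net>
Subject: Invoice overdue
Content-Type: text/plain

Please see the attached invoice.
"""

GOOD_MAIL = b"""Received: from partner.example.org (partner.example.org [203.0.113.9])
\tby mx.example.com with ESMTP id def456; Mon, 1 Jan 2018 10:05:00 +0000
From: "Partner" <ops@example.org>
Subject: Meeting notes
Content-Type: text/plain

Notes from today's call.
"""

NO_RECEIVED = b"""From: "Nobody" <nobody@example.com>
Subject: Hello
Content-Type: text/plain

No hop information at all.
"""

if __name__ == "__main__":
    for name, raw in (("bad", BAD_MAIL), ("good", GOOD_MAIL), ("no-received", NO_RECEIVED)):
        print(name, "->", filter_message(raw))
```

In production the blocklist would be refreshed from a feed on a schedule and the verdict fed back to the MTA (for example as a rejection at SMTP time rather than after acceptance), but the trust boundary shown here, your own gateway's Received: line versus everything below it, is the part that matters.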
2) Lack of cybersecurity training
Even with the stronger spam filters, malicious messages will still slip through. When they do, it’s critical that employees are able to recognize them.
A lack of cybersecurity training is the number-one cause of ransomware infection, according to IT providers. It’s possibly the single greatest vulnerability at organizations around the globe—which is why hackers try so hard to exploit it with phishing and spam emails. You can’t blame users for inadvertently opening a bad email. Today’s phishing scams are very deceptive, fooling even the upper ranks of an organization. If employees aren’t aware of these scams, don’t know what they look like or don’t understand the risks, then that’s the fault of the company, not the individual.
Every employee should be educated on the risks of ransomware and other malware. They should know how much destruction an attack can cause. They should know how to identify a suspicious email, what to do with it, and who to approach when they’re unsure. By properly training employees, you can drastically reduce the risk of an infection.
- Conduct company-wide cybersecurity training on a regular basis, e.g. once a year.
- Educate new employees on cybersecurity risks and protocols as part of their onboarding.
3) No anti-malware software
No single solution guarantees you won’t be infected with ransomware. But a multilayered approach can drastically reduce your risk—and good anti-malware software is a major component of that.
Anti-malware software can stop malicious file attachments from being opened, and it can prevent fake websites from hijacking a computer after a bad link has been clicked. Even if the malware is not a known strain, good software will detect suspicious sources, data and activity on your systems, stopping an attack at the first signs of a possible infection.
Will it prevent all ransomware? No. New strains and families of ransomware are constantly being developed. And as we’ve established already, new vulnerabilities will continue to pose risks at every organization. But that does not mean you can afford to go without a top-notch anti-malware solution.
- Deploy a business-grade anti-malware solution.
- Schedule automatic file scans; allow real-time file scanning and automatic software updates to ensure the software is actively protecting your systems and using the most up-to-date malware definitions.
4) Poor data backup system
A data backup won’t necessarily prevent a ransomware attack. But it can prevent a ransomware attack from devastating the company.
When your files have been encrypted by ransomware, the easiest way to get them back is to recover a backup. It’s arguably the most important layer of defense against ransomware, because it ensures you always have another copy of every file. After an attack, you simply restore a backup from before the infection occurred, and PRESTO! The data is back, and the ransomware is gone.
Plus, data backup solutions from Datto have built-in ransomware detection, which automatically monitors your data for signs of an infection. This early warning system can do wonders for containing the spread of an infection and thus shortening costly downtime.
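To make the two detection ideas above concrete (anti-malware that flags suspicious data and activity even for an unknown strain, and a backup system that monitors data for signs of infection), here is an added example written for this post. It is not Datto's detection logic or any product's code, and it assumes nothing about their internals. It compares two backup snapshots of a directory and looks for the one behavioural trait that nearly all file-encrypting ransomware shares: files that were ordinary, compressible data in the previous snapshot and are now near-random (high Shannon entropy), often with a new extension tacked on. The thresholds and the sample directory are constructed for the demonstration.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data sits close to 8.0
ALERT_RATIO = 0.5        # alert when this fraction of known files jumped to high entropy
MIN_SIZE = 64            # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Map each file (keyed by its path with every extension stripped) to
    (extension, entropy, size). Keying without extensions lets 'report.docx'
    line up with 'report.docx.locked' in the next snapshot."""
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            stem = p.name.split(".", 1)[0]
            key = str(p.parent.relative_to(root) / stem)
            data = p.read_bytes()
            files[key] = (p.name[len(stem):], shannon_entropy(data), len(data))
    return files


def ransomware_indicators(before: dict, after: dict) -> dict:
    """Flag files whose content crossed from low to high entropy between snapshots."""
    suspicious, renamed = [], []
    for key, (ext_before, ent_before, _) in before.items():
        if key not in after:
            continue  # deletions are handled by ordinary backup diffing
        ext_after, ent_after, size_after = after[key]
        jumped = size_after >= MIN_SIZE and ent_before < ENTROPY_THRESHOLD <= ent_after
        if jumped:
            suspicious.append(key)
            if ext_after != ext_before:
                renamed.append(key)
    ratio = len(suspicious) / len(before) if before else 0.0
    return {
        "suspicious": sorted(suspicious),
        "renamed": sorted(renamed),
        "ratio": ratio,
        "alert": ratio >= ALERT_RATIO,
    }


def build_demo() -> dict:
    """Constructed scenario: ten text documents, then eight of them replaced by
    pseudo-random bytes with '.locked' appended, as an encryptor would leave them."""
    rng = random.Random(1234)
    text = b"Quarterly report: revenue steady, costs down, see attached figures.\n" * 40
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        before_dir, after_dir = Path(a) / "docs", Path(b) / "docs"
        before_dir.mkdir()
        after_dir.mkdir()
        for i in range(10):
            (before_dir / f"file{i:02d}.txt").write_bytes(text)
            if i < 8:  # "encrypted" copies: random content, new extension
                garbage = bytes(rng.getrandbits(8) for _ in range(4096))
                (after_dir / f"file{i:02d}.txt.locked").write_bytes(garbage)
            else:      # untouched copies
                (after_dir / f"file{i:02d}.txt").write_bytes(text)
        return ransomware_indicators(snapshot(Path(a)), snapshot(Path(b)))


if __name__ == "__main__":
    report = build_demo()
    print(f"alert={report['alert']} ratio={report['ratio']:.2f}")
    for key in report["suspicious"]:
        print("  suspicious:", key)
```

A real backup appliance would run this comparison on every scheduled snapshot and, on alert, hold the last clean point so the restore described above has something to go back to; the entropy signal is also what lets it fire on a strain nobody has seen before, since no signature is involved. The obvious false positive is a directory of newly added archives or media, which is why the ratio is measured against files that were already known in the previous snapshot rather than against everything present.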
- Deploy a backup and disaster recovery solution that stores your data both onsite and in the cloud for greater protection.
- Make sure your system can take frequent backups and that backups can be recovered promptly when needed, to reduce the length of downtime.
For more information on how your company can defend against ransomware and other data threats, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email [email protected] or request a free Datto demo today.