04/20/2021 | Press release | Distributed by Public on 04/20/2021 09:28
Ransomware attacks have spiked since late last year, most of them targeting widely used applications. A recent Check Point Research (CPR) report noted a 57% increase in organizations affected by ransomware within the past 6 months, including the Hafnium and DearCry campaigns that affected over 30,000 organizations running Microsoft Exchange servers. Before that, it was the Sunburst breach that, aside from creating other calamities, allowed these bad actors to look deep into Microsoft's software code, browsing to their heart's content.
Having worked as a software and hardware engineer for nearly two decades, I find it scary to think what destructive minds can do once they get unfettered access to the systems that run the world's commerce, education, manufacturing, critical infrastructure, defense, and even entire governments. What have the hackers figured out? How will it inform their future attacks? These are the lingering questions that keep me awake many a night.
The most common worms and malware families causing this surge are Ryuk and Maze. But there are other popular ones - Bad Rabbit, Cryptolocker, GoldenEye, Jigsaw, LeChiffre, Locky, NotPetya, Petya, and WannaCry - to name a few. As these existing malware families, along with an ever-increasing number of variants, gain momentum from well-funded and well-organized adversaries, we can expect to see a growing number of headlines about compromised companies and organizations.
It's no surprise that WannaCry is rearing its ugly head. Back in 2017, the WannaCry outbreak infected as many as 200,000 computers within 72 hours. Using the EternalBlue exploit against the Windows SMB (Server Message Block) protocol, the malware could infect new victims on its own, spreading exponentially over the Internet. WannaCry is still infecting Windows servers. How? Unpatched servers.
It's appalling to note that it's been four years since Microsoft released the fixes for the vulnerability WannaCry exploits, yet unpatched servers still exist today. Common segments targeted by WannaCry are government/military, manufacturing, banking, and healthcare. According to CPR, the United States is the primary target, receiving 49% of all exploit attempts. Auditing of server software is needed immediately to identify unpatched servers, with special attention to those that haven't been powered up in a long time: a machine that was off during past patch cycles is still exposed to the moment it reconnects to the network.
So, what can businesses do to protect themselves from ransomware and malware in general? Some simple but effective actions include:
Keep systems patched. Many ransomware and malware variants rely on unpatched vulnerabilities to get into your network and onto your devices. Though prompt patching is the general rule of thumb, the lessons from the Sunburst attack taught us to wait a day or two before applying updates. When seeking guidance on when to patch, look to known credible sources on the timing of those updates.
Back up your data. This will enable you to recover your data and not be beholden to a ransom demand. Many software backup solutions provide multiple flexible time slots to automatically back up data, and user dashboards to recover it. Geo-separated replication of backups adds one more level of protection, and keeping at least one copy offline or otherwise unreachable from the production network matters too, since ransomware that can reach the backups will encrypt them as well.
Train your employees to spot phishing campaigns and to avoid compromised websites. Since most successful attacks start with an employee clicking on something they shouldn't, train them regularly to recognize malicious activity. Use third-party testing services, such as simulated phishing campaigns, to confirm they make good decisions.
All businesses must implement a standard IT/security practice of periodically auditing all hardware and software. The process will identify the hardware replacements, software and firmware upgrades/downgrades, patches, license renewals, and end-of-life (EOL) actions needed, as recommended by the vendors. Having such an IT process will go a long way toward closing the gaps that ransomware uses to breach your security.
Using updated antivirus software on servers and desktops, upgraded threat prevention, and other perimeter security devices such as next-gen firewalls and intrusion detection and prevention systems (IDPS) certainly helps. But with bad actors finding ways to evade those defenses, consider solutions that inspect all your inbound and outbound traffic for malicious connections, so that attacks are identified and stopped before they can harm your business.