Cisco has recently published its 2016 Midyear Cybersecurity Report, which suggests many organizations are simply not equipped to deal with the next generation of ransomware. The use of ransomware by cybercriminals has increased significantly in recent months, with many new and sophisticated variants having already been released.
Locky and CryptXXX currently pose the biggest threat to organizations. Locky is delivered via malicious email attachments, while CryptXXX is the main ransomware threat from malicious websites hosting exploit kits. Both of these crypto-ransomware variants are highly sophisticated. The next generation of ransomware promises to be even more difficult to detect and remove.
Attackers are now not only conducting attacks on endpoints, but are also launching server-side attacks. The methods used to attack organizations are evolving rapidly, and ransomware authors are becoming much more adept at obfuscating their activity.
According to the report, organizations are failing to contain the operational space of attackers. This is one of the biggest cybersecurity challenges currently faced by IT pros. Cisco says organizations are slow to detect ransomware infections, giving malicious actors far too much time to operate. Many organizations also have a fragile infrastructure and exercise poor network hygiene.
Cisco points out that ransomware is now the most profitable form of malware ever developed. Entire networks can be held to ransom. Organizations are often given little choice but to meet the attackers' demands. The latest ransomware variants can spread on their own, lie dormant to avoid detection, and can tell if they are installed in a sandbox and delete themselves.
Cisco predicts that the next generation of ransomware will be able to limit CPU usage to avoid detection and will not require command and control server communications, which is how many infections are identified. Future strains of ransomware are also likely to be able to perform reconnaissance of systems and self-replicate. They will be able to spread faster and infect more devices and cause significantly more damage.
Organizations need to improve the speed at which new threats are detected. The current average time for detecting new threats is 200 days. It is essential for organizations to implement technology to improve the median time to detection in order to constrain attackers and minimize the damage caused.
Many organizations make it far too easy for attackers by failing to install patches and by continuing to use unsupported programs and operating systems.
Attackers have been focusing on healthcare organizations in recent months due to the increased likelihood of those organizations paying ransoms to recover their data, and the ease with which attacks can take place. However, all organizations are at risk. Cisco says in its report that all industry verticals are being attacked and that ransomware is now a major global problem.
If organizations are to repel the next generation of ransomware, it is essential that comprehensive risk analyses are conducted and that security gaps are identified and plugged.
Cisco recommends some simple steps that should be taken by all organizations to reduce the risk of ransomware attacks being successful and to protect against the next generation of ransomware strains.
Network hygiene must be improved and patches need to be implemented on time. Email and web security solutions also need to be deployed. Security defences need to be integrated, rather than simply using a variety of standalone products. The time to detection must also be reduced to limit the damage caused. Cisco also recommends making metrics part of organizational security policies.
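The report's two recommendations on time to detection and on making metrics part of security policy come together in practice as a measured detection-latency figure that is tracked against a target. The following is an added example, not code from the Cisco report or from this article: it computes per-incident time to detection from a small set of constructed incident records (the timestamps and incident IDs are invented for illustration, not figures from the report) and summarises them against a hypothetical policy target. It also reports both the median and the mean, because a single long-undetected incident skews the mean badly, which is why the median is the more useful figure to put in a policy.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (invented for this example; not data from the report).
# "compromised" is the forensic best estimate of when the intrusion began,
# "detected" is when the security team first raised an alert on it.
INCIDENTS = [
    {"id": "INC-001", "compromised": "2016-01-04T09:00", "detected": "2016-01-06T09:00"},
    {"id": "INC-002", "compromised": "2016-02-10T08:30", "detected": "2016-02-10T12:30"},
    {"id": "INC-003", "compromised": "2016-03-01T00:00", "detected": "2016-03-31T00:00"},
    {"id": "INC-004", "compromised": "2016-04-12T10:00", "detected": "2016-04-13T22:00"},
    {"id": "INC-005", "compromised": "2016-05-20T07:45", "detected": "2016-05-20T09:45"},
]

TIMESTAMP_FMT = "%Y-%m-%dT%H:%M"


def ttd_hours(incident):
    """Time to detection for one incident, in hours."""
    start = datetime.strptime(incident["compromised"], TIMESTAMP_FMT)
    end = datetime.strptime(incident["detected"], TIMESTAMP_FMT)
    if end < start:
        # A detection timestamp earlier than the compromise estimate means the
        # timeline is wrong; refuse to produce a misleading negative latency.
        raise ValueError(f"{incident['id']}: detection precedes compromise; check the timeline")
    return (end - start).total_seconds() / 3600


def ttd_metrics(incidents, target_hours):
    """Summarise detection latency against a policy target (target_hours is a hypothetical value)."""
    latencies = sorted(ttd_hours(i) for i in incidents)
    over_target = [i["id"] for i in incidents if ttd_hours(i) > target_hours]
    med = median(latencies)
    return {
        "count": len(latencies),
        "median_hours": med,
        "mean_hours": mean(latencies),
        "max_hours": latencies[-1],
        "over_target": over_target,      # incidents to review in a post-incident report
        "meets_target": med <= target_hours,
    }


if __name__ == "__main__":
    report = ttd_metrics(INCIDENTS, target_hours=24)
    print(f"incidents: {report['count']}")
    print(f"median TTD: {report['median_hours']:.1f} h, mean TTD: {report['mean_hours']:.1f} h")
    print(f"worst case: {report['max_hours']:.1f} h")
    print(f"over target: {', '.join(report['over_target']) or 'none'}")
    print("policy target met" if report["meets_target"] else "policy target NOT met")
```

With the constructed data the median is 36 hours while the mean is 162 hours, driven almost entirely by the one incident that went undetected for a month; tracking the median each quarter, together with the list of incidents that exceeded the target, gives the kind of metric the report recommends writing into policy.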
Organizations must protect their entire networks from attack and protect users wherever they work, rather than just protecting the systems they interact with. Since no security system can be 100% effective, organizations must ensure they have viable backups of all critical data and make sure that backup devices are also not susceptible to compromise.