Dec. 19, 2016
As part of a Look Ahead to 2017 series, Computerworld Malaysia recently asked Sumit Bansal (pictured below), director for ASEAN & Korea at UK-headquartered infosecurity company Sophos, for a 'rapid-fire' interview on ransomware during 2016. Ransomware was flagged as a significant leader in the threat landscape at the beginning of 2016 by many security analysts, and it was also the subject of a national alert from CyberSecurity Malaysia.
We also asked Sumit how organisations should be arming themselves against ransomware threats in 2017.
First of all, would you give us an overview of the state of Ransomware globally during 2016?
SB: Ransomware is on the rise globally. Over the years, we have seen several variants of ransomware, from CryptoWall that encrypts files to exploit kits that exploit security holes found in software applications.
Year after year, this 'industry' has succeeded in luring more victims and the attacks continue to increase rapidly. We have also observed that cybercriminals tend to target the healthcare, education and financial services sectors.
Although the US has the largest concentration of ransomware attacks, infections are also being spread out over other countries. Ransomware is proving to be more successful today than five years ago because cybercriminals are targeting and filtering out specific countries when designing ransomware and other malicious cyber attacks.
Photo - Sumit Bansal, Director for ASEAN & Korea, Sophos
What's been the toll against businesses in Malaysia and APAC as a whole?
Ransomware has become a critical threat for businesses in Malaysia and across APAC, especially for small and medium sized enterprises (SMEs).
Many SMEs, especially in APAC, seem to have inadequate protection against these threats. It is common for SMEs to settle for low-end security products that lack necessary capabilities, either due to tight budgets or limited resources.
However, with the rapid growth of ransomware, it is important for businesses to invest in a powerful ransomware protection that is not only capable of automatically stopping ransomware attacks when detected, but also rolling back affected files to their pre-attack state.
For example, we recently launched Intercept X, our next-generation endpoint security solution, which stops zero-day malware, unknown exploit variants and stealth attacks, and also includes an advanced anti-ransomware feature that can detect previously unknown ransomware within seconds.
We combined several techniques for faster identification and responses that are coordinated to recognise malicious behaviours and stop potential attacks sooner. The entire process should be coordinated to support IT professionals without the need for specialised security staff, while saving considerable time, resources and money.
Please describe some of the advanced techniques adopted by cyber criminals in recent cases.
In a recent SophosLabs research, we found that 'designer' cyber threats are on the rise, with cybercriminals targeting and even filtering out specific countries when designing ransomware and other malicious cyberattacks.
In order to lure more victims, cybercriminals are now crafting customised spam to carry threats using regional vernacular, brands and payment methods for better cultural compatibility. To be as effective as possible, these scam emails now impersonate local postal companies, tax and law enforcement agencies and utility firms, including phony shipping notices, refunds, speeding tickets and electricity bills. SophosLabs has seen a rise in spam where the grammar is more often properly written and perfectly punctuated.
With ransomware cleverly disguised as authentic email notifications, complete with counterfeit local logos, it is harder to spot fake emails from real ones, and there is a higher chance for users to click on fake emails and be infected.
What sort of businesses have opted to pay off criminals to get back control of their data?
The businesses that opt to pay off criminals are usually from industries that possess large amounts of client data, such as hospitals, schools and financial institutions. As they possess data that is crucial to sustain business operations, enterprises in these industries have little choice but to pay up the ransom.
What is your general advice to companies hit by Ransomware?
The first thing to do is to locate the source of the ransomware, as locating the source on the company network will not only help the user locate all the encrypted files but also give an insight into how this attack happened. This will help the user to change security settings appropriately to reduce the risk of this happening again.
The next step would be to protect and clean infected machines, as it is important to ensure that the installed security products are working correctly.
Then, the focus should be on restoring data. Although most files encrypted by ransomware cannot be restored, occasionally files encrypted by some variants of ransomware can be restored, and this is possible if the encryption method used is weak, or the ransomware criminals made a mistake in their code, or the criminals were arrested and the authorities got the decryption keys.
Finally, the company should aim to invest in a powerful ransomware protection that is not only capable of automatically stopping ransomware attacks when detected, but also rolling back affected files to their pre-attack state.
We also recommend that enterprises encrypt their data, as encryption can prevent online fraud and theft of financial and personal information. Encryption is also valuable as it slows hackers down. For example, if hackers steal encrypted data, they would still have to search for a few days for the encryption keys, and in this time IT security teams have a higher chance of detecting suspicious activity.
CyberSecurity Malaysia released a national warning about Ransomware at the beginning of this year - what more can government and enforcement agencies do?
Government agencies could collaborate with ICT companies and legal authorities to create an avenue for victims to receive appropriate technical and legal advice where necessary. It is also important to ensure that victims report ransomware to law enforcement agencies so they are in a better position to help mitigate the threat.
Taking a 2017 perspective, do you think there are any differences around the world in ransomware - in how it is delivered, and handled?
Based on the research by SophosLabs on 'designer' cyberthreats, we found that versions of CryptoWall predominantly hit victims in the U.S., U.K., Canada, Australia, Germany and France, while TorrentLocker attacked primarily the U.K., Italy, Australia and Spain. It was also found that TeslaCrypt honed in on the U.K., U.S., Canada, Singapore and Thailand.
Specifically in APAC, we found that there is plenty of worm activity in Singapore and, once infected, the malware has a tendency to focus on password-stealing Trojans, remote access Trojans (spying) and ransomware. TeslaCrypt is the most prevalent ransomware strain in Singapore, and it is distributed widely via exploit kits that use a process known as drive-by download, invisibly directing a user's browser to a malicious website.
In India, we have seen a wide variety of threats, primarily worms, banking Trojans and spam bots, which collect email addresses for sending unsolicited emails. The prevalence of worms suggests that India has a higher percentage of PCs that aren't getting security updates.
Looking Ahead to 2017, what are your general security expectations and key messages to individuals and businesses?
In 2017, cybercriminals will continue to devise new ways to launch cyber attacks targeting individuals and businesses. Also, with the rise of the Internet of Things (IoT), hackers will increasingly target smart devices with an aim to gain access to all other connected devices.
IoT vulnerabilities will inevitably open up new possibilities for hackers and pose several threats, apart from just privacy invasion. For example, kettles and baby monitors are getting connected to the internet with security flaws still in place, and these devices can be easily discovered by a search engine like Shodan, which prides itself on being the world's first search engine for internet-connected devices. This means that hackers can not only spy on baby monitors, security webcams and wearables, but also steal personal information, take control of the device or even authorise other users to remotely view and control the device.
With ransomware being one of the biggest threats today, we recommend the following best security practices for enterprises in 2017:
1. Back up files regularly and keep a recent backup copy off-line and off-site. Encrypt the backup for an additional layer of protection.
4. Don't enable macros in document attachments received via email as infections can be spread this way.
5. Be cautious about unsolicited attachments and refrain from opening them.
6. Do not stay logged in as an administrator longer than required, and avoid browsing and opening documents while logged in.
7. Consider installing the Microsoft Office Viewer, as the application provides a preview of documents without opening them.
8. Patch early and patch often. Ransomware that is not spread via document macros often relies on security bugs in popular applications such as Office and Flash.
9. Stay updated with new security features in your business applications. For example, Office 2016 now includes a control called "Block macros from running in Office files from the internet", which helps protect against external malicious content without stopping you using macros internally.
At Sophos, we have people behind the scenes constantly collecting, correlating and analysing data to provide the best protection for enterprises. With ransomware being one of the most widespread and damaging threats today, we have recently launched a host of next-generation endpoint protection solutions for enterprises.
As I mentioned earlier, our Intercept X solution blocks zero-day attacks and threat variants within seconds, without the need for traditional file scanning or signature updates. Intercept X is a component of our synchronised security strategy and is enabled with the Security Heartbeat to share threat intelligence with Sophos' next generation endpoint and network solutions for a coordinated and automated response to attack.
To finish off, what have been the high points for Sophos in 2016?
This was a good year for Sophos. Sophos was named the only IT security company to be positioned as a Leader by Gartner in three security Magic Quadrant reports: September 2015 Magic Quadrant for Mobile Data Protection Solutions, February 2016 Magic Quadrant for Endpoint Protection Platforms, and the Magic Quadrant for Unified Threat Management (UTM).
Sophos was also positioned as a 'Leader' in Forrester Research, Inc.'s new report, The Forrester Wave: Endpoint Security Suites, Q4 2016, and recognised as delivering "the most enterprise-friendly SaaS endpoint security suite."
We believe these victories are due to our unique product strategy of complete security made simple. We are also a leading provider of both end-user security and network security, and have recently added a new wave of security innovation called synchronised security, which for the first time allows endpoint and network security products to actively and continuously share threat intelligence with each other to effectively protect against today's sophisticated threats.