Security Technology Executive

FEB-MAR 2018

Issue link:

Contents of this Issue


Page 48 of 61

www. • Februar y/March 2018 • SECURIT Y TECHNOLOGY E XECUTIVE 47 How fast does ransomware strike? There are several observations to derive from recent ransomware attacks. The first is that once the malware has gained a foothold on an 'index machine,' the rate of infection to reach all vulner- able devices is very rapid. The infection spreads exponentially and can only be stopped by isolat- ing uninfected vulnerable devices from the net- work. In recent attacks, two organizations with several thousand endpoints were compromised in under one hour. The first organization did not have a robust reporting and alerting system, so the infection did not stop until every vulnerable device was compromised. The second organiza- tion had a security incident and event monitoring tool and an anti-virus console which alerted the IT staff and allowed them time to isolate some of the network. Both organizations detected the event but because of the zero-day nature of the attack, these tools were unable to automatically stop the spread. Eventually, most of the vulnerable devices in multiple geographic areas were compromised. Public-sector problems with ransomware have been at a low simmer for a while, with 35 state and local governments reporting problems in 2014, according to the Multi-State Information Sharing and Analysis Center, an organization that tracks cybersecuri- ty issues for states and localities. But in 2015, the FBI warned that the problem is on the rise —growing 114 percent in 2014 — and said that unlocking the files is so difficult that the agency often suggests just pay- ing the ransom. Image courtesy The rapid response of isolating all network seg- ments saved a few devices but not enough to continue operations. I've been infected with ransomware, so what should I do? First, remember that law enforcement officials encourage organizations to not pay the ransom because it only fuels the criminal elements and leads to more attacks. Regardless if a victim pays or not, the decryption keys only allow organiza- tions to decrypt their data, but those keys will not remove the malware that delivered the encryption payload in the first place. Removing the malware is a huge effort that can take even midsize organiza- tions weeks to accomplish because every infected device must first be identified, then reimaged. Removing the malware is also very expensive — for example, it cost one organization 60 percent of the annual IT budget recover from the ransom- ware attack. Another reason for the long recovery time is that normal operations cannot resume

Articles in this issue

Links on this page

Archives of this issue

view archives of Security Technology Executive - FEB-MAR 2018