Issue link: https://securitytechnologyexecutive.epubxp.com/i/956571
www.SecurityInfoWatch.com • February/March 2018 • SECURITY TECHNOLOGY EXECUTIVE 47

How fast does ransomware strike?

There are several observations to derive from recent ransomware attacks. The first is that once the malware has gained a foothold on an 'index machine,' the rate of infection to reach all vulnerable devices is very rapid. The infection spreads exponentially and can only be stopped by isolating uninfected vulnerable devices from the network. In recent attacks, two organizations with several thousand endpoints were compromised in under one hour. The first organization did not have a robust reporting and alerting system, so the infection did not stop until every vulnerable device was compromised. The second organization had a security incident and event monitoring tool and an anti-virus console, which alerted the IT staff and allowed them time to isolate some of the network. Both organizations detected the event, but because of the zero-day nature of the attack, these tools were unable to automatically stop the spread. Eventually, most of the vulnerable devices in multiple geographic areas were compromised. The rapid response of isolating all network segments saved a few devices, but not enough to continue operations.

Sidebar: Public-sector problems with ransomware have been at a low simmer for a while, with 35 state and local governments reporting problems in 2014, according to the Multi-State Information Sharing and Analysis Center, an organization that tracks cybersecurity issues for states and localities. But in 2015, the FBI warned that the problem is on the rise — growing 114 percent in 2014 — and said that unlocking the files is so difficult that the agency often suggests just paying the ransom.

I've been infected with ransomware, so what should I do?
First, remember that law enforcement officials encourage organizations not to pay the ransom, because it only fuels the criminal elements and leads to more attacks. Regardless of whether a victim pays, the decryption keys only allow organizations to decrypt their data; those keys will not remove the malware that delivered the encryption payload in the first place. Removing the malware is a huge effort that can take even midsize organizations weeks to accomplish, because every infected device must first be identified, then reimaged. Removing the malware is also very expensive — for example, it cost one organization 60 percent of the annual IT budget to recover from the ransomware attack. Another reason for the long recovery time is that normal operations cannot resume