Ransomware: Can we finally start learning from past mistakes?

ransomware learningThere is a phrase I am finding quite relevant lately. It is attributed to the philosopher George Santayana and it goes like this: “Those who cannot remember the past are condemned to repeat it.” The reason it comes to my mind a lot these days is the headlines we are seeing relating to the latest ransomware attacks against companies’, hospitals’ and government departments’ systems.

Previous headlines highlighted how criminals used DDoS attacks to extort money from victim companies, and we regularly see stories on how organizations lost money after falling victim to CEO fraud (i.e. BEC scams).

Coming fast and furious behind these news stories are the sales pitches, blog posts, and press releases from security vendors and consulting firms on how their latest and greatest solution will prevent your organization from falling victim to any of the above attacks.

This coverage often calls these attacks sophisticated or the result of the dreaded APTs (Advanced Persistent Threats). This gives the impression that our systems are constantly being bombarded by highly skilled adversaries and that no matter what we as defenders do we will not be able to protect ourselves.

But, if we examine these attacks, there is really nothing new or sophisticated about them.

Ransomware attacks and CEO fraud are mostly the result of phishing attacks. We have had the threat of DoS and DDoS attacks for as long as we have put our servers onto the Internet. None of these attacks are new. It is true the attackers may use or abuse new technologies or services to commit their attacks but the majority of attacks we suffer from are through known attack vectors.

The Verizon Data Breach Investigations Report (DBIR) reinforces this conclusion. Each year the DBIR analyses incidents it receives from many organizations, such as law enforcement agencies, Computer Security Incident Response Teams, and security firms, from all over the world. Verizon then analyzes the data relating to these breaches and publishes the findings. Year after year the same message keeps coming through: the majority of attacks are not sophisticated, but exploit basic security vulnerabilities, bad security practises, or poor implementation of security controls.

So, despite the evidence that we are not learning from our mistakes and following the basic requirements to protect our data and systems, we are constantly distracted by new security solutions.

This latest scourge of ransomware is a prime example of this. Ransomware is basically run of the mill malware, except this time it has a particularly immediate and effective payload. We’ve been battling malware for decades so it is disheartening that we still see so many individuals and companies fall victim to these attacks. To compound the issue, most ransomware is delivered via spam or phishing emails, attack vectors that by now we should have gotten better at defending against.

Basic security hygiene

The following are just some of the basic security hygiene guidelines that we should follow and, if implemented properly, they could significantly reduce the likelihood of infection by ransomware or any other future type of attacks:

  • Implement a reputable AV solution and ensure that all PCs, laptops, and mobile devices are kept up to date with the latest versions and signatures.
  • Implement a means to keep all devices patched with the latest versions and patches for all key software employed on those computers.
  • Block all outgoing I2P and other peer-to-peer network traffic at the firewall to prevent infected computers communicating with their masters and receiving further instructions.
  • Subscribe to a reliable threat intelligence source which will regularly update you with details of malicious and suspicious URLs, domains, and IP addresses on the Internet. Access to these malicious and suspicious URLs, domains, and IP addresses should then be blocked.
  • Install ad-blocking software on your firewall to prevent infections via malicious ads on websites.
  • Disable ActiveX content in the Microsoft Office Suite of applications. Many computer viruses use macros to take advantages of ActiveX and download malware onto the vulnerable PC.
  • Look at ways to block executable files from the %APPDATA% and %TEMP% paths on computers with the Microsoft Windows OS installed. These folders are often used by malicious software to download and execute files associated with ransomware and other malicious software.
  • For Windows-based computers use Software Restriction Policies to allow only authorized software to run on your computers.
  • Remove local admin access to Windows-based computers, and the equivalent for other operating systems, to minimize the likelihood of malware being installed on the device by the user.
  • Look at ways to segment your network so that you can control network traffic or isolate parts of your network to contain an outbreak.
  • Run regular security awareness campaigns to enable users to identify and deal with potential threats.

In my mind ransomware is not an indication of how attackers have become more sophisticated but a reflection of how we have failed as an industry to effectively implement basic security controls. So instead of looking for a silver bullet to ease our security woes, let’s look at the past and learn from our mistakes instead of repeating them again and again.