Thales Blog

Stop Ransomware in its Tracks with Strong Data Security

August 13, 2020

Charles Goldberg | VP, product marketing

Ransomware attacks are crippling cities and businesses. Last year alone saw a 41% increase over the previous year. And Cybersecurity Ventures predicts that a business will fall victim to a ransomware attack every 11 seconds, and the estimated cost to businesses will be around $20 billion by 2021.

To put this in perspective, below are some ransomware-related stats that will make anyone pause and think about taking proactive actions to prevent their business from grinding to a complete halt.

[Figure: Ransomware Infected]

  • Nearly 1,000 US organizations were impacted by ransomware attacks in 2019 according to Emsisoft, as shown in the figure above.
  • Municipal governments, universities and private businesses have spent more than $144 million responding to the biggest ransomware attacks of 2020 (so far), spending on everything from rebuilding networks and restoring backups to paying the hackers ransom, according to CRN.
  • The average cost of ransomware-caused downtime increased over 200%, from $46,800 in 2018 to $141,000 in 2019, according to Datto.

So how does ransomware infiltrate your business?

Ransomware, in a nutshell, is a vicious type of malware that cybercriminals use to block access to your entire system or specific sensitive files/databases, until you or your company pays a ransom. While a ransomware attack usually doesn’t result in a data breach, cybercriminals have been moving toward taking a copy of the data before triggering the encryption, and then threatening to expose the data to pressure the victims into paying up.

Here is how a ransomware attack plays out:

  • You unknowingly click on a suspicious link or email attachment with malware as the payload.
  • The malware runs on your laptop and encrypts all your files on the system, preventing you from accessing your data.
  • The malware can laterally move from your laptop to a server, and encrypt all business critical files on that server, which could impact your entire company.

Baseline security countermeasures are falling short

Most organizations follow the baseline security countermeasures below to defend against ransomware attacks.

  • Security Awareness Training: Training your employees to recognize suspicious phishing emails through simulation exercises helps defend against attack delivery. However, it only takes one employee to make the mistake of opening a phishing email and infecting the company’s network.
  • Deploy Secure Email/Web Gateways: This technique can be used to defend against ransomware attacks delivered through email. However, secure web/email gateways are unable to detect a new strain of malware, because they do not have its signature.
  • Apply the Latest Software Patches: Regularly scanning all your systems and patching high-priority vulnerabilities helps defend against holes exploited by ransomware. However, ransomware can be easily delivered by exploiting unknown (zero-day) vulnerabilities, for which there are no patches yet.
  • Monitor DNS Queries: After ransomware infects a server/endpoint, it typically calls home to a command and control (CnC) server to exchange encryption keys. Monitoring DNS queries to known ransomware domains (e.g. “killswitch”) and resolving them to internal sinkholes can prevent ransomware from encrypting files. However, DNS servers are unable to block any unknown CnC domains used by new ransomware attacks.
  • Backup Critical Data Regularly: There still may be times when all security defenses fall short, and the ransomware attack succeeds in encrypting all business critical data. The best way to recover from a ransomware attack is to maintain a secure backup and also have a clear recovery plan that enables organizations to restore their business critical data. However, restoration is expensive and time-consuming.
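The DNS monitoring countermeasure above, and its blind spot for unlisted domains, can be seen in a short triage script. This is an added example, not code from Thales; the log format, the blocklist entries and the sinkhole address are all constructed for illustration.

```python
import re

# Constructed blocklist of known-bad domains (placeholders, not real indicators).
BLOCKLIST = {"killswitch.example", "c2.bad.example"}
SINKHOLE_IP = "10.0.0.53"  # assumed internal sinkhole address

# Constructed resolver log: "<timestamp> <client-ip> query: <name> <type>"
SAMPLE_LOG = """\
2020-08-13T09:00:01Z 10.1.4.22 query: www.example.org A
2020-08-13T09:00:02Z 10.1.4.37 query: KillSwitch.example. A
2020-08-13T09:00:03Z 10.1.4.37 query: a1.c2.bad.example A
2020-08-13T09:00:04Z 10.1.4.90 query: notc2.bad.example.net A
2020-08-13T09:00:05Z 10.1.4.90 query: new-strain.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query:\s+(\S+)\s+(\S+)$")

def normalize(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def blocked_parent(name, blocklist):
    """Return the listed domain that `name` equals or is a subdomain of."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # match on label boundaries only
        if candidate in blocklist:
            return candidate
    return None

def triage(log_text, blocklist=BLOCKLIST):
    """List queries that should be answered with the sinkhole address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ts, client, qname, _qtype = m.groups()
        listed = blocked_parent(qname, blocklist)
        if listed:
            hits.append({"time": ts, "client": client,
                         "query": normalize(qname), "listed": listed,
                         "answer": SINKHOLE_IP})
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The query for `new-strain.example` passes untouched because it is not on the list, which is the limitation the bullet describes.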

While these are tried and true best practices, many companies are still coming up short in preventing ransomware attacks. So what can you do to safeguard your data from ransomware more adequately?

Preventing ransomware attacks with data access policies

To effectively block any unknown malware (ransomware binaries) from taking your data hostage, you need a strong data security solution that can provide the following capabilities:

  • Application Whitelisting that identifies “trusted applications” – binaries which are approved to perform encryption/decryption of business critical files. It also needs to provide a way to check the integrity of these applications with signatures to prevent polymorphic malware from getting into approved binaries.
  • Fine-grained Access Control to your business’s critical data, which defines who (user/group) has access to specific protected files/folders and what operations (encrypt/decrypt/read/write/directory list/execute) they can perform. Some malware depends on escalating privileges to gain greater system access. Appropriate access control solutions can bar privileged users from examining and even accessing resources.
  • Data-at-rest Encryption protects data wherever it resides, in on-premises data centers or in public/private clouds. This makes the data worthless to intruders when they steal business-critical or sensitive data, and threaten to publish it if the ransom is not paid. In addition, some ransomware selectively encrypts files so that it doesn’t take systems entirely offline. Others look for sensitive data and only encrypt those files. In these cases, the malware cannot scan the encrypted files and, therefore, does not attack them.
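How the first two capabilities combine into one default-deny decision is sketched below. This is an added example and not Vormetric Transparent Encryption's policy format or code; the paths, user names, rule layout and binary images are hypothetical and constructed for illustration.

```python
import hashlib
from fnmatch import fnmatch

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executable images on disk.
BACKUP_AGENT = b"constructed image of an approved backup agent"
TAMPERED_AGENT = BACKUP_AGENT + b" + injected code"
UNKNOWN_BINARY = b"constructed image of an unapproved binary"

# Allowlist: path of a trusted application -> expected SHA-256 of its image.
TRUSTED_APPS = {"/opt/backup/agent": sha256(BACKUP_AGENT)}

# Rules: (user, protected path pattern, trusted app, permitted operations).
# fnmatch's "*" also matches "/", so the pattern covers subdirectories.
RULES = [
    ("svc_backup", "/data/finance/*", "/opt/backup/agent", {"read", "decrypt"}),
]

def evaluate(user, app_path, app_image, operation, target):
    """Return (allowed, reason) for one access attempt; default is deny."""
    expected = TRUSTED_APPS.get(app_path)
    if expected is None:
        return (False, "binary not on allowlist")
    if sha256(app_image) != expected:
        return (False, "binary integrity check failed")
    for rule_user, pattern, rule_app, ops in RULES:
        if rule_user == user and rule_app == app_path and fnmatch(target, pattern):
            if operation in ops:
                return (True, "allowed by rule")
            return (False, "operation not permitted")
    return (False, "no matching rule")

if __name__ == "__main__":
    target = "/data/finance/ledger.db"
    attempts = [
        ("svc_backup", "/opt/backup/agent", BACKUP_AGENT, "read"),
        ("root", "/tmp/updater", UNKNOWN_BINARY, "write"),
        ("svc_backup", "/opt/backup/agent", TAMPERED_AGENT, "read"),
        ("svc_backup", "/opt/backup/agent", BACKUP_AGENT, "write"),
        ("root", "/opt/backup/agent", BACKUP_AGENT, "read"),
    ]
    for user, app, image, op in attempts:
        print(user, app, op, evaluate(user, app, image, op, target))
```

The `root` attempts are denied even though the operating system would permit them, because the decision depends on the binary's identity and the rule set rather than on file permissions.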

Don’t let ransomware attacks disrupt your business

Vormetric Transparent Encryption is one of the widely deployed data protection products within the Thales Data Security Platform that enables organizations to protect their business critical data by transparently encrypting data-at-rest in files, volumes and databases on Windows, Unix and Linux OSs across physical and virtual servers, both in cloud and big data environments.

Vormetric Transparent Encryption also provides application whitelisting capabilities using fine-grained access control policies that enable organizations to block any rogue binaries from encrypting files/databases, even if the intruder has execute permissions for that binary and read/write permission to the target file that contains business critical data.

For more information, please download our “Preventing Ransomware Attacks from Disrupting Your Business with Thales Data Security” white paper.
