The ransomware threat to the enterprise continues to rise: A recent report by Osterman Research, which surveyed 540 CIOs, CISOs and IT directors in the U.S., Canada, U.K. and Germany, found that nearly 40% of businesses experienced a ransomware attack in 2015.
In this Q&A, IBM executive security advisor Etay Maor shared insight on the strategies employed by cyber attackers, the steps that an organization should take to shield itself from the surging ransomware threat and the threats lurking on the dark web. As cyber threats continue to evolve, Maor said the ransomware threat could quickly migrate to connected devices in the near future, a point he discussed during a panel on ransomware and the dark web at the recent Cambridge Cyber Summit, hosted by The Aspen Institute, CNBC and MIT.
What are some of the most common attack tactics employed by cybercriminals?
Etay Maor: The type of attacks that we see cybercriminals use has not significantly changed over the last couple of years; they just got better at it. They still rely on several basic elements which are usually some form of phishing, whether it's getting the victim to go to certain websites and expose his details and credentials or phishing in order for them to get infected with something.
Another element is the use of malware and different types of malware depending on what the attacker wants to achieve. For example, if the attack is against just a person and the attacker wants his bank account, then the malware will usually key log his information. If the attack is in the form of, 'Let's try to make quick money,' the malware will be a form of ransomware that encrypts your device and asks you for the money. If the attack is against a corporate device and the attackers want to gain access into an enterprise, then usually the malware will have the capability of a remote access tool, so it will have the capability to take over the device and the attacker will be able to use the victim's identity and the victim's device to go into the company's network.
A third element, which is incorporated into malware and phishing, is social engineering. So whether it is making sure that the victim does what the attacker wants the victim to do once he is infected with malware or calling the victim up and pretending like they are from a security team and are trying to help but are actually taking information away from the victim, social engineering is embedded into every part of these types of attacks.
With more organizations having to deal with the ransomware threat, what steps can they take to create a more secure environment?
Maor: First of all, put a lot of effort and education and also systems in place to not get infected in the first place. You can avoid a lot of the problems if people don't click on bad links and bad files that they may receive. Also, organizations should have systems in place that can monitor incoming emails, incoming links and make sure that people don't fall for it.
The second thing that companies can do is to have regular backups. That's actually pretty much the only way for you to come back from ransomware attacks. Having regular backups that are ready to be retrieved is important, but you want to make sure that you test these systems. You don't want to find out that your backup doesn't work when you have to retrieve it.
Why do you think IoT and connected devices will face the ransomware threat in the future?
Maor: We are becoming more and more reliant on these connected devices, so I don't see why the criminals will not go after them. If the attacker infects a victim's refrigerator, TV or car, it's a burden on the victim that the victim wants to resolve immediately. So, on the one hand you have the victim who wants to make sure that the attack is over; on the other hand, it is not that complex to get the money out of the victim. Most IoT devices don't have security as a priority. These devices just want to be first in the market; they want to be the number one seller. It's going to be an easier target for the attackers once they figure out how to go after these devices and install the ransomware.
What are some of the high-risk threats on the dark web?
Maor: The dark web itself is not a risk. The dark web allows you to remain anonymous online. What happens is people who go to the dark web in many cases are looking for bad stuff, because criminals like anonymity. So the risk is not the dark web itself, but the people who go there and obtain certain information and obtain certain tools. It may also be a form of risk for companies that allow employees to browse the dark web through corporate devices. So if you go into the dark web, if the company permits it, you may actually obtain illegal things while on corporate machines.
Whenever you go on the dark web you go through what is called Tor. There has been research that shows that some of these are actually infested with malware. So you may be infected with malware while you are on the dark web. A misconception that a lot of people have is they think, 'I am on Tor, I am on the dark web, I am anonymized and safe.' No, you are just anonymized; you are not safe from getting infected by malware.