Originally Published: 08 April 2016
Last week, the United States and Canada issued a joint advisory on the threat posed by crypto based Ransomware. The advisory followed a string of high-profile incidents which had affected a number of hospitals both in the US and other countries.
The CERT advisory can be viewed at: https://www.us-cert.gov/ncas/alerts/TA16-091A
The pervasiveness of this threat is demonstrating just how many organisations are clearly completely vulnerable to this type of threat, often with severe business impact.
While it is clear that the Malware problem is massive. It has been well over a decade since we have seen any form of large scale destructive Malware. Back in 2004, I spent some time in New York City performing a consultancy for a then large financial institution in the wake of a destructive worm infection. On a Friday evening, an Internet Based Worm (which I won’t name here) penetrated their internal network spreading widely and randomly erasing hard disk sectors throughout the organisation. While it was contained, the damage was significant. Fortunately, they had the weekend to recover from backups and restore operations. Had the event occurred at another time, the business Impact may have been in the billions of dollars!
Around that time, and following high profile events like SQL Slammer and Blaster, there were many people, including myself, greatly concerned about the possibility of a large scale destructive worm outbreak and the resulting potential economic impact. Fortunately, the high profile Internet worm trend died off, simply because there was no money to be made and significant personal risk existed for the authors of such Malware. Ransomware is just another form of Malware….. but with a significant financial return! Given the fact so many organisations are openly vulnerable to Ransomeware, again concerns me greatly.
The CERT Advisory recommends a range of fairly fundamental preventative security measures, such as adequate backups, system patching, etc. While those measures are strongly recommended, I would also highlight the importance of a robust network security architecture. Having previously worked with many customers who had been affected by those events, some severely, some far less so, it became very clear that those who had robust network security architectures, and mature operational procedures, were far less impacted.
In light of the current trend and growth of Ransomware, I would additionally highlight the importance of Network Security. This includes the use of Zoned Security Architectures, quality Firewalls, IPS (with auto updates), Network AV and Day-Zero malware detection systems. While there is no silver bullet, these approaches can significantly reduce your organisations risk profile.
I can’t see this problem going away any time soon. I predict it will get worse before it gets better.
_