Malware: What It Is, How It Spreads, and How It Has Become an Epidemic
When an entry-level employee, perhaps a brand-new hire who just received database access, receives an important-looking email from the CEO of the company, what does that employee do? In the vast majority of cases, he or she opens that email up immediately—it must be important if it's coming all the way from the head of the company, right? After clicking a bogus link, nothing unusual happens and the email is quickly forgotten about. However, three weeks later, production grinds to a halt as every employee in the company, from entry-level to executive, discovers they've been locked out of the system. Until a Bitcoin payment is made to a secret address, the computers warn, access to the system will be made impossible.
What just happened?
This is a classic malware scenario that involves a particular type of malware called ransomware. As the name indicates, it holds data hostage until a ransom is paid. There are countless permutations on this strategy, including variants where data is encrypted or where data is outright deleted—you're not getting it back whether you pay the ransom or not. Obviously, this is catastrophic from a business perspective, and the IT department will trace the attack to the email innocently opened by an unsuspecting employee.
What is Malware?
Malware is a catch-all term used to define viruses, trojans and worms—software applications that are designed to secretly install themselves on a host computer and harm their users in some way. Many of these technologies have been in use for at least two decades, but it's only recently that cybercriminals have turned their use into a full-fledged enterprise. Thanks to ransomware’s ability to make cybercriminal behavior profitable, criminal entrepreneurs are becoming increasingly common, selling malware applications, stolen corporate data and more through illicit channels on the Deep Web.
There are three basic forms of malware found "in the wild":
- Viruses—These applications spread by replicating themselves, much in the same way biological viruses infect host cells. Once a device comes in contact with an infected device, whether through an open Wi-Fi network, a USB flash drive or an FTP server, it too becomes infected and propagates the virus further.
- Trojans—Trojans masquerade as real programs, tricking users into opening them and then collecting data, copying files or deleting important information. Trojans are some of the most common malware applications found in the wild because they can be highly convincing and very effective.
- Worms—These are applications that target data while it's in transit. Unlike viruses, which spread through infected host files, worms are standalone applications that can travel between systems on their own. They don't need to wait for an unsuspecting user to connect to the network because they can connect themselves and propagate from there.
How Does Malware Spread?
Malware can spread in any number of ways, but there are three vector classes that are of particular interest to modern cybersecurity experts. These are the most common methods by which users expose themselves to malware risks:
- Email—Propagating a malware application by email is surprisingly simple and effective. Just like the scenario described above, attackers can send malware applications that start secretly collecting data the moment they are opened. Emails may appear to come from trusted sources such as the user’s bank, the U.S. Postal Service, FedEx, or trusted contacts within the user’s own list. They may feature links that direct the user towards convincing versions of their bank's website, compelling them to change their password and then sending the login information to a cybercriminal, or they may have infected attachments that immediately begin collecting data on their own once opened.
- Web—Cybercriminals can design websites that exploit system vulnerabilities, human error and common sense. A typical example runs like this: A pop-up ad warns users that they have a virus, so they need to click OK to clean their system registry and get rid of the virus. In fact, clicking OK is what installs the virus on the host system. Other variants include browser exploitation or DNS redirects.
- Direct—Direct vectors include using an infected USB device, exploiting the host operating system from within the network, or social engineering tactics. Social engineering is one of the most popular methods of gaining access to closed systems: the idea is to trick a user into compromising their own security. For instance, an attacker may scan a public LinkedIn profile to find an employee's name and title, get their phone number from the company website and then call them, pretending to be from the IT department and asking for login credentials. As simple as it sounds, it works surprisingly well.
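The email vector above hinges on a message that merely looks like it comes from the CEO. The following added example (not part of the original article) shows the kind of check a mail gateway or triage script can run on an incoming message: it flags a display name that matches a known executive but carries the wrong address, a look-alike sender domain, and a Reply-To that diverges from the From address. The executive list, corporate domain and sample messages are constructed assumptions for illustration.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Assumed for this example: executives whose names attackers are likely to
# impersonate (lower-cased display name -> their real address) and the
# company's genuine sending domain.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
CORPORATE_DOMAIN = "example-corp.com"
LOOKALIKE_THRESHOLD = 0.8  # similarity above which a foreign domain is suspicious


def impersonation_findings(raw_message: str) -> list[str]:
    """Return human-readable reasons a message resembles executive impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    findings = []

    # 1. Display-name spoofing: the name is an executive's, the mailbox is not.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and address != expected:
        findings.append(f"display name '{display_name}' is an executive but sender is {address}")

    # 2. Look-alike domain: close to, but not equal to, the corporate domain.
    if domain and domain != CORPORATE_DOMAIN:
        similarity = SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio()
        if similarity >= LOOKALIKE_THRESHOLD:
            findings.append(f"sender domain {domain} resembles {CORPORATE_DOMAIN}")

    # 3. Reply-To diversion: replies would go somewhere other than the sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != address:
        findings.append(f"Reply-To {reply_to} differs from From {address}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Jane Doe <jane.doe@example-c0rp.com>\n"
    "Reply-To: ceo.urgent@mail-example.net\n"
    "To: newhire@example-corp.com\n"
    "Subject: Urgent - please handle today\n\n"
    "Open the attached invoice and follow the link.\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: newhire@example-corp.com\n"
    "Subject: Welcome aboard\n\n"
    "Glad to have you on the team.\n"
)
```

A message with findings is a candidate for the out-of-band phone confirmation recommended later in this article, not proof of an attack on its own.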
What About Ransomware?
Ransomware is one of the most dangerous and profitable cybercriminal enterprises out there. Whereas a traditional malware application may collect company data and give it to hackers so they can sell it to the highest bidder, ransomware actively infects the host’s data and makes it completely inaccessible. A common strategy is to encrypt the entire database and force the victim to pay for the decryption key. Downtime is incredibly expensive, so, unsurprisingly, many companies choose to simply pay and hope they get their files back. Naturally, there is no actual guarantee that any decryption key will be provided, and no guarantee that the ransomware application won't encrypt the system again when the attacker needs more money.
How to Safeguard Your Business From Malware Attacks
With cyber threats on the rise, and ransomware occurrences becoming increasingly common, there is no better time than now to implement a robust cybersecurity defense against malware. The best way to do this is by:
- Adopting a secure corporate culture—Instruct employees to be suspicious. When someone receives an unexpected email that appears to come from the CEO or CFO, they need to feel entitled to pick up the phone and call that individual to confirm. Your directors and executives may get annoyed by dealing with the extra work, but it's nothing compared to losing a few million dollars because a hacker impersonated one of them and gained access to the company bank account.
- Keeping comprehensive, easily recoverable backups—Since there is often no way to decrypt files compromised by ransomware, your only course of action is continuing business from a backup. If you have a comprehensive, highly organized data recovery strategy, this can take as little as ten minutes' time and cost nothing. If your backup strategy is inefficient, irregular or unorganized, however, migrating all your data can take days or even weeks.
- Restricting trusted access points—Find out what points of access in your data infrastructure are unrestricted or automatically trusted and ask why they are so. While it may be convenient, these trusted communications channels offer clear paths for malware applications to propagate through. Entering a few more passwords or implementing two-step authentication for business-critical processes can save you in the long run.
- Protecting mobile data—Every employee and business partner or collaborator has a mobile device, and chances are that mobile device has some of your corporate data on it. This can be through a linked email account or through a cloud application like Dropbox. Address these applications with corporate policy that includes erasing data after unsuccessful password attempts and protecting sensitive data when mobile devices get into the wrong hands.
If you implement just these few steps and make them a part of the way you do business, you'll be better off than the majority of companies on the market. The real challenge, however, is eliminating malware from its source. Every ransomware payment made simply reinforces its position as a profitable criminal enterprise. A comprehensive plan for mitigating cybercriminal behavior is a must for any business, in any industry or sector.