Ransomware: 4 Cyber Security Processes To Keep Your Business Safe

Ransomware has plagued businesses for several years, but the recent outbreaks of WannaCry and NotPetya have marked the beginning of a new era of hybrid malware that combines multiple exploits into something much more dangerous. What can organisations do to remain safe when the cyber criminals are innovating so quickly?

Which cyber security processes would have kept you safe from NotPetya/GoldenEye?

The cyber-attacks that are currently making the headlines, dubbed NotPetya or GoldenEye depending on who is taking credit for its analysis, don’t appear to be typical with respect to their motivation of extortion. It may seem like a peculiar conclusion, given it is a ransomware virus, but researchers are now suggesting that its amateur ransomware capabilities were designed to cover the fact that it is a dangerous cyber weapon targeting the Ukraine.

Furthermore, if its motive is cyber warfare rather than extortion, then it is reasonable to conclude that the perpetrator was a nation-state. The Ukraine’s security service has publicly stated its belief that Russia is behind the attack.

Some recognition should be given to the malware creators, given its virulence and efficacy when it takes hold in an organisation. However, if the Ukraine security services are correct, it seems it also backfired as it caused widespread damage in Russia as well as the Ukraine.

Nevertheless, businesses should have been prepared, with cyber security processes in place. The foreshadowing of the WannaCry attack a few weeks ago should have seen every business on the planet apply the Microsoft patch that resolved the vulnerability being exploited by EternalBlue.

Interestingly, GoldenEye was transmitted to targets from a compromised Ukrainian news site rather than via the usual ransomware vector of email. This suggests it was aimed at Ukrainian targets rather than being a widespread organised criminal attack. Furthermore, several researchers think that despite the screen demanding a ransom, it does not save the victim’s data. Thus there is no way to recover it. Before this, the basis of ransomware’s success was that the criminals always got paid and then, nearly always, handed over the decryption keys. GoldenEye comes with no such promise, so word soon spreads that it is not worth paying up.

The Importance of Good Cyber Security Hygiene

So what can you do? There is little doubt that if you are in the sights of an attacker, there is a limited amount you can do – this is especially true if the attacker has the resources of a nation-state. Many of GoldenEye’s victims were collateral damage rather than specifically targeted. Collateral victims are not of concern to these attackers.

If you practise good cyber security hygiene, in most cases it keeps your business safe. As recommended by the Australian Signals Directorate, the following proactive operational cyber security controls, if properly executed in your business, will assist in protecting you from most opportunistic or accidental malware infections:

  1. Patch everything as soon as you can;

  2. Institute real-time vulnerability management;

  3. Institute protective monitoring; and

  4. Regular off-site back-ups and operational testing.

Security experts say it time and time again: patch your operating systems, patch your applications and keep patching them as soon as the patches are available. Most malware strains need at least one unpatched vulnerability to exploit.

A vulnerability management system gives you immediate, contextual feedback on where weaknesses and vulnerabilities exist in your enterprise. You can use a vulnerability management system to prioritise the work of your systems administrators to make sure security fixes are dealt with promptly.

Gain Visibility with SIEM

A modern approach to security operations requires that you gain better visibility of what’s going on in your network. To do this, collect the security events from your operating systems, network devices, security devices, vulnerability management systems and administration systems into a security information and event management (SIEM) system so that your security analysts can correlate what they see on your networks and investigate for patterns of attacks.
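The correlation described above, as an added example that is not part of the original article: it joins network flow events with a vulnerability-management export to flag a host fanning out over SMB (TCP 445, the service EternalBlue targets) and raises the priority when unpatched hosts are among the targets. The event fields, addresses, window and threshold are constructed assumptions, not any SIEM product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs): (timestamp, source, destination, dest port).
FLOWS = [
    ("2024-01-01T10:00:01", "10.0.1.15", "10.0.1.20", 445),
    ("2024-01-01T10:00:03", "10.0.1.15", "10.0.1.21", 445),
    ("2024-01-01T10:00:05", "10.0.1.15", "10.0.1.22", 445),
    ("2024-01-01T10:00:09", "10.0.1.15", "10.0.1.23", 445),
    ("2024-01-01T10:00:02", "10.0.1.30", "10.0.1.5", 445),   # normal file-server use
    ("2024-01-01T10:00:40", "10.0.1.30", "10.0.1.5", 445),
    ("2024-01-01T10:01:00", "10.0.1.31", "10.0.1.20", 445),  # two hosts, minutes apart
    ("2024-01-01T10:06:00", "10.0.1.31", "10.0.1.21", 445),
    ("2024-01-01T10:00:07", "10.0.1.31", "10.0.1.40", 443),  # not SMB, ignored
]
# Constructed vulnerability-management export: hosts still missing the SMB fix.
UNPATCHED = {"10.0.1.21", "10.0.1.23"}

def correlate(flows, unpatched, window=timedelta(seconds=60), threshold=4):
    """Alert on sources reaching >= threshold distinct hosts on 445 within window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= threshold:
            exposed = sorted(best & unpatched)  # enrichment from the scanner feed
            alerts.append({"source": src, "targets": sorted(best),
                           "unpatched_targets": exposed,
                           "priority": "high" if exposed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in correlate(FLOWS, UNPATCHED):
        print(alert)
```
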

These four cyber security processes can proactively assist in protecting your organisation from most attacks. If you remain patched and compliant, most malware is unable to access your enterprise. Even the most sophisticated malware and malware-free attacks still require vulnerabilities or configuration weaknesses, so the real-time feedback from a vulnerability management system helps you find and fix these issues before the bad guys exploit them.

Monitoring is key to identifying attacks. Check out our infographic and make use of the content in your work:

Illustration showing the business value of cyber security monitoring
