News of successful large-scale ransomware attacks is becoming more frequent. In some instances, companies considered part of the U.S. Critical Infrastructure have been compromised and their normal operations have been disrupted. Ransomware has become a collective concern, and many organizations are seeking guidance on how to protect themselves against it. Oracle has fielded many such inquiries from concerned customers. The purpose of this blog is to provide some clarity about the ransomware threat, introduce certain nuances, and provide general security recommendations for coping with this threat.
Ransomware is a type of malicious payload. The term “ransomware” best describes the malevolent intent of the perpetrator, who seeks to extort a payment from the victim (the “ransom”, typically paid in the form of cryptocurrency) because the attacker has managed to take control of the victim’s data or systems.
The perpetrator will typically make multiple threats. Unless the ransom is paid:
Ransomware is technically one of the means used by criminals to engage in cyber extortion. Cyber extortion is not a new phenomenon, and it can take multiple forms. Generally, malicious actors will seek to obtain payments because they can compromise IT systems and adversely affect the normal operations of their victims, with or without the use of malware (e.g., a number of years ago, the simplest form of cyber extortion was threatening a denial-of-service attack or a website defacement).
It can be argued that ransomware attacks are more frequent for two reasons.
The first reason is that easy-to-use resources are available to malicious perpetrators to design and execute attacks on a large scale. Perpetrators are generally opportunistic and will not typically single out a specific organization. In some instances, criminals may target specific industries because of the belief that security expertise in the targeted industry is lacking, or because of the high value of the data (e.g., trade secrets) typically associated with the industry. Criminals will typically develop malicious payloads (using toolkits available on the dark web) that can technically be executed on a large number of systems. Generally, they will distribute this payload indiscriminately through malicious websites and spammed emails. Interestingly enough, it seems that some crooks place self-imposed limitations in their malicious payload to avoid angering certain countries. As in the case of email spamming, it is also likely that cyber extortionists leverage social media sites to identify potential victims.
The second reason ransomware attacks are more frequent has to do with the impunity with which crooks can operate and the availability of payment forms that provide some degree of anonymity while allowing the transfer of tangible wealth. Global ransomware attacks would decrease if the commission of such crimes were more systematically punished (increasing the personal risk to the perpetrators) and, at the same time, the financial gain were made less certain by lowering the potential reward for the perpetrators.
The short answer is that basic security hygiene and good operational practices can help organizations prevent ransomware outbreaks and limit their impact. Let’s put this short answer in the context of a typical ransomware attack lifecycle.
Generally, ransomware attacks can occur because the unsuspecting victim has let untrusted code execute on the targeted environment. Ransomware attacks occur through successive phases:
Organizations can take a number of steps to prevent the initial delivery of malicious payload in their environment.
Organizations need to recognize that human nature can be an enabler of ransomware attacks. General users need to be educated and remain vigilant in two areas:
Organizations need to implement technical controls around the various technological enablers of the propagation of malware. For example, organizations need to:
In addition to running endpoint protection products (with up-to-date signatures) where appropriate (to provide some level of defense against known malware), organizations should have identity and access management practices that reflect the nature, and are commensurate with the value, of the data and systems they intend to protect. For example:
Generally, organizations need to ensure that strong authentication and the principle of least privilege are enforced throughout their technical environments. This obviously includes:
Strict control over privileged accounts (e.g., root and admin OS accounts, DBA accounts)
Obviously, all the above recommendations could become useless if the organization fails to maintain basic security hygiene:
Many of the above recommendations will help limit the introduction and propagation of malicious payloads that make their way into an IT environment. However, a number of additional recommendations need to be emphasized:
Organizations that maintain a good security-in-depth posture have a lower chance of experiencing a major ransomware outbreak. However, it is wise to “prepare for the worst and hope for the best.” As such, organizations’ business continuity plans should include provision for frequent and safe backups with effective and verified recovery procedures. It is important to note that before proceeding with restoring systems, organizations need to have determined, with a reasonable level of confidence, when and how the initial compromise took place. This is because victimized organizations may inadvertently restore the compromise and re-establish the infestation while performing their recovery. A cost-benefit analysis needs to be performed to choose between restoring an older, but known to be safe, state versus restoring a more recent, but possibly infected, state to minimize business disruption.
Obviously, organizations need to have effective control over their backup files and resources (some malware is known to target backup files and resources) to ensure backup data is available when needed.
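As an added illustration of the restore-point decision described above (example code written for this post, not Oracle’s own), the following Python classifies a backup catalog against the compromise window an investigation has established and reports the data loss attached to each candidate, so that the older-but-safe versus newer-but-possibly-infected trade-off is explicit; the catalog, labels and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Backup:
    label: str
    taken_at: datetime
    restore_tested: bool  # a recovery drill has proven this backup restorable


def classify(backup, earliest_compromise, confirmed_compromise):
    """Place a backup relative to the investigated compromise window."""
    if backup.taken_at < earliest_compromise:
        return "known_safe"          # predates any plausible intrusion
    if backup.taken_at < confirmed_compromise:
        return "possibly_infected"   # inside the window the investigation could not clear
    return "infected"                # taken after the compromise was established


def restore_options(backups, earliest_compromise, confirmed_compromise, now):
    """Return the two candidates the cost-benefit analysis must weigh:
    the newest known-safe backup and the newest possibly-infected one,
    each with the span of data that restoring it would lose."""
    usable = [b for b in backups if b.restore_tested]  # untested backups are not options
    options = {}
    for state in ("known_safe", "possibly_infected"):
        matches = [b for b in usable
                   if classify(b, earliest_compromise, confirmed_compromise) == state]
        if not matches:
            options[state] = None
            continue
        newest = max(matches, key=lambda b: b.taken_at)
        options[state] = {"label": newest.label, "data_loss": now - newest.taken_at}
    return options


# Constructed sample catalog (hypothetical dates, not from any real incident):
# nightly backups at 02:00, one of which failed its restore test.
SAMPLE_BACKUPS = [
    Backup("nightly-06-08", datetime(2021, 6, 8, 2, 0), True),
    Backup("nightly-06-09", datetime(2021, 6, 9, 2, 0), True),
    Backup("nightly-06-10", datetime(2021, 6, 10, 2, 0), False),
    Backup("nightly-06-11", datetime(2021, 6, 11, 2, 0), True),
    Backup("nightly-06-12", datetime(2021, 6, 12, 2, 0), True),
    Backup("nightly-06-14", datetime(2021, 6, 14, 2, 0), True),
]
EARLIEST_COMPROMISE = datetime(2021, 6, 10, 0, 0)   # earliest time the investigation cannot rule out
CONFIRMED_COMPROMISE = datetime(2021, 6, 13, 8, 0)  # first confirmed malicious activity
NOW = datetime(2021, 6, 15, 9, 0)
```

Calling `restore_options(SAMPLE_BACKUPS, EARLIEST_COMPROMISE, CONFIRMED_COMPROMISE, NOW)` yields the 06-09 backup as the safe choice (about six days of data loss) against the 06-12 backup as the possibly-infected alternative (about three days), which is the comparison the cost-benefit analysis has to settle.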
Commercial cloud providers typically have very mature security practices intended to protect cloud resources against various security threats. It is important that cloud customers remember that ransomware attacks typically occur because the victim has allowed untrusted code to execute on the targeted environment. Whether in the cloud or in a data center, executing malicious code can lead to a compromise. Software as a Service (SaaS) environments generally do not let customers execute untrusted code, and the risk of a successful ransomware attack is therefore quite limited. However, SaaS customers need to remain vigilant when enabling third-party integrations, plugins, or other forms of external code in association with their SaaS environments. In a typical Infrastructure as a Service (IaaS) environment, cloud customers can generally execute whatever they desire. As a result, IaaS cloud customers may unwittingly execute malicious code, and this can lead to a compromise. Such a compromise will generally be limited to the affected customer instance. Note that any malware scanning prior to uploading code to an IaaS instance (whether performed by the cloud provider or the customer) will offer only limited protection. IaaS customers should perform due diligence to ensure that any code they execute in their IaaS instances is safe (free of malware) and secure (free of major vulnerabilities).
In addition, customers should not blindly assume that their backups in the cloud are safe. As we have seen in the previous section, while backing up to the cloud may provide an additional level of assurance that the backup data will be highly available, the data contained in the cloud may still be infected (whether malware scanning took place or not). The cost-benefit analysis previously mentioned still needs to take place.
Oracle’s corporate security site describes how Oracle has implemented many of the security practices discussed in this blog entry.
With over 20 years’ experience in helping customers secure complex IT systems, respond to cyber incidents, and develop comprehensive security strategies to manage technological risks and meet regulatory requirements, Eric Maurice helps define corporate security assurance policies and programs for Oracle’s on-premises and cloud offerings.