How to Guard Your Company Against Cryptojacking and Ransomware

Published in Security

The bull market for bitcoin is catching a lot of attention. Most notably among hackers. This is why the cost of a ransomware attack was expected to grow 1500 percent between 2015 and 2017 to a predicted $5 billion. Some expect costs to rise to $11.5 billion in 2019.

Others saw a drop in ransomware toward the end of 2017, as cryptojacking continued to grow in popularity; hackers are stealing CPU bandwidth through compromised websites or malware.

One locks down your systems, the other slows them down. Both feed hackers’ appetite for cryptocurrency. Here’s how to stop them.

Companies are stocking up on cyrptocurrencies to pay off hackers

How to Guard Your Company Against Cryptojacking and Ransomware

The ransomware epidemic has gotten so bad that companies are proactively buying bitcoin just in case they have to pay up to get their systems back.

A recent Qualtrics survey of 510 IT decision-makers found that 53 percent had purchased cryptocurrency like bitcoin as a precaution against ransomware attacks. More than half (51 percent) said their organization had stockpiled $100,000 or more in cryptocurrency, with 12 percent purchasing $1,000,000 or more.

The average ransom payment is $1,077, but the cost can quickly skyrocket when multiplied by the number of locked machines. Nearly 73 percent of the respondents work at organizations with more than 1,000 employees. You do the math.

When Hancock Health Hospital’s systems were held ransom in January, one hospital executive noted that “the amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.”

Hancock Health was forced to pay up since its backups were compromised, but paying the ransom also seemed like the best choice. The cost was competitive compared to the effort required to get systems back up and running on its own. That made it a lucrative payday for hackers and a tough decision for the organization.

Do this so you don’t have to stock up on cryptocurrency

While not recommended, ultimately, paying a ransom is an executive and board decision. But instead of purchasing cryptocurrency in advance, efforts should focus on prevention.

Don’t ignore the basics:

  • Back up your critical data at an interval that makes sense. For some businesses, backing up once a day is fine. Others might need to back up every hour.
  • Segment your backups from the rest of your network so they aren’t infected along with other devices. Hancock Health learned this the hard way.
  • Use tools to spot ransomware, like file-integrity monitoring services or security information and event management (SIEM) services.
  • Educate your employees on how to spot and report phishing emails before they click any suspicious links.
  • Test your disaster recovery plan and process to make sure it will hold up under a real-world attack.

If you take steps ahead of time to prevent and quickly mitigate ransomware, there’s no reason to stockpile cryptocurrency.

But you do have to watch out for the newest scheme, which has grown more prevalent in the last year: cryptojacking.

What is cryptojacking?

Cryptojacking is secretly hijacking processing power to mine cryptocurrencies.

It can be done through compromised websites or through malware that can spread across a network and create a botnet dedicated to mining. It’s a more subtle and lucrative way to steal than locking down an organization’s devices.

Adylkuzz, a cousin to the ransomware WannaCry, spread quietly last spring, and could have produced more than a million dollars for its creators.

Last fall, a bit of Javascript on Showtime’s website tapped visitors’ computers to mine the cryptocurrency Monero. Reports say that up to 60 percent of visitors’ CPU capacity was conscripted into the mining operation.

Now more than 4,200 government websites around the world are said to be compromised and mining Monero. The attacks are stealing processing power from prominent companies too.

Large botnets, once feared for their ability to level massive DDoS attacks, are now raking in cash. The Smominru botnet, for example, has infected 520,000 machines and has already mined $2.3 million in Monero.

How to guard against cryptojacking

While cryptojacking may seem less impactful than ransomware which completely shuts companies out of their systems, it does take resources away from systems critical for business.

Guarding against cryptojacking, like guarding against ransomware, comes down to the basics:

  • Install security patches.
  • Set strong passwords, and don’t reuse them.
  • Train employees in security awareness.
  • Harden systems.
  • Set strong egress filtering to block outbound connections to command and control servers, and monitor for those connections to alert on attacks.
  • Segment networks to protect against propagation of malware.
  • Maintain clean backups for quick and easy restoration.

As long as there’s money to be made, criminals will do their best to exploit every vulnerability. With bitcoin and other cryptocurrencies so highly valued, this will be an attack we’ll see for a while. Prepare accordingly.

Cryptocurrencies and criminals

It’s pretty obvious why criminals like cryptocurrencies. They can be used anonymously, they’re increasingly easy to use, and they’re surging in value – what’s not to like?

Your organization is often what’s standing between criminals and the payments they seek. With a focus on cybersecurity basics, you can avoid becoming the next victim and funding further exploits.

Learn more about how to make your business more resilient against cyberthreats.


Cybersecurity Myths You Should Stop Telling Yourself

Published in Security

Cybersecurity can be a magnet for myths. Attacks emerge and cripple systems availability or swipe data quickly and unexpectedly. It happens so fast that the myths so many of us hold onto as facts are only apparent in the aftermath of an attack.

While many cybersecurity myths persist, some are more damaging than others. Let’s examine four common cybersecurity myths and their impact on risk.

Myth 1: Small organizations are low-value targets for hackers.

Cybersecurity Myths You Should Stop Telling Yourself

Buying into cybersecurity myths can leave your company vulnerable to attack.
Learn about common cybersecurity myths and how they impact risk.

Thinking you’re not a target is one of the biggest mistakes your company can make. According to data collected from more than 2,200 confirmed data breaches, 58 percent of security event victims were small businesses. Why would malicious actors target small companies?

  • Compute resources are valuable – Malicious actors seek out available computing resources as network nodes to expand their bot networks, which they use to initiate DDoS attacks, for cryptojacking, to propagate ransomware and spam or for numerous other crimes. Malicious actors build their networks by leveraging free resources, and your systems might be among them.
  • Data is power  Every organization stores some data that’s critical to its business, but holds little value to others. Malicious actors exploit this by unleashing ransomware that cuts off data access, availability, or both, crippling the organization. Malicious actors then generate revenue through ransom payments.
  • You’re an easy target – Malicious actors use continually running, automated tools to target vulnerable organizations that allow them easy access. That increases their chances of a quick win, especially since vulnerable targets might not realize they were attacked for months.
  • Your access is valuable – Small businesses can be used as a “beach head” into other targets. Malicious actors might target seemingly innocent, low-risk third-party vendors to get to those vendors’ customers. A breach at customer service software company earlier this year gave malicious actors access to Delta Airlines, Sears, Kmart and Best Buy.

Myth 2: There’s no reason to invest in security when organizations with tight security controls still experience security breaches.

Some organizations rationalize a small cybersecurity budget by arguing that investing in security is a losing game. They hear about security breaches at large organizations, with presumably large cybersecurity budgets, and assume if these organizations can fall victim, then what chance does their organization have? Let’s look at a few reasons why this is not the case.

  • Tools are just one pillar of a solid security strategy  People and process are the two others. An organization allocating budget toward security might not be funneling it to the most effective areas. An organization can have a big budget for tools but if it lacks the right cybersecurity talent or its processes are faulty, it can still get hit.
  • Tools do help – Multiple breaches have illustrated how long it can take before an intrusion is detected. Malicious actors stole 880,000 payment cards from Orbitz in a data breach that occurred between October and December 2017, but the company didn’t spot the evidence until March 2018. Tesla only discovered a cryptojacking operation in a cloud account when third-party researchers tipped off the car maker. Organizations that invest in reactive security controls like SIEM tools, in combination with proactive security controls such as Intrusion Prevention Systems (IPS), may identify suspicious behaviors earlier and limit the damage. With such security controls, an organization can more quickly and easily identify when the breach occurred, the potential infiltration source and how the malware spread.
  • The cost of recovery can be higher than the cost of security – Organizations that shrug off tight security controls are focusing solely on the immediate effects of infiltration, not on the total cost of the security incident. Granted, security controls are not 100 percent effective at detection and prevention, but they can save significant time and money during each of the subsequent incident response stages: analysis, containment, eradication, recovery and post-incident activities.

Myth 3: Our organization has not been breached before, so we’re still safe.

Often, organizations incorrectly assume their security risks remain relatively static, when they don’t have a way to effectively evaluate those risks. Projecting future risks based on historical events can be dangerous, especially because people often underestimate the following:

  • What needs to be secured – Defining the scope of what to secure requires identifying exactly how many applications, servers, network devices, storage devices and more are within your organization. When faced with either insufficient or overwhelming amounts of data, the scope may be simplified and assumptions drawn that can lead to vulnerabilities.
  • Unexpected delays – An organization might not include adequate protection for an obsolete server that’s being decommissioned. Schedules slip, and vulnerabilities are introduced when the old, no-longer-patched Windows 2003 server remains connected to the environment months later.
  • Underestimated targets – Similarly, organizations might assume a particular server doesn’t contain sensitive data and is less likely to be the target of an attack. As we’ve discussed, it might not be data that malicious actors are after. Your servers might be valuable as a foothold into the environment, for example.
  • Human psychology – Lastly, people often underestimate risk due to future aversion – the problem of assuming that because the future is unknown it cannot be tested.

Myth 4: Security is an expense, not a revenue generator.

Organizations prioritize investment in services that generate revenue, especially when budgets are tight. This can leave cybersecurity, viewed as an expense, on the back burner. But cybersecurity can be a revenue generator – here’s how.

  • Security influences buying decisions – Organizations that store personal, financial and other sensitive data need to ensure it’s secure. Organizations can influence customers’ perception of security by proactively marketing the high level of security they adhere to, differentiating their organization from their competitors.
  • Lack of security impacts availability – Data breaches are only one impact from an adverse security incident. Another is downtime. Consumers can’t purchase products or pay for services if a web site, or the infrastructure that supports web transactions, is unavailable. When ransomware brought the City of Atlanta to a standstill, for example, it couldn’t accept payment from residents for common city services for six days. The lack of adequate security directly impacted core business operations.
  • Security can be a value-added service – For instance, a Software-as-a-Service (SaaS) provider may offer three tiers of service to its customers: gold, silver and bronze. It could bundle in a Service Level Agreement (SLA) with higher levels of availability and higher levels of security controls associated with higher service tiers. Whether your organization has the in-house tools and skill sets required to offer specific security services or you’re passing the costs of a Managed Security Service Provider onto the end customer, security can become a new revenue stream.

The bottom line

Whether it’s assuming you’re not a target or that security spend is only ever an expense, buying into these common cybersecurity myths can set your organization up for serious disruption, unhappy customers, a tarnished reputation, not to mention the cost of recovery.

What are some other cybersecurity myths you’ve encountered?

Subscribe to this RSS feed