Cisco recently released its 2016 Midyear Cybersecurity Report and, according to its latest threat intelligence and trend analyses, while ransomware is not a new threat, it has evolved to become “the most profitable malware type in history.”
Ransomware is a massive revenue generator with strong staying power because adversaries are typically paid in Bitcoin, which gives the attackers anonymity, the Cisco researchers stated. In addition, the majority of known ransomware cannot be easily decrypted, leaving victims with little option but to pay the asking price, according to the Cisco report.
“We expect the next wave of ransomware to be even more pervasive and resilient. Organizations and end users should prepare now by backing up their critical data and confirming that those backups will not be susceptible to compromise,” the Cisco researchers wrote in the report.
Cisco researchers also observed organizations lacking self-awareness about their appeal to attackers. “Industries such as healthcare have become more attractive to bad actors in recent years because they offer the combination of valuable data with traditionally weaker security,” the Cisco researchers wrote.
In particular, the researchers examined attackers’ use of JBoss back doors earlier this year to launch ransomware campaigns against organizations in the healthcare industry. This serves as a strong reminder that adversaries, when given time to operate, will find new ways to compromise networks and users—including exploiting old vulnerabilities that should have been patched long ago, the Cisco researchers stated.
The healthcare industry has faced several ransomware attacks this year. In its analysis of Cisco customers in the healthcare vertical that were hit by ransomware attacks, the Cisco researchers identified a number of enterprise vulnerabilities that had made infections more likely for these organizations. Those vulnerabilities include shared passwords and “overprivileged” accounts; insufficient security logging, which would otherwise allow compromised passwords to be detected; web applications with OWASP Top 10 vulnerabilities; and unpatched operating systems and applications.
Cisco researchers also found that all the PCs in a hospital often run the same vulnerable versions of software like Windows XP, Adobe Flash player, or Java. “Of note, most recent ransomware infections of healthcare workstations that we investigated could be traced to clinical staff web browsing from a workstation that was missing Flash player patches. Lack of a formal process to ensure the timely installation of security patches was also a common theme across our healthcare customers,” the Cisco study authors wrote.
“In addition, most medical providers targeted by ransomware did not have incident response plans in place, which greatly undermined their efforts to respond effectively to attacks. Also, few healthcare organizations have dedicated security teams. Maintenance of IT assets is typically handled by one or more IT generalists who lack security expertise,” the Cisco study authors stated.
Cisco researchers recommend that businesses with similar security challenges take, at minimum, the following actions to improve their overall security posture: conduct basic hardening of systems to resist malware and hacking attacks, and assess the organization’s IT landscape by asking questions such as, “What and how many devices are on the network? Where are those devices located?”
The researchers also recommend that organizations educate users about threats and best practices, develop an incident response plan, and actively monitor the network for evidence of compromise.
Cisco researchers also concluded that organizations’ security teams need to reduce the unconstrained time that adversaries have to operate.
“Today’s attacks currently outpace defenders’ ability to respond. As long as attackers are permitted unconstrained time to operate, and innovate, their success is all but ensured. But if an organization can limit adversaries’ time and opportunity to lay the foundation for and carry out an attack, they are forced to make decisions under pressure that place them at higher risk of becoming known—and taken down,” the Cisco researchers stated.
“As has always been the case, organizations and end users play an important role in helping to reduce the time that threat actors have to operate. For enterprises, there has perhaps never been a better time—or more urgent need—to improve security practices. Upgrading aging infrastructure and systems and patching known vulnerabilities will undermine the ability of cybercriminals to use those assets to carry out their campaigns,” the researchers wrote.