Ransomware: just one click

Blog by: Mark Wainwright, Enterprise Security Solutions, Adept4 - 26-Apr-2017

The recent WannaCry ransomware attack, which hit the NHS in the UK and infected over 200,000 machines in 150 countries, is proof of how even relatively crude attacks can have devastating consequences. In this instance the attack spread by exploiting a vulnerability in the SMBv1 file-sharing service present across Windows versions (MS17-010). Microsoft had patched supported versions in March 2017, but Windows XP, which is deemed end-of-life with support only given on a custom basis, had received no fix, and unpatched machines running newer versions were hit as well.

Microsoft has now taken the unusual step of issuing a patch for those end-of-life versions, but the episode illustrates the importance of updating and patching systems: a process that often gets sidelined as organisations focus on their day-to-day business. Keeping systems on supported, licensed versions and applying patches promptly is crucial to the cyber health of the organisation and mitigates this type of attack. In addition, a tested back-up regime with copies the ransomware cannot reach allows the organisation to recover quickly, but it is also critical to look at other methods of defence.

What is it?

Let’s take a step back to define what ransomware is. Essentially, it is malware that locks devices, networks and data centres and stops them being used until a ransom is paid. Locker ransomware blocks use of the device itself, for example by preventing it from booting or locking the screen; crypto ransomware encrypts drives or files and holds the decryption key for ransom. Some variants even incorporate a timer and start deleting files until the ransom is paid. Business-critical systems are taken offline, essential data is rendered unavailable, productivity is severely restricted and ultimately the business is damaged. Common delivery methods include:

  • Infected link or file attached to an email
  • Drive-by downloading – malware is downloaded from an infected website without the user’s knowledge
  • Social media and web-based instant messaging apps
  • Vulnerable web servers

The difficulty is that, for many of your employees, opening attachments and searching the Internet is part of their job. In addition, phishing attacks have become very convincing. Spear-phishing targets a specific person or role with an email crafted to look like one they are expecting, so the bad looks good. To the user, these disguised emails can look just like the real thing, and a single click results in the deployment of malware, including file-encrypting ransomware, onto the network.

Ultimately, it’s simply human nature to click on an unexpected invoice or critical message “from your bank”. More often than not, users believe that security is someone else’s job, not theirs.

Keeping it secure

Securing our networks and our data is no longer done the way it used to be. In the past, attacks were handled by deploying a firewall to keep people out, but now, with a plethora of ways to attack and bypass security devices, it is necessary to defend the integrity of your network and data using several layers of defence.

The main challenge for organisations is to take the information from multiple devices and correlate it to provide a wider picture from which actionable intelligence can be produced. However, bringing solutions together can be challenging and resource intensive. That’s why Adept4 has been working closely with Fortinet to deliver security solutions that meet these challenges, and our combined defence against ransomware is a good example of this joined-up approach.

By using an application-aware Fortinet Next Generation Firewall to guard the perimeter of the network, for both inbound and outbound traffic, we can put more granular restrictions in place than the traditional port- and address-based rules that are mostly ineffective against today’s attacks. This appliance can restrict user access to the internet on the basis of several factors, including the URL, the content of the destination or even the type of application in use. Controlling outbound traffic matters as much as inbound: it is the path by which a dropper fetches its payload and by which ransomware reports to its command-and-control server.

The vast majority of ransomware attacks use email to initiate and propagate their activity, so email protection is essential to avoid falling foul of this type of attack. Our email security protection monitors email entering the business and then allows, deletes or quarantines it. If it identifies an email that looks suspicious, it queries the Fortinet Security Cloud to check any link or file against known threats before passing the email to the user’s inbox. This means that users can be assured that an incoming email has been checked for viruses, malware and other anomalies.

Where an email is proven to be malicious it is deleted and an update is sent to the firewall. This means that if the firewall sees this type of traffic again it will block it, and if the email contained a website link, that site is added to the restricted list so that users are not able to reach it.
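The triage pipeline described in the two paragraphs above (inspect each inbound message, check links and attachments against threat intelligence, allow, quarantine or delete it, and on deletion push the linked sites to the perimeter block list) can be expressed in a few dozen lines. The following is an added example written for this page, not Adept4 or Fortinet code: the block lists, the `bad.example` and `corp.example` hosts and the sample messages are all constructed here, and the local hash/host lookup stands in for the cloud query the text describes.

```python
"""Inbound-mail triage: verdict per message plus firewall indicators.

Added example, not Adept4/Fortinet code. Block lists, hosts and sample
messages are constructed for the demonstration; the local lookup stands
in for a cloud threat-intelligence query.
"""
import hashlib
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed threat intelligence. EICAR is the industry-standard test file,
# used here so the hash check fires on a deterministic, harmless payload.
URL_BLOCKLIST = {"bad.example"}
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
HASH_BLOCKLIST = {hashlib.sha256(EICAR).hexdigest()}
# Script and macro-bearing types commonly used as ransomware droppers.
DANGEROUS_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe", ".docm", ".xlsm"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(raw: bytes) -> dict:
    """Return a verdict (allow / quarantine / delete), the reasons, and
    every link host seen, so a deletion can feed the firewall."""
    msg = message_from_bytes(raw, policy=policy.default)
    proven, suspicious, hosts = [], [], set()
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = (part.get_filename() or "").lower()
            ext = os.path.splitext(name)[1]
            if hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST:
                proven.append(f"attachment {name}: hash on block list")
            if ext in DANGEROUS_EXT:
                # 'Invoice.pdf.js' style double extensions are a classic lure.
                kind = "double-extension" if name.count(".") > 1 else "executable"
                suspicious.append(f"attachment {name}: {kind} {ext}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                hosts.add(host)
                if host in URL_BLOCKLIST:
                    proven.append(f"link {url}: host on block list")
    verdict = "delete" if proven else "quarantine" if suspicious else "allow"
    return {"verdict": verdict, "reasons": proven + suspicious, "hosts": sorted(hosts)}


def firewall_update(result: dict) -> list:
    """Hosts to add to the perimeter restricted list. Only deleted mail
    contributes, mirroring the 'delete, then update the firewall' step."""
    return result["hosts"] if result["verdict"] == "delete" else []


def build_mail(body: str, attachment: bytes, filename: str) -> bytes:
    """Serialise a constructed inbound message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts@invoice-portal.example"  # constructed sender
    msg["To"] = "finance@corp.example"
    msg["Subject"] = "Overdue invoice 44873"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Four constructed inbound messages covering each verdict path.
LURE = build_mail("Review it here: http://bad.example/inv/44873.php",
                  b"WScript.Echo('dropper')", "Invoice_44873.pdf.js")
SUSPECT = build_mail("See attached.", b"WScript.Echo('dropper')", "Invoice_44873.pdf.js")
KNOWN_BAD = build_mail("Report attached.", EICAR, "report.pdf")
CLEAN = build_mail("Minutes at https://intranet.corp.example/minutes",
                   b"%PDF-1.4 ...", "minutes.pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("suspect", SUSPECT),
                       ("known-bad", KNOWN_BAD), ("clean", CLEAN)):
        r = triage(raw)
        print(f"{label:10} {r['verdict']:10} {r['reasons']} firewall: {firewall_update(r)}")
```

Two design points worth noting: the attachment hash is checked before the filename, so a known-bad sample renamed to `report.pdf` is still deleted, and a dangerous extension on its own only quarantines, because a `.js` attachment is suspicious rather than proven malicious and a human can release it. Only a deletion pushes link hosts to the firewall, so a clean internal link never ends up on the restricted list.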

With a Fortinet Security Fabric, all devices feed information back into a reporting tool that provides the key metrics that keep you aware of user activity and confident that you are taking a holistic approach to security.
