Ransomware -- a form of cyberattack that interrupts access to an organization's data until that organization pays a ransom fee -- has grown from a rare occurrence in IT to a substantial and growing threat for enterprises. Ransomware encrypts files with a key only the attacker has, making it impossible for target organizations to crack it.
Ransomware threats apply to any IT asset, whether on premises or in the cloud. Roughly 44% of malware found in enterprises' cloud apps has delivered ransomware, and 56% of malware-infected files found in cloud apps are shared publicly, according to a recent report from Netskope, a cloud security services provider based in Los Gatos, Calif.
Ransomware threats become more prevalent
Ransomware has blossomed to the point where it now represents about one-third of the incidents handled by Creative Breakthrough Inc. (CBI), a managed services provider focused on IT security and risk assessments, based in Detroit.
"This is a reflection of the criminalization of hackers that we have seen over the past several years," said J. Wolfgang Goerlich, director of security strategy at the company, adding that, just because your workloads are in the cloud, "doesn't mean you are in the clear."
Ransomware threats are prevalent because they're profitable for hackers, said Gartner analyst Peter Firstbrook. Estimates place the ransomware industry between $300 million and $1 billion annually. And despite the head-in-the-sand view that the cloud is largely "safe," corporate assets that aren't on premises are just as vulnerable.
"The kind of malware [used in ransomware] represents a pretty standard technique to get on endpoints, but it has dramatic impacts on businesses and individuals, and it is very costly," Firstbrook said.
In general, hackers try to find organizations that are vulnerable, he added. They sometimes target organizations through emails if they think the organization has weak security, but attacks have been largely opportunistic rather than carefully targeted. In many cases, the attackers may demand less money than they could actually squeeze from a victim, but that is changing.
Ransomware risks and how to prevent them
Traditionally, ransomware targeted documents and Excel files. But those are things that corporations can often survive without, and they likely have paper copies of that information. However, attackers have recently started to focus on database files, while paying closer attention to the nature of the target organization. Databases often hold critical information and are hard to restore, Firstbrook said. If an organization doesn't continuously back them up, days of data loss could occur. And the ransomware itself doesn't really care whether it encrypts files on premises or in the cloud.
That's the bad news. The good news is that there are some inexpensive ways to dramatically reduce the risk of a ransomware attack in the cloud.
"Ransomware attackers use three primary techniques: known vulnerabilities, user exploits and mobile code," Firstbrook said.
Vulnerabilities are typically related to Windows, browsers and Flash. Keep patches up to date -- up to the minute, if possible -- to help reduce risks. User exploits are the now-familiar emails that encourage users to click on a video or other file that can transmit malware. Mobile code, such as Java and various macros, can also infect an endpoint and, in turn, make a call to a website to download the actual infection.
"For my part, I recommend removing Java and Flash," Firstbrook said.
In addition to educating end users about the latest ransomware threats, IT pros should also run Microsoft Baseline Security Analyzer, which helps spot vulnerabilities on some Windows systems.
Basic antivirus products also provide "pretty good protection" and are improving, according to Firstbrook. He warned against changing an antivirus product to make it easier to use; if you are dealing with too many false positives from the product, just implement whitelists, he said.
There are some next-generation or add-on antivirus products that can supplement or replace traditional ones. These products are not purely signature-based, meaning they don't rely on spotting the tell-tale characteristics of known viruses or malware. Instead, they perform other, more advanced analytics to spot potentially dangerous code.
Finally, Firstbrook added, make sure you have backup -- ideally, continuous backup. That alone can make you nearly immune to a ransomware attack, whether in the cloud or on your desktop.
It's important for organizations to take these steps, as attackers are likely to become more sophisticated in the next few years, CBI's Goerlich said.
"There is not a lot of intelligence now about this, but I think next year, the crooks will get even smarter; in other words, they will start to know if they are dealing with a bank or a hospital," he said.