Enterprise Ransomware Protection Insights

This past year, ransomware has extorted vast sums of money from enterprises.  Ransomware is a form of malware that encrypts data and then demands a ransom payment to decrypt it.  The most common ransomware encrypts files likely to contain work product, cherished memories, or user-created content such as documents, spreadsheets, source code, pictures, music, and videos.  Such files are of high importance to users.  Other ransomware encrypts entire hard drives or targets database files for Oracle, MySQL, Microsoft SQL Server and email databases. 

The results have been disastrous for companies without backups.  Those companies had to cope with lost data or pay the ransom, and not all companies that paid received their data back.  Even those with backups were affected, albeit to a lesser extent, by the time and effort spent restoring systems and eradicating the ransomware.  Ransomware by its nature cannot be ignored.  Ransomware hits home; it hits our pocketbook, and its impact is wide-reaching.

Fortunately, there are some advanced technologies available to prevent ransomware from infecting your business.  I had the pleasure of interviewing Liviu Arsene (@LiviuArsene), Senior E-Threat Analyst at Bitdefender, on ransomware and he had some great insights.   

Vanderburg: How do you differentiate ransomware from other malware?

Arsene: If other malware’s purpose is to covertly collect and broadcast sensitive data from a victim’s computer, ransomware is all about restricting access to that data and demanding payment to restore access to it. Ransomware is a strictly financial type of malware with a huge conversion rate, causing hundreds of millions – potentially close to one billion – dollars in financial losses. Another difference is that while other malware may try to elevate its privileges in order to gain persistency on a victim’s computer, ransomware is all about encrypting specific files or databases with little regard about persistency. Ransomware’s goal is simple, to the point, and strictly financially driven.

Vanderburg: How is ransomware currently circumventing security controls?

Arsene: While the actual payload that starts the file-encrypting process is relatively simple to detect, ransomware comes packed in various layers that shield the malicious payload. Using highly obfuscated packers that alter the original binary’s data and then restore it (more or less) before execution, their goal is to compress the file-encrypting payload to the point where a traditional security solution won’t be able to recognize the malicious code. 

Ransomware developers also employ polymorphism techniques for altering the malicious code for each infected victim, but keeping the original function (its semantics) the same. This way, the malicious code will always look different, but it will perform the same – file encrypting – functions.

Vanderburg: How does Bitdefender detect and eradicate ransomware before it begins encryption? 

Arsene: Machine learning is a really powerful tool in Bitdefender’s arsenal for fighting ransomware. We’ve been relying on patented machine learning algorithms since 2009 to identify new and unknown threats. Properly training them to accurately identify even unknown ransomware samples was only natural, as traditional security mechanisms cannot cope with the new techniques employed by cybercriminals. Reverse engineering is also important, as by analyzing ransomware samples security researchers are able to either reverse engineer encryption algorithms and provide decryption keys to victims, or create generic heuristics capable of even identifying unknown malware that belongs to the same family.

Vanderburg: Where do enterprises need to focus to combat the ransomware threat?

Arsene: Ransomware has become a nuisance for enterprises because cybercriminals have figured out that organizations have much more to lose if their data is lost than the average user does. Consequently, an organization would be willing to pay a great deal more than $300 to regain access to its data. Considering that two healthcare institutions (Hollywood Presbyterian and MedStar Health) have admitted to paying $17,000 and $18,000 respectively to get the decryption key to their ransomware-encrypted files, it’s safe to say that cybercriminals have made a lot of money just by infecting two victims.

To that end, organizations need to focus on making sure that critical data is constantly backed up offsite or in a segregated network, that security and email-filtering solutions are deployed across the entire organization, and that employees are trained to spot phishing emails with malicious attachments. The weakest link in the security chain is usually the individual behind the computer, so it’s vital they’re not tricked into executing malicious attachments or downloading ransomware-infected applications from untrusted websites.

Vanderburg: What is Bitdefender doing to protect against tomorrow’s threats?

Arsene: Bitdefender has been employing anti-ransomware technologies, such as machine learning and ransomware-specific heuristics, for accurately identifying new and even unknown ransomware. We’ve even developed an anti-ransomware vaccine, whose purpose is to immunize computers from known ransomware families and prevent infection from similarly-behaving ransomware.
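The interview describes two ideas worth seeing in code: ransomware's defining behaviour (rewriting user files as ciphertext) and behavioural heuristics that catch a repacked or polymorphic variant a signature would miss. The example below is added here and is not Bitdefender's code or anything from the original post; the event format, the process names, the ".locked" extension and the thresholds are all assumptions, and the telemetry is constructed.

```python
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits/byte; documents and source code sit far below this
BURST_FILES = 5           # distinct files hit before we alert (assumed threshold)
BURST_WINDOW = 10.0       # seconds (assumed window)
USER_EXTS = {".docx", ".xlsx", ".jpg", ".py", ".txt"}   # user-content types ransomware targets

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; ciphertext approaches the 8.0 ceiling."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_encrypt_like(event: dict) -> bool:
    """A user-content file rewritten under a foreign extension with ciphertext-like bytes."""
    src_ext = event["path"][event["path"].rfind("."):]
    dst_ext = event["new_path"][event["new_path"].rfind("."):]
    renamed_away = src_ext in USER_EXTS and dst_ext not in USER_EXTS
    return renamed_away and shannon_entropy(event["data"]) >= ENTROPY_THRESHOLD

def find_encrypting_processes(events: list) -> list:
    """Processes with BURST_FILES encrypt-like writes on distinct files in one BURST_WINDOW.
    The rule looks at behaviour, not bytes of the binary, so packing or polymorphism
    of the payload does not change what it sees."""
    per_proc = defaultdict(list)
    for ev in events:
        if is_encrypt_like(ev):
            per_proc[ev["proc"]].append((ev["ts"], ev["path"]))
    alerts = []
    for proc, hits in sorted(per_proc.items()):
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - t0 <= BURST_WINDOW}
            if len(in_window) >= BURST_FILES:
                alerts.append(proc)
                break
    return alerts

# Constructed sample telemetry, not real captures: a word processor saving one
# document normally, then an unknown binary rewriting six spreadsheets as ".locked" files.
PLAINTEXT = b"Quarterly figures and meeting notes, revised draft. " * 40
CIPHERTEXT_LIKE = bytes(range(256)) * 8   # uniform byte histogram: exactly 8.0 bits/byte
SAMPLE_EVENTS = [{"ts": 0.0, "proc": "WINWORD.EXE", "path": "C:/Users/a/report.docx",
                  "new_path": "C:/Users/a/report.docx", "data": PLAINTEXT}] + [
    {"ts": 5.0 + i, "proc": "unknown.exe", "path": f"C:/Users/a/doc{i}.xlsx",
     "new_path": f"C:/Users/a/doc{i}.xlsx.locked", "data": CIPHERTEXT_LIKE}
    for i in range(6)]
```

Run against SAMPLE_EVENTS, find_encrypting_processes flags only "unknown.exe"; the normal save is ignored because its content is low-entropy and its extension is unchanged.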


As always, thoughts and ideas are my own. This insight wouldn’t be possible without the help of my associates at Bitdefender.

Top security initiatives for 2016

2016 is going to be a big year for security. News of data breaches and the major technological innovations of 2015 will put more pressure on companies to implement effective organizational security. I believe 2016 will see major initiatives in these seven areas:

  1. Securing the supply chain

2015 demonstrated the need for organizations to ensure that their weakest security link does not lie among one of their suppliers. Some of the security breaches that occurred were the result of suppliers or partner companies that were handling or had access to company information.

The supply chain relies on sharing of information in order for it to function effectively and 2016 will see an increase in initiatives to implement a standard or minimum set of security controls throughout the process and wherever sensitive data is shared with suppliers or other partner companies.

  2. Leverage more data analytics for security

Big data has been growing more and more each year. It has been leveraged greatly in determining shopping habits, customer needs, process improvement and many other areas but I believe 2016 will see a growth in the use of big data in security. Big data can be used to predict likely targets, identify attack patterns, detect network or data anomalies that indicate abnormal activity such as a data breach, validate data sources to better screen out garbage data or identify areas where security controls are performing well. This is all very valuable in protecting organizational assets. It is also valuable to governments trying to protect their citizens and companies against attacks from foreign nations and companies.

  3. Internet of Things security

The Internet of Things (IoT) is expected to explode next year. As more and more devices come online, companies will develop new strategies and technologies to protect the devices and the data produced from those devices. I expect the innovation in IoT and IoT security will also trickle over to other areas of security, helping to improve security overall.

  4. More companies will hire a security executive such as a CSO

The Chief Security Officer (CSO) will be a more common member of the “C-suite” in the next year as companies realize that top level support is required and an independent executive division is needed to ensure transparency and functionality between technical, operational, financial, legal and other critical business areas.

CSOs will be expected to implement security best practices and work with compliance officers or teams to ensure adherence to relevant regulations. They will also be responsible for aligning businesses and security goals so that security initiatives are more effective.

  5. Find ways to hire and retain valuable infosec talent

2016 will see an increase in hiring of other infosec professionals, as well. CSOs will need a team to achieve their objectives and they will not be able to fill that need entirely from existing resources. Such resources may include risk management professionals, security analysts, penetration testers, security engineers and architects, security managers and other security professionals.

  6. Extend security to the mobile device

Employees today are not just mobile, they are mobile with multiple devices. Employees may have a laptop, tablet, and smartphone each connected to the corporate network. Companies will be implementing more controls to extend organizational security to the mobile device. This will include mobile device management systems but also more transparent security such as data driven security, identity management systems that integrate across mobile and traditional platforms and cloud systems that offer services to mobile and traditional systems alike.

  7. Encryption is the new “minimum” security

The regulations have spoken and encryption is practically the new minimum standard for security. 2016 will see an increase in the use of encryption for key systems such as email, network communications, web traffic including traffic that was previously not deemed sensitive, end user computers and mobile devices and servers. Those systems that are already using encryption will most likely get an upgrade to the type of encryption used or to the way they manage keys so that they are in line with best practices.

Do you see any other security initiatives coming forward in 2016?  Please share your thoughts with me on Twitter @evanderburg and copy @DellPowerMore.


Ineffective Security Policy Adherence Results in Another Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013.  The device was unencrypted and not password protected despite a policy by the DJJ requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices but more importantly, it shows that a policy alone is not enough.  Organizations and government agencies need to make sure that employees are aware and adhering to their policies.  Without this, such policies are worthless.

Do you have a mobile device encryption policy?  If so, do you know if employees are following it?  Don’t let this happen to you.