“Unbelievable” is how FBI Cyber Division Assistant Director James Trainor last week described the increase in the number and sophistication of ransomware attacks in the first quarter of 2016, according to CIO Journal.
Last year, there were 2,453 reported ransomware incidents in the U.S., in which victims paid about $24.1 million. We can expect much more in 2016, says the FBI, defining ransomware as “an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.”
Yaki Faitelson, CEO of Varonis, sees a silver lining in the changing threat environment. Ransomware, he argues, is the only type of cybersecurity infiltration where the attackers want their presence to be known, typically shortly after succeeding in obtaining access to the victim’s files and encrypting them.
“Ransomware is very vocal,” says Faitelson, “but it acts exactly like other malicious insider threats.” As such, it can serve as a sort of cybersecurity training exercise, exposing to the victims specific vulnerabilities in their defenses.
“This is what we call security from the inside out,” says Faitelson. “Nearly all data breaches come, in one form or another, from insiders.” Data breaches can originate with a disgruntled employee or one seeking a material gain. But for the most part, they are the result of inadequate management of data access permissions compounded by innocent mistakes committed by insiders, such as clicking on an e-mail with a malware attachment.
You may think that with all the publicity about “phishing” attempts, people are much more careful about opening email attachments from unknown sources. But the 2016 Data Breach Investigations Report found that 30% of phishing messages were opened, up from 24% last year, and that 12% of email users went on to click the malicious attachment.
Adding fuel to the ransomware fire is its increased sophistication: it now spreads to your organization not only via email but also through infected websites that take advantage of unpatched software on end-user computers.
So what’s the best protection? “Ransomware is about backups, more so than anything else,” says the FBI’s Trainor. Faitelson begs to differ. “Most organizations don’t have effective backup,” he says. Their physical backup is not up-to-date and is costly to recover. Their up-to-date backup files are increasingly being targeted by the ransomware attackers who make sure to encrypt them as well.
Instead of relying solely on physical backup, Varonis recommends constant monitoring of the IT infrastructure, looking for mass encryption beyond a certain threshold and looking for the typical extensions that the ransomware software creates.
“The best way to find today’s sophisticated attackers is user behavior analytics, understanding what is normal and what is not, identifying behavioral anomalies for accounts that are targeted by hackers,” says Faitelson.
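The threshold and extension monitoring described above can be sketched as follows. This is an added example, not Varonis code or part of the original article; the audit-line format, the extension list, the 60-second window and the threshold of 5 are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative extensions only (assumption), not a vetted indicator list.
SUSPECT_EXTENSIONS = (".locked", ".encrypted", ".crypt")

def detect(lines, window=timedelta(seconds=60), threshold=5):
    """Return (user, reason, timestamp) alerts from time-ordered audit lines.

    Assumed line format: '<ISO time> <user> <OP> <path> [<new path>]',
    with no spaces inside paths.
    """
    recent = defaultdict(deque)  # user -> times of recent WRITE/RENAME events
    raised = set()               # (user, reason) already alerted, to avoid repeats
    alerts = []

    def alert(user, reason, ts):
        if (user, reason) not in raised:
            raised.add((user, reason))
            alerts.append((user, reason, ts.isoformat()))

    for line in lines:
        ts_text, user, op, *paths = line.split()
        if op not in ("WRITE", "RENAME") or not paths:
            continue  # reads, and lines with no path, are ignored
        ts = datetime.fromisoformat(ts_text)
        times = recent[user]
        times.append(ts)
        while ts - times[0] > window:  # drop events older than the window
            times.popleft()
        # Signal 1: the resulting file name carries a suspect extension.
        if paths[-1].lower().endswith(SUSPECT_EXTENSIONS):
            alert(user, "suspect-extension", ts)
        # Signal 2: more modifications in the window than the threshold allows.
        if len(times) > threshold:
            alert(user, "mass-modification", ts)
    return alerts

# Constructed sample: alice renames 8 files in 8 seconds, bob edits normally.
SAMPLE = [
    f"2016-05-02T09:00:{i:02d} alice RENAME /share/fin/r{i}.xlsx /share/fin/r{i}.xlsx.locked"
    for i in range(8)
] + [
    "2016-05-02T09:01:00 bob WRITE /share/hr/notes.docx",
    "2016-05-02T09:04:00 bob READ /share/hr/notes.docx",
    "2016-05-02T09:09:00 bob WRITE /share/hr/plan.docx",
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a)
```

A fixed threshold like this is the simplest form of the idea; the per-user baseline of "what is normal" that the article goes on to describe would replace the constant with a value learned from each account's history.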
User behavior analytics is a relatively new cybercrime-fighting tool for Varonis and the industry. Realizing that protecting the perimeter and the endpoints of the IT infrastructure is not enough, the industry is moving rapidly to develop and provide machine learning tools that detect anomalies and alert security staff to unusual activity. Faitelson argues that Varonis has a head start in this field as it has been monitoring and analyzing how users interact with data and file systems since 2005.
Before he and Ohad Korkus founded Varonis, they worked in professional services for NetApp. While they were implementing a project in Angola for a large energy exploration firm, someone deleted many critical files: images taken from the ocean floor at great expense. Attempting to find out who deleted the files became a monumental task.
It was then that they realized that enterprises needed a much better way to track, visualize, analyze and protect their data. That led to Varonis’ initial focus on data management, on understanding, mapping, and organizing data ownership, rights, and responsibilities across the enterprise.
That decade-plus experience, specifically the gathering and analyzing of metadata, data about the data, its use, and users’ interactions with it, now informs the algorithms and automated rules Varonis uses to identify abnormal behavior without generating lots of distracting “false positives,” alerts triggered by benign activity. Given the 33% revenue growth announced by Varonis last week, the move to applying its data management expertise to cybersecurity seems to be working.
Ransomware may be changing the dynamics of cyber defense, but it may also change how organizations value their information. That may be another ransomware silver lining: It quantifies, in monetary terms, what it costs not to have access to specific records and files. Says Faitelson: “Ransomware shows the organization the value of the data.”
Originally published on Forbes.com