
Ransomware Has Evolved. Has Your Defense?


A year ago, we wrote our first blog post about ransomware and the Hollywood Presbyterian attack. At the time, ransomware was still relatively straightforward: encrypt files, demand payment, move on. Since then, it has evolved significantly. And if your defenses haven't evolved with it, you're more vulnerable than you were a year ago.

What's Changed

Ransomware Now Targets Backups

Attackers have figured out that businesses with good backups don't pay ransoms. So newer ransomware variants specifically look for and destroy backups before triggering the main encryption. They search for files with common backup extensions, follow mapped network drives to NAS devices, and delete Volume Shadow Copies (Windows' built-in file versioning) so that "Previous Versions" can't be used to roll back.

If your backup lives on a network share that a logged-in user on a workstation can write to, it will be encrypted along with everything else: a ransomware process runs with that user's permissions. Backups the workstations can't reach, whether air-gapped locally or kept in the cloud behind credentials that don't live on the network, are now essential, not just recommended.
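The check behind that paragraph, as an added example (not code from the original post): run it as an ordinary user on a workstation and it lists every network location that user's session can already write to, which is exactly what a ransomware process running as that user could encrypt. The share name `\\NAS01\Backups` is a placeholder for your own backup location; the script assumes Windows 8.1 / Server 2012 R2 or later for the `Smb*` cmdlets and an elevated prompt for the shadow-copy count.

```powershell
# Added example, not part of the original post. Shows what a ransomware process
# running as the current user could reach, and whether local shadow copies exist.
$KnownBackupShares = @('\\NAS01\Backups')   # placeholder: replace with your real backup share(s)

function Test-WritablePath {
    param([Parameter(Mandatory)][string]$Path)
    # Create and delete a uniquely named probe file. If this succeeds, malware
    # running as the same user can overwrite or encrypt whatever lives here.
    $probe = Join-Path $Path ('write-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# 1. Everything this logon session can already reach without typing a password:
#    mapped drive letters plus any other live SMB connections (a backup agent's
#    UNC path, a share opened from a file dialog, ...), plus the known backup shares.
$targets = @(Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like '\\*' } |
    ForEach-Object { $_.DisplayRoot })
$targets += @(Get-SmbConnection -ErrorAction SilentlyContinue |
    ForEach-Object { "\\$($_.ServerName)\$($_.ShareName)" })
$targets += $KnownBackupShares
$targets = $targets | Sort-Object -Unique

foreach ($t in $targets) {
    $writable = Test-WritablePath -Path $t
    if (-not $writable) {
        $verdict = 'not writable (good)'
    } elseif ($KnownBackupShares -contains $t) {
        $verdict = 'BACKUP SHARE IS WRITABLE FROM THIS WORKSTATION'
    } else {
        $verdict = 'writable'
    }
    '{0,-40} {1}' -f $t, $verdict
}

# 2. Shadow copies. They are not a backup: one of the first things most ransomware
#    runs is "vssadmin delete shadows /all /quiet". A count that drops to zero
#    unexpectedly is itself an indicator of compromise worth alerting on.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Local shadow copies on this machine: $($shadows.Count)"
```

Any line that reads "BACKUP SHARE IS WRITABLE FROM THIS WORKSTATION" is the situation the paragraph warns about: the backup will go down with the workstation. The fix is to have only the backup server (with its own account) write to that share, or to move the copy somewhere the workstation cannot reach at all.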

Lateral Movement

Early ransomware encrypted files on the infected machine and any mapped network drives. Newer variants actively spread across the network, exploiting unpatched vulnerabilities in Windows file sharing (SMB) and using credentials stolen from the first machine to log into others. One infected workstation can compromise your entire practice in minutes.
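What closing that SMB hole looks like in practice, as an added example (not code from the original post): an elevated PowerShell script that audits SMB on one Windows machine, logs who still uses SMBv1, and then removes it, which is the "Disable unnecessary SMB" step in the list further down. It assumes Windows 10 / Server 2016 or later (for `Get-WindowsOptionalFeature` and the `-AuditSmb1Access` switch); on Server 2012 R2 the feature is removed with `Remove-WindowsFeature FS-SMB1` instead. `$Enforce` is a switch added here so the same script can be run in audit-only mode first.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
# $Enforce = $false only reports and enables SMBv1 auditing; $true also disables SMBv1.
$Enforce = $false

# 1. Current state: is this machine still answering SMBv1 at all?
$cfg = Get-SmbServerConfiguration
"SMBv1 enabled on server : $($cfg.EnableSMB1Protocol)"
"SMBv2/3 enabled on server: $($cfg.EnableSMB2Protocol)"

# 2. Who is connected right now and which dialect did they negotiate? Anything
#    starting with "1." is a client (old printer, scanner, NAS) that will break
#    when SMBv1 goes away, so it has to be fixed or replaced first.
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Sort-Object Dialect | Format-Table -AutoSize

# 3. Devices that connect only occasionally won't show up above. Log every SMBv1
#    access for a week or two; the events land in the
#    Microsoft-Windows-SMBServer/Audit event log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# The weak setting, shown for contrast (this is what a legacy build looks like):
#     Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force

if ($Enforce) {
    # 4. Hardened: stop serving SMBv1, and remove the SMBv1 component entirely so
    #    a later "quick fix" cannot quietly switch it back on. SMBv2/3 stay enabled.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        'SMB1Protocol feature disabled; reboot to finish removing it.'
    }

    # 5. Verify rather than assume.
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Write-Warning 'SMBv1 is still enabled on this machine.'
    } else {
        'SMBv1 is off. SMBv2/3 clients are unaffected.'
    }
}
```

Run it with `$Enforce = $false` on every server and workstation first, read the audit log for a couple of weeks, fix whatever still speaks SMBv1, then run it again with `$Enforce = $true`. Disabling SMBv1 removes the dialect the SMB worms attack; keeping SMBv2/3 patched and using strong, unique credentials per machine is what limits the "stolen credentials" path the paragraph above describes.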

Ransomware-as-a-Service

Criminal entrepreneurs are now selling ransomware kits on the dark web. For a few hundred dollars and a percentage of the ransom payments, anyone can run a ransomware campaign. This has dramatically increased the volume of attacks because it's no longer limited to skilled hackers.

Double Extortion

Some ransomware operators are now exfiltrating data before encrypting it. If you don't pay, they threaten to publish your data publicly. For healthcare practices, this changes the calculus: even if you have backups, the threat of published patient data creates enormous pressure.

Updating Your Defense

  • Isolate your backups. Cloud backup with credentials that aren't stored on any workstation or server, or an air-gapped local backup that's physically disconnected when a job isn't running.
  • Segment your network. Workstations, servers, IoT devices (printers, scanners, imaging equipment), and backups should be on separate network segments that only pass the traffic the practice actually needs. That limits lateral movement.
  • Disable unnecessary SMB. If you don't need SMBv1 (and you probably don't), turn it off. It's the version the SMB worms exploit, and Windows keeps working over SMBv2/3 without it.
  • Monitor for unusual behavior. Modern endpoint protection can detect rapid file encryption (a hallmark of ransomware) and stop the responsible process before it spreads. If you're still running signature-based antivirus alone, upgrade.
  • Maintain offline copies. Keep at least one backup copy that's completely offline, and test a restore from it. Even if attackers compromise your cloud backup credentials, the offline copy survives.
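To make the "rapid file encryption" detection concrete, here is an added example (not code from the original post or any vendor's product) of the kind of rule an endpoint protection product applies: a sliding window over file-change events that fires when one process renames many files, across many original file types, to a new extension within a few seconds. The event records and thresholds are constructed for the demonstration; the process name `updater.exe` and the paths are made up.

```powershell
# Added example, not part of the original post. A minimal "encryption burst"
# detector over a list of file-change events (Time, Process, Path).
function Test-EncryptionBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Time (DateTime), Process, Path
        [int]$WindowSeconds = 10,                  # constructed threshold: look at 10 s windows
        [int]$MinFiles      = 50,                  # ... with at least 50 files touched
        [int]$MinExtensions = 5                    # ... spanning 5+ distinct original extensions
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object -Property Process)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until it spans at most $WindowSeconds.
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            $window = @($sorted[$start..$end])
            if ($window.Count -lt $MinFiles) { continue }

            # Ransomware typically renames report.docx -> report.docx.locked, so the
            # original extension is the second-to-last dotted part of the file name.
            # Many different original types hit by one process is the tell-tale sign;
            # a legitimate app saving its own documents touches one or two.
            $origExt = @($window | ForEach-Object {
                $parts = [IO.Path]::GetFileName($_.Path).Split('.')
                if ($parts.Count -ge 3) { $parts[-2] }
            } | Where-Object { $_ } | Sort-Object -Unique)

            if ($origExt.Count -ge $MinExtensions) {
                $alerts += [pscustomobject]@{
                    Process    = $group.Name
                    Files      = $window.Count
                    Extensions = ($origExt -join ',')
                    Window     = '{0} - {1}' -f $sorted[$start].Time.ToString('HH:mm:ss'),
                                               $sorted[$end].Time.ToString('HH:mm:ss')
                }
                break   # one alert per process is enough to act on
            }
        }
    }
    return $alerts
}

# --- Constructed sample input ------------------------------------------------
$t0   = Get-Date '2017-03-01 09:15:00'
$exts = 'docx', 'xlsx', 'pdf', 'jpg', 'pst', 'dcm'
$sample = @()
for ($i = 0; $i -lt 120; $i++) {
    # A malicious process renaming 120 files of six types in six seconds.
    $sample += [pscustomobject]@{
        Time    = $t0.AddMilliseconds($i * 50)
        Process = 'updater.exe'
        Path    = "D:\Shared\Patients\file$i.$($exts[$i % $exts.Count]).locked"
    }
}
for ($i = 0; $i -lt 20; $i++) {
    # Word autosaving one document every 30 seconds: normal, must not alert.
    $sample += [pscustomobject]@{
        Time    = $t0.AddSeconds($i * 30)
        Process = 'WINWORD.EXE'
        Path    = 'D:\Shared\Letters\referral.docx'
    }
}

# Only updater.exe trips the rule; WINWORD.EXE never has more than one event per window.
Test-EncryptionBurst -Events $sample | Format-Table -AutoSize
```

In a real deployment the event list comes from a file system watcher or from Sysmon's file-create events, and the alert is wired to a response: suspend or kill the process, disconnect the machine from the network, and cut its access to shares. Products add further signals (entropy of written data, honeypot files that nothing legitimate should touch), but the rate-and-breadth rule above is the core of why behavioral endpoint protection catches in seconds what signature-based antivirus misses entirely.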

Ransomware isn't going to get simpler. Your defenses need to keep pace.