Ransomware has been all the rage lately, and it seems that every information security vendor says they can protect an enterprise from ransomware simply by using their products.
Ransomware attacks are morphing by using different techniques, and they're no longer just malware encrypting data on a local system. Now, WannaCry is seeking out other systems to infect and, because of this, there may be more to responding to a ransomware attack than just restoring from backups. That means involving a broader spectrum of vendors.
One of the recent changes around ransomware beyond encrypting data is manipulation of the data. Let's explore the concept of data manipulation attacks and possible enterprise responses.
Data manipulation attack
Ransomware has been around since roughly 1995, when it was spread via floppy disks. With the rise in bitcoin for extracting a ransom from a victim, in addition to ransomware as a service, profits, along with technical tools, have become widely available to criminals.
Ransomware essentially makes data unavailable, which has a variety of negative impacts, and it is why so many enterprises have paid a ransom for their data. Some ransomware even involves blackmail by forcing an individual or enterprise to pay threat actors in exchange for not publishing certain data.
Enterprises are no longer able to simply identify and defend against new ransomware attacks, but must now verify the authenticity and integrity of their data. This is a direct result of the importance of data to a user's productivity.
When gigabytes of valuable data are restored, returned or unencrypted, an enterprise may just assume that the data wasn't modified. For some, assuming that the data wasn't changed might be OK, but for data that is used for decision-making in high-risk scenarios, such as medical and financial situations, just assuming that the data is OK may put people at additional risk. Many times, integrity-related risks, like a data manipulation attack, can slip through the information security cracks, since they can be more nuanced.
A salami slicing attack is one of the early integrity-related attacks where a seemingly insignificant number is changed on many transactions to create a large profit for a criminal. A similar attack could be executed with ransomware, where a victim's data is modified by malware as it is held hostage. Since the victim doesn't have a copy of the data, when the data is returned, the victim can't verify the data's integrity.
For the attacker to collect the ransom, it may be enough for the ransomware to change just some of the data, such as values in every spreadsheet on an endpoint or records in a vulnerable Redis database. However, the ransomware would also have to change the data randomly: a deterministic manipulation algorithm could be reverse-engineered and its changes undone -- much like encryption keys are recovered or broken when ransomware isn't implemented correctly.
Enterprises already have many options to protect against ransomware impacting the integrity of the data on their systems. Most enterprise backup systems have some sort of hashing or integrity-checking features to ensure that there are no errors when data is restored.
Backups are still among the most critical aspects of data protection. The integrity checks in backups are implemented in case there are any errors writing the data to storage media, degradation of the storage media or errors when restoring the data -- think aging tapes in storage.
An enterprise could implement a file integrity monitoring (FIM) system so that the integrity of the data can be verified upon being returned from a ransomware attack, but it may still be easier to just back up the data to a secure location. A FIM could also send alerts when data is changed by an attacker, which a backup system may not be able to do, and it could identify the specific data that was modified.
More often than not, people don't realize that encryption comes with an integrity check, so implementing encryption to protect sensitive data may also provide integrity checks. The hardest part of a data manipulation attack is that, if an enterprise has nothing to prove the integrity of its data, it may have to revalidate all of the data or take labor-intensive steps to recreate it.
An enterprise could even add integrity checking to its custom applications to identify unauthorized changes in data. For example, a checksum could be generated for each piece of high-value data inserted into a database, and the data could then be periodically checked to see whether it still matches the checksum, much like how a FIM works.
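The per-record integrity check described above, as an added example that is not part of the original article: each row gets a keyed hash (HMAC-SHA256) over its canonical contents on insert, and a periodic verification pass reports rows whose contents no longer match. The key, table layout and payment records are constructed for the demonstration; in a real deployment the key would live outside the database so that whoever can edit rows cannot also recompute the tags.

```python
import hashlib
import hmac
import json
import sqlite3

# Constructed demo key. In practice keep it outside the database (KMS, HSM, vault),
# otherwise an attacker who can edit rows can also recompute the tags.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def record_tag(record_id, fields, key=INTEGRITY_KEY):
    """Keyed hash over a canonical serialization of one row; the id is bound in
    so a valid tag cannot be copied from one row onto another."""
    canonical = json.dumps({"id": record_id, **fields}, sort_keys=True,
                           separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def open_store():
    conn = sqlite3.connect(":memory:")  # constructed in-memory table for the demo
    conn.execute("CREATE TABLE payments (id INTEGER PRIMARY KEY, payee TEXT, "
                 "amount_cents INTEGER, tag TEXT)")
    return conn


def insert_payment(conn, record_id, payee, amount_cents):
    tag = record_tag(record_id, {"payee": payee, "amount_cents": amount_cents})
    conn.execute("INSERT INTO payments VALUES (?, ?, ?, ?)",
                 (record_id, payee, amount_cents, tag))


def verify_store(conn, key=INTEGRITY_KEY):
    """Periodic FIM-style pass: return ids whose contents no longer match their tag."""
    bad = []
    for rid, payee, amount, tag in conn.execute(
            "SELECT id, payee, amount_cents, tag FROM payments ORDER BY id"):
        expected = record_tag(rid, {"payee": payee, "amount_cents": amount}, key)
        if tag is None or not hmac.compare_digest(expected, tag):
            bad.append(rid)
    return bad


def demo():
    conn = open_store()
    for rid, payee, cents in [(1, "ACME Supplies", 125000), (2, "Globex", 99999),
                              (3, "Initech", 4200)]:
        insert_payment(conn, rid, payee, cents)
    assert verify_store(conn) == []          # freshly inserted rows all verify
    # Simulated salami-style edit made directly in the store: one cent added to row 2.
    conn.execute("UPDATE payments SET amount_cents = amount_cents + 1 WHERE id = 2")
    # Simulated edit to row 3 that also rewrites the tag with an unkeyed hash; it still
    # fails, which is why the tag is keyed rather than a plain checksum.
    conn.execute("UPDATE payments SET amount_cents = 4201, tag = ? WHERE id = 3",
                 (hashlib.sha256(b"4201").hexdigest(),))
    return verify_store(conn)                # -> [2, 3]
```

The same pattern applies to files on disk by hashing file contents instead of serialized rows, which is what a FIM does.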
Data is the lifeblood of all enterprises and, as such, enterprises should ensure that they have adequate backup procedures to protect against ransomware attacks and data manipulation attacks, including appropriate checks to ensure the integrity of the data. If the integrity of the data is ever in question after it is restored, that might result in worse decision-making than if no data was available.