In February, the Federal Bureau of Investigation (FBI) issued an alert over a new ransomware called MSIL (AKA Samas/Samsam/Samsa), but a recent confidential advisory was obtained by Reuters, in which the FBI asked U.S. businesses and the software security community for help to deal with the growing enterprise ransomware threat from MSIL.
The new ransomware is particularly nasty as it is capable of infecting networks, not just individual computers. In February, the FBI alert provided details of the new ransomware and how it attacked systems by exploiting a vulnerability in the enterprise JBoss system. Any enterprise running an outdated version of the software platform is at risk of being attacked. The FBI’s list of indicators was intended to help organizations determine whether they had been infected with MSIL.
Just over a month later, the FBI sent out a plea for assistance, requesting businesses to contact its CYWATCH cybersecurity center if they suspected they had been attacked with the ransomware. Any business or security expert with information about the ransomware was also requested to get in touch.
Recent high profile attacks on healthcare organizations and law enforcement have resulted in ransoms being paid to attackers in order to unlock ransomware infections. Oftentimes there is no alternative but to pay the ransom demand in order to recover data. However, paying ransoms simply encourages more attacks.
The Enterprise Ransomware Threat is Now at A Critical Level
Ransomware is not new, but the methods being used by cybercriminals to infect systems is more complex as is the malicious software used in the attacks. The volume of attacks and the number of ransomware variants now in use mean the enterprise ransomware threat is considerable, with some security experts warning that ransomware is fast becoming a national cybersecurity emergency.
The healthcare industry is being targeted as hospitals cannot afford to lose access to healthcare data. Even if electronic patient medical files are not encrypted, systems are being shut down to contain infections. This causes massive disruption and huge costs, which attackers hope will make paying the ransom the best course of action.
Dealing with the enterprise ransomware threat requires a multi-faceted approach. Attackers are using a variety of methods to install ransomware and blocking spam email is no longer sufficient to deal with the problem. MSIL attacks are being conducted by exploiting vulnerabilities in enterprise software systems, end users are being fooled into installing ransomware with social engineering techniques, drive by downloads are taking place and the malicious file-encrypting software is also being sent via spam email.
How to Protect Against Enterprise Ransomware Attacks
The FBI is trying to encourage business users and individuals never to open untrusted email attachments and to ensure they are deleted from inboxes. Fortunately, the high profile attacks on large institutions have put enterprises on high alert. With awareness raised, it is hoped that greater efforts will be made by enterprises to reduce the risk of an attack being successful.
Some of the best protections include:
- Ensuring all software is kept up to date and patches are installed promptly
- Using spam filtering tools to reduce the risk of infected attachments being delivered to end users
- Backing up all systems frequently to ensure data can be restored in the event of an attack
- Conducting regular staff training sessions to help end users recognize phishing emails and malicious attachments
- Disabling macros on all computers
- Using web filtering solutions to prevent drive-by downloads and block malicious websites
- Issuing regular security bulletins to staff when a new enterprise ransomware threat is discovered