How to Protect Your Company’s Server from Ransomware Attacks
Your company’s server sits at the center of your organization’s IT operations. It is where critical data is stored, and every workstation in the organization connects to it.
The server hardware runs the server software that provides services, such as file shares and file transfers, to the connected computers.
Because of these core functions, the server has become a favored target for ransomware attackers: a single point of entry from which they believe they can get the most out of an attack.
What is Ransomware?
Ransomware is malicious software (malware) that encrypts files so their owners can no longer open them, then demands a ransom payment, typically in Bitcoin, in exchange for the key that decrypts or unlocks them.
According to Malwarebytes, ransomware was the tool of choice for cyberattackers in 2017. Ransomware attacks against businesses increased by 90% in 2017, Malwarebytes reported; the monthly rate of attacks ran up to 10 times the 2016 rate, and September 2017 saw the largest volume of ransomware attacks ever documented against businesses.
Rise of Cryptoworms
Worms have been used by attackers for decades and remain one of the most potent threats to an organization’s servers. A worm is planted once, on a single computer, and from there copies itself to other reachable computers without any human intervention.
A cryptoworm combines the dangers of a ransomware and worm, thus the name “cryptoworm”.
One of the first ransomware families described as a cryptoworm is the malware called “SamSam”, also known as Samsa or Samas.
SamSam was first observed in the wild on March 2, 2016. It is ransomware in the sense above: it encrypts files and demands Bitcoin for the key. It earned the “worm” label because an infection does not stop at the first server. Once the attackers have a foothold on one machine, they use it to push the ransomware to every other computer they can reach across the network, so one compromised server ends with the whole connected estate encrypted. Unlike WannaCry (below), this spread is driven by the attackers’ hands-on use of the compromised server rather than by code that replicates on its own.
Many of SamSam’s victims have been in the healthcare sector. In January 2018, Hancock Health, a hospital in Greenfield, Indiana, admitted that it had been hit by a new variant of SamSam and that it paid the attackers 4 Bitcoins, worth about $55,000 at the time.
Symantec reported that the original version of SamSam got onto servers running “unpatched” JBoss application server software. Unpatched means the software is still in use even though a security update fixing a known flaw is already available, which is exactly the kind of software attackers look for.
“The big takeaway here is the growing trend that criminals are directly targeting organizations in ransomware attacks. The success of these recent attacks signals a shift for cybercriminals as they seek to maximize profits by setting their sights on vulnerable businesses,” Symantec said.
Regarding the new SamSam variant, Cisco said, “Although the infection vector for the new variant [SamSam] is not yet confirmed, there is a possibility that compromised RDP/VNC [Remote Desktop Protocol/Virtual Network Computing] servers have played a part in allowing the attackers to obtain an initial foothold.”
WannaCry is another cryptoworm. It made headlines in May 2017 when it infected hundreds of thousands of computers around the world in a matter of days.
Like SamSam, WannaCry is both ransomware and a worm. Victims found their files encrypted and were asked to pay a Bitcoin ransom to get them back.
WannaCry reached so many machines because it spreads inside a network on its own, with no user interaction: it scans for other computers exposing the Windows file-sharing service (SMBv1) and exploits a flaw in it. Organizations still running Microsoft operating systems that were no longer “supported” (meaning Microsoft no longer issued regular security updates for them), such as Windows Server 2003, were hit.
So were computers running supported versions of Windows that had not yet installed Microsoft’s March 14, 2017 security update (bulletin MS17-010), which fixes the very vulnerability WannaCry exploits.
WannaCry was also unusually damaging in another way. With most ransomware, victims who pay receive the key to decrypt their files. WannaCry’s code used a few hard-coded Bitcoin addresses rather than one per victim, so the attackers had no automated way to tell which infected computer had paid, and paying gave no reliable path to recovery.
Here are some security best practices to protect your company’s server from ransomware, particularly ransomware with worm-like capabilities:
1. Use a Supported Server Operating System (OS)
WannaCry was a hard lesson for businesses running an unsupported server OS. A supported OS is one for which the vendor still issues regular security updates; attackers are quick to go after software its developer has abandoned.
No software is released flawless. Discovering security holes is a race between attackers and the vendor, and when the vendor (or a researcher) finds one first, the fix ships as a security update. An OS past its end of support gets no such updates, so every flaw found after that date stays open for good.
2. Install Security Updates As Soon as Possible
The WannaCry and original SamSam attacks both exploited vulnerabilities for which a fix already existed. Security updates close known holes; leaving them uninstalled keeps your organization’s server exposed to attacks that are already public knowledge.
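As an added example (not code from the original post or from GenX), the following Python script audits a constructed server inventory for both practices above: an operating system that no longer receives security updates, and a supported OS still missing the March 14, 2017 SMBv1 fix (Microsoft bulletin MS17-010) that WannaCry exploited. It also flags SMBv1 itself, since that is the only dialect the worm speaks. The inventory, the SUPPORTED_OS set (support status as of May 2017) and the MS17_010_KBS mapping are assumptions made for the example; confirm the KB numbers against the bulletin before relying on them.

```python
"""Patch and support-status audit for a server inventory.

Added example, not code from the original post or from GenX. The inventory,
SUPPORTED_OS and MS17_010_KBS below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: operating systems still receiving security updates in May 2017.
# Windows Server 2003 (like XP) had already left extended support.
SUPPORTED_OS = {
    "Windows Server 2008 R2", "Windows Server 2012", "Windows Server 2012 R2",
    "Windows Server 2016", "Windows 7", "Windows 10",
}

# Assumption: KB articles that deliver MS17-010 per OS (security-only update or
# the monthly rollup containing it). Any one of them is enough. Deliberately
# incomplete: an OS with no mapping produces a warning rather than a pass.
MS17_010_KBS = {
    "Windows Server 2008 R2": {"KB4012212", "KB4012215"},
    "Windows 7": {"KB4012212", "KB4012215"},
    "Windows Server 2012 R2": {"KB4012213", "KB4012216"},
    "Windows Server 2016": {"KB4013429"},
}


@dataclass
class Host:
    name: str
    os: str
    hotfixes: set[str] = field(default_factory=set)  # e.g. exported from Get-HotFix
    smb1_enabled: bool = True  # on by default on these builds until switched off


@dataclass
class Finding:
    host: str
    severity: str  # critical | high | medium
    issue: str


def audit_host(h: Host) -> list[Finding]:
    """Apply the three checks to one host and return what is wrong with it."""
    findings: list[Finding] = []
    if h.os not in SUPPORTED_OS:
        findings.append(Finding(h.name, "critical",
                                f"{h.os} receives no security updates; migrate it or isolate it"))
    else:
        required = MS17_010_KBS.get(h.os)
        if required is None:
            findings.append(Finding(h.name, "medium",
                                    f"no MS17-010 KB mapping for {h.os}; check the bulletin"))
        elif not (h.hotfixes & required):
            findings.append(Finding(h.name, "critical",
                                    "MS17-010 missing: the SMBv1 flaw WannaCry used is still open"))
    if h.smb1_enabled:
        findings.append(Finding(h.name, "high",
                                "SMBv1 enabled; disable it, the worm speaks nothing else"))
    return findings


def audit(hosts: list[Host]) -> list[Finding]:
    return [f for h in hosts for f in audit_host(h)]


def summary(findings: list[Finding]) -> dict[str, int]:
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory, shaped like a CMDB export for a small shop.
INVENTORY = [
    Host("fs-01", "Windows Server 2003", set()),
    Host("app-02", "Windows Server 2008 R2", {"KB4012215", "KB3177467"}, smb1_enabled=False),
    Host("db-03", "Windows Server 2012 R2", {"KB3000850"}),
    Host("web-04", "Windows Server 2016", {"KB4013429"}),
    Host("legacy-05", "Windows Server 2012", {"KB4012214"}, smb1_enabled=False),
]

if __name__ == "__main__":
    findings = audit(INVENTORY)
    for f in sorted(findings, key=lambda f: f.severity):
        print(f"[{f.severity:8s}] {f.host}: {f.issue}")
    print(summary(findings))
```

Run it as-is to see the report for the constructed inventory; in practice the `hotfixes` set for each host would come from a `Get-HotFix` export or the patch-management tool, and the audit is worth scheduling rather than running once, because a host that passes today falls out of support or misses a patch cycle tomorrow.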
3. Practice Network Segmentation
Sometimes a security update cannot be installed the moment it is released. Network segmentation is one of the best ways to block, or at least limit, what an attacker can do in the meantime.
Network segmentation divides the company network into subnetworks with firewall rules between them, so that a machine on one subnetwork can reach another subnetwork only on the ports it genuinely needs. A worm on an infected subnetwork then cannot spread to the others unless a rule lets it through; for the cryptoworms above that means blocking SMB (TCP 445) and RDP between segments wherever they are not required. Segmentation limits the blast radius rather than guaranteeing immunity, so it complements patching rather than replacing it.
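The following Python model, an added example that is not code from the original post or from GenX, shows what segmentation buys. It takes a constructed set of hosts, subnets and firewall rules and computes which machines a worm spreading over SMB (TCP 445) can reach from a given starting host. All host names, subnet names and rules are assumptions for the example; the pull-versus-push backup variant goes slightly beyond the text to show how one rule decides whether the backup host survives.

```python
"""Blast-radius model for a worm that spreads over SMB (TCP 445).

Added example, not code from the original post or from GenX. Hosts, subnets
and firewall rules are constructed for illustration.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

SMB = 445


@dataclass(frozen=True)
class Host:
    name: str
    subnet: str
    vulnerable: bool = True  # unpatched SMBv1 listener: a worm can take it over


class Network:
    def __init__(self, hosts: list[Host], rules: set[tuple[str, str, int]]) -> None:
        self.hosts = {h.name: h for h in hosts}
        # (source subnet, destination subnet, port) pairs the firewall lets through
        self.rules = set(rules)

    def allows(self, src: Host, dst: Host, port: int) -> bool:
        if src.subnet == dst.subnet:
            return True  # no firewall between hosts that share a subnet
        return (src.subnet, dst.subnet, port) in self.rules

    def worm_spread(self, patient_zero: str, port: int = SMB) -> set[str]:
        """Breadth-first infection: every newly infected host scans for the next."""
        infected = {patient_zero}
        queue = deque([patient_zero])
        while queue:
            cur = self.hosts[queue.popleft()]
            for name, h in self.hosts.items():
                if name in infected or not h.vulnerable:
                    continue
                if self.allows(cur, h, port):
                    infected.add(name)
                    queue.append(name)
        return infected


# Constructed estate: three user workstations, two servers, one HR machine,
# one backup host. Every one of them is unpatched.
HOSTS = [
    Host("ws-01", "users"), Host("ws-02", "users"), Host("ws-03", "users"),
    Host("fs-01", "servers"), Host("db-01", "servers"),
    Host("hr-01", "hr"),
    Host("bk-01", "backup"),
]


def flat_network() -> Network:
    """Everything on one subnet: the state before segmentation."""
    return Network([Host(h.name, "lan", h.vulnerable) for h in HOSTS], set())


def segmented_network(backup_pulls: bool) -> Network:
    """Users may reach the servers over SMB; HR is isolated from everyone.
    backup_pulls=False: servers push to the backup host over SMB (the backup
    share is writable from the servers). backup_pulls=True: the backup host
    pulls from the servers and nothing may connect into the backup subnet."""
    rules = {("users", "servers", SMB)}
    rules.add(("backup", "servers", SMB) if backup_pulls else ("servers", "backup", SMB))
    return Network(HOSTS, rules)


if __name__ == "__main__":
    for label, net in [("flat", flat_network()),
                       ("segmented, push backups", segmented_network(False)),
                       ("segmented, pull backups", segmented_network(True))]:
        hit = net.worm_spread("ws-01")
        print(f"{label:24s}: {len(hit)}/{len(net.hosts)} hosts infected -> {sorted(hit)}")
```

Starting from a user workstation, the flat network loses every host, the segmented network with a pushed backup loses everything except HR, and the pull variant keeps both HR and the backup host clean; the only difference between the last two is the direction of a single SMB rule. The same model also shows why workstation-to-workstation SMB should be closed: hosts inside one subnet are always reachable from each other here, just as they are on a real LAN without host firewalls.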
4. Backup Data
Backing up critical data is a must in every organization, and ransomware attackers lose most of their leverage when backups are taken regularly. A backup only helps, though, if the ransomware cannot reach it: a backup share that the server can write to will simply be encrypted along with everything else. Keep at least one copy offline or on storage the server cannot modify, retain several older versions, and test restores regularly so you know the copies are intact before you need them.
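An added example (not code from the original post or from GenX) of what a backup that actually helps looks like in code: versioned snapshots that are never rewritten, a restore test that checks every file against the hash recorded at backup time, and an entropy check that notices when the nightly job has faithfully backed up files the ransomware had already encrypted. The document contents, the ransomware simulation and the 7.0 bits-per-byte threshold are all constructed for the example.

```python
"""Backup hygiene against ransomware: versioned snapshots, a hash-verified
restore test, and an entropy check for snapshots full of ciphertext.

Added example, not code from the original post or from GenX. The documents,
the ransomware stand-in and ENTROPY_LIMIT are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import math
import random
from collections import Counter
from dataclasses import dataclass

ENTROPY_LIMIT = 7.0  # bits/byte; plain documents sit around 4-5, ciphertext near 8


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Snapshot:
    version: int
    files: dict[str, bytes]
    manifest: dict[str, str]  # path -> sha256 recorded when the snapshot was taken


class BackupStore:
    """Append-only snapshot store. Versions are never rewritten in place, so a
    ransomware process on the server cannot replace an older snapshot; it can
    only add a newer, worthless one. In production this property comes from
    offline media or object-lock storage, not from a Python list."""

    def __init__(self, keep: int = 7) -> None:
        self.keep = keep
        self.snapshots: list[Snapshot] = []
        self._next_version = 1

    def backup(self, files: dict[str, bytes]) -> int:
        snap = Snapshot(self._next_version, dict(files), {p: sha256(d) for p, d in files.items()})
        self._next_version += 1
        self.snapshots.append(snap)
        self.snapshots = self.snapshots[-self.keep:]  # retention window
        return snap.version

    def get(self, version: int) -> Snapshot:
        for s in self.snapshots:
            if s.version == version:
                return s
        raise KeyError(f"snapshot {version} is no longer retained")

    def verify(self, version: int) -> list[str]:
        """Restore test. Returns the problems found; an empty list means the
        snapshot restores bit-for-bit and holds no file that looks encrypted."""
        snap = self.get(version)
        problems: list[str] = []
        for path, digest in snap.manifest.items():
            data = snap.files.get(path)
            if data is None:
                problems.append(f"{path}: missing from snapshot")
                continue
            if sha256(data) != digest:
                problems.append(f"{path}: hash mismatch, backup media tampered or corrupt")
            if (e := shannon_entropy(data)) > ENTROPY_LIMIT:
                problems.append(f"{path}: entropy {e:.2f} bits/byte, looks encrypted")
        return problems

    def latest_clean(self) -> int | None:
        """Newest snapshot that passes verification: the restore point to use."""
        for snap in reversed(self.snapshots):
            if not self.verify(snap.version):
                return snap.version
        return None


def fake_documents() -> dict[str, bytes]:
    """Constructed sample of a file share's contents (plain text, low entropy)."""
    invoice = ("Invoice 2017-09-14, Acme Ltd. 12 units @ 19.99 EUR, due in 30 days.\n" * 30).encode()
    notes = ("Patch window Sunday 02:00; confirm JBoss update and RDP lockdown.\n" * 30).encode()
    return {"finance/invoice.txt": invoice, "it/notes.txt": notes}


def simulate_ransomware(files: dict[str, bytes]) -> dict[str, bytes]:
    """Stand-in for the encryption step: each file becomes pseudo-random bytes of
    the same length (seeded so the example is reproducible)."""
    rng = random.Random(2016)
    return {path: bytes(rng.getrandbits(8) for _ in range(len(data))) for path, data in files.items()}


def demo() -> dict:
    store = BackupStore(keep=7)
    docs = fake_documents()
    v1 = store.backup(docs)                 # day 1, clean
    v2 = store.backup(docs)                 # day 2, clean
    v3 = store.backup(simulate_ransomware(docs))  # day 3: the nightly job backs up ciphertext
    # An attacker with write access to the media flips one byte in the oldest copy.
    old = store.get(v1).files["it/notes.txt"]
    store.get(v1).files["it/notes.txt"] = b"x" + old[1:]
    return {
        "v1_problems": store.verify(v1),
        "v2_problems": store.verify(v2),
        "v3_problems": store.verify(v3),
        "restore_point": store.latest_clean(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check catches a backup that was altered after it was written; the entropy check catches the quieter failure where the backup itself is fine but was taken after the ransomware ran, which is why retention of several versions matters: `latest_clean()` walks back to the last snapshot that passes both checks. Files that are legitimately high-entropy (compressed archives, images, already-encrypted data) would trip a fixed threshold, so in practice compare against a per-file-type baseline or look for a sudden jump between consecutive snapshots rather than an absolute value.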
At GenX, we offer cybersecurity services that protect your company’s server from ransomware attacks such as server OS update and cloud-based data backup.
Connect with us today to learn more and get guaranteed protection against ransomware.