NHS website cyberattack message, 2017. Photo: Carl Court/Getty Images
Message informing visitors of a cyberattack displayed on the NHS website on May 12, 2017 in London, England

Ransomware Grows Up, Goes After Data Centers

Attacks on enterprise infrastructure reach unprecedented scale, and now they carry a ransomware payload

Think your data center is safe from ransomware attacks because the attackers only go after careless end users who click on malicious links or attachments?

Guess again.

One company that got hit recently is South Korean hosting firm Nayana, which was forced to pay about $1 million in ransom after just such an attack. The ransomware was a version of Erebus adapted to run on Linux servers, and the damage was deep. In addition to having to pay the ransom, thousands of customer websites were offline for weeks -- and not all could be recovered even after the company paid to get the encryption keys.

These days, ransomware can spread, worm-like, into any machine, including servers at data centers.

"We should have all seen this coming," David Holmes, threat research evangelist at Seattle-based F5 Networks, said.

The basic idea -- of spreading an attack automatically through networks -- is as old as computers themselves, and has long been used by hackers infiltrating corporate systems to find valuable information.

But the scale of the most recent attacks, and the devastating ransomware payload, is a new development.

"Prior to this, if you had a user who'd have a phishing email and would download ransomware, one user would get infected," Holmes said. "But now, it can do lateral movement and cause so much more damage."

To keep data centers safe, experts recommend keeping systems patched, using analytics to detect unusual behaviors on the servers or networks, and using whitelisting to restrict the processes and applications allowed to run on the servers.

Patches are critical, Holmes said, because some of the most damaging recent attacks weren't actual zero-days. Even with WannaCry, there was time for companies to run updates and install the patches before the ransomware actually hit.

"Everyone who did patch immediately was safe from WannaCry," he said, but admitted that the window of time companies have to install the patches is getting smaller.

"You have to automate as much as possible," he said. "If you have a group of people manually sitting down and testing patches -- it can't be like that anymore."

Signature-based defenses are sometimes inadequate against ransomware because it mutates so quickly. Behavior-based systems can detect suspicious activity, but there are other technologies that companies should consider as well.

"The group of technologies most specific around this would be honeypots and malware exploders," said Holmes.

Honeypots present tempting -- but fake -- targets to attackers who might otherwise be flying under the radar.

And malware exploders, or sandboxes, isolate suspicious processes or applications and run them in a virtual environment to see if they do anything dangerous.

Data centers also need to have their machines locked down as much as possible. Fortunately, data center servers tend to be much more narrowly focused than end-user machines.

That means companies can create whitelists of applications for their servers, not allowing anything else to run in their environments.
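The two server-side controls the article keeps returning to, behavioural analytics and an application whitelist, can be combined in one small detector. The following is an added illustration, not code from the article or from any vendor named in it: it runs over constructed file-activity events (the line format, process names, paths and the ".locked" extension are all made up for the example) and flags both a process that is not on the host's allowlist and a process that renames many files within a short window, the pattern a Linux ransomware strain leaves when it encrypts hosted websites.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-activity events (not a real audit format):
# "<ISO timestamp> <pid> <process> <action> <path>"
SAMPLE_EVENTS = """\
2017-06-10T03:00:01 4120 nginx open /var/www/site1/index.html
2017-06-10T03:01:02 7731 updater rename /var/www/site1/index.html->/var/www/site1/index.html.locked
2017-06-10T03:01:03 7731 updater rename /var/www/site1/about.html->/var/www/site1/about.html.locked
2017-06-10T03:01:04 7731 updater rename /var/www/site2/index.php->/var/www/site2/index.php.locked
2017-06-10T03:01:05 7731 updater rename /var/www/site2/db.php->/var/www/site2/db.php.locked
2017-06-10T03:05:00 2210 logrotate rename /var/log/nginx/access.log->/var/log/nginx/access.log.1
"""

# Per-host allowlist of processes expected on this web server (assumed baseline).
ALLOWED_PROCESSES = {"nginx", "php-fpm", "logrotate", "sshd", "cron"}


def parse_events(text):
    """Parse constructed event lines into (timestamp, pid, process, action, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, pid, proc, action, path = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), int(pid), proc, action, path))
    return events


def detect(events, window=timedelta(seconds=60), rename_threshold=4):
    """Return {pid: [alert, ...]} for allowlist violations and mass-rename bursts."""
    alerts = defaultdict(list)
    renames = defaultdict(list)  # pid -> [(timestamp, path), ...]
    for ts, pid, proc, action, path in events:
        if proc not in ALLOWED_PROCESSES and not alerts[pid]:
            alerts[pid].append(f"process '{proc}' is not on the server allowlist")
        if action == "rename":
            renames[pid].append((ts, path))
    for pid, items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over rename timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= rename_threshold:
                ext = items[end][1].rsplit(".", 1)[-1]
                alerts[pid].append(
                    f"{end - start + 1} renames within {window.seconds}s, new extension '.{ext}'")
                break
    return {pid: a for pid, a in alerts.items() if a}
```

The single logrotate rename stays silent, which is the point of the window and threshold: the baseline and thresholds must be tuned per host, since a busy deployment tool can legitimately rename many files.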

Eldon Sprickerhoff, founder and chief security strategist at eSentire, also suggests that companies prohibit access by employees or other users who don't absolutely need it, and make sure that databases, developer systems, and other platforms don't have weak configurations.

That's especially true for public-facing servers.

The latest and most common ransomware will attack databases directly through the internet, he said. Attackers can take advantage of weak configurations and credentials to attack the data center.

Many companies are also running obsolete systems, Sean Curran, senior director in the security and infrastructure practice at West Monroe Partners, said.

"Default installs of your system are not good," he said. "For example, many printers are still running AppleTalk, and nobody has AppleTalk networks anymore."

Finally, every company should have regular backups in place, in isolated environments, and test them regularly.

"Restoring two or three files once a month because a user deletes them accidentally is not a recovery test," said Curran. "Most organizations impacted by ransomware and paying ransoms have never tested and validated that they can recover from bare metal."

Correction: September 12, 2017
Latest and most common ransomware will attack databases directly through the internet, not "the data center itself," as the article previously stated, attributing the quote to Eldon Sprickerhoff of eSentire. Attackers can take advantage of weak configurations and credentials to attack the data center, not the servers directly, as the article previously stated.