The Horrors of Ransomware and the Mid-market Enterprise
July 22, 2015
Mid-market enterprises do not generate big headlines as far as data breaches go. After all, why would a nation state or an organized cybercrime group take the time and effort to target an organization with a limited customer base and few commercially valuable assets? They cannot use them for cyber warfare, and there is little to monetize on the black market.
At a dinner the other day I sat next to a friend who owns a law firm. He told me his firm was the victim of a ransomware attack. A paralegal opened a phishing email attachment, and her anti-virus-protected PC's disk was maliciously encrypted by CryptoWall malware. The firm had limited backups, and the advice he got was not to pay the ransom. Apparently, the private/public key system used by the malware had "bugs", which meant he could end up with useless files even if he paid. He gave up the data and decided to move to Office 365 in the cloud.
Mid-market enterprises may think they can hide in the crowd and that their anonymity will protect them, unlike the likes of Target, Anthem or Sony. They are wrong. Unlike an APT, which is a custom attack executed by experts with specific objectives, ransomware is a generic, massively scalable attack. It follows the same model as the Zeus financial trojan: infect as many users as possible through malicious email messages or compromised web sites, then run generic, highly automated crime logic (here, encrypting the victim's data) that requires no manual intervention. Mid-market enterprises with limited resources and weak anti-virus protection are a particularly good target: they have just enough assets worth paying a ransom for.
There are multiple opportunities to stop ransomware: detect malicious attachments before they are opened, warn users about malicious web sites before they navigate to them, or detonate files in a sandbox before they reach the endpoint. And if you do get infected, you have another shot. Ransomware of the CryptoWall type has to connect to its C2 (command and control) server, which generates the encryption key pair and delivers the public key to the infected machine; the private key needed to decrypt never leaves the attacker. If you can detect that outbound request and block it, the encryption may never happen. The caveat is that this second chance is not guaranteed: a variant that ships with an embedded public key can encrypt without any network contact, so egress filtering complements offline backups rather than replacing them.
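One way to implement the first of these checks, attachment screening at the mail gateway, as an added example that is not code from the original post or from Cato Networks: the function below combines file-name checks (executable and double extensions, macro-enabled Office formats) with content checks (a PE header, a VBA project inside an OOXML zip, executables inside an archive), because the extension is chosen by the attacker while the first bytes of the file are not. The extension lists, file names and sample attachments are constructed for illustration and contain no real malware.

```python
import io
import posixpath
import zipfile

# Extensions Windows will execute directly; none of these belong in inbound mail.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                         ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}
# Benign-looking extensions attackers put in front of an executable one (invoice.pdf.exe).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Office formats whose purpose is to carry macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def _extensions(name):
    """All dot-suffixes of a file name, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def _zip_members(data):
    """Member names of a zip container (OOXML documents are zips); [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def screen_attachment(filename, data):
    """Return the reasons to quarantine an attachment; an empty list means nothing was found."""
    reasons = []
    exts = _extensions(filename)

    # Name checks: cheap, but the name is entirely under the attacker's control.
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension " + exts[-1])
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension disguising an executable as a document")
    if exts and exts[-1] in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office format " + exts[-1])

    # Content checks: the first bytes reveal what the file really is.
    if data[:2] == b"MZ":
        reasons.append("PE (Windows executable) header, whatever the extension says")
    if data[:2] == b"PK":
        members = _zip_members(data)
        if any(posixpath.basename(m).lower() == "vbaproject.bin" for m in members):
            reasons.append("Office document carries a VBA macro project (vbaProject.bin)")
        for m in members:
            member_exts = _extensions(posixpath.basename(m))
            if member_exts and member_exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("archive contains executable member " + m)
    return reasons


def _make_zip(entries):
    """Build an in-memory zip from {member_name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware): just enough bytes to exercise each check.
SAMPLE_ATTACHMENTS = {
    "Invoice_2015-07.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,             # renamed PE, double extension
    "Scan_0042.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",                   # ordinary PDF header
    "Court_Filing.docx": _make_zip({"[Content_Types].xml": b"<Types/>",  # .docx hiding a macro project
                                    "word/document.xml": b"<w:document/>",
                                    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "Payroll_July.zip": _make_zip({"Payroll_July.js": b"var s = new ActiveXObject('WScript.Shell');"}),
    "Photo.jpg": b"\xff\xd8\xff\xe0",                                    # plain JPEG header
}


def screen_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its quarantine reasons."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(("QUARANTINE" if reasons else "deliver   ") + " " + name)
        for r in reasons:
            print("           - " + r)
```

This catches the attachment shapes that opened CryptoWall-era campaigns (renamed executables, script files in archives, macro documents), which is exactly what a signature-based anti-virus missed in the anecdote above. It does not catch a genuinely benign-looking document that exploits a viewer bug; that is the gap the sandbox detonation step is meant to cover.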
What is common to all of these capabilities? They are considered "large enterprise" capabilities: too difficult for a mid-market enterprise to acquire, install, configure and maintain. The team at Cato Networks understands these gaps and we are working to address them with our Secure Network as a Service solution. We are still in stealth mode, but if you run network security for a mid-market enterprise and want to learn more about our upcoming beta, drop us a note, or read our related blog post 'How to Stop NotPetya.'