Ransom, where? In your virtual machines

Ransomware has quickly become one of the most dangerous cyber threats and attacks against small and large organisations are on this rise.

According to Symantec’s Ransomware and Business Report for 2016, nearly 43% of all ransomware victims were organisations; Windows users continue to dominate the ransomware landscape, and the trend is likely to continue.

Virtual desktop and server environments are especially vulnerable to attack – unsuspecting users may be targeted through common email applications.

An inadvertent installation of a malicious file could result in a complete takeover of workloads that exist on that host. The cost of which could be astronomical, and could potentially cause public embarrassment and significant downtime.

>See also: Want to beat ransomware? Let it run!

Fortunately, there is plenty of advice out there on how organisations can proactively defend themselves against ransomware.

Both the FBI and the UK Government (with its Cyber Essentials program) recommend a very similar course of action. This basically boils down to the following:

  • Set antivirus (AV) and anti-malware programs to conduct regular scans automatically.
  • Configure firewalls to block access to known malicious IP addresses.
  • Implement an awareness and training program, because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies likes sender policy framework (SPF), domain message authentication reporting and conformance (DMARC), and domain keys identified mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Patch operating systems, software, and firmware on devices. Consider using a centralised patch management system.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

The problem here is that there’s no mention of virtualisation – physical endpoint security solutions have gaps in their ability to defend against malicious ransomware files in the cloud.

>See also: The year of the cloud: availability and agility

In this environment, these solutions not only have serious implications for server performance – for example, antivirus scans across multiple virtual machines (VMs) can bring a server to its knees and even cause serious data loss – but they can also fail to pick up communication between VMs meaning that infections can spread quickly and unchecked.

Fortunately, these issues aren’t insurmountable, but they do require different technologies and a change in attitude and understanding on the part of those managing the networks.

For example, with firewalls, you need to be able to isolate the VMs. One answer here is an agentless solution that sits inside the Virtual Switch – a low-level piece of software that controls traffic between VMs, and between VMs and the outside network.

Again for AV, host-based solutions enable admins to maximise performance. Additional functionality such as change block tracking increases the speed of scans, which increases the frequency that they can be done.

In both situations, with nothing actually inside the VM it means that you have the added benefit that hackers can’t disable the protection or hardware from the inside.

When it comes to effectively tracking new types of attack, there are a number of other additional technologies coming onto the market that network managers can turn to for help in the cloud, including behaviour analytics and machine-learning techniques; multiple advanced pattern analysis and machine learning-based malware prevention; and user and entity behavioural analytics (UEBA).

>See also: New ransomware offers victims free decryption key…for a price

Finally, for tracking activity in the cloud, you need to ensure that at the very least you have the ability to control network traffic for those machines and have that you have access to the logs.

Analysing these logs will allow system administrators to keep a wary eye on network activity – from packets sizes to the amounts data being transferred and when.

This enables them to build activity trends and spot (and flag) any potentially suspicious deviation in this activity.

Protecting cloud-based systems and data is not about re-inventing the wheel. The same basic principles apply, you just need to be aware that the cloud is a very different environment and that requires a different set of unified security technologies.


Sourced by Ryan Oistacher, senior director of marketing at 5nine Software

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics