Tuesday, June 27, 2017

New Tool to Detect Ransomware May Prevent a Cyber Catastrophe

We here in the CAT – Law pressroom occasionally come to have a dispirited world view due to our constant and laser-like focus on the topic of catastrophes.  However, our Magic 8 Ball has been saying “it is most probable” every time we ask if the recent “WannaCry” ransomware virus might actually be the dark just before the dawn.  So rather than our normal article on a possible catastrophe, here is our take on a type of cyber catastrophe that is now more easily prevented.

Last month, hackers attacked businesses and government entities in 150 countries with a ransomware worm known as “WannaCry.” These hackers gained access to business and government servers, infecting them with WannaCry, either by exploiting software vulnerabilities in an older, yet popular, Windows operating system or through phishing emails designed to trick users into giving hackers access. Once WannaCry was in, it spread rapidly and autonomously throughout the system, encrypting the files on the victims’ systems and thus denying the victims access to their own data. The hackers then demanded a ransom, requiring victims to pay, on average, $300 for the release of their information.

Although WannaCry is the latest cyber-attack to make the news, it is by no means the only threat. IBM President and CEO Ginni Rometty has described cybercrime as “the greatest threat to every profession, every industry, every company in the world.” And analysts predict that cybercrime will cost consumers more than $2 trillion globally by 2019, nearly four times the estimated cost of breaches in 2015.

But massive ransomware attacks like WannaCry are now more easily prevented.

The cyber-security community has developed a sophisticated new weapon for battling malware generally, and ransomware specifically, known as Endpoint Detection and Response (“EDR”). EDR software focuses on protecting each user device, known as an endpoint. Endpoints include not only servers but individual computers and portable devices as well. EDR software uses artificial intelligence to learn and analyze system activity. So when a virus attempts to perform a function out of the ordinary, such as encrypting all of one’s files, that activity becomes a red flag and the EDR software can act to detect and prevent it.

Because EDR software focuses on the behavior of a program, it can detect malware that more traditional virus protection programs cannot. For example, traditional signature-based virus detection programs function by blocking malware when the program’s coding—or signature—reveals that it’s malware. Thus, traditional malware detection programs can only stop known viruses. But because EDR software focuses on a program’s behavior, rather than its signature, it’s able to detect malicious software (including unknown viruses) that affects the function of the endpoint. In short, EDR software is a more effective, proactive tool against cyber-attacks.
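The difference between the two approaches can be seen in a short added example, which is not from the original article or from any EDR product. It uses a fixed rule (many files rewritten with random-looking data in a short time) as a simplified stand-in for the learned behavior model described above; all names, thresholds and sample data are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed "signature database": hashes of binaries already known to be malicious.
KNOWN_BAD = {hashlib.sha256(b"constructed-known-sample").hexdigest()}
NEW_VARIANT = b"constructed-new-variant"  # constructed binary the database has never seen

def signature_match(binary: bytes) -> bool:
    """Signature check: flags a program only if its hash is already on the list."""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data sits near 8, text near 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def behaviour_flags(events, window=10.0, min_files=5, min_entropy=7.5):
    """Flag any process that writes high-entropy data to min_files distinct
    files within `window` seconds. events: (time, process, path, data)."""
    recent = defaultdict(list)  # process -> [(time, path)] of high-entropy writes
    flagged = set()
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if entropy(data) < min_entropy:
            continue
        recent[proc] = [(t, p) for t, p in recent[proc] if ts - t <= window]
        recent[proc].append((ts, path))
        if len({p for _, p in recent[proc]}) >= min_files:
            flagged.add(proc)
    return flagged

def sample_events():
    """Constructed telemetry: an editor saving text, a backup tool writing one
    archive, and an unknown program rewriting six documents in three seconds."""
    text = b"Quarterly report draft, revision notes follow. " * 80
    scrambled = lambda i: hashlib.shake_256(bytes([i])).digest(4096)
    events = [(float(i), "editor", f"doc{i}.txt", text) for i in range(6)]
    events.append((2.0, "backup", "archive.zip", scrambled(99)))
    events += [(i * 0.5, "unknown", f"doc{i}.txt", scrambled(i)) for i in range(6)]
    return events

if __name__ == "__main__":
    print("signature match on new variant:", signature_match(NEW_VARIANT))
    print("flagged by behaviour:", behaviour_flags(sample_events()))
```

The signature check misses the new variant because its hash is not on the list, while the behavior rule flags it without flagging the editor or the backup tool.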

Entities looking to improve their odds against cyber-criminals should consider adding EDR software to their arsenal, to complement their other weapons against cyber-crime such as ongoing training of personnel and restricting user privileges. And insurers covering the risk of loss from cyber-attacks should consider recommending—or even requiring—that policyholders use EDR software to better prevent or minimize loss from cyber-attacks, thereby lowering their exposure to such losses. The use of EDR software as part of a diligent cyber-security plan may dramatically reduce the risk of loss from a number of cyber-attacks.