Part 5: A Security Expert’s Guide to Ransomware on Networks

We’re wrapping up our ransomware series on Rethink: Security this week with a look at network exploits and remediation. In the past four weeks, we’ve covered exploits and remediation on Android, Apple, and Windows devices.

Network Exploits

The corporate network is not immune from ransomware exploits. Microsoft SharePoint, file shares, and file servers that contain critical company data, like financial documents, trade secrets, software source code, and user databases, are vulnerable without the proper security controls in place.

Distributed denial denial-of-service (DDoS) that slow or prevent access to critical data have been employed, and company productivity can be delayed or stopped completely until the ransom is paid.

Recent network cyber attacks have evolved into using encryption of the data on servers and file shares at healthcare providers. Hospitals are often targeted because they store personal patient information, which can be breached, stolen, and sold to other cybercriminals in the deep web and darknet marketplaces for a large sum of money.

In recent incidents, ransomware prevented access to patients’ electronic health records, leaving doctors, nurses, and emergency care providers unable to treat their patients. This type of cyber attack occurred at hospitals in Texas, Florida and California just within the last six months. The hospital in California recently paid the equivalent of $17,000 in Bitcoin to cybercriminals in order to retrieve their critical patient personal data.

Network Remediation

  1. Employ a layered network security strategy and controls.Place next-generation firewalls (NGFW) that are context-aware, deployed with an inline malware detection engine, and have a built-in intrusion detection and prevention system, at the corporate perimeter, and DMZ networks, as well as all network segments, in both the ingress and egress directions.
  2. Place critical storage servers under several layers of network protection, or disconnect them from the network until they are required. These servers can also be stored offsite from the enterprise headquarters in another secure facility.
  3. Utilize dynamic URL filtering services that employ real time web reputation information to block known malware web servers around the world.
  4. Integrate an EMM solution to securely manage mobile devices running Android, iOS, Mac OS X and Windows 10. One of the integral functions is checking for device posture, blocking rooted Android and jailbroken iOS devices from registering with the network service, and access to the corporate network.
  5. Deploy digital identity certificates that use SHA256-bit or stronger signature hash algorithm, RSA 2048-bit or ECC 256-bit or stronger asymmetric keys for mobile device clients and network servers. MobileIron Core can issue identity certificates to registered mobile devices using these strong cryptographic algorithms.
  6. Enforce Full SSL Strict mode on all network file servers, email servers, and web servers.
  7. Perform routine backups of critical company data both locally on password-protected and encrypted storage. Place these backup storage in a highly protected network segment or VLAN within the enterprise network. Make secondary and tertiary backup copies and store them in other geographical locations to insure high availability (HA) and disaster recovery (DR).

    Also perform routine data restoration from these backups to insure that stored data is not corrupted.

    If a malware outbreak is detected, disconnect servers and file shares from the network. This will cut off the command and control (C2) communications to the remote server on the Internet, or any zombie infected botnet servers within the enterprise network. Remediate and perform network forensics on any compromised servers and hosts.


Ransomware sophistication and development are evolving rapidly. Cybercriminals are selling ransomware kits and ransomware-as-a-service from darknet marketplaces, making it extremely difficult to remediate their malicious effects on desktops and mobile devices quickly. This strain of malware has been projected as the number one cyber threat to mobile device users for 2016. With 8.6 billion mobile devices globally today, the majority of them are personally-owned and are used to perform both personal and work-related tasks while inside or connected to their company’s enterprise network over VPN. It is a matter of time that more enterprises and mobile device users will experience a ransomware exploit in the near future, requiring them to pay money to regain access back to their critical company or personal data. C-level types, network administrators, and security architects must have a plan to combat and remediate all malware threats including ransomware.

James Saturnio

Senior Solutions Architect at MobileIron

About the author

James Saturnio is a Senior Solutions Architect for the Technical Marketing Engineering team at MobileIron. He immerses himself in all things cybersecurity with equal parts mobility and IoT technologies. He has been with MobileIron for 5 years. Previously, he worked at Cisco Systems for 19 years where he started out as a Technical Assistance Center (TAC) engineer, then a software engineer, and as a Technical Leader in the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.