As organizations digitalize, increased technological dependence requires them to embrace cybersecurity as a strategic pillar. In recent years, we have seen ransomware attacks harm businesses at unprecedented rates. During the first half of 2020, there have been over 121.4 million ransomware attacks. The severity of these attacks calls us to understand them so that we can better protect ourselves.
What are ransomware attacks?
Ransomware attacks use a type of malware that infects a device and then proceeds to encrypt the victim’s data, denying them access to their files. The attacker then extorts the victim by demanding the payment of a ransom in exchange for the decryption key. This type of attack cost organizations over 7.5 billion USD in 2019.
Traditionally, ransomware attacks have been opportunistic in nature: threat actors would send emails distributing the malware in massive and indiscriminate spam campaigns that would hit both personal and corporate computers.
But recently, the landscape has seen a shift towards increasingly sophisticated and targeted attacks. Cyber criminals are now accurately choosing their victims and specifically targeting certain organizations that they believe will be able to face large ransom payments. Their attacks are now more advanced, more challenging to prevent, and more damaging to their victims, creating a great disruption of their normal operations.
The price of the ransom has increased meteorically, reaching up to six and seven-figure sums from previous three-digit ranges.
Additionally, attackers are now conducting extensive reconnaissance to find and steal sensitive information in addition to encrypting the data. They later threaten the victims to leak said information if the ransom is not paid.
What are the most common attack vectors for ransomware attacks?
- Remote Desktop Protocol (RDP). This technology allows a user to connect to a remote Windows PC or server over a local network or the internet. Currently, RDP’s are the largest ransomware attack vector. Cybercriminals will scan the internet for open RDP ports and conduct brute force attacks to gain access to the user’s system.
- Phishing emails. Creating trustworthy looking emails, cybercriminals seek to lure the user into executing the ransomware.
- Software vulnerabilities. Cybercriminals will exploit known vulnerabilities present in software that has not been properly updated or patched and infect the system with malware.
How can we defend ourselves?
To avoid having to face the ethical dilemma of whether to pay the ransom, we must build the fundamentals of an organization’s cybersecurity strategy which should consider these steps:
- Know the attacker’s Tactics, Techniques, and Procedures (TTPs). Understanding how the threat agent orchestrates attacks will help us build appropriate defenses and provide more efficient ways to predict, detect, and respond to incidents.
- Develop an Incident Response (IR) Plan. This is a documented, written set of instructions that outline an organization’s response to a security incident to effectively contain, remediate, and recover from it.
- Have a robust backup recovery strategy. Having backups of your data can potentially be a cheaper and more reliable way to recover than succumbing to the attacker’s demands. To keep them safe, backups should be stored in an isolated network with limited permissions.
- Test your recovery process. Regularly attempt to restore your backed-up data, ensuring the quality of the backups and the effectiveness of the process to restore operations.
- Consider hiring a cyber insurance policy. This financial service can help you cover the potential losses incurred during an attack.
- Lock down your Remote Desktop Protocol. Make sure you have made all the proper settings to secure RDP. Failure to do so will leave your service exposed creating an opportunity for an attacker to infect your systems.
- Provide user training. Security awareness is fundamental to develop organizational resilience and minimize human errors.
- Implement email filters. These solutions can provide an extra guard against ransomware attacks by scanning for malicious code and quarantining suspicious emails.
- Configure your application allow list. Create a list of safe and approved applications that a system can access. This will prevent unknown files from executing until proven safe.
- Establish adequate roles and administrative permissions. Removing local admin rights and applying least privilege access across users, applications, and systems will not prevent every ransomware, but it will mitigate the impact of a ransomware incident by closing down lateral pathways and reducing the ability to gain elevated access.
- Keep your systems up to date. It is important to install software updates in a timely manner because these often include critical patches to known security vulnerabilities that attackers could exploit.
- Deploy an Endpoint Detection and Response (EDR) Solution. These solutions combine detection and response capabilities in a single lightweight agent to help you secure your endpoints.
- Establish Data Loss Prevention (DLP) Controls. Deploying this set of tools can mitigate the threat of data exfiltration and prevent being subject to data leak extortion.
- Continuously monitor your infrastructure. Adopt an assume breach mindset and develop capabilities to monitor the most critical assets of your business environment.
- Establish alerts for any suspicious activity. Set up detection processes that trigger alerts when suspicious or malicious activity on your network is identified and allow for the appropriate response to be initiated.
- In order to avoid the ransomware from further spreading, immediately disconnect and isolate any affected devices from the network.
- Launch your Incident Response plan. If you have access to incident response experts, engage them in the process. You should also notify the pertinent law enforcement and data protection agencies.
- Establish the scope of the incident. Gather as much information as possible about what happened. Collect data from tools, systems, and analyze event logs to determine the scope of compromise and identify which systems have been affected.
- Determine the ransomware variant. This will help understand which actions the ransomware might have taken and establish which sanitization tasks should be performed. Knowing the variant of the malware will also help locate a decryption key for the encrypted files if there is one publicly available.
- Restore from backups. If you cannot decrypt your files, you should proceed to restore your data from the latest clean backup.
- Determine the original infection vector and address any related security issues.
Ackcent offers a wide range of Managed Detection and Response services to allow organizations to add 24/7 dedicated threat monitoring, detection, and response capabilities via a turnkey approach. To learn more about Prevention, Detection, and Response of ransomware attacks, contact us.