How to Prepare for Ransomware Attacks

Ransomware attacks continue to increase, using techniques that are growing more and more sophisticated and targeted. Security and risk management leaders need to look beyond just the endpoints to help protect the organization from ransomware.

Overview

Key Challenges

• Remote desktop protocol, bring your own PC, and virtual private network vulnerabilities and misconfiguration are becoming the most common entry point for attackers. This has been exacerbated by the growth in remote work resulting from the pandemic.
  
• Ransomware is increasingly being operated by humans, rather than being delivered as spam by technology resources.
  
• The cost of recovery and the resulting downtime in the aftermath of a ransomware attack, as well as the reputational damage, can be 10 to 15 times more than the ransom.

Recommendations

Security and risk management leaders responsible for endpoint and network security must focus on all three stages of a ransomware attack:

• Get ready for ransomware attacks by constructing a preincident preparation strategy, that includes backup, asset management and the restriction of user privileges. Determine whether the organization is ultimately prepared to pay a ransom or not.
  
• Implement detection measures by deploying behavioral-anomaly-based detection technologies to identify ransomware attacks.
  
• Build postincident response procedures by training staff and scheduling regular drills.

Introduction

Ransomware continues to pose a significant risk to organizations. Recent attacks have evolved from the autospreading attacks, such as Wannacry and NotPetya, to more targeted examples,^1,2 which attack an organization, rather than individual endpoints. The impact these attacks have on organizations has increased to the point where some organizations have gone out of business,³ and, in the case of healthcare, lives have been put at risk.⁴ Security and risk management (SRM) leaders need to adapt to these changes and look beyond just endpoint security controls to protect against ransomware.

Recent ransomware campaigns, such as REvil and Ryuk, have become “human-operated ransomware,” where the attack is under control of an operator, rather than spreading automatically. Such attacks often take advantage of well-known security weaknesses to gain access. For example, a number of recent ransomware incidents are thought to have started with poorly configured or vulnerable remote desktop protocol (RDP) configurations. Previously compromised credentials are also used to gain access to accounts.

Once inside, the attacker will move around in the network, identify the valuable data, and assess the security controls used, often disabling endpoint protection tools and deleting backups. Then, when the data has been identified, it can either be uploaded and later used for extortion (Doxing), or the ransomware will be launched to encrypt the data. The typical dwell time between the first evidence of malicious activity and the deployment of ransomware is three days.⁵ The goal is to maximize the likelihood of the ransom being paid, often including threats to make data public if the ransom isn’t paid quickly.

Protecting organizations against these attacks goes beyond endpoint protection and encompasses many different security tools and controls. Figure 1 describes the ransomware defense life cycle. It is important to examine all of these phases and to assume that an attack will be successful and plan to respond accordingly.

Figure 1: Ransomware Defense Life Cycle

Analysis

Construct a Preincident Preparation Strategy

SRM leaders should work with the principle that a ransomware attack will be successful, and ensure that the organization is prepared to detect as early as possible and recover as quickly as possible.

The first and most common question is, “Should the ransom be paid?” Ultimately, this has to be a business decision. It needs to be made at a board level, with legal advice. Law enforcement agencies recommend not paying, because it encourages continued criminal activity. In some cases, paying the ransom could be seen as illegal,⁶ because it provides funding for criminal activity. Even if the ransom is paid, the encrypted files are often unrecoverable.

However, if an organization wants to be ready to pay, it is important to establish a governance and legal process that includes the CEO, the board and key operational staff. Setting up a cryptocurrency wallet can take time, so, if payment is a possibility, then making the necessary preparations will speed up the time to recover.

A good backup process and strategy is the primary line of defense against ransomware. Ensure that the backup solution is resistant to ransomware attacks, and continuously monitor the status and integrity of backups . In particular, most backup vendors provide a mechanism to create immutable second copies of backups or immutable snapshots.

Recovery goes beyond restoring the data. Ransomware will effectively lock a machine with the ransomware note and restoring machines to a known good state can be more complex than restoring the data. Having the tools and processes in place to restore endpoints to a golden image can speed up the recovery time. Some organizations resort to USB devices for remote and overseas locations. Gartner occasionally sees clients not even attempt to clean or restore a machine. Instead the ransomware event is a reason to refresh its hardware. Whatever, the process, this should be regularly simulated to uncover deficiencies.

Security awareness for users is also important. Constantly educate users on the types of attacks being seen with regular alerts and security “newsletters” to reinforce the education. Create a simple set of security messages that are repeated regularly. An alert user will not only be less likely to fall for social engineering, but can act as an early warning. Ensure users are regularly trained on how to identify malicious emails, in particular. Provide an easy mechanism for reporting suspicious emails and reinforce it with confirmation that the user has done the right thing. Consider email-focused security orchestration automation and response (SOAR) tools, such as M-SOAR, to automate and improve the response to email attacks.

Security hygiene is critical to protect against “human-operated” ransomware, and a holistic view of the whole organization is required. SRM leaders should include the following as part of their strategy to protect against ransomware:

• Build a reliable asset management process to identify what needs to be protected and who is responsible. Particular attention should be paid to legacy systems.
  
• Implement a risk-based vulnerability management process that includes threat intelligence (TI). Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as vulnerabilities are exploited by attackers.
  
• Remove users’ local administrative privileges on endpoints and limit access to the most sensitive business applications, including email to prevent account compromise.
  
• Implement compliance scanning for misconfigured and noncompliant systems, as well as penetration testing and breach attack simulation (BAS) tools.
• Implement strong authentication for privileged users, such as database and infrastructure administrators, and service accounts. Log the activity. Bad actors will often use known, detected malware to gain access to higher-privileged account credentials.

Ransomware attacks typically follow the attack pattern shown in Figure 2.

Figure 2: Anatomy of a Ransomware Attack