Ransomware attacks have exploded over the last few years. This is due to the success rate and the financial returns that cybercriminals have seen from this cyberattack method. Ransomware works so well that there are now ransomware service solutions available for criminals without the skills to write their own malicious code.
Ransomware is a type of malware (Malicious Software). The goal of a ransomware attack is to bypass network cybersecurity defenses and infect an endpoint device or server. Once a foothold exists on a network, ransomware will look for other hosts it can jump to and infect. Infamous ransomware variants that have caused havoc in the recent past include WannaCry and Cryptolocker.
What is a ransomware attack?
After some time, the ransomware infection will activate and perform tasks that the attackers use to steal data and extort money from the attacked organization. There may be a delay when the ransomware does nothing to avoid detection before it activates, and then another delay before cybersecurity professionals detect the ransomware’s activity. This period is known as the dwell time, and it can be months for some malware types. For ransomware, however, dwell time is typically measured in weeks as one of the activities that ransomware does is so disruptive – namely encrypting an organization’s data.
How does ransomware work?
When active on a network, ransomware will perform these three main activities. Monitoring for these enables detection solutions to discover and alert IT about infections (see later for more on this).
Discover and spread to other systems
Ransomware uses various network discovery protocols to look for other systems on the network. It will then use automated attack methods to try to log in to any discovered systems to spread the ransomware.
Copy data on infected systems
This step has become much more common in ransomware attacks. The cybercriminals will monitor activity on the network (remotely using their malware foothold) and identify suitable data repositories that may have value. They will then copy the data out to servers they control on the Internet.
The terms data exfiltration or data breach get used to describe this data copying. This data is traded on the Dark Web for others to use to plan further attacks against an organization. For example, by using it to build more complete user background profiles to use in future Phishing attacks. It is often also used as another way to extort money from the attacked organization after step 3 happens. In this scenario, the cybercriminals will threaten to release the stolen data unless they are paid not to. Often the stolen data contains sensitive and personal information that will damage the organization’s reputation if released.
Encrypt the data on infected systems
the primary goal of a ransomware attack. Once the attackers have discovered and infected as many computer systems as they can, and possibly copied data for later reuse, they then trigger the encryption phase of the attack. Once devices and servers are encrypted, a message is displayed on-screen demanding a ransom payment to get a code or tool that the organization can use to decrypt the infected devices and encrypted files.
The ransom demands ask for payment in cryptocurrency. Traditionally this has been Bitcoin, but other cryptocurrencies are increasingly requested. There is currently an active debate within cybersecurity circles, law enforcement, and Government about whether anyone should pay ransomware payment demands. At present it’s up to the affected organizations, but there are strong voices who say that it should be illegal to stop the flow of funds to cybercriminals from ransomware attacks. Irrespective of how that debate ends up, studies of organizations that pay the ransom show that 40% never receive a decryption key to recover their files. Additionally, 73% of those who paid the ransom extortion demand were victims of additional attacks — probably using information gained by the attackers in the primary attack.
At the same time as the number of ransomware attacks has increased, the sophistication of the types of ransomware used to carry them out is also changing. New strains of ransomware are getting better at avoiding detection measures and using new ways to infect systems. Some try to bypass endpoint device security software, and others dwell entirely in memory and don’t write out any information to disk that signature-based anti-malware systems can detect.
The Impact of a Successful Ransomware Attack
The fallout and knock-on effects of a successful ransomware attack can be severe for an organization. In extreme cases it can be terminal, and the organization never fully recovers from the disruption. There are three main areas where a ransomware attack can be damaging:
- Financial damage – The Sophos State of Ransomware Report 2021 shows that the average cost to deal with an attack in 2021 was $1.85 million. This was up from the 2020 average of $761,106. These costs cover all the activities required to recover from a ransomware attack. Including paying the ransom, the costs associated with business disruption when IT systems are unusable, operational downtime for machinery and other plant devices usually controlled by IT systems, staff overtime payments during the recovery period, and more. Within the 2021 figures, the actual ransom payment average was only $170,404. So even if an organization decides not to pay this and recovers via other means, the costs will still be high. Preventing ransomware attacks is a better solution!
- Reputation damage – the impact on an organization’s reputation from a ransomware attack can be just as damaging as the financial hit. The sad truth is that If sensitive data is stolen and leaked online as part of the attack, the trust in the organization will be eroded. This can have knock-on effects when people are seeking a business as customers or as business partners. The recent Kaseya attack that allowed ransomware to spread to their managed service provider clients and then on to many third-party organizations whose IT systems these service providers managed may well become a classic case study in how the reputation of an organization gets damaged.
- Operational damage – ransomware encryption makes IT unusable. Many businesses have PCs controlling functions that are vital to their day-to-day operations. If these control PCs or other software-based systems that are vital are offline due to an attack, then business operations will likely stop. This leads to more financial and reputational damage if they can’t deliver services or products.
How to protect your organization against ransomware
Protecting your organization against the ransomware threat requires a multifaceted approach. There is no silver bullet that will provide complete protection. But taking steps to prevent successful attacks and having plans in place to recover afterward should be a crucial part of every organization’s cybersecurity and disaster recovery planning process.
The cybersecurity and other actions that organizations should take are those that most security and IT professionals will be doing for different reasons. Possibly not all measures that they could take will be in use in all organizations. In the remainder of this article, we outline areas that will help deliver better ransomware protection.
Note that the threat landscape is constantly changing, so it is vital to stay up to date with emerging attack methods. Also, in the items outlined below, some help to prevent successful attacks, and some help recovery if the worst happens.
Make Sure Your Backups are Good
Backups could well be the safety net that is relied on to recover from a ransomware attack. If ransomware makes IT systems unusable, and there is no decryption tool available (even after a ransom payment), then recent data backups will be required to get back to an operational state before the attack occurred.
The backup procedures in place must include provision for offline copies of the data. Many ransomware variants actively seek out backup solutions on the network to try and encrypt them. Having backup copies of recent data not connected to the network is essential to avoid losing this vital recovery resource. Each organization will need to decide how best to do this, but syncing over a network between sites may not be suitable as ransomware could spread over this link as well. Technologies like tape or external hard drives & SSD drives have been a staple for this task for decades.
It’s a cliché in IT system admin circles, but true nonetheless: “Untested backups are not backups at all!” Make sure that IT Admins can restore the data from backups by doing periodic test restores. You don’t want to explain to the CTO or CEO why the last three months of data got lost due to faulty backups.
Deploy Network Detection Tools
Assuming cybercriminals will bypass your defenses at some point to deploy ransomware, it makes sense to have tools that monitor the network for unusual activity. This provides a layer of proactive security to discover and get ahead of any attacks in progress.
The Kemp Flowmon Anomaly Detection System (ADS) is a machine learning-based solution that monitors networks in real-time to detect the anomalous network activity that unauthorized users generate. It uses over 40 detectors for various attack activities and methods, combined with over 200 algorithms that use heuristics, machine learning, and other techniques to analyze the data collected by the detectors. See this blog post and the technical articles linked from it for more information.
Use Network Deception Technologies
Decoy systems are increasingly being deployed on networks to fool any attackers who gain access. As outlined above, one of the things ransomware does is survey the network to discover other systems to attack and infect. Deception technology solutions put honey trap systems on the network for attackers and malware to find. These decoys mimic production servers, applications, databases, and other items found on a network. They have no production users or data on them. Instead, the deception technology solutions typically use machine learning algorithms to simulate users and other activity on these systems. For example, the algorithms will simulate users logging in, saving files to storage, using applications, submitting database queries, and more.
When combined with micro-segmentation (see below) to hide the real infrastructure from the attackers, these dummy systems provide a dual benefit. Firstly, they fool the attackers into thinking they have discovered systems to attack. Secondly, they allow cybersecurity professionals to monitor what the attackers are doing and study their attack methods. They can use this information to ensure that production systems are not vulnerable to these particular attack methods.
Update Network Perimeter Protection
Perimeter defense via firewalls, intrusion detection systems, security-enhanced load balancers, and other network infrastructure devices (physical and virtual) have provided the foundation layer for cybersecurity for years. They are still vital and must be part of any comprehensive cybersecurity strategy. It is essential that all perimeter network devices are up to date with the latest operating systems and security patches. If any items are out of support and not getting updates, then a plan to replace them should be drawn up and implemented as soon as practicable.
Firewalls can prevent unauthorized outward data flows to any unknown IP addresses on the Internet — a common practice in modern ransomware attacks. Of course, firewalls are still vital to block unwanted inward connection requests too. Web Application Firewalls (WAFs) should also be deployed, on LoadMaster for example, as they provide additional traffic analysis and defense options at multiple layers of the network stack.
Micro-segmentation of corporate networks can limit the spread of ransomware and other malware that evades perimeter security. Micro-segmentation splits the network into numerous small parts and prevents the discovery of devices and nodes on different segments. It also stops any access to services on a segment beyond those devices explicitly given access. Doing this makes the network opaque, limiting the typical network discovery that ransomware and cybercriminals do when they gain a foothold.
Have Agreed and Understood Policies & Procedures
Defending against ransomware attacks and cybersecurity defense, in general, is a task that involves everyone in an organization. It is essential to ensure that everyone knows how to spot risks and what procedures to follow if they think something is suspicious. Quickly understood and relevant policies and procedures are essential. They should lay out precisely what to do in all foreseeable scenarios, but also when something just doesn’t seem right. There should be different procedures for different teams. For example, end-user procedures will be different from those that the IT and security teams follow.
Do Frequent Staff Awareness Training
In addition to defined policies and procedures, there should be frequent and easily digestible staff awareness training on cybersecurity. The data shows that most successful ransomware attacks result from a tricked human in the security chain following a link, opening a file, or providing information they shouldn’t. Advanced cybersecurity awareness training solutions are available that build a picture of each user’s skills over time and then deliver bite-sized training covering their weaknesses. Targeting topics that they don’t already know and the bite-sized nature of the awareness training helps prevent boredom and overload, which often causes people to switch off and increases the risk of a successful attack.
Attackers often use social engineering techniques to trick people into mistakes via Phishing emails or on social media. The goal is to get them to divulge information or trick them into downloading a file that kicks off a ransomware infection. Organizations should include these non-technical aspects in cybersecurity awareness training.
Some modern cybersecurity awareness training solutions can perform safe, simulated Phishing and other attacks against users. To see who is tricked and clicks on dummy links. Without any risk to the organization, as the links are harmless and just used to gather data on who needs additional training.
How to avoid a ransomware attack
Use Strong Multi-Factor Authentication
Identity and Access Management (IAM) should be used with strong password policies in place. In many organizations, the core IAM comes via Active Directory or another directory service. Given the hybrid nature of many application deployments across the cloud and on-premise data centers, there will likely be some form of authentication federation in place to allow logins across hybrid systems. Irrespective of how a user is connecting: to a cloud-hosted app, remotely via VPN, or on the local network, there should be strong authentication in place.
Modern authentication systems should include:
Enforce unique passwords – unique passwords should be mandatory for all systems. Reusing passwords on more than one system should be blocked. Passwords should also be complex and impossible to guess or brute force in any reasonable timescale. People are terrible at implementing these requirements. Which leads to weak passwords, shared passwords, and attempts to use the same or similar passwords across systems. Password management tools can address this problem. They can generate strong and unique passwords for each system a user needs to access. They can also auto-enter the login credentials into systems so that the users don’t even have to remember any passwords beyond the single one they need to unlock the password manager. This master password can be strong and memorable to each user.
Use multi-factor authentication – strong passwords are not enough on their own. Multi-factor authentication should also be enabled for all systems that support it. This requires users to enter another piece of information or time-limited code that only they will have. These can be tokens generated by a dedicated code device, a smartphone app, a login tied to a specific hardware device, or biometrics like fingerprints or face scans. The password management systems discussed above have built-in support for multi-factor authentication and can generate and enter codes and other supplemental information.
There should also be management processes to authorize the creation of new accounts, what permissions and access they get, and their removal or freezing when no longer needed. The latter reduces the account attack service that criminals can use when trying to access other systems. On a related note, nobody should use admin accounts for any general computing tasks.
Add Privileged Access Management
IAM is an excellent foundation to provide logon security. But taking the next step and deploying Privileged Access Management (PAM) for critical systems offers more protection, accountability, and easier recovery from changes. PAM adds additional restrictions and requirements on systems deemed critical. To access a PAM-protected system, a user must follow a workflow that involves multiple people who need to okay the request. This is analogous to a two-key missile launch system. If the PAM access request is approved, then all activities carried out during the session are logged in detail so that a later review can see what operations occurred. In many cases, the session activity gets recorded in a video file.
PAM systems often disable the ability to run destructive commands on systems. For example, no one can execute many command-line tools – a special login is needed to use these disabled utilities. PAM access sessions are one-off, and each access requires a new request and approval process. Many PAM solutions also time limit sessions to stop a single request from being used over long periods.
Encrypt Your Data
As mentioned above, ransomware attackers often extract a copy of an organization’s data before triggering the encryption phase of an attack. Organizations should encrypt the data on their servers and endpoint devices. If an attacker steals encrypted data, they won’t be able to use it to plan future attacks, sell to others on the Dark Web, or release it into the public domain. Encryption should be employed for data in transit over networks, as well as for data at rest.
Deploy Endpoint Protection Solutions
Cybercriminals often target endpoint devices used by staff. All these devices should have endpoint security tools deployed if they exist. This means Microsoft Windows and Apple macOS PCs & laptops, plus mobile devices running Android, should have anti-malware and anti-virus software installed. Apple iOS devices don’t have any third-party solutions in this area. Apple provides a built-in pattern-based threat detection and removal component in the operating system. They also sandbox applications on iPhone and iPad devices to prevent lateral movement of data between apps.
Endpoint devices should also not auto-run any executable code on external USB drives or other devices when plugged into a computer. Cyber attackers have dropped infected USB drives in the car park of a business they are attacking. They rely on anyone who picks one up to plug it into their PC. This practice should be discouraged in the awareness training!
Use SIEM & MDM Tools
The endpoint protections mentioned above should be part of wider Security Information and Event Management (SIEM) solutions. SIEM solutions give an overall view of the security of the whole IT landscape across endpoint devices, servers, network equipment, and applications deployed in the cloud. Most also include Mobile Device Management (MDM) to allow mobile device provisioning, management, and remote wipe if lost to prevent data loss.
Update all Systems and Network Components with the Latest Security Patches
New vulnerabilities in IT equipment and software systems surface regularly. Even in systems that have been in use for years. For those that are still supported, an update will usually appear to fix the vulnerability. For this reason, it is vital to use systems that are still supported (as mentioned previously) and to keep everything as up-to-date as possible. Not all vulnerabilities get discovered before they are known to cybercriminals. When these so-called zero-day exploits appear, there is a scramble to patch software and fix them.
All operating systems should have the latest updates deployed and any security patches that are released. The same is true for security software like anti-malware and anti-virus software updates. They all need to be deployed to production systems as quickly as possible.
IT teams are often understandably nervous about deploying updates to production systems. Having close analog Test systems that mimic the production IT to test updates is a good best practice. This is much easier now with virtual systems and the cloud. Another best practice is to roll out these updates from test to production systems using a slow percentage-based deployment. This is good for catching any issues that come to light that testers did not find before the updates reach all systems.
Whatever the procedures in place, it is imperative to get updates deployed as quickly as possible. As soon as updates are publicly released, the bad actors will be scanning for unpatched systems to exploit them.
Secure Wireless Networks
Wireless networks are often not very secure. This is especially true for home networks, which have seen extensive use as people work from home. Make sure that all Wi-Fi networks in use by staff have the maximum level of security they support turned on and configured. Wi-Fi networks of any kind should not advertise their network name. Anyone who needs to use them should have their devices configured with the correct settings directly.
If any Wi-Fi systems do not support strong security, consider replacing them with new wireless access points or mobile cellular access on 4G or 5G.
Conclusion
Ransomware protection and recovery planning is something that all organizations need to do as part of their standard business operations. As the incidents that have made headlines in 2021 alone show, this is a current and rampant threat. So much so that it is now a focus for Governments and law enforcement agencies like the FBI to protect national assets from state-backed and other international cyber threats. The Biden Administration held a summit on cybersecurity in August 2021.
The topics discussed in this article are a good foundation for protecting organizations from a ransomware attack or help recovery if such an attack occurs. The threat landscape for ransomware and other cyber attacks is constantly changing. Organizations must stay up to date with this changing threat landscape. Engaging with external security solution vendors and security-focused Managed Service Providers can help with this ongoing task.
