How to mitigate Ransomware attacks
What is Ransomware and how it affects businesses?
Ransomware is a type of malware that encrypts a victim’s files or blocks access to a system until a sum of money (the ransom) demanded by the attacker is paid. Your systems and data can be infected by ransomware in a variety of ways, often through phishing emails (social engineering) or drive-by downloads (compromised websites) that trick unsuspecting users into clicking on and installing malicious files on their machines. In addition, newer ransomware campaigns targeting vulnerable web servers have been observed using them as a point of entry into an organization’s network.
The global pandemic has provided the perfect breeding ground for Ransomware as remote working and mass adoption of cloud services take hold. Researchers have seen a significant increase in Ryuk ransomware, accounting for one-third of all ransomware attacks since 2020 and affecting companies from healthcare providers (Universal Health Services), to law firms (Seyfarth Shaw) and online retailers (Steelcase). Ryuk is especially dangerous because hackers use a targeted approach and often leverage several types of malware including Emotet and TrickBot malware to compromise corporate networks.
Another noticeable ransomware, Maze, works to steal the victim’s files before encrypting them as in the Canon, LG Electronics, and Xerox attacks. Despite announcing the retirement of their operations in October 2020, their double extortion technique was quickly adapted and evolved by other ransomware operations such as REvil, Clop, and DoppelPaymer to continue the devastation.
Ransomware prevention is better than the cure
As the stakes of ransomware continue to rise (now over $1 billion and counting), it’s all too easy to lay the blame on the victimized employees. The ugly truth is – the bad guys are just better at attacking than organizations are at defending, and the former will always have the advantage over the latter. The only way organizations can truly defend themselves against ransomware is by preventing the infection from entering in the first place. Instead of shiny new technologies, security leaders must refocus on bolstering their cyber hygiene to the highest standards possible, by providing their employees with the knowledge necessary to recognize and fend off phishing attacks, and the tools and processes to support proactive risk burn-down.
Most successful ransomware data breaches stemmed from exploitation of known vulnerabilities (for example in third-party software) or simple security failings (improper access controls, database misconfiguration, and default vendor accounts) rather than zero-days. It’s clear that preventative security measures are far more effective at nipping the root cause in the bud, which is the very reason why ‘identify’ is recommended as the starting point in the NIST Cyber Security Framework.
The best-practice framework highlights the role of risk assessment – ‘identify’ before you can ‘protect and detect’. The pandemic paradigm shift has drastically expanded the security perimeter and attack surface. Yet many organizations simply reinforce their ‘protect & detect’ mechanisms without re-assessing their risk exposure. By doing so, they spend time and resources on things that are not a risk in the first place, leaving actual risks unprotected. This is why it’s so important to start with ‘identify’ – gaining visibility of your evolving security posture and assessing where it’s weak, so that it becomes the north star of your security program. You will then have the blueprint to make better decisions, whether for vulnerability prioritization, patching cadence, or new technology investment, to achieve your risk reduction goals. Of course, prevention alone cannot protect you 100% from ransomware; it’s still vital for organizations to back up their data so that they can recover in worst-case scenarios. But in order to find the balance and increase resilience, you must start with risk assessment.
A three-step plan to level up security hygiene
Proactive cyber hygiene measures are simple to implement and will instantly help improve an organization’s readiness for potential attacks.
1. Increase security awareness
Businesses are having to shift their focus and embrace remote working. This has moved the security perimeter immeasurably, from the safety of office firewalls to endpoints like employee laptops, increasing the ransomware threat and the potential for system infiltration if an at-home compromise happens.
With at-home security systems being less adept than those in the office environment, it’s never been more important to turn your staff into the first line of cybersecurity defense. Many prevalent ransomware and phishing attacks thrive on social engineering tactics to trick unguarded employees into clicking on malicious links; once the payload is downloaded, attackers can take over the victim's computer and block access to it. Hence it’s essential to help employees better understand and spot these threats.
Beyond education and training, your cyber hygiene can be greatly bolstered through role-play and conducting simulated phishing attacks. Red teaming exercises like these are useful to help organizations measure the security awareness level of their employees, better understand the threats and impact posed by phishing and ransomware attacks, and adjust their security program to harden high-risk systems and close off previously unknown back doors.
Our red teaming service can help craft and orchestrate custom phishing campaigns to target employees and provide metrics on performance to ensure your business leaders have context on how a lack of security awareness can have a negative impact on your business both financially and reputationally.
2. Measure often and mitigate risks continuously
If you can’t measure it, you can’t improve it. With opportunistic hackers often basing their attacks on gaps in security defenses, known vulnerabilities, and unsuspecting employees, having a continuous risk assessment process is a key part of prevention, especially for enterprises that are prone to security weaknesses like shadow IT and poor asset visibility.
Regular vulnerability assessment and security monitoring are essential to spot potential threats and remediate them before they become a problem. But how you do it depends on the business criticality, security maturity, and technology components of your business:
- Annual testing vs continuous assessment. Not all business assets require continuous assessment, for example, if they are not business-critical and they do not open a path to business-critical assets. At the same time, annual pen tests are not enough to secure critical infrastructure or web applications. Knowing what is critical or not in your business environment will help determine the cadence required for security testing and monitoring.
- Risk vs Vulnerabilities. For more mature organizations, the sheer number of new vulnerabilities discovered every day means the traditional ‘scan and patch’ approach does not work anymore. Security teams need to see beyond generic CVSS severity scores and leverage threat intelligence (for example, whether an exploit is known to be in active use, and whether the affected asset is exposed or business-critical) to prioritize patching efforts on the largest risks for the organization, shrinking the exposure window with greater efficiency.
- Siloed vs full-stack security assessment. Security is often an afterthought when adopting new technology. Even when security controls are considered, they often miss the mark due to siloed implementation. Attackers can use any security exposure in your technology stack to gain a foothold and pivot across your systems. To prevent this, organizations must move beyond siloed assessments of devices, networks, applications, data, and users into ‘full-stack security’ assessment to get the most complete view of their attack surface.
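The three points above (testing cadence driven by asset criticality, and prioritizing by risk rather than raw CVSS) can be made concrete with a small scoring model. The following Python is an added example, not code from the original article or from any product the article describes; the weights, the asset attributes, the tiers and the sample findings are all constructed assumptions chosen to illustrate the idea, and the vulnerability labels are placeholders rather than real CVE identifiers. It ranks the same findings two ways, by CVSS alone and by a context-aware risk score, so the difference the text argues for is visible on realistic-looking input.

```python
from dataclasses import dataclass

# Assumed weights for the risk model (not from the article; tune to your environment).
EXPLOIT_KNOWN_WEIGHT = 2.0     # threat intel says the bug is actively exploited
INTERNET_FACING_WEIGHT = 1.5   # reachable from the public internet
BUSINESS_CRITICAL_WEIGHT = 1.5 # asset itself is business-critical
REACHES_CRITICAL_WEIGHT = 1.25 # asset has a network path to a critical asset


@dataclass(frozen=True)
class Asset:
    name: str
    business_critical: bool
    internet_facing: bool
    reaches_critical: bool   # can an attacker pivot from here to a critical asset?


@dataclass(frozen=True)
class Finding:
    label: str               # placeholder identifier, not a real CVE number
    asset: Asset
    cvss: float              # generic CVSS base score, 0.0 to 10.0
    exploit_known: bool      # from a threat-intelligence feed


def assessment_cadence(asset: Asset) -> str:
    """Map asset criticality to a testing/monitoring cadence (assumed policy)."""
    if asset.business_critical or asset.reaches_critical:
        return "continuous"
    if asset.internet_facing:
        return "quarterly"
    return "annual"


def risk_score(f: Finding) -> float:
    """Scale the generic CVSS score by exploitability and asset context."""
    score = f.cvss
    if f.exploit_known:
        score *= EXPLOIT_KNOWN_WEIGHT
    if f.asset.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    if f.asset.business_critical:
        score *= BUSINESS_CRITICAL_WEIGHT
    elif f.asset.reaches_critical:
        score *= REACHES_CRITICAL_WEIGHT
    return round(score, 2)


def remediation_tier(score: float) -> str:
    """Assumed tiers: the score thresholds are illustrative, not a standard."""
    if score >= 20.0:
        return "patch now"
    if score >= 10.0:
        return "this sprint"
    return "next cycle"


def order_by_cvss(findings: list[Finding]) -> list[str]:
    """The traditional 'scan and patch' ordering: highest CVSS first."""
    return [f.label for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize(findings: list[Finding]) -> list[str]:
    """Risk-based ordering: highest context-aware risk score first."""
    return [f.label for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory and findings (illustrative only).
WEB_PORTAL = Asset("customer-portal", business_critical=True, internet_facing=True, reaches_critical=True)
VPN_GATEWAY = Asset("vpn-gateway", business_critical=False, internet_facing=True, reaches_critical=True)
DEV_BOX = Asset("isolated-dev-vm", business_critical=False, internet_facing=False, reaches_critical=False)
PRINT_SERVER = Asset("print-server", business_critical=False, internet_facing=False, reaches_critical=False)

SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", DEV_BOX, cvss=9.8, exploit_known=False),
    Finding("EXAMPLE-0002", WEB_PORTAL, cvss=7.5, exploit_known=True),
    Finding("EXAMPLE-0003", VPN_GATEWAY, cvss=5.0, exploit_known=True),
    Finding("EXAMPLE-0004", PRINT_SERVER, cvss=8.8, exploit_known=False),
]

if __name__ == "__main__":
    print("By CVSS alone:", order_by_cvss(SAMPLE_FINDINGS))
    print("By risk:      ", prioritize(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        s = risk_score(f)
        print(f"{f.label}: cvss={f.cvss} risk={s} tier={remediation_tier(s)} "
              f"cadence={assessment_cadence(f.asset)}")
```

Run as a script, the CVSS ordering puts the 9.8 on the isolated dev VM first, while the risk ordering moves the actively exploited 7.5 on the internet-facing, business-critical portal to the top and the dev VM down to the "next cycle" tier. The multipliers are deliberately crude; the point is that the ranking changes once exposure, reachability and exploit availability are part of the score, which is what the "risk vs vulnerabilities" bullet above calls for.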
3. Prepare for the worst
Building security awareness and a robust cyber hygiene process from the get-go will greatly minimize your risks, but as no business is totally safe from cyberattacks, how do you get your organization ready in the event of a ransomware attack? Scenario-based attack simulation.
Once you have invested in and implemented the tools and security processes to keep attackers out, it’s important to validate that they are running and working as they should, for an additional layer of security assurance. Scenario-based testing, such as assumed-breach attack simulation or digital footprinting, will help you understand what might happen if a breach were to occur, and how far an attacker could get without being detected. It goes above and beyond narrowly scoped pen tests to assess your preventive, detective, and responsive capabilities, and most importantly, it will reveal the hidden attack paths that are unknown to you, such as where threats could stem from your public-facing assets, and help improve security controls.
When nothing is certain it’s important to be ready. Our ethical hackers and Offensive Security team use advanced hacking techniques to help mature your security program through real-life attack scenarios. Supplementing vulnerability management with simulated attacks and advanced red teaming could make the difference between a costly data breach and keeping your reputation intact.