Threat of Ransomware
Ransomware attacks are a constant presence in today’s news, and for most organizations the question is no longer “if” but “when”. Ransomware is a form of malware designed to deny access to data by encrypting it and then demanding a ransom in exchange for the decryption key. It is a considerable threat to organizations in almost every industry vertical, including education, financial services, healthcare, government, retail, industrial and manufacturing, and information technology.
Notable ransomware variants include WannaCry, Petya, Ryuk, Sodinokibi (REvil), RobbinHood, Maze, and Cerber.
Ransomware Attack Vectors
Ransomware infections arrive through either human or machine attack vectors. Human attack vectors include phishing (email), smishing (SMS), vishing (voice calls), and messages sent over social media platforms. Machine attack vectors include unpatched system vulnerabilities, malvertising (malicious ads), network-exposed services (RDP reachable from the internet, or vulnerable web servers), and propagation through shared services (peer-to-peer spread between hosts on the same network).
The following are typical ransomware attack steps:
1. Penetration: Attackers most often gain entry through phishing emails carrying malicious links or attachments, or through trojanized or compromised applications. The ransomware then installs itself on the endpoint and spreads to any network host it can reach.
2. Key Exchange: After installation, the ransomware typically contacts a command-and-control (CnC, C2) server operated by the attackers and obtains or registers the cryptographic keys that will be used to encrypt data on the local system. Most variants use hybrid encryption: each file is encrypted with a freshly generated symmetric key, and that key is wrapped with the attacker’s public key, so recovery depends on a private key only the attacker holds. Variants that carry the public key inside the binary can encrypt without ever reaching a C2 server, so blocking C2 traffic alone does not prevent encryption.
3. Encryption: Next, the ransomware encrypts local files; depending on the variant this may cover user data only, system files, or both. Encryption usually extends beyond the local disk to any mounted shares and drives and to other reachable hosts on the local network, and many variants delete volume shadow copies and any reachable backups first so that recovery without the key is harder.
4. Extortion: Once files are encrypted, the ransomware displays a message on the compromised host with instructions for paying the ransom. The message may carry, or be followed by, an ultimatum: the encrypted data will be destroyed if payment is not made within the stated timeframe, or data exfiltrated before encryption will be published (so-called double extortion).
5. Decryption: Organizations hit by ransomware face two choices. First, negotiate with the attacker and pay the ransom, trusting that the attacker will hand over a working decryption key or tool. Second, decline to pay, accept responsibility for recovery, remove the infected files and systems from the network, and restore data from earlier backups. Paying is no guarantee: studies have shown that 42% of organizations that paid did not regain access to their encrypted files and data, and even a genuine decryption tool still has to be run, and its output verified, on every affected system.
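The encryption step above leaves behind signals a SOC can look for even before a ransom note appears: one process rewriting many files with high-entropy (encrypted) content, renaming them to a new extension, and dropping a note. The following Python is an added example, not code from the original article. It runs that heuristic over a constructed set of file-system events; the process names, paths, and thresholds in it are placeholders chosen for illustration, not vendor defaults or known indicators of compromise.

```python
"""Heuristic detection of ransomware-like file activity over constructed
file-system event records (added example; not code from the original article).
"""
import math
import os
import re
from collections import defaultdict

# Thresholds are assumptions chosen for illustration, not vendor defaults.
ENTROPY_THRESHOLD = 7.0      # bits per byte; encrypted/compressed data is close to 8.0
MIN_SUSPICIOUS_WRITES = 5    # high-entropy writes per process before it counts
MIN_EXTENSION_RENAMES = 5    # extension-changing renames per process before it counts
# File names that look like ransom notes (pattern is an assumption for the example).
NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|how_to).*\.(txt|html|hta)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze(events):
    """Return {process: [reasons]} for processes that show at least two of the
    three indicators (high-entropy writes, extension renames, ransom note)."""
    hi_entropy = defaultdict(int)
    ext_renames = defaultdict(int)
    notes = defaultdict(int)
    for ev in events:
        proc = ev["process"]
        if ev["op"] == "write":
            if shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
                hi_entropy[proc] += 1
            if NOTE_PATTERN.search(os.path.basename(ev["path"])):
                notes[proc] += 1
        elif ev["op"] == "rename":
            old_ext = os.path.splitext(ev["path"])[1]
            new_ext = os.path.splitext(ev["new_path"])[1]
            if old_ext != new_ext:
                ext_renames[proc] += 1
    findings = {}
    for proc in set(hi_entropy) | set(ext_renames) | set(notes):
        reasons = []
        if hi_entropy[proc] >= MIN_SUSPICIOUS_WRITES:
            reasons.append(f"{hi_entropy[proc]} high-entropy writes")
        if ext_renames[proc] >= MIN_EXTENSION_RENAMES:
            reasons.append(f"{ext_renames[proc]} extension-changing renames")
        if notes[proc]:
            reasons.append("ransom-note-like file created")
        # Require two independent indicators: backups and archivers also write
        # high-entropy data, and editors also rename files.
        if len(reasons) >= 2:
            findings[proc] = reasons
    return findings


def sample_events():
    """Constructed events for the example. 'enc.exe' and 'notepad.exe' are
    placeholder process names, not real indicators of compromise."""
    encrypted_blob = bytes(range(256)) * 16             # entropy is exactly 8.0 bits/byte
    plain_text = b"quarterly figures, draft 3\n" * 64   # low entropy, ordinary document
    events = []
    for i in range(8):
        doc = f"/srv/share/finance/report{i}.docx"
        events.append({"process": "enc.exe", "op": "write", "path": doc, "data": encrypted_blob})
        events.append({"process": "enc.exe", "op": "rename", "path": doc, "new_path": doc + ".locked"})
    events.append({"process": "enc.exe", "op": "write",
                   "path": "/srv/share/finance/README_DECRYPT.txt", "data": b"pay us"})
    for i in range(8):
        doc = f"/home/alice/notes{i}.txt"
        events.append({"process": "notepad.exe", "op": "write", "path": doc, "data": plain_text})
    # An editor saving through a temp file renames once; one rename is not an alert.
    events.append({"process": "notepad.exe", "op": "rename",
                   "path": "/home/alice/notes0.txt.tmp", "new_path": "/home/alice/notes0.txt"})
    return events


if __name__ == "__main__":
    for proc, reasons in analyze(sample_events()).items():
        print(f"ALERT {proc}: " + "; ".join(reasons))
```

In a real deployment the events would come from an EDR or file-system audit feed, and the entropy check would be run on a sampled prefix of each written file rather than the whole content. The two-indicator rule matters: backup agents and archivers legitimately write high-entropy data, so entropy alone produces noise.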
Ransomware Prevention Best Practices
- Secure Email – Scan all inbound email for malware, ensuring that malicious messages are quarantined or deleted and that dangerous attachments are stripped. Ensure employees do not share sensitive information over unencrypted email or in response to unsolicited phone calls and text messages.
- Use Edge & Endpoint Protection – Harden the network edge and the endpoints with a next-generation firewall (NGFW) and centrally managed antivirus or endpoint detection & response (EDR) software to reduce the chance of infection.
- Use Strong Passwords, MFA, and VPN – Use strong, unique passwords and enable multi-factor authentication in every application that supports it, especially remote access such as RDP, VPN, and email. Require employees to use a virtual private network (VPN) when connecting over public or otherwise untrusted networks, and keep the VPN gateway itself patched and MFA-protected, since exposed remote-access services are a common initial entry point.
- Look to Harden – Secure employees’ web browsers by blocking pop-ups and deploying ad-blocking extensions. Allowlist (whitelist) the applications users regularly need so that unapproved executables cannot run.
- Backup Your Data – Have a working backup process in place, test your backups, and store copies in diverse locations and regions, including at least one copy that is offline or immutable so that ransomware with network access cannot encrypt or delete it. Test your restoration procedures and backups frequently. Do not wait for a ransomware event to discover that your backups are corrupt.
- Perform a Risk Analysis – Identify and assess the risks to your organization and your industry vertical through a risk analysis activity. Focus on ransomware: know where your security “gaps” are and adopt a cybersecurity framework.
- Vulnerability Management and Penetration Testing – Patch vulnerabilities quickly, ideally as soon as they are identified, to reduce the attack surface. Perform regular penetration tests to validate your defenses and your patch management efforts.
- Train Your Team – Provide ransomware attack response training for your Security, IT, and Incident Response (IR) team members, and ransomware awareness training with real-world examples and scenarios for all employees.
- Get Cyber Insurance – Contract with a cyber insurance provider. If a policy is already in place, make sure you understand how it treats ransomware payments and that coverage is adequate for business liabilities if sensitive data is breached.
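The backup item above says to test restores, not just backups. The following Python is an added example (not the article’s code) of a minimal restore drill on constructed sample data: it archives a small directory, records a SHA-256 manifest, restores the archive into a fresh directory and compares every file against the manifest, then repeats the check on a deliberately truncated copy of the archive to show the drill catching a bad backup before it is needed. The file names and contents are constructed for the example.

```python
"""Backup restore drill on constructed sample data (added example; not code
from the original article)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under source and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source)))
    return hash_tree(source)


def verify_restore(archive: Path, manifest: dict) -> tuple:
    """Restore the archive into a fresh directory and compare it to the manifest.
    Returns (ok, problems); any failure to restore counts as a failed drill."""
    problems = []
    try:
        with tempfile.TemporaryDirectory() as restore_dir:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(restore_dir, filter="data")  # refuse absolute and '..' paths
                except TypeError:  # Python without the filter argument: plain extraction
                    tar.extractall(restore_dir)
            restored = hash_tree(Path(restore_dir))
    except Exception as exc:
        return False, [f"restore failed: {type(exc).__name__}: {exc}"]
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return not problems, problems


def run_drill() -> dict:
    """Build constructed sample data, back it up, verify the restore, then
    verify a truncated copy of the archive. Returns both outcomes."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "q1.csv").write_text("region,revenue\nemea,100\n")
        (source / "finance" / "q2.csv").write_text("region,revenue\nemea,120\n")
        (source / "notes.txt").write_text("restore drill sample\n")
        archive = work / "backup.tar.gz"
        manifest = make_backup(source, archive)
        good = verify_restore(archive, manifest)
        # Simulate a damaged copy: keep only the first half of the archive bytes.
        corrupt = work / "backup-corrupt.tar.gz"
        data = archive.read_bytes()
        corrupt.write_bytes(data[: len(data) // 2])
        bad = verify_restore(corrupt, manifest)
    return {"files": len(manifest), "good": good, "corrupt": bad}


if __name__ == "__main__":
    result = run_drill()
    print("intact archive:", "PASS" if result["good"][0] else "FAIL", result["good"][1])
    print("truncated archive:", "PASS" if result["corrupt"][0] else "FAIL", result["corrupt"][1])
```

The manifest must be stored separately from the backup medium (for example alongside the offline copy), otherwise ransomware that reaches the backup can alter both. A scheduled job that runs this kind of drill against last night’s backup and alerts on FAIL is the cheapest way to find out that backups are corrupt before the day you need them.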