Updated: Nov 21, 2019
Ransomware is back in the news, but really, it never left. It keeps coming back, again and again. It is a cyclical attack that evolves, creating peaks and valleys in breaches (and in news coverage; see the links at the end of this post). As a business leader, cybersecurity professional, or individual using computers, you should keep ransomware on your "hot" list. This post is the first in our series on ransomware.
Ransomware has been a very effective and profitable attack because the attackers don't need to exfiltrate and store the data or look for a buyer; the buyer is you. Given that ransomware attacks are profitable and can be carried out with little investment, limited hacking skill, and no significant targeting, this threat will undoubtedly persist. There are frameworks that allow almost anyone to cast a ransomware net and see who or what is caught. It is rarely an explicitly targeted attack and does not discriminate by business type or by your ability to pay the ransom. Payment and recovery are negotiated later, and the attacker can change the "rules" once they get a read on your situation. In the end, the sophistication of the framework and of the attacker determine how effective the attack is and what it costs your business. Unfortunately, this may also determine whether you ever get your systems and data recovered and back online: a botched attack (for example, malware that loses its own keys or damages files while encrypting them) can mean that even if you pay the ransom, your assets are corrupted or otherwise unrecoverable.
What is "trending" with attackers right now is revisiting old vulnerabilities, finding better or more clever ways to deliver the malware, and improving how they monetize the attack. Staying current with the ransomware threat landscape requires diligence and investment in protecting, detecting, and responding.
Most of the defenses and responses you can employ reside within IT and operations; there is very little that can be done in the application software itself. Below are some basic steps to help you avoid becoming a ransomware victim, or to limit an attack's impact and recovery time:
Implement regular backups of data and configurations. Keep the backups logically and physically separated from their source (e.g., offsite, or on a store that is taken offline after the backup operation) so that an attacker who controls the source cannot reach them. As with any backup, frequency and cost depend on the amount of data and on what you are prepared and able to recreate. Verify that backups can actually be restored; an untested backup is not a recovery plan. A public cloud like Microsoft Azure or Amazon AWS is a good option for this and for other items below.
Create and regularly test business continuity and disaster recovery (BC/DR) plans. This is an important capability for any business, but it is critical in a ransomware attack: when ransomware executes, you must make a very rapid transition from cybersecurity response to BC/DR and (possibly) disclosure.
Employ education and protections against phishing and against any spoofing of authenticated users or services (e.g., brute forcing or simple guessing of passwords). Leveraging a compromised but authenticated and authorized account is the primary means by which ransomware or other malware enters your environment. Once a foothold is established, the attack can be executed without further outside access. Implementing multi-factor authentication (MFA) or hardware keys for all users, or at least for those with elevated privileges (e.g., admins), is an excellent defense against account spoofing.
Reduce your attack surface by disabling services you don't need (e.g., RDP) and carefully controlling and monitoring any remaining access to your environments. This includes regular auditing and scrubbing of endpoints, ports, and user accounts. If something doesn't need to be directly connected to the internet (e.g., data stores, admin portals), don't connect it; connect it only when it is needed, or put it in a DMZ or behind a VPN or jump host.
Employ active endpoint protection and anti-virus/anti-malware (AV/AM) tools at or near your endpoints and on each device in your network. Keep these tools current on their threat signatures and use them to monitor for and block or quarantine any malware or "untrusted" code running in your environments. When implemented properly, there are processes, practices, and tools that are very effective at keeping your environments "clean" while preserving the necessary agility. In parallel, you can be working toward "Zero Trust".
Develop backup services and infrastructure, or alternate means of accessing your data and capabilities, leveraging mobile, cloud, or even more rudimentary methods. This will be an advantage in any BC/DR event.
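As an added example (not code from this post, from Cylidify, or from any product mentioned above), the following Python script shows the two checks a practitioner would pair with the backup and BC/DR items in the list above: a SHA-256 manifest taken at backup time and kept with the offline copy, and a verify step that diffs a live or restored tree against that manifest and flags ransomware-like damage (most of the protected files gone or altered, and the new files sharing one extension the manifest never saw). The file names and contents, the ".locked" extension, and the threshold values are constructed assumptions for the demo; the "ransomware" simulation only writes random bytes and performs no real encryption.

```python
"""Backup manifest and restore verification.

Added example for this post (not code from Cylidify or from any product it mentions).
Assumes a trusted manifest is written at backup time and kept with the offline copy.
"""
import hashlib
import secrets
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample backup set (hypothetical files, not real data).
SAMPLE_FILES = {
    "docs/q1-report.docx": b"Q1 revenue summary",
    "docs/q2-report.docx": b"Q2 revenue summary",
    "db/customers.sqlite": b"SQLite format 3\x00" + bytes(64),
    "db/orders.sqlite": b"SQLite format 3\x00" + bytes(64),
    "config/nginx.conf": b"server { listen 443 ssl; }",
    "config/app.env": b"DB_HOST=db.internal",
    "media/logo.png": bytes.fromhex("89504e470d0a1a0a"),
    "media/hero.jpg": bytes.fromhex("ffd8ffe0"),
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Store this with the offline backup."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: dict[str, str]) -> dict:
    """Diff a live or restored tree against the trusted manifest and flag ransomware-like damage."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    added = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest.keys() & current.keys() if manifest[p] != current[p])
    damaged_ratio = (len(missing) + len(changed)) / max(len(manifest), 1)
    # Heuristic (assumed thresholds): most of the protected set altered or gone, and the new
    # files share one extension the manifest never saw, as with encrypt-and-rename ransomware.
    ext_counts = Counter(Path(p).suffix for p in added)
    top_ext, top_count = ext_counts.most_common(1)[0] if ext_counts else ("", 0)
    suspicious = damaged_ratio >= 0.5 and top_count >= 3 and top_count >= 0.8 * len(added)
    return {
        "missing": missing,
        "added": added,
        "changed": changed,
        "damaged_ratio": damaged_ratio,
        "top_new_extension": top_ext,
        "suspicious": suspicious,
    }


def populate(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def simulate_ransomware(root: Path, ext: str = ".locked") -> None:
    """Constructed stand-in for encrypt-and-rename behaviour: random bytes, no real crypto."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.with_name(p.name + ext).write_bytes(secrets.token_bytes(len(p.read_bytes()) + 16))
        p.unlink()
    (root / "README_TO_DECRYPT.txt").write_text("your files are encrypted")


def demo() -> tuple[dict, dict, dict]:
    """Returns verify() reports for: untouched tree, one legitimate edit, simulated attack."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        populate(root)
        manifest = build_manifest(root)   # taken at backup time, kept offline
        clean = verify(root, manifest)
        (root / "docs/q1-report.docx").write_bytes(b"Q1 revenue summary (revised)")
        edited = verify(root, manifest)   # normal drift: small ratio, no shared new extension
        simulate_ransomware(root)
        hit = verify(root, manifest)      # mass loss plus a single new extension
    return clean, edited, hit


if __name__ == "__main__":
    for label, report in zip(("clean", "edited", "attacked"), demo()):
        print(f"{label:8s} damaged={report['damaged_ratio']:.2f} "
              f"suspicious={report['suspicious']} new_ext={report['top_new_extension']!r}")
```

Keep the manifest with the offline copy rather than beside the source data: an attacker who can encrypt the files can just as easily rewrite a manifest stored next to them. Run verify() against the restored tree before declaring a recovery successful, and periodically against the live tree as a cheap early warning that complements, but does not replace, the AV/AM monitoring above.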
Given the effectiveness, ease, and profitability of ransomware, we expect attackers not only to make routine updates but also to evolve. Here are our predictions on how the attack will evolve:
Advancements in the ransomware code to make it more sophisticated, through adaptive algorithms and "AI", allowing it to gain a foothold in your environment more easily, spread virally once it has one, and rely less on command and control for execution and ransoming.
More precise targeting of business types or locales that are more able and willing to pay the ransom.
Changes in the encryption approach, from directly encrypting the data to going after the keys and credentials of the encryption already in place. The attacker's own encryption relies on sophisticated malware being delivered, takes time to complete, and can sometimes be broken when its implementation or key handling is flawed. Attacks that merely take or change your keys or credentials will increase.
Adding attack targets beyond the databases. Authentication and authorization stores, networking infrastructure, configurations, and devices are all potential targets. This will likely include additional targeting of individuals and/or specific transactions.
Preventing or responding to ransomware attacks requires a team effort with diligence and agility from all of us as potential targets. Cylidify can help starting with information, guidance, or a low-cost initial assessment of your ransomware risk and preparedness.
A few links, though a quick Google search will give you the latest scoop:
Old ransomware with unpleasant new tricks and New Phobos ransomware [ZDNet]
Formjacking on the Rise and Cr1ptT0r targeting NAS systems [Bleeping Computer]
See part two of this series with more details on response and recovery.