Ransomware’s first documented attack was relatively rudimentary. It was delivered via floppy disk containing a malware program in 1989 that told its victims to pay $189 in ransom to a P.O. Box in Panama.
Today ransomware criminals are significantly more sophisticated, thanks to advances in cyber methods and cryptocurrencies. Not all ransomware is created equally. Like all malware, malicious codes vary in sophistication and modularity. As such, not all ransomware codes are made the same. While some are ordinary and even obtained freely on open-source platforms and forums, others are highly sophisticated and operated exclusively by elite cybercrime syndicates.
How Do We Prepare for a Ransomware Incident?
Overcoming a ransomware incident is all about preparation while responding with uncertainty identifies the lack of an effective plan. Today’s media coverage is mainly focused on how ransomware affects people. Unless you are in the cybersecurity profession or aspiring to be, you may be unaware that ransomware is no different than other malicious software.
The same cybersecurity tools and processes to protect systems from trivial malware like crypto miners are the same for ransomware. The media is not covering stories about malicious software performing cryptocurrency mining operations as an end-user because the only thing stolen by malicious crypto mining software is processor time.
Align to a model, describe, and communicate
A good plan must be easy to communicate and measure, and there are several organizations that offer helpful frameworks and recommendations, such as NIST and CISA. As you analyze what is best for your organization, consider the ever-changing threat landscape and how you plan to adjust.
The following model offers an agile approach to reducing the risk of a ransomware incident:
- Assess. Identify gaps including people, process, and technology (where are we today?).
- Plan. Take action to address gaps (enable measurement).
- Practice. Test people, process, and technology (phishing, social engineering).
- Measure. How are we doing? identify remaining gaps
- Adjust. Close remaining gaps.
Testing is a critical to step to confirming technology, people, and process work cohesively, yet is often overlooked. As you establish your plan, emphasize testing and measurements to ensure the desired outcomes are being obtained. Communicate with key stakeholders and align to promote a culture of awareness.
The Elephant in the Room: To Pay or Not to Pay:
All businesses need to be prepared for “if, not when.” Cyber criminals exploit vulnerabilities, not always a specific business. The average time to dwell is closing in on 300 days. Once exploited, a malicious actor can work their way to financial information. If financial information is known, the ransom is set at our below an expected threshold. This is critical for small and medium businesses due to limited resources and ownership having extreme emotional ties to the firm.
Malicious actors strike on the emotional vulnerability and negotiate payment based on known financials. Establishing a plan is critical to reducing the risk of emotion driving the decision to pay.
Paying a ransom is a business financial decision, like converting cash to crypto on your balance sheet. It can also be considered illegal and not an option as you effectively support terrorism.
Outside of legal issues, something to consider:
- How much data entry must be inputted to offset from the last backup? Is this possible/feasible? Often this amount exceeds the ransom demand.
- What assurances do you have that your data can be decrypted?
- Is this still a breach per state / federal guidelines? Was the data posted to the dark web for sale? How do you prove or disprove this?
Statistics show over 50% of victims are reinfected within 6-18 months. Paying the ransom doesn’t prevent the root cause of exploitation.
Recent threat actors are not allowing for the use of third-party negotiation. Data is automatically leaked to the world if involved, and threat actors move on to the next victim.
Importance of Security Orchestration and Backup
Modern ransomware protection requires an integrated security architecture that can stretch from endpoints to network and the cloud to detect, correlate and remediate attacks. Your remediation options are essentially either recovering from backups or paying a ransom. The challenge is, just “restoring from backup” oversimplifies the process and causes many organizations to make assumptions about their backup and recovery capabilities, and this often leads to data loss.
To avoid the worst-case scenario, having a plan in place that includes verified, tested and secure backups that can be restored quickly is key to surviving modern attacks like ransomware. It’s important to always remember that your backup infrastructure is part of your overall cybersecurity defense plan and can be the final option for getting back to, or staying in, business.
Options to Proactively Protect Your Attack Surface
Security awareness training
Your organization can have all the best technology at its disposal to prevent threats, but if your employees are not careful about the emails they open or the links they click, the technology won’t help you.
Your employees are the weakest link in the cybersecurity chain — that includes everyone — from the C-suite to the boardroom to all stakeholders. Corporate cultures that place greater importance on cybersecurity typically put those organizations in a better position to prevent ransomware.
Zero trust mindset and micro segmentation
In many ransomware cases, hackers gain access to one segment of a network and then freely move laterally to other network segments to obtain the “crown jewels.” But what if the hackers are unable to move within your network and get stuck in one small, data-free segment? That’s the concept of micro segmentation, in which only certain users can access critical applications and networks. By default, access requests from additional users or applications are blocked.
A zero trust architecture improves upon the micro segmentation strategy by incorporating authentication and identity management, encryption, vulnerability and patch management, and comprehensive monitoring of devices, traffic and applications.
While zero trust should be your ultimate goal, adopting the architecture requires significant planning. Deploying micro segmentation should be the bare minimum in efforts to reduce lateral movement.
Endpoint protection
In the fight against ransomware, endpoint protection is a tool that prevents the ransomware program from even installing and running on the infected device. Taking endpoint protection a step further, endpoint protection and response (EDR) can detect the threat, analyze its nature, and alert your team about the how, what and where of the attack. EDR solutions essentially contain the threat and prevent it from spreading
Incident response plan and practice
If your organization falls victim to ransomware, the damage extends well beyond the financial costs. With a ransomware attack, timing is everything. Responding to a ransomware attack is an integral part of your incident management program. But in too many cases, resources for IT teams are stretched thin.
Working with a managed incident response team, you get the experience and expertise of cyber defense consultants to either lead the investigation or supplement your internal IT or cybersecurity team.
A Quick Glance at Best Practices
Consider options for having an incident response retainer to:
- Quickly respond to attacks and mitigate impact
- Minimize impacts of a potential breach
- Quickly analyze and recover from the breach
- Mitigate security risk
- Improve incident response
- Leverage an “all hands-on deck” approach, which includes in-depth digital forensic analysis, breach, support, and compromise detection
It is also important to conduct periodic vulnerability assessments to find and patch potential security weaknesses. In the end, the best way to protect against ransomware is to work with experts to protect against the attacks. Even the best and most security-aware employees may one day fall for a sophisticated phishing email, leading to ransomware. If an attack occurs, knowing you can rely on experts to conduct the forensic investigation to mitigate the risk can make all the difference.
Co-author Bindu Sundaresan is a director for AT&T Cybersecurity, and co-author Nick Simmons is AVP, Cybersecurity. Read more AT&T Cybersecurity blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.