Recognizing, defending against and recovering from Ransomware attacks
by Reese Kimmons, MS ISA
Since cyber criminals first began infecting targeted organizations’ systems with malware that denied access to critical data and demanding payment to restore that access, ransomware attacks have posed a serious and growing threat to both public and private sector entities.
The cost of recovery from a successful attack can be so high that, when combined with damage to reputation and loss of customer trust, some businesses do not survive.
Knowing how ransomware attacks are typically launched and having the appropriate controls in place to detect and stop them will significantly lower your organization’s risk level.
If criminals are able to gain access to internal resources, they will likely need the ability to move laterally within the network in order to identify and access critical data and systems. Limiting their ability to do so and restricting user privileges can prevent their attacks from being successful even if they do get inside.
Because social engineering tactics are among the top three attack vectors used by cyber criminals to deploy their ransomware, employee training is also critical.
And finally, if all else fails and an attack is successful, running regular backups and ensuring that they are stored in a location separate from the compromised network along with having a tested incident response plan in place will help you to recover as quickly and inexpensively as possible.
Ransomware examples and the size of the Ransomware problem
The scope and impacts of ransomware attacks are significant. In 2019, Cybercrime Magazine reported that a ransomware attack occurred, on average, every 11 seconds. Since the onset of the COVID pandemic in 2020, the number of attacks has increased by 600%.
Research conducted by cybersecurity provider Sophos in 2021 indicated that 37% of survey respondents’ organizations had been impacted in some way by a ransomware threat or attack within the previous year.
Phishing is a preferred ransomware delivery method. According to a 2020 report by Fortinet Security Solutions, one in every 6,000 emails examined included malicious links, many of which led to sites used to deliver ransomware. Attackers also frequently leverage software and Remote Desktop Protocol (RDP) vulnerabilities to deliver their malware.
With the transition to remote and hybrid work models, the 65% of employers participating in a 2020 survey by Bitglass who were allowing their employees to access internal resources using personal, unmanaged devices were introducing even more vulnerabilities that could lead to ransomware infection.
Organizations hit by ransomware require, on average, three weeks of downtime to recover (Coveware study, 2021).
- In the most costly ransomware event on record, an insurance company (CNA Financial, one of the largest insurance companies in the US) out $40 million to its attacker to regain control of its network. A considerable amount of company data was stolen by the hackers during the attack.
- In 2021, bad actors targeted Kaseya, a provider of security as a service (SaaS), exploiting a vulnerability in its VSA remote management software to deliver ransomware to Kaseya’s clients. This attack impacted hundreds of organizations, many being small to mid-sized companies, in multiple nations.
Per the results of a Cybereason 2021 survey of 1263 companies, 60% of those impacted by ransomware attacks lost revenue and 53% reported that their brands were damaged as well.
Of the surveyed companies that paid ransoms, 80% suffered another attack shortly thereafter. Only 46% regained access to their data even after making payment and most of that data was corrupted.
What industries are most at risk?
Any business with stored data is at risk of falling victim to a ransomware attack, but some industries are targeted more often than others.
Healthcare providers typically only spend about 6% of their budgets on cybersecurity (Fierce Healthcare study, 2020) despite the fact that they are highly-favored targets. In the U. S. in 2020, ransomware resulted in half of all reported healthcare data breaches (U. S. Dept. of Health and Human Services, 2021). Between 2016 and 2020, ransomware attacks cost U. S. healthcare companies more than $157 million.
Colleges and universities are among the favorite targets for ransomware attacks, as are public school systems. Banks, credit unions, and other financial institutions are also frequently attacked, with risks to smaller institutions on the rise as of late. Governmental bodies are experiencing an increase in the number of attacks as well.
Ransomware attacks on supply chains have become more prevalent and can do substantial damage to industrial infrastructure leading to product shortages and increased prices of consumer goods.
Preventing ransomware attacks: Addressing the phishing threat
Phishing, or malicious email, consistently ranks among the top three ransomware attack vectors. Bad actors craft messages intended to deceive their recipients and cause them to click on a link or open an attachment that leads to delivery of the malware payload. Implementing a combination of technical controls and user training will significantly improve your chances of preventing ransomware attacks.
No technical control is 100% effective, but current AI-enhanced email filter applications will prevent the vast majority of malicious messages from reaching their targets.
The AI component allows the filter to identify and begin blocking emails based on criteria like wording used in emerging threats and the domain from which the emails originate. Unfortunately, domains are easy to come by and, when a cyber criminal discovers that messages from a certain domain are being filtered, he or she simply obtains a new one.
Bad actors have also developed tricks to circumvent filters, like intentionally making very minor spelling errors to disguise words filters typically check for. With this in mind, training employees and internet users to recognize suspicious messages is essential.
User training programs are most effective when they are ongoing, inclusive, engaging, and continuously evaluated and improved. The best results in phishing recognition training are obtained through simulation.
Users are targeted with emails that closely resemble current and emerging threats seen in the wild. Their responses are monitored to determine whether they need remedial training.
Did the user report the email in accordance with applicable security policies? Was a link clicked or an attachment opened?
Simulation techniques are especially effective because they raise the recipient’s stress level. Is this a real attack or a simulation? Good simulation training programs measure individual and overall progress, providing security personnel with metrics they can use to evaluate the training material and make changes as needed.
If you are running Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5, you already have a built-in capability to run phishing simulations. If not and if you need assistance in ransomware simulation exercises, there are a number of quality third-party providers of training as a service that can help.
Preventing ransomware attacks: Hardening your environment
In addition to implementing an effective AI-enhanced email filter, ensuring that you’ve incorporated other technical controls into your environment will also help to prevent ransomware attacks and detect any suspicious activity that may indicate that an attack is in progress.
Bad actors often leverage unpatched vulnerabilities to gain access and deliver their malicious payloads. It is critically important that you implement and maintain an effective patch management program to ensure that known vulnerabilities are eliminated as soon as possible.
Patching vulnerabilities requires visibility into the network and the ability to detect and manage any devices connecting thereto. This would include user-owned devices.
Since the transition to remote and hybrid work environments, security managers have been tasked with addressing and mitigating vulnerabilities within their users’ homes, which have essentially become remote offices on a wide area network (WAN) that are beyond the direct control of security personnel.
“Bring your own device” (BYOD) policies and access controls need to be implemented to ensure that administrators can see and manage the devices that are connecting to critical resources. Remote work security policies also need to be developed and implemented.
When the remote work transition occurred, Remote Desktop Protocol (RDP) was the only resource many companies had readily available that could be used by staffers working from home to connect to internal resources. Unfortunately, RDP comes with its own set of well-known vulnerabilities.
If your remote personnel are connecting via RDP (aka Remote Desktop Services – RDS), it is important that you ensure your servers are not running older, unsupported versions of Windows. If they are, you may want to research the BlueKeep and DejaBlue attack vectors that allowed hackers to leverage RDP vulnerabilities to gain access to some older Windows systems and deploy malware without the need for valid user credentials.
Because criminals who do have valid user credentials can often easily access exposed and unprotected servers via RDP, ensuring that your servers are behind firewalls and not publicly visible or accessible will reduce risks associated with RDP usage. Disabling RDP access where it is not needed is recommended as well.
Implementing policies that require complex passwords that must be changed periodically will narrow the window of opportunity for a hacker with valid credentials to gain access and reduce the likelihood that brute force attacks will be successful.
RDP session hijacking, whereby an attacker takes over and re-initiates a disconnected RDP session, is also a possibility. These attacks can be prevented through policy that will instantaneously log users off when they disconnect their RDP sessions.
Obviously, the use of an effective antivirus/anti-malware solution is also necessary, not just to mitigate risks associated with ransomware but other threats as well. Since ransomware is often delivered via malicious sites, controlling what sites your users are allowed to visit is a good idea.
Consider whitelisting, whereby an approved list of IP addresses and/or domains is created and, if an address or domain is not on that list, access to your domain will be denied.
User access management (UAM) and ransomware detection
Disgruntled former employees can do a tremendous amount of damage if their access is not disabled immediately upon termination.
Having a policy in place that either automates this process or implementing measures that ensure effective communication between HR and information security personnel reduces the risk that a vindictive former employee will wreak havoc upon your environment, possibly including working with a bad actor to deliver ransomware.
User access management (UAM) systems can not only automate the process of removing the access of terminated employees but can also manage user access privileges. If an attacker obtains the credentials of an employee with elevated access privileges, he or she will have the ability to move laterally about your network looking for prime targets and critical data.
A quality UAM system will help you to assign and manage privileges and monitor the activities of your users. The right UAM will also “learn” what is normal within your environment and alert you to anomalies that may indicate that an attack is in progress, thereby giving you some time to stop it before significant damage is done.
Ransomware attackers are now directly contacting employees and promising them hefty slices of the ransom if they will install the malware on their employers’ systems. These criminals are using sites like LinkedIn to identify their targets and obtain their contact and employment information.
This is another reason to limit employee access to only those resources they need in order to perform their duties. This is also why you should consider working with the HR department and organizational management to come up with policies and procedures by which disgruntled employees or those having financial problems might be identified and brought to the attention of personnel who have a need to know about such things.
Training employees to recognize the signs that a coworker is unhappy and could pose a danger to the company, then providing them with a process by which they can confidentially report their observations can reduce the risks of insider attack.
Even if an employee is not disgruntled but is having serious monetary issues, he or she may be amenable to a proposition from a cyber criminal if the potential reward for cooperation is substantial. Identifying those employees and offering them some assistance may reduce the likelihood that your organization will fall victim to a ransomware attack.
The idea behind ransomware is that, if the attacker can prevent the victim from accessing critical data, the victim will pay the ransom demanded.
If the victim has established a backup plan that regularly backs up critical systems and data to a storage location that is isolated from the network compromised by the attacker, the effected data can be restored and recovered in the event of an attack. There will be some downtime, but not nearly as much as there would have been if there were no backups or if the backups were stored on the compromised network and were also impacted by the attack.
Administrative credentials used to access backup systems should differ from any used elsewhere. If an attacker has obtained account credentials with elevated permissions for access within the compromised network, those same credentials should not grant access to backup systems.
Ransomware recovery: Incident response planning
Even if your organization implements all of the recommendations we have discussed, there is always a possibility that a ransomware attack could be successful.
If that happens, you should have a response team prepared to act. This means you need an incident response plan.
A response team should be assembled with each member’s role described in the plan. The plan should be periodically tested, evaluated, and continuously improved.
Every member of your incident response team should know his or her role should an incident occur. Creating and reviewing after-action reports will help you to update and improve your plan based on lessons learned.
While organizations within certain business sectors are more likely to be preyed upon by ransomware attackers than others, any business that maintains operationally-critical data could become a target.
Given the recent dramatic increase in the number and frequency of attacks as well as the associated recovery expense and downtime, now is certainly the time to take the steps necessary to get your employees trained and implement the technical controls, policies, and practices necessary to harden your organization’s ransomware defenses.
Cyber criminals are looking for easy money. As they search for new targets, bad actors who encounter organizations well-positioned to defend against their attacks will most likely move on to try and find other, less prepared, entities to victimize.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese also earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.
- 12 Tips to Manage Your Online Privacy and Protect Your Identity in 2022 - January 7, 2022
- Ransomware Attacks – What you need to know & how to deal with them - December 29, 2021