5 Steps to Deliver A Deadly Counterpunch to Ransomware
March 21, 2023 / Unisys Corporation
Short on time? Read the key takeaways:
- The cost, downtime and reputational damage caused by ransomware is staggering.
- The primary sources of infiltration for ransomware are phishing, remote attacks on public-facing infrastructure, and unauthorized remote desktop connections.
- IT professionals can minimize ransomware threats by developing a ransomware plan, following best practices such as strong vulnerability management, regularly backing up data, and using security tools.
- In case of a breach, organizations can minimize impact by backing up and restoring files, implementing a solid Incident Response program, and using micro-segmentation and dynamic isolation.
Ransomware could cost its victims more than $265 billion annually by 2031, a Cybersecurity Ventures report predicts. Even now, the cost is still too high.
Gartner research suggests that the cost of recovery from a cyber attack, the resulting downtime in the aftermath of the event and the reputational damage can be 10 to 15 times more than the ransom.
How protected is your organization from these threats? Ransomware — a specific type of malware designed to encrypt a computer’s content until the user pays to get the recovery key — effectively halts productivity, impacting business revenue. Phishing, remote attacks on public-facing infrastructure and unauthorized remote desktop connections continue to be the primary sources of infiltration for ransomware. This has been exacerbated by the growth in remote work resulting from the COVID -19 pandemic.
Ransomware perpetrators are consistently refining their malware payloads and other nefarious capabilities. However, IT professionals can minimize these threats. Let’s explore preventative steps organizations can take to protect the enterprise from ransomware.
Protect the enterprise
The first line of defense is always a good offense. To prevent an attacker from establishing a foothold in your organization’s network, be sure to put in place the following:
- Develop a ransomware plan, so you will be prepared to respond rapidly.
- Follow best practices, such as strong vulnerability management and patching policies, regular system backups, multifactor authentication (MFA) and local administrator rights and privileges restrictions.
- Encourage, train and periodically retrain users to:
- Never click on links or open attachments in unsolicited emails.
- Back up data regularly, keep it on a separate device and store it offline.
- Follow safe practices when browsing the Internet, including good security habits.
- Employ security tools that provide link filtering, domain name system (DNS) blocking/filtering, malware detection and intrusion detection and prevention.
- Adopt Zero Trust/least privilege: Restrict users’ ability to install and run software as well as apply the principle of least privilege to all systems and services.
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
- Use application whitelisting to allow only approved programs to run on a network.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound emails to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
- Arrange for rapid access to new servers or endpoints in case the ransomware infects your current system's basic input output system (BIOS).
Also, consider anti-encryption technologies such as endpoint detection and response (EDR) solutions that restrict a system’s ability to encrypt locally. Using such technologies will often prevent ransomware’s signature encryption chaos. But keep in mind that EDR solutions can be expensive and challenging to configure and manage.
Minimize the impact
In addition to defending systems against attack, act to minimize the impact of a breach. This is critical because all systems can be breached if an attacker or bad actor has sufficient time and resources to accomplish their objective. Follow this four-step process.
- Backup and restore the file structure. Then, conduct periodic (at least annual) exercises to recover and restore files.
- Put a solid Incident Response (IR) program in place and practice it periodically. Planning builds confidence in your IR capability. Review your IR policies, engage in tabletop exercises and use operational benchmarking to improve your ability to respond before an incident occurs.
- Implement micro-segmentation. These partition networks prevent attacks from spreading via east-west proliferation. If a system is compromised, the infection cannot spread out of the micro-segment it is on, significantly reducing the damage that can be done to your environment.
- Enable dynamic isolation. Dynamic isolation allows you to isolate a device or user at the first sign of compromise, stopping attacks in their tracks. For example, if a system begins scanning an environment, the device can be isolated immediately until the situation can be reviewed. Too many organizations ignore this concept when it is possible to prevent mass infection by focusing here.
Break the Cyber Kill Chain®
To better understand how to protect your enterprise, consider the Cyber Kill Chain — initially defined by Lockheed Martin. The Cyber Kill Chain outlines a threat actor’s steps to infect a host and spread malware. Here is a brief recap of the process and tools you can use to thwart an attacker.
Reconnaissance > Weaponization > Delivery > Exploitation > Installation > |
Reconnaissance and weaponization
The attacker usually starts with reconnaissance. They choose their target and collect publicly available information about it. Based on that information, they select the appropriate vehicle to weaponize with malware.
Reconnaissance can also involve an attacker with access to the environment running network scanning and other tools to build an asset/vulnerability inventory. This inventory makes it much easier to launch a pre-configured exploit against known vulnerabilities.
Delivery
The attacker then decides how to distribute the payload. This is often done through phishing, spear phishing or whaling emails because people are susceptible to deception and easy to target. The attacker will send a user a cleverly-crafted email with a link to click or a weaponized document to open (e.g., PDF files, Word documents, Excel workbooks, etc.)
Ransomware can also be delivered directly through infected websites. In such a case, the site has malicious code embedded or contains weaponized files to be downloaded.
You can break the Cyber Kill Chain here through:
- Link filtering
- DNS blocking/filtering
- Malware detection
- Monitoring malicious behavior to block known malicious email addresses
Exploitation and Installation
Next, attackers penetrate the target but don’t necessarily release the malware promptly. Instead, they dwell there to maximize their impact, roaming the network undetected, corrupting additional devices and discovering and perhaps exfiltrating data.
Attackers often dwell before delivering their ransomware payloads. Once they deliver it, they wait for the user or employee to click on the link, visit the site or open a weaponized document. When that happens, the malware is installed and executed.
You can break the Cyber Kill Chain here by:
- Educating users about phishing and other forms of social engineering
- Providing a simple and effective process for employees to report suspicious emails
- Using intrusion detection systems (IDS) and intrusion prevention systems (IPS), including endpoint detection and response (EDR) and anti-ransomware solutions
Command and control and actions on objectives
Once the user downloads the malicious file and it is executed, the attacker gains control and acts to achieve their objectives.
You can break the Cyber Kill Chain here by isolating the machine through:
- Sandboxing
- Network-based isolation/micro-segmentation
- Host-based isolation, e.g., EDR
- Physically unplugging affected devices
Respond to an Attack
Hackers are increasingly sophisticated, so a ransomware attack will likely breach your system(s) at some point. When that occurs, take the following steps to minimize the impact and recover your data:
1. Execute your ransomware plan
A ransomware plan will expedite your recovery from an attack, minimizing downtime. This plan should determine your company’s decision-making procedures regarding paying a ransom in advance. Whether to pay or not will largely be driven by the particular circumstances, but you should keep in mind the following considerations:
- There is no guarantee that you will get your data back after paying. You might pay, only to have the attacker demand more money or return later with another attack.
- You might find yourself violating a recent warning from the U.S. Treasury’s Organization of Foreign Assets Control and subject yourself to severe penalties.
- Paying rewards bad actors and encourages more ransomware payment demands, exacerbating the already massive risk.
2. Identify the nature of the attack
Many will overlook this crucial step. It is highly recommended that you use a platform that can identify the nature of the attack.
By spending a few minutes figuring out what happened, you can learn important information, such as what type of ransomware infected your network, what files it normally encrypts and what options you have for decryption. You may also learn ways to defeat the ransomware without paying or restoring your systems from scratch.
3. Isolate infected devices
Ensure infected devices are removed from the network. If they have a physical network connection, unplug them. If they are on a wireless network, turn off the wireless hub/router. Unplug any directly attached storage to try to save the data on those devices.
The goal is to prevent the infection from spreading and affecting more of your environment. Use software-defined micro-segmentation to partition the network into smaller groups of workloads — managed with identity-driven security policies — to respond rapidly and prevent spreading.
4. Recover and restore
In general, there are three options to recover from a ransomware attack:
- Remove the ransomware: Depending on the type of ransomware involved, you might be able to remove it without requiring a full rebuild. This process, however, can be very time-consuming and is therefore not a preferred option. Immediately ensure that any impacted users update their credentials.
- Wipe and rebuild: The easiest and safest recovery method is to wipe the infected systems and rebuild them from a known good backup. Once rebuilt, you need to ensure no traces remain of the ransomware that led to the encryption. Some ransomware can impact the machine level, which is why identification is critical in determining if you can rebuild or need to replace the hardware. Determine if the ransomware has affected the BIOS on your current systems; if so, deploy your plan for accessing new servers or endpoints.
- Restore: Once ransomware has been remediated, restore the last known good backup files.
Review any gaps or inefficiencies
Once you recover from the ransomware, review any gaps or inefficiencies and develop a plan to alleviate them. Also, update your ransomware plan accordingly.
Once your environment is rebuilt, the real work begins. First, a full environmental review must take place to determine precisely how the infection began and what steps you need to take to reduce the potential of another breach.
Plan to keep your business on track
Your goal is to be prepared with a plan for a breach, so it does not become a newsworthy and costly incident. Additionally, by fending off the majority of attacks and dealing swiftly and smoothly with those who manage to penetrate your defenses, you will help keep your business on track, your customers and employees protected, and your reputation intact.
You can accomplish these goals by implementing sound preventative measures, including understanding the Cyber Kill Chain to lower your risk of infection and knowing how to respond to a breach to reduce the impact a breach if one occurs.