Cyber Playbook: Ransomware 101

July 20, 2021

The team at Herjavec Group is made up of best-in-class, global talent and some of the most highly respected professionals in cybersecurity. With decades of experience and lessons learned, we want to share our insights with you. From the HG Playbook is a blog series where our diverse, specialized thought leaders will discuss all things cybersecurity. Every month one of HG’s experts will provide advice and insights based on their extensive experience in the infosec industry. Make sure to subscribe below and feel free to connect with us about topics and questions you would like to see covered.


Contributed By: David Mundhenk, Principal Consultant, Consulting Services

We’ve all seen and heard about the most recent surge in ransomware attacks on business and government entities. “Ransomware” is a weaponized type of malware, specially crafted by cybercriminals, that uses encryption to lock up an organization’s critical information assets and sensitive data. The cybercriminals then hold the critical, encrypted files hostage until some form of ransom is paid.

Victims often pay the ransom (usually in untraceable digital currency) in hopes that the perpetrators will provide the necessary cryptographic decryption key to recover and gain access to the sequestered data assets. However, there is no guarantee that the information assets being held by the ransomware attackers can or will be recovered after rendering payment. After all, how much ‘honor’ can there really be among cyber thieves? 

Why Ransomware has Increased

Ransomware is often delivered and ultimately triggered through social engineering attacks, which use email and text message-based phishing tactics to deliver the malicious payload and/or attack vector to the victim's network.

The human element is still generally the most vulnerable component of the cybersecurity program, particularly when it comes to ransomware. This is often due to a lack of awareness, training, and a security-driven business culture, as HG’s Founder and CEO, Robert Herjavec, recently discussed. All it takes is one single errant mouse click on a hyperlink within a cleverly disguised email and, within seconds, malicious code launches, attacks the host system, and begins spreading throughout the host network looking for critical data to take ransom.

What has further amplified the effectiveness of ransomware attacks is that many governments and businesses lack critical infrastructure and organizational security maturity. This leaves many victims unable to absorb, fend off, and quickly recover from a ransomware infection. Many are deficient in regularly installing critical vendor security patches and updates, and even if they do, they fail to realize that such patching is ‘reactive’ in nature. Patches may provide little to no protection against “0-day” or as-yet-unreported deficiencies in software and systems that could lead to a ransomware attack.

While some teams are proactive enough to obtain and deploy state-of-the-art malware prevention software and systems, many may fail to ‘complete the last mile’ in this process; their malware prevention systems may not be configured to automatically update malware prevention profiles or immediately provide malware attack alerting. Even if they do, these organizations may also have insufficient Incident Response policies, plans, and programs in place to face a ransomware attack.

Finally, many organizations are not ensuring that critical systems and information assets are being regularly backed up and securely archived, leaving them much more vulnerable to ransomware. Without the capability to restore such resources quickly and efficiently following an attack, many business and government entities have little choice but to pay the ransom, regardless of how heinous it may be. 

How to Prevent and Respond to a Ransomware Attack

So, what to do? Here is a series of recommendations that can significantly enhance organizational security maturity and capabilities in the face of ransomware attacks:

Keep Malware and Ransomware Prevention Systems up to Date

Ensure that malware systems and their signature policy files are current, configured to automatically update, and provide alerts to a SIEM and operational support personnel.

Make Sure Your Incident Response Strategy Covers Ransomware

Check that Incident Response policies, processes, and procedures include ransomware and malware detection and response capabilities.

Prioritize Post-Incident Review and Continuous Improvement

Incorporate a post-attack evaluation after any ransomware or general malware outbreak and ensure that lessons learned are incorporated into existing capabilities.

Prepare for the Worst by Backing Up

Regularly back up all critical systems and data to a secure archive. Take inventory and test all system backups on a regular basis to ensure their viability to aid in recovery in the event of a ransomware attack. Also, keep in mind that some of those system backups may themselves become infected with malware during a breach. Be sure to enhance capabilities to validate backup integrity.
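The backup-integrity validation described above can be made concrete with a hash manifest: record a SHA-256 digest of every file at backup time, tag the manifest with an HMAC whose key is kept off the backup host, and verify both before relying on a restore. The following is an added example written for this page, not Herjavec Group code; the directory layout, file names and the key value are constructed for the demonstration.

```python
"""Backup integrity manifest: build at backup time, verify before restore.

Added example (not Herjavec Group code). Assumes a backup set is a directory
tree and that the HMAC key lives somewhere the backup host cannot write to
(for example an offline vault), so an intruder who alters both the files and
the manifest still cannot produce a valid tag.
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read chunks so large backup files are not loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Serialize deterministically and tag the bytes with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def load_manifest(body, tag, key):
    """Return the manifest only if its tag is valid; None means do not trust it."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def verify_backup(root, manifest):
    """Compare the on-disk backup set against the trusted manifest."""
    current = build_manifest(root)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"ok": not (missing or unexpected or modified),
            "missing": missing, "unexpected": unexpected, "modified": modified}


def demo():
    """Constructed scenario: a small backup set, then one file overwritten."""
    key = b"constructed-demo-key-keep-offline"  # constructed; real key stays off-host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "customers.sql"), "w") as f:
            f.write("INSERT INTO customers VALUES (1, 'example');\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")

        body, tag = sign_manifest(build_manifest(root), key)
        before = verify_backup(root, load_manifest(body, tag, key))

        # Simulate an infected backup share: one file's contents replaced.
        with open(os.path.join(root, "db", "customers.sql"), "wb") as f:
            f.write(b"\x00garbage\xff")
        after = verify_backup(root, load_manifest(body, tag, key))

        # Simulate the manifest itself being rewritten without the key.
        forged = load_manifest(body.replace(b"customers", b"customerz"), tag, key)
    return before, after, forged


if __name__ == "__main__":
    before, after, forged = demo()
    print("clean backup ok:", before["ok"])
    print("after tampering:", after)
    print("forged manifest accepted:", forged is not None)
```

Running the script reports a clean manifest first, then flags `db/customers.sql` as modified after the overwrite and refuses the altered manifest. Keeping the HMAC key (or a signed copy of the manifest) on a system that is not reachable from the backup host is what makes the check meaningful; a manifest stored beside the backups can be rewritten along with them.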

Ensure Your Whole Team Knows How to Detect and Report Potential Ransomware

Enhance security awareness training for personnel and ensure a primary focus is on how to detect and report possible “phishing” attacks that could deliver different forms of malware including ransomware. 

Employ regular, simulated phishing attack exercises across an organization. Score the results and provide additional training for those who get ‘tricked’ into doing something that would have been disastrous in a real-world scenario.

Segment and Isolate Your Crown Jewels

Review network configurations and controls, then look to provide enhanced network segmentation and isolation for critical information assets, sensitive data, and the systems they run on. Enhanced network segmentation controls can aid in slowing, or even stopping many forms of malware outbreaks including ransomware. Even slowing an outbreak can provide precious time to limit potential damage. 

Make Sure Detection and Response Tools will Cover Ransomware

Review and enhance network firewall and IDS/IPS capabilities to detect, alert and respond to suspected malware-induced network traffic.

Prepare with All Necessary Parties

Consult with corporate legal counsel and business risk insurance companies on how best to respond to a possible malware outbreak before one occurs. Keep in mind that many insurance companies are starting to refuse payoffs for malware claims.

During the pandemic, we have learned that enhanced prevention measures such as social distancing, mask-wearing, enhanced personal hygiene, and even vaccines have slowed biological outbreaks and improved recovery. So too in the digital world, enhanced malware prevention and recovery measures can significantly increase the capability to defend against ransomware attacks and facilitate a speedy, qualitative recovery. 
