Ransomware seems to be an ever-present threat to our cybersecurity, with new high-profile attacks occurring all too often. This leaves everyone, from SMEs to large-scale corporations, scratching their heads about how to prepare for not if, but when, they fall victim to a ransomware attempt.
Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.
To help you gauge how ready you are to deal with a ransomware attack, we’ll discuss the various threats and risks throughout the typical ransomware attack pipeline as well as countermeasures.
Despite the increased sophistication and complexity of ransomware attacks, many of the TTPs employed by cybercriminals remain the same. Statistics suggest that the human factor is still one of the top contributors to initial exploitations that lead to further cyberattacks.
For example, many ransomware strains are deployed through phishing emails or spoofed domains to the computers of unsuspecting victims. Once an individual device is infected, other techniques can be used to achieve persistence or lateral spread throughout the network.
Ransomware can also be introduced to your organization’s ecosystem through infected USBs or other temporary storage devices.
In this case, your best defense is to make use of extensive employee training and education. This will empower your employees to more effectively spot phishing/spoofing attempts and deal with them through the appropriate channels.
Of course, employees can be further supported and protected with solid email and endpoint security that either filters threats or quickly quarantines them if an employee is targeted.
Organizations also need to properly inventory all their internet-facing assets in order to have a clear picture of their security boundary and to identify likely entry points.
Lateral Spread and Privilege Escalation
Lateral spread and privilege escalation are used by cyberattackers to maximize the impact of their attacks. Both allow them to access a wider variety and larger volume of data, while privilege escalation might give them access to even more sensitive and well-protected data.
Limiting the spread of ransomware is particularly important. The amount of sensitive data that can be obtained from a single, ground-level employee’s workstation might be trivial if contained.
Due to the speed at which attackers evolve and adapt their techniques, manual monitoring is often needed to identify attempts at lateral movement. Trained cybersec experts can pinpoint patterns that may turn out to be remote access trojans (RATs) or hidden tunnels, for example.
If using automated security solutions, it’s crucial to work with updated and comprehensive intel feeds as even a single ransomware gang is likely to change up its patterns in between two or more attempts.
Other than that, organizations need to make a habit of good cyber hygiene across all their systems, such as using a zero-trust model and implementing rights management frameworks.
Ransomware, Data Exfiltration, and Public Disclosure
A recent trend among ransomware gangs to maximize bounties or damage is to not only hold stolen data hostage but to threaten to disclose it as well. To do this, attackers need to be able to exfiltrate data to host on private or dark web leak sites.
This type of data could be PII (personally identifiable information) or valuable IP (Intellectual Property) that could have huge financial ramifications for businesses if revealed publicly. For example, the REvil ransomware gang recently stole device blueprints from Apple. By not paying the ransom, Apple would not only risk losing critical information but may also surrender trade secrets to their competitors.
Simply preparing to pay all ransoms is also not a viable solution. There’s nothing forcing ransomware gangs to give your data back, delete it, or take it down once you pay them. Recently, gangs have also started to double encrypt data in order to extract two ransoms from a single attack.
The best way to limit the damage from a ransomware attack is to increase controls over what information is accessible. These controls can be implemented via account access, physically separating data, implementing increased security measures for business-critical data, etc. You also need to invest in quality anti-malware endpoint security and keep it updated. Finally, some form of monitoring your outgoing traffic for anomalous behavior may help you stop data exfiltration at an early stage.
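One way to implement the outgoing-traffic monitoring mentioned above, as an added example that is not part of the original article: each host's daily outbound volume is scored against that host's own earlier days, and a day far above the baseline is flagged. The host names, byte counts, threshold and function name are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
# Constructed sample: (day, internal host, bytes sent to external destinations).
# Real input would be daily totals aggregated from flow, proxy or firewall logs.
SAMPLE_EGRESS = [
    (f"2021-05-0{d}", host, mb * MB)
    for host, series in {
        "ws-017": [310, 295, 330, 305, 320, 315, 9800],
        "srv-db02": [1200, 1150, 1300, 1250, 1220, 1180, 1260],
    }.items()
    for d, mb in enumerate(series, start=1)
]

def flag_egress_anomalies(rows, threshold=6.0, min_history=5):
    """Return (day, host, bytes, score) for days far above the host's baseline.

    The score is a robust z-score built from the median and the median
    absolute deviation (MAD) of the host's earlier days, so a single large
    upload cannot inflate the baseline it is compared with.
    """
    history = defaultdict(list)
    alerts = []
    for day, host, sent in sorted(rows):
        past = history[host]
        if len(past) >= min_history:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            # Floor the spread so a very steady host does not alert on noise.
            mad = max(mad, 0.05 * med, 1.0)
            score = 0.6745 * (sent - med) / mad
            if score > threshold:
                alerts.append((day, host, sent, round(score, 1)))
                continue  # keep the outlier out of the baseline
        past.append(sent)
    return alerts

if __name__ == "__main__":
    for alert in flag_egress_anomalies(SAMPLE_EGRESS):
        print(alert)
```

A per-host baseline matters here: the database server routinely sends more than the workstation's normal volume, so a single network-wide threshold would either miss the workstation or alert on the server every day.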
Incident Response and Recovery
When it comes to limiting the damage and disruption caused by a ransomware attack, reliable backups are vital. Regardless of what attackers decide to do with the already exfiltrated data, at least it means you won’t lose it altogether if you have backups in place.
The accessibility and speed with which you can restore backups are key to recovering as quickly as possible.
However, for this exact reason, ransomware gangs also attempt to target backups, leaving organizations with fewer recovery options.
Organizations can help protect the integrity and security of their backups by using models such as the 3-2-1 framework. This involves storing your backups on various types of storage (on-premises, remote, cloud-based).
Additional controls, such as a different set of access credentials, additional role management, and using immutable backup solutions for mostly static information, should also form part of your backup handling practices.
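The backup practices above can be checked mechanically. The following added example, which is not part of the original article, audits a backup inventory against the common reading of 3-2-1 (three copies, two media types, one offsite) plus the separate-credentials and immutability controls. The inventory, its field names and the function name are assumptions made for this example, not the schema of any backup product.

```python
# Constructed inventory: one production copy plus its backups.
WEAK_PLAN = [
    {"name": "fileserver", "role": "primary", "media": "disk",
     "offsite": False, "credentials": "corp-domain", "immutable": False},
    {"name": "nas-nightly", "role": "backup", "media": "disk",
     "offsite": False, "credentials": "corp-domain", "immutable": False},
]
HARDENED_PLAN = WEAK_PLAN[:1] + [
    {"name": "nas-nightly", "role": "backup", "media": "disk",
     "offsite": False, "credentials": "backup-admins", "immutable": False},
    {"name": "cloud-weekly", "role": "backup", "media": "object-storage",
     "offsite": True, "credentials": "cloud-backup-role", "immutable": True},
]

def audit_backup_plan(copies):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if c["role"] == "backup"]
    primary_creds = {c["credentials"] for c in copies if c["role"] == "primary"}

    # 3-2-1: three copies in total, on two media types, one of them offsite.
    if len(copies) < 3:
        findings.append("3: fewer than three copies of the data")
    if len({c["media"] for c in copies}) < 2:
        findings.append("2: all copies sit on one media type")
    if not any(c["offsite"] for c in backups):
        findings.append("1: no backup is stored offsite")

    # A backup reachable with production credentials falls with production.
    for c in backups:
        if c["credentials"] in primary_creds:
            findings.append(f"{c['name']}: shares credentials with production")

    # At least one copy should be immutable so it cannot be re-encrypted.
    if not any(c["immutable"] for c in backups):
        findings.append("no immutable backup copy")
    return findings

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        print(name, audit_backup_plan(plan) or "ok")
```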
As a final note, you should prepare for any eventualities by drafting and enacting a dedicated incident response plan. This will help you to lower your response times, improve efficacy, and limit the damage when dealing with ransomware occurrences by following a formalized procedure.