Today, one of the most significant cybersecurity risks has been ransomware. It has become challenging to defend against it, as it has grown even more targeted, using a combination of unpatched vulnerabilities in conjunction with malvertising, phishing, social engineering and other effective targeted vectors.
The level of ransomware sophistication has risen to the point where attackers can access extremely sensitive information, even what level of insurance the targeted company has in place. Additionally, they even work with insiders to gain access to a computer or network to deliver a payload or malicious outcome.
The hardest part of deploying a ransomware attack is gaining access to a secure system. The harmful software itself is very easy to obtain. It’s even possible to buy ready-made ransomware-as-a-service on the dark web. In fact, without any programming knowledge, these criminals can deploy a network of lucrative attacks with only a few clicks and much tenacity.
The following combination of defence mechanisms will reduce the risk of ransomware.
Have a restorable offline backup
The most crucial line of defence against ransomware — and also the easiest — is to have a verified, restorable backup. The frequent testing of this backup is essential since having one that you can’t restore from would be pointless. Moreover, the backup should not be digitally reachable, meaning that once it has been made, it needs to be air-gapped from the digitally connected environment so that it’s not reachable by either insiders or outsiders. This zero-trust approach ensures that the backup cannot be modified at any time and that authentication for access will only be granted when required. Unfortunately, when we respond to incidents, in far too many cases, we find backups deleted before the ransomware payload is delivered through the attackers’ remote access.
Once you are confident that you have a restorable, verified, non-reachable backup, you can take the next steps. But a good, reliable backup — one that will be available in the event of a ransomware attack but remains inaccessible to attackers — is the first step in ransomware defence. Without it, chances of a graceful recovery are slim when an incident occurs.
Ensure that your endpoints and servers are isolated
If you have a flat network, meaning that all machines can talk to each other, there is a likelihood that lateral movement from machine to device can occur. To limit the damage, you need to create a firebreak – a network segment that confines each machine to its own little network. This network is controlled by a set of rules that governs allowable traffic and routing. In turn, this allows the control of lateral movement not only of user data but also malware like ransomware. This strategy works on many types of networks, including local on-premises networks, home networks for remote workers, and cloud networks, and helps organisations detect malware and ransomware.
It is of particular benefit for the defence of wireless networks, which are particularly challenging to protect. Take a look at Airgap.io – this team has developed an effective methodology to manage lateral movement.
Scan all your emails
Over 50% of ransomware attacks enter an organisation through email vectors. At the time of this writing, Office 365 email scanning is ineffective in stopping ransomware., resulting in infection regardless of the perceived protection.
Organisations need a better solution that will limit the execution of any malicious link emailed to users. There are several systems available that remove links from emails, allowing only whitelisted ones to remain. These systems also install an agent on the machine that sandboxes these malicious links.
When every link could potentially compromise security, and every attachment could deliver a payload, you might think of this as mission impossible, but there is hope.
Most ransomware cannot easily break out of the sandbox yet and can be detected and neutralised if scanned with effective tools. Mainstream technology is often ineffective since perpetrators have access to it.
Security solutions such as O365 email are rudimentary at best and presently will leave your organisation vulnerable if not used in conjunction with a more advanced anti-malware solution. Re-writing links and whitelisting the URLs users can click on, along with robust attachment scanning, are acknowledged threat protection approaches.
Secure your web traffic
A user receives a targeted email, clicks a link, and is directed to a web page that automatically downloads the malware or persuades the user to do so. Allowing unrestricted access to the internet is like allowing a child to run around New York alone at night.
A better approach is to whitelist only business-related sites and only allow access to these sites once they have been vetted. The best alternative solution is HP Sure Click Enterprise that creates a sandbox environment to open links in. This shields the device and the network from malware infection – it is like opening a new laptop every time you reboot.
Ransomware has not yet been able to exit this sandbox, and it’s going to be a while before hackers figure this out as there are many easier targets.
Limit admin account access
Administrator accounts allow unrestricted access to your system. Therefore, limiting or even removing administrator privileges is an effective strategy in restricting access to the system. Using computers with the lowest privileges possible delays activity and makes incidents easier to detect.
Quickly patch all that you can
One of the most common ways for ransomware to spread is for a worm to exploit a vulnerability. Ironically, most of these vulnerabilities are well known.
Due to hackers having development frameworks on par with commercial software companies, they quickly adapt their code to exploit the latest vulnerability. We saw this with the Hafnium threat actor group leveraging Exchange server zero-days earlier this year.
Therefore, vulnerabilities are exploited before they are patched since many companies are very slow at deploying patches, often taking days or weeks.
Cybercriminals are always “sweeping to find a hole”, and when they do, they establish a strong foothold and then come back when they are ready to deliver the payload. Often, the access is traded on the dark web for crypto or just parked until they have found the most cunning way to take down the target.
This isn’t a game – it’s a business
It’s estimated that ransomware has grown into a $500-million industry, netting large sums of money with every attack. Due to its lucrative nature, malware groups are now developing robust attack suites sold as a service.
The rise of cryptocurrency makes it easier to get paid, and payments are harder to trace, making it difficult for law enforcement agencies to catch and prosecute cybercriminals. It’s a cat-and-mouse game, with business being the mouse.
Look out for our next article on building a robust incident response plan that, together with these steps, will help you to respond to a cyber-incident quickly and effectively.
