Roadmap for Ransomware Protection  

General guidelines to help your organization prepare for, prevent, and protect against potential ransomware incidents.

Intro 

Ransomware is a criminal industry that has recently accelerated and that not only affects individuals’ data security but also threatens national security and critical infrastructure. Businesses, hospitals, educational establishments, and other institutions are regularly targeted and disrupted by ransomware actors. The problem has steadily grown worse in recent years: ransomware has become an instrument of geopolitical standoff, while the perpetrators keep developing more sophisticated methods. The recent attack on Colonial Pipeline showed how disruptive ransomware could be for the nation’s critical infrastructure and business efficiency. Businesses and government agencies therefore recognize the importance of preventing and addressing the ransomware threat. They also know that emergency preparedness demands a comprehensive approach and cyber discipline. Responding to business interests and analyzing recent cybersecurity trends, Planet 9 has prepared a roadmap for ransomware protection.

Understanding Ransomware 

According to the U.S. Government interagency technical guidance, ransomware is a form of malware that seeks to deny users access to data and IT systems by encrypting files and systems, thus locking out users. Criminals then usually extort their victims for a payment, typically in cryptocurrency, in exchange for decrypting the system. Recently, ransomware attacks have been accompanied by data breaches in which perpetrators also steal victims’ data. In addition to locking computer systems, the attackers notify victims that they hold copies of their data and will release sensitive information unless a ransom is paid, extorting them twice (p.2).

Ransomware Delivery Vectors

Ransomware spreads in diverse ways, ranging from exploiting network vulnerabilities to using social engineering tactics such as “phishing” emails. CISA lists the following common ransomware infection vectors:

  • phishing;
  • network vulnerabilities and misconfigurations;
  • malicious or compromised websites;
  • precursor malware infection;
  • third parties and managed service providers;
  • drive-by downloads; 
  • malvertising.

The majority of ransomware penetrates organizations’ systems through user-initiated actions such as clicking on a malicious link in an email. Sometimes, however, ransomware spreads without user engagement (malvertising and drive-by downloads). Most ransomware attacks are believed to be opportunistic, but recent trends show the nature of the attacks changing, with attackers specifically targeting a victim. Among the primary triggers for targeting a specific victim are the entity’s system vulnerability or a precursor malware infection. Notably, such instances are often referred to as extortion rather than ransomware because the ransom amount is exceptionally high, coinciding with strategic targeting. Regardless of the delivery vector and the nature of the attack, the central aim is to disrupt the organization’s systems by encrypting and/or exfiltrating critical data and to obtain a ransom payment.

A Common Ransomware Infection Scenario

According to the Microsoft Ransomware Response Playbook, ransomware is most frequently delivered through malicious emails and drive-by downloads. A common infection sequence used by perpetrators unfolds as follows:

  • First, an employee receives an email from a spoofed address (a bank or an insurance provider) with a .zip attachment. The email appears trustworthy because of its familiar text and known address.
  • Second, the text encourages the victim to open the attachment and extract the archive contents, which typically include .docm, .js, .vbs, .lnk or .swf files.
  • Third, on extracting the contents, the user downloads and runs a malicious program that compromises the network.
  • Fourth, the victim is shown a screen stating that their data has been encrypted. To instill fear and panic, the attackers demand that the victim click on a link or pay a ransom. Ransomware displays intimidating messages similar to those below:

“Your computer has been infected with a virus. Click here to resolve the issue.”

“You only have 24 hours to submit the payment. If you do not send money, all your files will be permanently encrypted, and no one will be able to recover them.” 

  • Finally, following the link often leads to an additional malware infection, allowing criminals to carry out “double extortion.”
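
A mail filter can screen for the delivery pattern in this scenario. The following Python code is an added example, not code from the Microsoft playbook or from Planet 9: it opens every zip attachment of a message and reports members with the extensions listed above. It goes slightly beyond the text by sniffing archive content instead of trusting file names and by following nested archives; the function names, the depth and size limits and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the scenario above lists as typical archive contents.
RISKY_EXTENSIONS = {".docm", ".js", ".vbs", ".lnk", ".swf"}
MAX_DEPTH, MAX_NESTED_BYTES = 2, 20_000_000  # assumed nesting and size limits

def risky_members(zip_bytes, depth=0):
    """List archive members with a risky extension, following nested zips."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            for info in archive.infolist():
                base = info.filename.rsplit("/", 1)[-1].lower().rstrip(". ")
                ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
                if ext in RISKY_EXTENSIONS:
                    hits.append(info.filename)
                elif (ext == ".zip" and depth < MAX_DEPTH
                      and info.file_size <= MAX_NESTED_BYTES):
                    hits += risky_members(archive.read(info), depth + 1)
    except zipfile.BadZipFile:
        hits.append("<unreadable archive>")  # cannot be inspected, so report it
    return hits

def screen_message(raw_bytes):
    """Map each zip attachment (detected by content) to its risky members."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)) and (hits := risky_members(data)):
            findings[part.get_filename() or "<unnamed>"] = hits
    return findings

def build_sample():
    """Constructed sample message; the archive members are inert placeholders."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("statement.vbs", "placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice.PDF.js", "placeholder")
        z.writestr("more.zip", inner.getvalue())
    msg = EmailMessage()
    msg.set_content("Please open the attached archive.")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="statement.zip")
    return msg.as_bytes()
```

Calling screen_message(build_sample()) flags both the double-extension script and the script hidden in the nested archive; a message that produces findings is a candidate for quarantine rather than delivery.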

Ransomware Disclosure Tools

Fortunately, there are ways to recognize and block ransomware once it manages to penetrate the organization’s network. The most common methods for ransomware disclosure are:

  • antispam and other email filters; 
  • endpoint antimalware detection; 
  • end-user reports;
  • Advanced Threat Protection (ATP).

All these tools may provide good protection, especially when applied in parallel. Email filters and endpoint antimalware may be considered the first layer of ransomware protection. However, when they are not up to the task and ransomware manages to penetrate the organization’s network, organizations should rely on end-user reports and ATP alerts. ATP is more reliable because employees might hesitate to report a ransomware attack or delay reporting, leaving the network vulnerable in the meantime. Modern ATP solutions detect most known threats and can detect suspicious activity. They also automatically raise alerts to help ensure that the organization is aware of the attack.

As soon as the presence of ransomware or any other threat is suspected, organizations should isolate the infected machines from the network. Although most ransomware is not known to move laterally, isolating machines helps prevent ransomware from encrypting data on shared folders and mapped drives.

Best Practices for Ransomware Prevention and Recovery

Organizations should understand, check, and constantly improve their security landscape to minimize the possibility and risk of any potential ransomware attack. Based on such reputable sources as the CISA Ransomware Guide, the NIST Cybersecurity Practice Guide, and FBI factsheets, as well as years of experience, the Planet 9 security specialists developed a roadmap for ransomware prevention and recovery. The general rules and guidelines below will help your organization prepare for, prevent, and address potential ransomware incidents.

Maintain Data Backup

The first and common rule that organizations should remember when trying to avoid the most harmful ransomware scenario is to maintain backups of critical business data. Current backups substantially reduce the need to pay a ransom since all necessary data remains readily accessible to your organization. More specifically, this practice involves the following recommendations:

  • Back up critical data regularly. It is crucial to maintain offline, encrypted data backups because some ransomware variants may detect and delete any accessible backups.
  • Alongside critical business data, maintain “gold images” of critical systems that include a preconfigured OS and associated software applications. If ransomware locks a computer, these images make it easy to deploy what is needed to rebuild the system. In addition to system images, storing applicable source code and executables is also a good practice.
  • Retain backups to rebuild systems and data when necessary. 

Create and Maintain a Cyber Incident Response Plan

Create, maintain, and exercise a cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident. Such a plan would coordinate employees’ actions in case of a ransomware incident. 

Respond to Internet Facing Vulnerabilities and Misconfigurations 

It is commonly known that web browsers, browser plugins, document readers, and other kinds of software that process internet data may expose your system to multiple threats. To minimize the chances of ransomware penetration, organizations are encouraged to monitor, detect, and respond to any internet-facing vulnerabilities. To this end, always:

  • conduct regular vulnerability scanning and penetration tests to identify vulnerabilities and limit the attack surface;
  • regularly patch and update software and OSs to the latest available versions;
  • ensure all devices are properly configured and that security features are enabled, and disable functions that are not being used for a business purpose.

Be Aware of Phishing 

As phishing is among the common ransomware delivery vectors, one of the organization’s main tasks is to increase users’ awareness and reinforce the importance of identifying potentially malicious emails. To eliminate the possibility of ransomware delivery through phishing, organizations should:

  • implement cybersecurity awareness programs and educate personnel to identify and report phishing or other suspicious activities; 
  • filter out emails with known malicious indicators and block suspicious IP addresses at the firewall;
  • implement a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to lower the chances of receiving spoofed or modified emails from valid domains.
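
A DMARC record only helps once it is enforced. The following Python code is an added example, not part of the CISA guidance or Planet 9 material: it parses the TXT record a domain publishes at _dmarc.<domain> and lists the settings that leave the policy unenforced. The function names are hypothetical and the records are constructed samples for the placeholder domain example.com.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records for the placeholder domain example.com.
SAMPLE_RECORDS = {
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; sp=none; pct=25",
    "malformed": "p=reject; v=DMARC1",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    pairs = [item.split("=", 1) for item in txt.split(";") if item.strip()]
    if not pairs or any(len(pair) != 2 for pair in pairs):
        return None
    tags = [(key.strip().lower(), value.strip()) for key, value in pairs]
    if tags[0] != ("v", "DMARC1"):  # RFC 7489: the version tag comes first
        return None
    return dict(tags)

def assess_dmarc(txt):
    """List weaknesses in a published DMARC record; an empty list means enforced."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no valid DMARC record (v=DMARC1 must be the first tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    # Subdomains inherit p= unless sp= overrides it.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not received")
    return findings

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(label, assess_dmarc(record) or "OK")
```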

Monitor Precursor Malware Infection

Remember, ransomware deployment is just the last step in a network compromise. A ransomware attack may be evidence of previous unresolved network issues caused by existing malware infections (e.g., Dridex or Emotet). Thus, to reduce the risk of a ransomware infection, always:

  • update antivirus and anti-malware software regularly. A good practice is using centrally managed antivirus solutions because those can detect both “precursor” malware and ransomware;
  • use application directory allowlisting (through Microsoft Software Restriction Policy or AppLocker) to block unauthorized software from executing;
  • consider implementing an intrusion detection system (IDS) to detect any potentially malicious network activity that usually occurs before ransomware deployment.

Consider Cyber Hygiene Practices of Third Parties

Managed service providers (MSPs) and other third-party businesses are typical infection vectors for ransomware. Using network connections and spoofed email accounts, perpetrators may target MSPs to compromise their client organizations. To avoid such an unpleasant scenario, organizations are advised to:

  • consider the cyber hygiene practices of the MSPs and other third parties your organization relies on. Organizations are strongly recommended to use contract language to formalize security requirements and ensure that the applicable best practices are followed;
  • be aware of adversaries that may exploit the trusted relationships your organization has with third parties and MSPs.

Conclusion

Ransomware is a real cyber threat that attacks businesses, schools, hospitals, and other parts of the nation’s critical infrastructure and keeps inventing more and more intimidating scenarios for its victims. However, good cyber hygiene and discipline at the national and business levels may eliminate the ransomware threat and make it predictable. For more detailed information about ransomware prevention, consult the Planet 9 team. We’ll be happy to assist:

Website: https://planet9security.com

Email:  info@planet9security.com

Phone:  888-437-3646