General guidelines that would help your organization to prepare, prevent, and protect from potential ransomware incidents.
Ransomware is a rapidly growing criminal industry that not only affects individuals' data security but also threatens national security and critical infrastructure. Businesses, hospitals, educational establishments, and other institutions are regularly targeted and disrupted by ransomware actors. The problem has steadily grown worse in recent years as ransomware has become an instrument of geopolitical standoff and the perpetrators keep devising more sophisticated criminal methods. The recent attack on Colonial Pipeline showed how disruptive ransomware can be for the nation's critical infrastructure and for business operations. Businesses and government agencies therefore recognize the importance of preventing and addressing the ransomware threat, and they know that emergency preparedness demands a comprehensive approach and cyber discipline. In response to business needs and after analyzing recent cybersecurity trends, Planet 9 has prepared this roadmap for ransomware protection.
According to the U.S. Government interagency technical guidance, ransomware is a form of malware that seeks to deny users access to data and IT systems by encrypting files and systems, thus locking users out. To decrypt the system, criminals extort their victims for a payment, typically in cryptocurrency. Recently, ransomware attacks have been accompanied by data breaches in which the perpetrators also steal the victims' data. In addition to locking computer systems, the attackers notify victims that they hold copies of their data and will release the sensitive information unless a ransom is paid, extorting them twice (p.2).
Ransomware spreads in diverse ways, ranging from exploiting network vulnerabilities to using social engineering tactics such as "phishing" emails. CISA identifies the following common ransomware infection vectors:
The majority of ransomware enters organizations' systems through user-initiated actions such as clicking a malicious link in an email. Sometimes, however, ransomware is delivered without any user engagement (malvertising and drive-by downloads). Most ransomware attacks are believed to be opportunistic, but recent trends show the changing nature of the attacks, with attackers specifically targeting a victim. Among the primary triggers for targeting a specific victim are a known vulnerability in the entity's systems or a precursor malware infection. Notably, such cases are often referred to as extortion rather than ransomware because the ransom demand is exceptionally high, matching the strategic targeting. Regardless of the delivery vector and the nature of the attack, its central aim is to disrupt the organization's systems by encrypting and/or exfiltrating critical data and to obtain a ransom payment.
According to the Microsoft Ransomware Response Playbook, ransomware is most frequently delivered through malicious emails and drive-by downloads. A typical infection sequence used by perpetrators unfolds as follows:
“Your computer has been infected with a virus. Click here to resolve the issue.”
“You only have 24 hours to submit the payment. If you do not send money, all your files will be permanently encrypted, and no one will be able to recover them.”
Fortunately, there are ways to recognize and block ransomware even after it has penetrated the organization's network. The most common methods for detecting ransomware are:
All of these tools provide good protection, especially when applied in parallel. Email filters and endpoint antimalware can be considered the first layer of ransomware protection. When they are no longer up to the task and ransomware manages to penetrate the organization's network, organizations must rely on end-user reports and ATP alerts. ATP is the more reliable of the two, because employees may hesitate to report a ransomware attack or delay reporting it, leaving the network exposed in the meantime. Modern ATPs detect most known threats and can also flag suspicious activity, and they automatically raise alerts to help ensure that the organization is aware of the attack.
As soon as ransomware or any other threat is suspected, organizations should isolate the infected machines from the network. Although most ransomware is not known to move laterally, isolating machines helps prevent ransomware from encrypting data on shared folders and mapped drives.
Organizations should understand, check, and continuously improve their security landscape to minimize the likelihood and impact of a ransomware attack. Based on such reputable sources as the CISA Ransomware Guide, the NIST Cybersecurity Practice Guide, and FBI factsheets, as well as years of experience, the Planet 9 security specialists have developed a roadmap for ransomware prevention and recovery. The general rules and guidelines below will help your organization prepare for, prevent, and address potential ransomware incidents.
The first and most common rule that organizations should remember when trying to avoid the most harmful ransomware scenario is to maintain backups of critical business data. Up-to-date backups substantially reduce the need to pay a ransom, since all necessary data remains readily accessible to your organization. More specifically, this practice involves the following recommendations:
Create, maintain, and exercise a cyber incident response plan and an associated communications plan that include response and notification procedures for a ransomware incident. Such a plan coordinates employees' actions in the event of a ransomware incident.
It is well known that web browsers, browser plugins, document readers, and other software that processes internet data can expose your systems to multiple threats. To minimize the chances of ransomware penetration, organizations are encouraged to monitor, detect, and respond to any internet-facing vulnerabilities. For this purpose, always do the following:
As phishing is among the most common ransomware delivery vectors, one of an organization's main tasks is raising users' awareness and reinforcing the importance of identifying potentially malicious emails. To eliminate the possibility of ransomware delivery through phishing, organizations should:
Remember, ransomware deployment is only the last step in a network compromise. A ransomware attack may be evidence of previously unresolved network issues caused by existing malware infections (e.g., Dridex or Emotet). Thus, to reduce the risk of ransomware infection, always do the following:
Managed service providers (MSPs) and other third-party businesses are another typical ransomware infection vector. Using network connections and spoofed email accounts, perpetrators may target MSPs in order to compromise their client organizations. To avoid such a scenario, organizations are advised to:
Ransomware is a real cyber threat that attacks businesses, schools, hospitals, and other parts of the nation's critical infrastructure, and it keeps devising more intimidating scenarios for its victims. However, good cyber hygiene and discipline at both the national and the business level can eliminate the ransomware threat and make it predictable. For more detailed information about ransomware prevention, consult the Planet 9 team. We'll be happy to assist: