Understanding ransomware and how to build a strong defensive net to protect your data from cybercriminals
What is ransomware?
A ransomware attack is a financially motivated cybercrime that can be executed in multiple ways. The ransomware program itself is a kind of malware that allows cybercriminals to encrypt data on a target system during an attack. Once encrypted, the data can only be restored via a decryption key that the attacker controls. Impacted organisations are then forced to pay a ransom amount to the attacker to obtain the decryption key.
Over the past few years, criminals have added a number of variations to ransomware attacks to make them more effective.
Exfiltration
In most attacks these days, attackers exfiltrate a copy of the data before encrypting it and threaten to leak this data online if the victim fails to pay the ransom. The fear of having their confidential data published online increases the chances of organisations paying the ransom, even if they have sufficient data backups.
Double encryption
Another variation is the use of double encryption, which can work in two ways – (a) using two layers of encryption and two different ransomware programs on the same original dataset, or (b) splitting the data into two sets and using a different program to encrypt each of these. Double encryption, whether the attacker uses the first or the second method, forces organisations to negotiate for two decryption keys.
Ransomware Denial of Service (RDoS)
Increasingly, attackers are combining ransomware with Denial-of-Service (DoS) attacks to bring companies to the negotiating table. Faced with a DoS attack and the prospect of indefinite downtime, even organisations that are otherwise reluctant to pay end up negotiating with criminals to keep operations running. Additionally, DoS attacks are used as a distraction tactic to keep security teams busy while cybercriminals execute bigger ransomware attacks and exfiltrate data in the background.
Ransomware as a Service (RaaS)
Ransomware-as-a-Service (RaaS) is an affiliate-based model used by cybercriminals to deploy ransomware. Criminals with minimal or no technical knowledge can get affiliated with RaaS providers and rent or buy advanced ransomware strains to use against targeted organisations. If the affiliates can execute attacks successfully, they pay a percentage of their profits to the RaaS provider.
Recent ransomware numbers
- In the first six months of 2021, a total of 304.7 million ransomware attacks were attempted worldwide (SonicWall).
- In the same period, one of the largest insurance companies in the US paid a ransom of $40 million to hackers to regain control of its network. This was the highest ransom amount paid by an organisation to be disclosed publicly.
- The average ransom amount paid by organisations to ransomware actors increased from $312,493 in 2020 to $570,000 in the first half of 2021.
- According to a ransomware survey conducted in early 2021, "the average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc. was US$1.85 million".
Ransomware prevention and mitigation
Given the current threat landscape, these numbers are not going to go down anytime soon, but while the ransomware problem is worrying and complicated, it is not impossible to solve. With the right preventive, detective and response controls in place, organisations can protect their data and significantly limit damage if attacked.
In its guide on ransomware attacks and what organisations can do to strengthen defence, CERT NZ says, "no single tool or control can prevent a ransomware attack on its own" and recommends employing a multi-layered approach to create a "strong defensive net to detect, prevent and respond to any potential ransomware attack".
Multi-layered security
A ransomware attack consists of multiple stages. Before encrypting and exfiltrating data, an attacker needs to get initial access to a network, establish remote command & control, move laterally through the network, and escalate privileges. This means that placing prevention and detection controls at multiple points in your network can help break the attack chain and catch attackers BEFORE they can execute the final attack stage & reach your crown jewels.
Our high-level recommendations for effective defence against ransomware fall under four main categories:
- Basic preventive measures
- Network and device protection
- Mitigation and recovery
- Best practices for backups
Basic preventive measures
- Strong passwords & Multi-Factor Authentication (MFA) – Strong authentication controls provide a solid layer of defence against the initial stages of an attack. Basic cyber hygiene, such as changing default passwords and using strong, unique passwords for all accounts, can thwart password guessing, password spraying and credential stuffing attacks. Multi-factor authentication (requiring more than one method to authenticate a user) must also be enabled across services and accounts to prevent initial access.
- Safe browsing – Following safe web browsing practices like checking for the padlock icon and “https” in website URLs, not clicking on unknown links, restricting popups, switching to secure browser settings and not saving passwords can help block a wide range of attacks.
- Least privilege access – Least privilege access is a well-known security principle that involves limiting access to sensitive or protected data to only those individuals who really need the data to do their jobs.
- Phishing detection training – Phishing awareness and training can help users spot signs of fraud and malicious emails early. Regular phishing simulation exercises and a cyber-aware culture, in general, have been proven to increase vigilance among employees.
Network and device protection
- Update operating systems & software regularly – New vulnerabilities in applications and operating systems are discovered every day. The only way to make sure these aren’t exploited by criminals is to regularly update your systems and software, apply patches early, and enable automatic updates wherever possible.
- Reliable firewall & antivirus solutions – It is not enough to simply use security tools like firewalls and anti-virus software; you must also ensure that they are current, running their latest versions, and replaced by next-generation network and endpoint protection solutions if they can no longer protect you against modern threats.
- Network segmentation – Network segmentation is an important security architecture feature that, by dividing enterprise networks into smaller segments with carefully controlled access policies, ensures that attackers cannot move laterally across the company network even if they can access a part of it.
- 24/7 network monitoring – Round-the-clock network monitoring is essential to protecting your company environment from threats. Cyberattacks can hit you at any time of the day, and letting your guard down after work hours is like an invitation to criminals to launch an attack. Most companies these days engage the services of managed security providers for 24/7 cyber vigilance.
Mitigation and recovery
- Encrypt all sensitive data – Identifying your sensitive data and encrypting it using a strong encryption algorithm can help protect it during the later stages of a ransomware attack. This is especially useful against exfiltration and data leak/exposure threats.
- Strong detection & response tools – A modern security tool-stack with machine learning and behaviour-based detection capabilities can find advanced threats quickly and minimise their impact by leveraging playbooks for rapid, streamlined response.
- Incident response and business continuity plans – Organisations today can effectively defend themselves against cybercrime only by taking an assume-breach approach and preparing for incidents in advance. A big part of good attack preparedness is a well-thought-through incident response plan, which includes clearly laid out disaster recovery and business continuity plans.
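Behaviour-based detection, as the list above describes it, means alerting on what a process does rather than on a known signature. The following is an added example, not code from the original article or from LinearStack: a small detector that runs over constructed file-event telemetry (the CSV layout, the process names and the thresholds are all assumptions for the example) and flags a process that renames many files to a new extension across several directories within a short window, while a backup job that finalises a single .tmp file stays below the thresholds.

```python
"""Behaviour-based detection of ransomware-like file activity.

Added example, not code from the original article or from LinearStack. It
assumes a constructed telemetry format (one CSV line per file event) and
illustrative thresholds; real EDR/SIEM schemas and tuning will differ.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). Assumed columns:
# timestamp,host,process,action,old_path,new_path  (new_path empty for writes)
SAMPLE_TELEMETRY = """\
2021-07-01T09:00:01,ws-042,backup.exe,write,C:\\Backups\\db.bak,
2021-07-01T09:00:05,ws-042,backup.exe,write,C:\\Backups\\files.bak,
2021-07-01T09:00:09,ws-042,backup.exe,rename,C:\\Backups\\files.bak.tmp,C:\\Backups\\files.bak
2021-07-01T10:15:00,ws-042,updater.exe,rename,C:\\Users\\amy\\Documents\\q1.xlsx,C:\\Users\\amy\\Documents\\q1.xlsx.locked
2021-07-01T10:15:01,ws-042,updater.exe,rename,C:\\Users\\amy\\Documents\\q2.xlsx,C:\\Users\\amy\\Documents\\q2.xlsx.locked
2021-07-01T10:15:01,ws-042,updater.exe,rename,C:\\Users\\amy\\Pictures\\team.jpg,C:\\Users\\amy\\Pictures\\team.jpg.locked
2021-07-01T10:15:02,ws-042,updater.exe,rename,C:\\Shares\\finance\\budget.docx,C:\\Shares\\finance\\budget.docx.locked
2021-07-01T10:15:03,ws-042,updater.exe,rename,C:\\Shares\\finance\\payroll.xlsx,C:\\Shares\\finance\\payroll.xlsx.locked
2021-07-01T10:15:03,ws-042,updater.exe,rename,C:\\Shares\\hr\\contracts.pdf,C:\\Shares\\hr\\contracts.pdf.locked
"""


def parse_events(text):
    """Parse the constructed CSV format into a list of event dicts, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, host, process, action, old_path, new_path = row
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "process": process,
            "action": action,
            "old_path": old_path,
            "new_path": new_path,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def _changes_extension(old_path, new_path):
    """True when a rename gives the file a different extension."""
    return PureWindowsPath(old_path).suffix != PureWindowsPath(new_path).suffix


def detect_mass_rename(events, window_seconds=60, min_renames=5, min_dirs=3):
    """Flag a (host, process) pair that renames at least min_renames files to a
    new extension across at least min_dirs directories inside window_seconds.
    A single extension-changing rename (a backup job finalising a .tmp file)
    stays below the thresholds and produces no alert."""
    windows = defaultdict(deque)   # (host, process) -> deque of (ts, directory)
    alerts = {}                    # (host, process) -> latest alert for that burst
    for ev in events:
        if ev["action"] != "rename" or not _changes_extension(ev["old_path"], ev["new_path"]):
            continue
        key = (ev["host"], ev["process"])
        window = windows[key]
        window.append((ev["ts"], str(PureWindowsPath(ev["old_path"]).parent)))
        # Drop events that have fallen out of the sliding window.
        while (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        dirs = {d for _, d in window}
        if len(window) >= min_renames and len(dirs) >= min_dirs:
            alerts[key] = {
                "host": ev["host"],
                "process": ev["process"],
                "renames": len(window),
                "directories": len(dirs),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_events(SAMPLE_TELEMETRY)):
        print("ALERT", alert)
```

The thresholds are deliberately combined (count, spread across directories, and time) because any one of them alone fires on legitimate activity such as archive extraction or build jobs; in a production rule the same three dimensions are what a playbook would tune per host role.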
Best practices for backups
- Why backups are important – Data backups, in addition to encryption, are critical to the success of any ransomware mitigation plan. Knowing that you have copies of your critical data can be reassuring when an attack hits. Backup data is an essential component of business continuity and keeping systems and operations running even when an incident is ongoing.
- Schedule regular backups and enable auto backups – Make sure you enable automatic backups of business-critical data wherever that is an option. When this isn’t possible, schedule regular backups.
- Store backups offline or on the cloud – Store your data backups offline and in a location that can’t be accessed directly through your enterprise network. You could also consider using a secure and properly vetted cloud storage solution to store backups.
- Training in restoring files from backups – Having backups in place is of no use if employees don’t know how to access or restore data from these backups. Backups must be periodically tested, and employees must receive training in using and restoring files from backups so that when an incident occurs, business operations can continue without disruption.
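The last point above, that backups must be periodically tested, is the one most often skipped. The following is an added example, not code from the original article or from LinearStack: a restore drill that records a SHA-256 manifest at backup time, restores the copy into a separate directory, and verifies every file against the manifest. The sample data, directory layout and manifest file name are constructed for the example; the corrupt=True path simulates a damaged restore to show what the check reports.

```python
"""Backup integrity manifest and restore test.

Added example, not code from the original article or from LinearStack. It
simulates a backup and a restore in temporary directories and checks the
restored copy against a SHA-256 manifest taken at backup time, which is the
check a periodic restore test should perform.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest and report which files
    are missing, which differ, and whether the restore is usable as-is."""
    restored_root = Path(restored_root)
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched,
            "missing": missing,
            "mismatched": mismatched,
            "checked": len(manifest)}


def simulate_restore_test(corrupt=False):
    """End-to-end drill on constructed sample data: back up, write a manifest,
    restore, verify. With corrupt=True one restored file is tampered with and
    one is dropped, which verify_restore must report."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restore = tmp / "source", tmp / "backup", tmp / "restore"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "budget.csv").write_text("q1,120000\nq2,135000\n")
        (source / "notes.txt").write_text("constructed sample data\n")

        # Backup step: copy the tree and keep the manifest with the backup copy.
        # In practice both live offline or off the enterprise network.
        shutil.copytree(source, backup)
        manifest = build_manifest(backup)
        (tmp / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Restore step: restore from the backup copy, never from the live source.
        shutil.copytree(backup, restore)
        if corrupt:
            (restore / "notes.txt").write_text("tampered\n")
            (restore / "finance" / "budget.csv").unlink()

        stored = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(restore, stored)


if __name__ == "__main__":
    print("clean restore:", simulate_restore_test())
    print("damaged restore:", simulate_restore_test(corrupt=True))
```

A scheduled job that runs this drill against a real backup set and pages someone when "ok" is false turns the backup from an assumption into a measured control; the manifest should be stored with the offline copy so an attacker who reaches the live network cannot rewrite both the data and its checksums.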
How LinearStack can help
LinearStack provides 24/7 incident response and threat handling services to businesses in New Zealand and Australia. If you have been hit by a ransomware attack and need help, contact us on 0800 008 795.
Our security experts can also help you build and implement a strong, effective cyber security strategy to defend your data and IT infrastructure against cyberattacks.
While ransomware is a growing and serious cause for concern, it can be dealt with and its impact minimised by using the appropriate safeguards. We can guide you through the process of setting up multiple layers of defence across your network and endpoints to prevent successful attacks and quickly catch and block the advanced threats that make it past your perimeter controls.
LinearStack’s Managed Detection and Response (MDR) service
Our 24/7 Managed Detection and Response (MDR) service is delivered by a team of skilled security practitioners with decades of combined industry experience.
Proactive threat hunting, quick detection and rapid response make up the core of our MDR service. We can help you catch an advanced ransomware actor (even one who is already in your environment) BEFORE the final stage of the attack, limiting impact and preventing serious damage.
Based on our service agreement, we can also take you through the entire incident response cycle, leaving your systems in a sanitised state.
- We run 40+ research-based threat hunts and handle more than 2300 incidents each month.
- Our MDR team tracks 1000+ ransomware families and applies over 4000 use cases to threat detection.
Call us on 0800 008 795 or email us at info@linearstack.co.nz to learn more about our MDR service inclusions. Our website is www.linearstack.co.nz.