Several recent high-profile ransomware attacks have caused organizations to take a closer look at their ability to deal with such an incident. The stakes could scarcely be higher, as ransomware attacks executed by human operators are targeted to bring down global production lines and deny access to business systems – while stealing and then encrypting sensitive data.
The impact of this can be vast – literally shutting down the business – while also exposing the organization to a costly leak of personal data unless the ransom is paid.
Human-driven ransomware is very different from automated attacks that might execute from a malicious email or infected website. Those are typically containable and often more limited in impact. Instead, a human-driven ransomware attack will seek to gain a foothold in the organization and then escalate privileges until domain admin is gained. At this point, the attacker has the ability to deploy ransomware at scale across the organization in order to inflict maximum damage and chaos. Furthermore, once they have access, attackers may bide their time, waiting until a sensitive business event (such as just before a quarterly earnings call, in the case of Garmin) to add pressure and increase their chances of the ransom being paid. It is proving to be a very successful business model, and a number of criminal groups have now pivoted to include it in their arsenal.
The questions many firms are asking themselves are ‘are we ready?’, ‘could we do more?’, and ‘how would we respond?’. To address these, we have put together a nine-point plan, with questions to consider, that covers defensive measures across multiple IT and business domains.
9 Points to Ransomware Defense
1. Back up your data
How and what is backed up? Is it detached? What is the retention? Is raw data backed up as well as system images (which may become infected)?
2. Test your backups
A backup policy is just a policy unless it is regularly tested. Can you actually restore the business within your recovery point objective and operational time-frame? Are all backups – particularly of critical assets – tested?
3. Patch your systems
With the initial foothold and the lateral movement of ransomware often taking advantage of known vulnerabilities, a mature patch process is a key front-line defense. Ensure end-of-life operating systems are replaced, or defended in depth if an upgrade cannot be performed.
4. Segment your network
The effectiveness of segmentation depends on how far you go with it. For instance, you can block SMB, which ransomware has used to spread in the past. However, more powerful defensive controls may include micro-segmentation or zero-trust models, which may mitigate more advanced and newer ransomware spreading by alternative channels.
5. Have an Incident Response plan
When was the last tabletop exercise covering a ransomware scenario held? Do you also hold tactical drills to test the Business Continuity and response related to similar scenarios? Test all parts of the business that would be affected in the event of a ransomware attack. If the worst happens, are you willing to negotiate with threat actors, and are you willing to pay a ransom? If so, do you know how to acquire bitcoin or other cryptocurrency?
6. Deploy an EDR tool
EDRs (Endpoint Detection and Response) can be effective in identifying and terminating ransomware based on the malware’s behavior rather than only its signature, meaning that the ransomware process can be blocked even if the payload is tailored and unique. Not all EDRs are equal in this regard – so testing is key.
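To make the behavior-versus-signature distinction concrete, here is an added toy detector (not code from the original post or from any EDR product) that flags a process rewriting many files with a new extension inside a short window, whatever the binary is named or hashed to. The event records, process names and paths are constructed for illustration.

```python
# Added example: behavioural ransomware indicator over constructed file-system events.
# A signature-based check would need to know the payload; this only looks at what
# the process does to files. Real EDR telemetry is richer, but the idea is the same.
from collections import defaultdict, deque

# Constructed events: (timestamp_seconds, pid, process image, old_path, new_path)
EVENTS = [
    (0.0, 4101, "winword.exe", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx"),
    (0.5, 2200, "explorer.exe", r"C:\Users\a\~tmp1.tmp", r"C:\Users\a\notes.docx"),
    (1.0, 7331, "updater.exe", r"C:\Users\a\q1.xlsx", r"C:\Users\a\q1.xlsx.locked"),
    (1.2, 7331, "updater.exe", r"C:\Users\a\q2.xlsx", r"C:\Users\a\q2.xlsx.locked"),
    (1.4, 7331, "updater.exe", r"C:\Users\a\q3.xlsx", r"C:\Users\a\q3.xlsx.locked"),
    (1.6, 7331, "updater.exe", r"C:\Users\a\q4.xlsx", r"C:\Users\a\q4.xlsx.locked"),
    (1.8, 7331, "updater.exe", r"C:\Users\a\q5.xlsx", r"C:\Users\a\q5.xlsx.locked"),
    (9.0, 4101, "winword.exe", r"C:\Users\a\report.docx", r"C:\Users\a\report.docx"),
]


def extension_changed(old_path, new_path):
    """True when a write/rename leaves the file with a different extension."""
    return old_path.rsplit(".", 1)[-1].lower() != new_path.rsplit(".", 1)[-1].lower()


def detect_mass_rename(events, window_s=10.0, threshold=5):
    """Return {pid: image} for processes that changed the extension of at least
    `threshold` files within any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)  # pid -> timestamps of recent extension changes
    flagged = {}
    for ts, pid, image, old_path, new_path in sorted(events):
        if not extension_changed(old_path, new_path):
            continue  # ordinary in-place save, not an indicator
        window = recent[pid]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()  # drop events that fell out of the window
        if len(window) >= threshold:
            flagged[pid] = image
    return flagged


if __name__ == "__main__":
    # Only the process touching five files in under a second is reported;
    # explorer.exe renaming a single temp file stays below the threshold.
    print(detect_mass_rename(EVENTS))  # {7331: 'updater.exe'}
```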
7. Assess your Incident Response Team
What experience do they have with ransomware incidents? Are you planning to use external help in such an incident? If so, do you know who? Is that engagement planned and contracted?
8. Cloud is not Immune
Organizations can feel they are protected from ransomware because their critical information is in the cloud. However, if employees use synchronization or offline features for collaboration, this can still be a risk exposure.
9. Monitoring and Detection Capabilities
Sophisticated, human-driven ransomware attacks, a growing trend, start with infiltration, the establishment of command and control, and then an internal search for critical assets and lucrative data. This all takes place before the ransomware is deployed, which is only the last step (at which point the threat actor is of course detected). For this reason, monitoring and detection are very important – with quick detection of the threat actor in the early stages, the deployment of ransomware can often be avoided altogether.
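As an added illustration of catching the command-and-control stage before any encryption happens (not code from the original post), the following toy detector looks for outbound connections from a host to one destination at near-constant intervals, the timer-driven "beaconing" pattern that implants exhibit and interactive browsing does not. Hostnames and destination addresses are constructed placeholders.

```python
# Added example: beaconing indicator over a constructed outbound connection log.
# The point of the monitoring section above: this kind of signal appears well
# before the final ransomware deployment step.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log: (timestamp_seconds, source_host, destination)
# ws-017 -> 203.0.113.10 calls home roughly every 60 s; the other traffic is irregular.
CONNECTIONS = [
    (0, "ws-017", "203.0.113.10"), (60, "ws-017", "203.0.113.10"),
    (121, "ws-017", "203.0.113.10"), (180, "ws-017", "203.0.113.10"),
    (241, "ws-017", "203.0.113.10"), (300, "ws-017", "203.0.113.10"),
    (5, "ws-017", "198.51.100.7"), (9, "ws-017", "198.51.100.7"),
    (250, "ws-017", "198.51.100.7"), (251, "ws-017", "198.51.100.7"),
    (400, "ws-017", "198.51.100.7"),
    (30, "ws-042", "203.0.113.10"), (90, "ws-042", "203.0.113.10"),
]


def beacon_candidates(conns, min_events=5, max_cv=0.1):
    """Return {(src, dst): mean_gap_seconds} for host/destination pairs with at
    least `min_events` connections whose inter-connection gaps are nearly
    constant (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)

    found = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap means a timer, not a human.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = round(avg, 1)
    return found


if __name__ == "__main__":
    print(beacon_candidates(CONNECTIONS))  # {('ws-017', '203.0.113.10'): 60}
```

Real implants add jitter, so in practice the tolerance, the minimum event count and the observation window are tuned against baseline traffic rather than fixed as here.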
Only the Beginning
This is a high-level starting point to help organizations start to assess their readiness for a human-driven ransomware event. Even scratching the surface, it becomes clear that effective mitigation starts with governance and asset management, and then works down through every IT security domain. As such, ransomware readiness is a complex, team effort requiring co-ordination and planning, and can’t be merely ‘ticked off the list’ by implementing a single policy or tool.
Want to learn more?
For an initial assessment, an expanded view on any of these points, or a more in-depth view of hardening or response techniques, please do get in touch – we’d be happy to help. You can reach us on our Contact Us page or via our social channels, and we will get back to you.