Ransomware is here to stay. It is one of the most direct ways for criminals to monetize cyberattacks, and small and mid-sized enterprises (SMEs) across the spectrum have experienced a marked uptick in attacks. All organizations across every industry should assume an imminent attack and prepare accordingly, but how to do that with the limited resources and tight budgets typical of a smaller enterprise?

By understanding how ransomware works from a technical standpoint, security operators can implement prevention tips to minimize or prevent serious damage at each stage and achieve large enterprise-level detection and response with limited resources.


The security industry defines ransomware as a form of malware that will root itself into a system and encrypt files, making them completely inaccessible to users and administrators. Not only can it be very damaging, but it can also spread very quickly.

As with any malware, there are many different strains of ransomware. Ransomware will typically export a decryption key to the attacker, providing a means to unlock your files, and then display a ransom message to the user. And sometimes – they simply throw away the key, and you cannot access your data at all.

Many times, ransomware is delivered through some form of phishing attack – something as simple as a single click in which a user, very quickly and quite unwittingly, hands over the keys to their system. Once the ransomware is planted in a single system, it is all over. Usually, the steps are automated, but there may also be a kill switch.

Stages of an Attack

Understanding the stages of a ransomware attack can help credit unions prepare and mitigate potential losses. Prevention is a much better option than reaction, as attackers will typically search for either an easy or high value target, prioritizing the likelihood of success. The more prepared you are, the less appealing you become.

Stage 1 - Reconnaissance

Reconnaissance is just basic research about a target. Small and seemingly insignificant bits of information can have a serious impact on how an attacker approaches your network. For example, take what employees share on social media. Employee badges are often posted online, and attackers can easily replicate those badges to gain physical access to your company. Photos taken within the office can reveal what type of machines, routers, and other technology you use.

Prevention Tip
Performing regular scans and security audits across your organization can help prevent the creation of easy attack surfaces. Some organizations might not have staffing or capabilities to do this on a regular basis, so it may be easier to work with contractors or specialized security companies when audits are necessary.

Stage 2 - Attack Vectors

Ransomware can enter your system via different attack vectors. Social engineering, email phishing, and exploiting a vulnerability are all examples of effective attack vectors.

Prevention Tips

Treat Employees as Your First Line of Defense
A lot of security organizations – and sometimes the security industry as a whole – tend to see employees as a weak link, but they do not have to be. Your strongest asset can also be your people. Train and educate all of your employees on important security issues. Providing comprehensive phishing and social engineering awareness training can turn employees from potential victims into an extension of your security team.

Enforce Password Protection and Sanitation
There are different ways that an attack can be delivered from one point to another. Compromised Remote Desktop Protocol (RDP) credentials are often used by attackers to access a network, so be sure to enforce password protection and sanitation with all employees across your organization.

Regularly change credentials, especially on logins for systems that have multiple users and/or elevated privileges. Use a password vault to automatically change passwords and push them to all employees with access. 1Password and LastPass are both excellent solutions.

Implement Two-Factor Authentication
Use Two-Factor Authentication (2FA) wherever possible. Two-factor authentication has been bypassed in some incidents, but it is still your best bet. Maintain a policy of least privilege, meaning that each user is granted as few privileges as possible. If someone doesn't need access to something, don't give it to them. Otherwise, you set yourself up for another Target-style data breach.

Segment and Separate Your Networks
The most secure networks are mostly disconnected. By maintaining network segmentation, you ensure that there are fewer connections between machines over which a ransomware strain could spread. Use Virtual Local Area Networks (VLANs), security appliances, and air gapping between machines to slow the potential spread of malware.

Create Regular Offline Backups
When all else fails, the most reliable resource you have available is the ability to start over from a checkpoint, and that's what a backup provides you. Regularly (and religiously!) create offline backups. If your network is hit by ransomware, then you can take your latest backup and push it out to restore operations quickly.

Stage 3 - Finding Foothold and Spreading

Sophisticated ransomware can gain a foothold in your system and spread quietly – slowly taking over nodes without being detected. Once it activates, the effect is far-reaching and pernicious.

Unfortunately, at this stage the infection has probably reached the point of no return. It has already touched your network, so you don't know exactly what it has accessed. This is an all-hands-on-deck situation: whether that means activating playbooks or starting incident handling calls, you need to begin communicating about the event as quickly as possible.

Have a plan prepared and in place for prompt reporting to governing bodies and customers and clients alike. This action may be saved for a bit later if resources are not immediately available, but document as much as you can while it is still fresh.

Prevention Tip
The best thing you can do to minimize damage is to have your network segmentation already in place – making sure your machines are separated and kept far apart. Air gap sensitive machines ahead of time, and if you find an infected machine, isolate it by disconnecting it from the network entirely.

Stage 4 - Encryption

To avoid detection, most ransomware operators will wait until the infection has completely spread before they trigger the encryption. Once that happens and machine functions are offline, a message appears on the infected machines informing the victim of their options: Pay a ransom or lose your data.
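As an added example (not code from the original post), the following Python script sketches the kind of low-cost detection the article's thesis calls for: it flags a host that writes or renames many files to an unfamiliar extension within a short window, which is the observable signature of the encryption trigger described above. The log format, the baseline extension set, the window and the threshold are all assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

# Assumed baseline: extensions these workstations normally write.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".pptx", ".jpg"}
WINDOW = timedelta(seconds=60)   # sliding window per host
THRESHOLD = 5                    # unfamiliar-extension events per window

# Constructed file-audit log: "<ISO timestamp> <host> <action> <path>",
# assumed to be ordered by time. ws-07 shows an encryption burst plus a
# dropped ransom note; ws-12 only writes one unfamiliar file.
SAMPLE_LOG = """\
2022-09-01T10:00:01 ws-07 WRITE C:/Users/alice/Documents/q3-report.docx
2022-09-01T10:00:03 ws-12 WRITE C:/Users/bob/Desktop/install.tmp
2022-09-01T10:02:10 ws-07 RENAME C:/Users/alice/Documents/q3-report.docx.locked
2022-09-01T10:02:11 ws-07 RENAME C:/Users/alice/Documents/budget.xlsx.locked
2022-09-01T10:02:11 ws-07 RENAME C:/Users/alice/Pictures/family.jpg.locked
2022-09-01T10:02:12 ws-07 WRITE C:/Users/alice/Desktop/README_TO_DECRYPT.hta
2022-09-01T10:02:13 ws-07 RENAME C:/Users/alice/Documents/contract.pdf.locked
2022-09-01T10:02:14 ws-07 RENAME C:/Users/alice/Documents/notes.txt.locked
2022-09-01T10:05:00 ws-12 WRITE C:/Users/bob/Documents/memo.docx
"""

def parse_line(line):
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path

def detect_encryption_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {host: (count, first_event_time)} for each host whose
    writes/renames to files with an unfamiliar extension reach the
    threshold inside the sliding window. Only the first alert per host
    is recorded so the output stays readable during a large incident."""
    recent = defaultdict(deque)   # host -> timestamps of suspicious events
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, host, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME"):
            continue
        if splitext(path)[1].lower() in KNOWN_EXTENSIONS:
            continue                      # routine document activity
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (len(q), q[0])
    return alerts

def alerts_for_sample():
    return detect_encryption_bursts(SAMPLE_LOG)
```

Feeding this the audit events from a file-server or EDR agent lets a small team react while the burst is still confined to one segment, before the ransom screen appears.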

Attackers will resort to a variety of tactics to coerce victims into meeting their demands. They may study public earnings statements to set a ransom the victim can afford, they may threaten to release sensitive data to the public, and they may even contact your clients to shame you publicly into paying the ransom.

To Pay Or Not to Pay
Victims of a ransomware attack have more options than they think. The first is to restore from the backups discussed earlier. This will at least get you up and running. Organizations may be tempted to pay the ransom, but there are several reasons we recommend not doing so.

First, there is no guarantee that you will recover your data intact. The decryption keys may not work, and the data may be incomplete, damaged, or lost. And your data may still be leaked – after all, we’re not dealing with honorable folks here! But more importantly, once your organization has paid a ransom, you have made yourself an easy target for recurring attacks – not only by the same ransomware operators, but to all the others as well.

Another consideration is that your organization may face regulatory fines if you pay criminals the ransom they demand. The U.S. Treasury Department states that companies paying ransoms may face up to $20 million in fines depending on the classification of the ransomware operator.

Organizations governed by HIPAA can face massive fines for negligence. If proper precautions were not taken to protect data, ransomware can fall under this definition. These fines can range from $100 to $50,000 per breached record. Companies operating in the EU must also follow GDPR breach standards and notify a supervising authority within 72 hours of breach discovery or face sizable fines.

Data privacy laws require that companies disclose attacks, and a policy of open communication with governing bodies, as well as clients and customers, is a better long-term strategy.

Data being held hostage or lost can cause operations to grind to a halt. And breaches have long lasting consequences that can reach years into the future as data is sold, customers and clients continue to experience identity theft, and organizations try to recover operationally, financially, and reputationally. Taking extraordinary steps to prepare for and prevent a ransomware attack will be worth it in the end.

If your organization is breached and you refuse to pay the ransom, a proper response, even when all else has failed, shows effort, diligence, and good intentions. Report it to the proper authorities, notify the individuals impacted, and do everything you can to own up to the incident. Though information may be leaked, the money that would have gone to pay a ransom can go towards implementing better security measures and handling public relations.

In closing, ransomware should be viewed like a traditional breach, and the more you can put prevention measures in place, and prepare, prepare, prepare – the better off you will be. Best case scenario, your organization becomes an unappealing target, and nothing happens. Worst case scenario, you get hit, but have a plan and process in place to get operations up and running with minimal damage to data, clients, and customers.
