In our last entry, we discussed the purpose of and past responses to banking ransomware. In this section, we’ll follow a timeline of the stages of infection through a common ransomware strain and the proper response at each stage. The example used will be a piece of malware seen in approximately one third of all modern ransomware attacks: the REvil ransomware strain.
Stage 1: Recon and Attack Preparation
Although some may not include this step in the consideration of an attack, the preparation work and research that goes into an attack can be the biggest factor into which attacks are made or broken. Attackers will typically search for either an easy or high value target, prioritizing success likelihood. At this point in the process, there are a few things that companies can do to prevent themselves from looking like a good target:
- Stay vigilant. Perform regular scans and security audits to prevent the creation of easy attack surfaces. Some organizations may not have the staffing or capabilities for this on a regular basis and may find it easier to work with contractors or a specialized security company when audits are necessary.
- Remember that your strongest asset is your people . Many companies make the mistake of believing that employees are their weakest link, but with the right training they are truly your strongest asset. A well-trained and educated employee can point out issues with security and possible phishing attempts before even the security team can find them, creating a sort of crowd-sourced security solution that is highly effective against future attacks. This has the added benefit of ‘spreading the word’, in that previous employees are likely to talk about strict security policy and put off possible attackers.
- Make yourself a less obvious target. If previously struck by ransomware, do not pay the ransom. Those who are unlikely to pay are not likely to be repeat targets.
Using the above tactics can combine to make for an unsavory target - one who is watchful, stubborn, and makes their intentions known.
Stage 2: Initial Attack Vector
Once a target has been identified and initial research has been performed, the ransomware operator will choose an attack vector. In the case of the REvil ransomware, their attack vectors vary wildly (from exploiting Oracle vulnerabilities to infected email attachments), with the most common being compromised RDP credentials. At this point in the infection timeline, a lot can still be done to prevent an unfavorable outcome:
- Keep good password sanitation. Ensure that a password policy is in place to regularly change credentials, especially on logins that are used by multiple people or have elevated privileges. Use a password vault to automatically change passwords and push them to all employees with access. Use 2-factor authentication where possible.
- Maintain a policy of least privilege. Only those who will be regularly using access should be given access. The fewer higher privileges given, the less likely that a ransomware strain can spread far.
- Maintain network segmentation. The most secure networks are surprisingly disconnected. That is, there are fewer connections between machines that could spread a nasty ransomware strain. Use VLANs, security appliances, and air-gapping techniques between machines to slow the potential spread of malware.
- Create regular offline backups. When all else fails, one the most reliable resources available is the ability to start over from a (hopefully recent) checkpoint. Backups of production systems and databases should be made frequently and regularly and kept offline to avoid infection. Organizational security policy should account for the time needed to pull and load the backup, necessary storage needed, who should have access, and how often backups are made. Remember that backups are necessary, but they still cost a lot of time and money to recover and should be considereda last resort.
If one or more of the above steps aren’t followed, the chances of infection increase. As REvil typically uses compromised RDP credentials, a series of brute-force attack attempts may be seen on network monitoring solutions prior to attack, though compromised credentials may also be gained through other means like previous leaks. Once compromised credentials are gained, the next stage begins,
Stage 3: Finding a Foothold and Spreading
It is at this point that all efforts against ransomware go from preventative to active. The initial entry into the environment has been made and the effects might already be seen after it started with a few machines and may be moving through the network. If the attack is caught early enough, there are a few things that can be done at this stage:
- Active segmentation. It’s not going to be quite as effective as segmenting the network ahead of time, but it may help prevent further infection. Infected machines can be quarantined and air-gapped away from the rest of the network, with critical and untouched machines possibly being moved off of their current configurations.
- All hands on deck to address the situation. Whether it be by playbook or through an incident handling call, it’s important to begin communication about the event sooner rather than later. Starting the process of an investigation now can mean less cleanup down the line.
- Reporting. Unfortunately, at this stage the infection has probably reached the point of no return and it has already touched the network. Therefore, a plan for prompt reporting for governing bodies and customers alike should be prepared whenever appropriate. This step may be saved for a bit later if resources are not immediately available, but sooner is usually better than later for both company reputation and for customer/partner well-being.
This stage is always a dreaded one to reach and means all previous mitigations and efforts have failed. It is at this point that costs begin to skyrocket, and ransomware operators start to take special focus on the victim, possibly performing some manual actions to evade detection, find further attack vectors to increase spread, and perform last-minute research before the killing blow.
Stage 4: The Ransom
If it hasn’t happened already, the ransomware infection has completed its spread and has been triggered, causing widespread network encryption and knocking machine functions offline. Most ransomware operators will wait until the infection is present on machines before triggering encryption to avoid detection. A message will be displayed on infected machines informing the victim of their options: pay the ransom or lose their data. Victims may have more options than are laid out by attackers, though:
- Draw from backup. If a backup was made previously, this is the best option. It will be a costly effort and may take quite a bit of effort, but restoring a backup will save time and money. Remember that the stolen data has still been transferred to the attacker, so adequate reporting is still necessary.
- Pay the ransom. This approach is never recommended, as it only encourages future attacks and is never a guarantee that future payments won’t be sought (nor that information will not be leaked). Decryption keys may not work, data is still in the attacker’s hands, and paying the ransom is a bad look publicly. While payment is an option available to organizations, it is not a good one.
- Avoid payment and handle the aftermath. This is the best option when all else fails. Though information may be leaked, it allows the money that would have gone to a ransom to go towards better future security and handling the public relations of the incident. A proper response (even when all else has failed) can show the effort and care into which the victim organization places their work and displays good intentions.
The ransomware scenario is never a good one, but it can be handled well. Ransomware attackers have a variety of tactics to coerce their victims into paying up, including working from public earnings statements to find a payable amount, contacting the victim’s clients to encourage shaming, and auctioning stolen data. If a business manages to shoulder the pressure against them, they will be a less likely future target and will prevent future attacks through the rest of the industry.
No matter what mitigation option is chosen or how far the infection ultimately spread, there is still the aftermath of an attack to deal with. Some organizations wait much too long to release information about an incident, leading to distrust from the public and possible fines from regulatory agencies. Famously, the U.S. Treasury Department has warned that companies paying ransoms may pay up to $20 million in fines depending on the classification of the ransomware operator.
In addition to the U.S. treasury, there are other penalties to consider. Those governed by HIPAA face massive fines for negligence, under which ransomware can fall if proper precautions were not taken to protect data. These fines can be anywhere from $100 to $50,000 per breached record. Companies operating in the EU must also follow GDPR breach standards, notifying a supervising authority within 72 hours of breach discovery or facing massive fines.
Besides regulatory fines, there are more internal concerns. Organizations can face a deep loss of trust from partners, causing millions in lost revenue. Data being lost can cause operations to grind to a halt until recovered or rebuilt, also losing massive amounts of revenue and costing its weight in man hours. Breaches can have long lasting consequences that reach years into the future as data is sold, users continue to experience identity theft, or employees continue to rebuild.
In the Sophos State of Ransomware 2020 report, over half of the sampled 1700 organizations were affected by ransomware, with smaller and larger organizations being hit about the same amount. Just under half of the financial services organizations surveyed were hit by a ransomware attack.
Proper security can feel tedious and may not immediately show benefits. A common problem in the world of technology as a whole is the difficulty in measuring effectiveness, as automation solutions and security both show their worth in keeping incidents from occurring in the first place. Even so, the above phases of an attack show that prevention is a much better option than reaction, and the numbers don’t lie: companies that prepare for ransomware pay less than those that don’t, and in particular, ransomware attacks against financial services institutions are almost inevitable in the modern age.