Defending Against Ransomware Attacks: 11 Best Practices for Success
If your organization hasn’t experienced ransomware yet, it’s probably just a matter of time. Attacks jumped in 2021 by almost 50% over the previous year. That’s on the heels of a 485% increase in 2020 and was directly related to expanded connectivity during the pandemic. Ransomware gangs brazenly breach networks, steal sensitive data, and ramp up extortion efforts with jaw-dropping demands.
No organization is immune. Schools, hospitals, city governments, law enforcement agencies, manufacturers, retailers, beermakers, insurance providers, and sports leagues are among a long list of recent victims. The attack on Colonial Pipeline—a company that operates one of the largest fuel pipelines in the U.S.—was a gripping media headline in early 2021. A relatively new ransomware group known as DarkSide perpetrated the attack and forced the shutdown of Colonial Pipeline’s operations. Colonial paid a $4.4 million ransom in bitcoin, which the FBI largely recovered. It is the worst attack on critical U.S. infrastructure to date, prompting the Biden administration to call for an “all-hands-on-deck” effort to avoid disruptions in the fuel supply.
High-profile attacks continued throughout 2021, with meat processor JBS Foods claiming the dubious honor of handing over one of the larger ransoms. They made a whopping $11 million payment in bitcoin to the REvil ransomware group, which also hit Acer, Quanta, and Kaseya last year. Mega-media owner Sinclair Broadcasting Group struggled to restore operations following an attack discovered in mid-October. Calculating the cost of this attack continues as the company reported more than $63 million in lost advertising revenue in year-end SEC filings.
While the rest of us were welcoming in a new year with the hope of better things to come, ransomware groups were busy starting 2022 with more of the same. The list of high-profile attacks so far includes Bridgestone Americas, Nvidia, Kronos Workforce Central, and the San Francisco 49ers.
Ransomware has evolved from lone cybercriminals blasting out indiscriminate emails to gangs with specialized skill sets collaborating on elaborate attack campaigns. They publish press releases, provide chat support, and offer discounts for timely payments as they encrypt victims’ data and lock them out. Geopolitical conflicts now often include cyber tactics that take warfare online.
The war in Ukraine has heightened interest in cybersecurity. Because the effects of the conflict could potentially spread to companies without a tie to Ukraine, companies should heed a recent CompTIA warning to prepare for disruptive attacks on their networks and those of customers, suppliers and partners.
Many of these groups are shifting from automated efforts to targeted attacks that include hands-on-keyboard hacking, sensitive data exfiltration, and the threat of exposure—widening the scope of potential damage. Making matters worse, they are gathering detailed intelligence about potential targets. Victims often find the attacker knows they have cyber insurance; sometimes they even know the policy limit for ransom reimbursement.
There are numerous sophisticated attackers, and—with the rise of ransomware as a service (RaaS)—even low-skilled cybercriminals can get in on the action with a pre-packaged ransomware subscription. RaaS kits are easy to find on the dark web, where they are advertised in the same way that goods are promoted on legitimate internet sites.
As ransom payments continue to rise, attackers reinvest the money they extort from victims to advance their capabilities and hunt lucrative targets, with little fear of repercussions.
What You Can Do
Because ransomware perpetrators generally operate outside of Western law enforcement’s reach in Russia and other safe havens, the most important tools for combating ransomware are strong cybersecurity measures.
Here are 11 best practices that can help protect your organization.
- Assume you are a target. No matter your size or industry, you are likely to be viewed as either a potential victim or a steppingstone to a larger organization.
- Enhance lateral movement and privilege escalation detection. Very rarely does an attacker go from zero (no access) to hero (domain admin) without having to move laterally and escalate privileges. Identifying this type of activity is instrumental in reducing the likelihood and impact of successful attacks. Focus on leveraging advanced endpoint security technologies and building key alerts and notifications. Security information and event management (SIEM) platforms and/or managed security service (MSS) providers can optimize the detection of lateral movement and privilege escalation attacks. And penetration testing and purple teaming are fantastic mechanisms for advancing your capabilities.
- Take data backups seriously. Thoroughly test your ability to recover systems and data in the event of an attack. Use a multitiered approach to data protection that includes offline cold storage. Your backups are less vulnerable to attack if they are not connected to the network.
- Strengthen patch management. Consistently monitor for vulnerabilities. Regularly update systems with the appropriate security patches to ensure cybercriminals can’t take advantage of known flaws. Run vulnerability scans to verify successful patching and evaluate technologies that can make patching processes more effective, leveraging automation whenever possible.
- Adopt multifactor authentication. Most ransomware gains access through the hijacking of static passwords. Enabling multifactor authentication on accounts across the network can help you thwart attackers by requiring a second factor beyond the password. A phishing attack may net them a user’s credentials, but it cannot provide biometric data or answer a personal security question.
- Implement least privilege. Reduce the risk of attackers gaining access to critical systems or sensitive data by giving users only the bare minimum rights needed to do their jobs. Identity and access management (IAM) controls can help you grant least privilege access based on who is requesting it, the context of the request, and the risk of the access environment.
- Advance endpoint security. Visibility is vital to ransomware defense. Endpoint detection and response (EDR) tools combine real-time continuous monitoring and collection of endpoint data with automated response and analysis. Emerging extended detection and response (XDR) solutions extend these capabilities to email, servers, cloud workloads, and networks to provide analysts with greater context.
- Ensure awareness. Users should receive continuous security awareness training that details the threat of ransomware and how it can be delivered. Take baseline measurements related to current phishing susceptibility and cybersecurity knowledge levels, and track progress over time with simulated phishing attacks.
- Consider a data risk assessment. Performing an assessment will help you locate your sensitive data, identify who has access to it, determine how much of it is stale or aged, and decide whether it should be archived or purged. This effectively reduces your data footprint and the risk associated with potential breaches and incidents that target data.
- Maintain incident response readiness. Prepare for the inevitable by specifically addressing the threat of ransomware in your IR program, policies and procedures. Organizations without in-house resources to optimize their maturity should leverage IR retainers to help them quickly recover, restore critical services, and minimize financial losses in the event of a compromise.
- Check your insurance. Confirm cyber extortion coverage entitles you to incident response assistance and reimburses you for any ransom payments. Keep in mind that underwriters are scrutinizing security practices, and they can — and will — refuse to cover incidents if effective controls are not in place to protect systems and data.
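The second practice above calls for building alerts on lateral movement and privilege escalation. As an added illustration (not code from the original article or from any product it mentions), the following Python detector runs two such rules over a handful of constructed Windows Security events: an account performing network logons (event 4624, logon type 3) to three or more distinct hosts inside a ten-minute window, and an account outside a maintained admin allowlist receiving special privileges (event 4672) or being added to a privileged group (events 4728/4732/4756). The hostnames, usernames, IP addresses, thresholds and the `KNOWN_ADMINS` allowlist are all assumptions chosen for the example; in practice they would come from your own environment and tuning.

```python
"""Toy detector for lateral-movement fan-out and privilege-escalation signals.

All events below are constructed for this example; hosts, users and IPs are
hypothetical. Event IDs and logon types follow the Windows Security log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical environment), already normalized
# from the Security log into flat records as a SIEM would present them.
SAMPLE_EVENTS = [
    {"time": "2022-03-01T09:00:01", "event_id": 4624, "logon_type": 3, "user": "jdoe", "host": "FS01", "src_ip": "10.0.5.23"},
    {"time": "2022-03-01T09:02:10", "event_id": 4624, "logon_type": 3, "user": "jdoe", "host": "WS07", "src_ip": "10.0.5.23"},
    {"time": "2022-03-01T09:04:30", "event_id": 4624, "logon_type": 3, "user": "jdoe", "host": "DC01", "src_ip": "10.0.5.23"},
    {"time": "2022-03-01T09:05:00", "event_id": 4672, "user": "jdoe", "host": "DC01"},
    {"time": "2022-03-01T09:06:45", "event_id": 4624, "logon_type": 3, "user": "jdoe", "host": "SQL02", "src_ip": "10.0.5.23"},
    {"time": "2022-03-01T09:07:20", "event_id": 4728, "user": "jdoe", "member": "jdoe", "group": "Domain Admins", "host": "DC01"},
    # Benign noise: an allowlisted backup service account touching two file servers.
    {"time": "2022-03-01T09:10:00", "event_id": 4624, "logon_type": 3, "user": "svc_backup_admin", "host": "FS01", "src_ip": "10.0.9.5"},
    {"time": "2022-03-01T09:10:05", "event_id": 4624, "logon_type": 3, "user": "svc_backup_admin", "host": "FS02", "src_ip": "10.0.9.5"},
    {"time": "2022-03-01T09:10:06", "event_id": 4672, "user": "svc_backup_admin", "host": "FS01"},
    # Interactive (type 2) logon: not a lateral-movement signal.
    {"time": "2022-03-01T09:12:00", "event_id": 4624, "logon_type": 2, "user": "alice", "host": "WS03", "src_ip": "-"},
]

# Tuning knobs (assumed values; adjust to your environment's baseline).
LATERAL_HOST_THRESHOLD = 3
LATERAL_WINDOW = timedelta(minutes=10)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
KNOWN_ADMINS = {"svc_backup_admin"}  # assumed allowlist maintained by the security team
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal security group


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the normalized records."""
    return datetime.fromisoformat(value)


def detect_lateral_movement(events, threshold=LATERAL_HOST_THRESHOLD, window=LATERAL_WINDOW):
    """Flag accounts with network logons to >= threshold distinct hosts within one window."""
    logons = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            logons[e["user"]].append((parse_time(e["time"]), e["host"]))

    alerts = []
    for user, items in logons.items():
        items.sort()
        for start, _ in items:
            hosts = {host for t, host in items if start <= t <= start + window}
            if len(hosts) >= threshold:
                alerts.append({"rule": "lateral_movement_fanout", "user": user,
                               "hosts": sorted(hosts), "window_start": start.isoformat()})
                break  # one alert per account is enough for triage
    return alerts


def detect_privilege_escalation(events, known_admins=KNOWN_ADMINS):
    """Flag special-privilege logons by non-admins and changes to privileged group membership."""
    alerts = []
    for e in events:
        if e["event_id"] == 4672 and e["user"] not in known_admins:
            alerts.append({"rule": "unexpected_special_privileges", "user": e["user"], "host": e["host"]})
        elif e["event_id"] in GROUP_CHANGE_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "member": e["member"],
                           "group": e["group"], "changed_by": e["user"]})
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return detect_lateral_movement(events) + detect_privilege_escalation(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately simple so that the thresholds, the allowlist and the window can be tuned against your own logon baseline; the allowlisted `svc_backup_admin` account and the interactive logon by `alice` produce no alerts, while `jdoe` trips the fan-out rule and both privilege-escalation rules. A real deployment would run the same logic as a SIEM correlation rule and feed the alerts to the notification path described above.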
In an industry-first, Paris-based insurance giant AXA has announced its suspension of policies that reimburse ransom payments made by victims in an effort to cut off the flow of cash to cyber criminals. While this only applies to new policies in France, we could soon see insurers in other countries follow suit.
You Are Not Alone
A public-private task force that includes Amazon, FireEye, Palo Alto Networks, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.K.’s National Crime Agency (NCA) has released an action plan aimed at tackling ransomware. It details 48 recommendations ranging from providing support for victims to regulating Bitcoin and other cryptocurrencies used by attackers.
While minimizing the threat posed by ransomware actors will be an uphill battle, it is encouraging to see collaboration between cybersecurity firms, incident responders, nonprofits, government agencies, and academics.
Nearly $1.3B in ransomware payments have been made since 2020. Attackers’ threats to publish stolen data unless victims pay up are increasingly aggressive. Attacks will continue through 2022 and beyond as they continue to professionalize “big-game hunting” to pursue payouts.
Vendor-independent security assessments can kick-start your ransomware defense efforts by helping you identify weaknesses in your security program and prioritize the actions you can take to prevent, detect, contain and remediate attacks.
For more information about evaluating the impact a ransomware attack could have on your organization and strengthening your defenses, visit our Ransomware Resource Center.