Article by Gigamon A/NZ manager, George Tsoukas.
The damage done by ransomware has grown over the past two decades, during which it has shifted from opportunistic ‘smash-and-grab’ attacks to carefully orchestrated intrusions.
So let’s consider a high-level assessment of what ransomware is and show how organisations can prevent attacks.
Ransomware describes malware used to digitally extort victims into paying a specific fee. Once the victim’s computer is locked or encrypted, ransomware actors will often attempt to extort money by displaying an on-screen alert. Victims are notified that access will not be restored unless a ransom is paid.
Ransomware actors have expanded the scope of their attacks from extorting individual users to disrupting entire businesses and critical infrastructure.
Ransomware is often spread through phishing emails containing malicious attachments, or by drive-by download, where a user visits a compromised website and malware is downloaded and installed without their knowledge.
Ransomware developers have incorporated capabilities like worms into their malware so that it will spread automatically throughout corporate networks. This ensures their ransomware persists even if the initially accessed computer is remediated.
Cybercriminals have shifted their tactics from opportunistic, smash-and-grab attacks to more calculated, advanced persistent threat (APT)-style attacks.
This attack style allows cybercriminals to exfiltrate sensitive data before encrypting affected hosts, opening the door to multi-stage extortion (often called double extortion). Beyond charging the organisation to decrypt the affected hosts, they also demand payment to withhold release of the stolen data. This strategy has yielded them far greater profits.
All ransomware variants share the feature of demanding a ransom payment, but they differ in how they apply pressure. Here are some of the most common:
- Locker ransomware locks users out of their computers and demands some form of payment. It often requires a system wipe to remove. Unfortunately, paying the ransom doesn’t always save a victim, as some attackers leave password-stealing malware on the machine that remains active after the ransom has been paid.
- Crypto ransomware encrypts the victim’s files rather than locking the whole system, and demands payment for the decryption key. Payment is typically requested in cryptocurrency sent to an anonymous address.
- Leakware works by stealing information and threatening to release the data if the victim doesn’t pay up. It’s a successful tactic that causes the victim to panic and respond.
- Scareware usually poses as fake security software. Once downloaded, it will alert a victim to issues that cost extra money to fix. Sometimes targets will be flooded with so many alerts and pop-ups that their computer is unusable until they take action.
- Ransomware as a Service (RaaS) is a business model rather than a malware type. Career criminals develop and maintain the ransomware and lease it to affiliates, who run the attacks in exchange for a cut of the payment. This lowers the barrier to entry so far that anyone wanting revenge can use it to target specific individuals.
How to prevent ransomware
The steps below are best practices for a mature security program. They ensure an organisation has the right policies, processes, and procedures to reduce the risk of a ransomware attack.
1. Maintain up-to-date systems. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
2. Employ a data backup and recovery plan for critical data. An organisation should perform and test regular backups to limit the impact of data or system loss and expedite the recovery process. Ransomware can also affect network-connected backups, so critical backups should be isolated from the network for optimum protection.
3. Develop an incident response plan. Create, maintain and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
4. Draft security policies and baselines. Consider developing policies and baselines around specific controls like firewalls, email scanning, application allow-listing and remote access.
5. Implement comprehensive network visibility. Today’s ransomware attackers are dwelling on victims’ networks to steal sensitive data and maximise the impact of their extortion. They maintain persistence, move laterally, leverage remote access tools, and escalate their privileges. All these actions generate network traffic that can be detected and remediated by a security team with network visibility.
6. Raise employee awareness. A person who knows what to look for will be more effective at countering potential phishing or social engineering attacks. Therefore, implement a security awareness and training program that teaches employees how to assess whether an attachment, link or email is trustworthy.
7. Protect devices with antivirus software. Good antivirus suites will alert users as soon as they locate a problem and can remove the infection easily. Some vendors also provide free decryption tools for ransomware families whose encryption has been broken or whose keys have been recovered.
8. Implement a proactive threat-hunting capacity. Threat hunting is the practice of proactively searching for cyber threats lurking undetected in a network. It digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defences.
Threat hunting is complementary to the standard incident detection, response, and remediation process. As security technologies analyse the raw data to generate alerts, threat hunting works in parallel, using queries and automation to extract hunting leads from the same data.
Proactive hunting allows a security team to stop a potential threat before the attacker can deploy ransomware in an environment.
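The network visibility and threat-hunting steps above both come down to turning raw traffic records into hunting leads. The following is an added example, not Gigamon’s code: it runs two simple hunts over constructed flow records, one for lateral-movement fan-out (a single host touching many internal peers on administrative ports within a short window) and one for bulk egress to a single external destination (exfiltration staging). The record fields, the internal address ranges, the port list, the thresholds and the sample flows are all assumptions chosen for illustration.

```python
"""Hunting leads from flow records: lateral-movement fan-out and bulk egress.

Added example, not Gigamon's code. Assumes per-flow records with the fields
ts (epoch seconds), src, dst, dport and bytes_out, as a Zeek-style conn log
would provide. Internal ranges, ports, thresholds and sample flows are
constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these RFC 1918 ranges are the organisation's internal space.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# SMB, RDP, WinRM, SSH: services commonly abused for lateral movement.
ADMIN_PORTS = {445, 3389, 5985, 22}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def lateral_fanout(flows, min_hosts=5, window_s=600):
    """Flag sources that reach >= min_hosts distinct internal peers on admin
    ports within any window_s-second sliding window. Returns {src: peers}."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] in ADMIN_PORTS and is_internal(f["src"]) and is_internal(f["dst"]):
            per_src[f["src"]].append((f["ts"], f["dst"]))
    leads = {}
    for src, events in per_src.items():
        events.sort()  # by timestamp
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1  # slide the window start forward
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) >= min_hosts:
                leads[src] = max(leads.get(src, 0), len(peers))
    return leads


def bulk_egress(flows, min_bytes=500_000_000):
    """Flag internal hosts sending >= min_bytes in total to one external
    destination. Returns {(src, dst): total_bytes}."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes_out"]
    return {k: v for k, v in totals.items() if v >= min_bytes}


def flow(ts, src, dst, dport, bytes_out):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes_out": bytes_out}


# Constructed sample: 10.0.1.20 probes SMB on eight hosts in about a minute,
# then pushes ~1.2 GB to one external address; 10.0.1.30 is ordinary traffic.
SAMPLE_FLOWS = (
    [flow(1000 + i * 8, "10.0.1.20", f"10.0.1.{50 + i}", 445, 2000) for i in range(8)]
    + [flow(2000 + i * 60, "10.0.1.20", "203.0.113.9", 443, 400_000_000) for i in range(3)]
    + [flow(1500, "10.0.1.30", "10.0.1.5", 445, 5000),
       flow(1600, "10.0.1.30", "198.51.100.7", 443, 50_000)]
)


def hunt(flows):
    """Run both hunts and return the combined leads."""
    return {"lateral": lateral_fanout(flows), "egress": bulk_egress(flows)}


if __name__ == "__main__":
    for kind, leads in hunt(SAMPLE_FLOWS).items():
        print(kind, leads)
```

Both hunts are deliberately threshold-based so that they can be tuned per environment: a jump host or vulnerability scanner will legitimately fan out on admin ports and belongs on an allow-list, and the egress threshold should sit above the largest routine transfer to a sanctioned cloud service. The value of the exercise is the lead, not the verdict; each hit is a starting point for an analyst to pull the full session data.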
9. Implement a Zero Trust security posture. This anchors ransomware defence in user identity and access management, which is apt because most ransomware intrusions begin with a compromised user, whether through phishing or stolen credentials.
Zero Trust helps reduce the attack surface significantly, as internal and external users have access only to limited resources, and all other resources are completely hidden away. In addition, Zero Trust provides monitoring, detection and threat inspection capabilities, which are necessary to prevent ransomware attacks and exfiltration of sensitive data.
Effective ransomware prevention requires comprehensive network visibility paired with effective threat detection and incident response capability.