Ransomware mitigation: Where do we go from here?
Ransomware has rapidly become one of the biggest global threats our businesses and institutions face today. These attacks—which infiltrate our networks, lock up critical data, and demand a substantial ransom in cryptocurrency to restore vital information—have reached crisis proportions, especially in areas like healthcare and government.
There are even criminal “help desks” that collect a fee for helping victims manage the ransomware process
Even as ransomware attacks become ubiquitous, they evolve into more sophisticated and targeted threats. Ransomware-as-a-Service, for example, uses an “affiliate model” that features a network of bad actors and has become a profitable business for organized cyber criminals.
Ransomware software from these criminal cyber gangs (such as Darkside) enables cybercriminals to target victims and deploy their malware. When they collect a ransom from their victims, the cyber criminals give a percentage back to the ransomware software creators. There are even criminal “help desks” that collect a fee for helping victims manage the ransomware process to get their information back using cryptocurrencies, and sometimes even offer a demo to prove they can decrypt the data.
Here’s how it works:
Source: Ransomware on the Rise
Our best strategy for mitigating the devastating impacts of ransomware is to gain a better understanding of the perpetrator’s techniques and to implement ransomware mitigation programs that directly reduce our risks.
Why should preventing and mitigating ransomware be a top priority?
Research performed by Delinea confirms that having strategies for mitigating ransomware threats and an incident response plan that is incident-ready must be a top priority for every organization. In fact, Delinea’s latest State of Ransomware Survey & Report reveals two out of three companies surveyed were victims of a cyberattack in the last 12 months—and more than 80% felt they had no choice but to pay the ransom demands.
Such numbers are shocking and a massive warning to the rest of us that ransomware is here to stay until we become resilient, resulting in fewer ransomware payments. We must recognize a ransomware attack is not a matter of “if” but “when.” How we are prepared to respond to the challenge has far-reaching consequences.
What are the risks that come with ransomware attacks?
Initially, ransomware attacks focused on locking up or encrypting an organization's data and demanding money in exchange for providing a decryption key to unlock the victim’s information. As more companies than ever have been paying the ransom, usually with cryptocurrencies (which are difficult to trace), the amounts demanded have increased as well.
The message to attackers is clear. Restoring a victim’s information is good for business since many companies feel they have no choice but to pay up; they also expect to get their information back, and attackers are obliging. It’s a self-reinforcing vicious cycle that feeds on every successful attack. Recent major incidents highlighted that the success of the decryption process was poor, indicating that even if you do pay the ransom, it could take a long time before your business is back online. It is very likely that the ransomware gangs are going to improve this in future variants.
Exfiltration of critical data
More recently, ransomware attackers use a breach to explore and traverse a network undetected to locate and exfiltrate or steal information before deploying the ransomware payload.
I have observed many ransomware cases that specifically target privileged access. Compromising a user account provides an initial foothold into the network, giving attackers a foot in the door to roam around and eventually gain privileged access. Overprivileged users, such as local administrators, are a favorite target, providing the attackers an easy way to elevate privileges to Domain Administrator accounts.
6-in-1 Toolkit for Ransomware Defense
Once attained, privileged access through service accounts, local admin, or domain administrator accounts enables attackers to cause as much damage as possible. They can discover where your backups and most sensitive data are located. Taking over these types of accounts allows attackers to turn security off, create back-door access, and elevate their privileges to domain administrator status. This is especially dangerous as we are now getting to a point where many users should be considered privileged users because of the access they possess—which can be exploited by an attacker.
Compliance and regulatory concerns
Ransomware attacks can also impact regulations and compliance, triggering regulatory reporting requirements from the CCPA or GDPR. So, you must not only deal with unavailable data and systems but also personal information loss of employee or customer data, posing liability, or legal issues stemming from compliance violations.
One thing I’ve seen more frequently is ransomware attackers announcing the encryption of your data on Twitter feeds. In some cases, attackers may actually be communicating with your customers directly by tagging your organization or by mentioning it in their own feeds. Thus, organizations must recognize the potential damage to their business reputation and plan for a response accordingly.
What techniques do ransomware attackers use to lock up our information?
In the past, ransomware attacks typically targeted a single computer or limited network. When an employee clicked on a link, they unknowingly downloaded malware, which would then encrypt the computer or server. A backup restore could usually help fix the problem if one was available.
Today, attackers focus on compromising user credentials and passwords to gain an entry point from which they can exploit our vast connected networks. Once inside the network, undetected, the cybercriminals seek to elevate credential privileges, traverse the network, locate sensitive data, and plan how to exfiltrate and encrypt the data.
This dwell time—the time from the point of entry until the actual launch of ransomware and detection of the attack—enables attackers to understand the network and find and exfiltrate critical data. They will then leave crypto-locking malware on your systems to launch when they are ready. Typically, once an attacker gains access to Domain Administrator privileges, it is usually only a matter of hours before the ransomware is deployed and business comes to a halt.
In many cases, organizations see the only realistic way to get their network back up and running is to pay an exorbitant ransom demand or risk devastating damage to their operations and reputation.
The illustration here demonstrates the pathway that many ransomware attackers use to breach an organization’s defenses and then exploit and elevate privileges before launching the actual ransomware attack.
A popular ransomware variant called Cryakl (now called Crylock 2.0) has had numerous updates in the past 18 months and now exhibits a much-improved encryption capability that can be especially devastating. CryLock has evolved and moved into an affiliate program model where its creators share the Cryptor with other ransomware gangs. Criminal gangs can scan your environment in order to gain initial access, compromising credentials to capture user passwords. They sell that information to other criminals, who will then execute a ransomware attack, collect the ransom, and share royalties with the ransomware creators.
Learn more from my RSA Conference talk, where I describe a real-world ransomware attack:
How to mitigate ransomware attacks
There are several basic ransomware mitigation strategies you must implement.
According to our recent ransomware survey, most organizations are taking the proper steps to establish basic cybersecurity hygiene and prevent ransomware attacks.
- Backing up critical data (57%)
- Regularly updating systems and software (56%)
- Enforcing password best practices (50%).
These are great first steps toward mitigating ransomware attacks, but you should also:
- Use multi-factor authentication on Internet-facing systems for all users to prevent a relatively easy takeover of their credentials.
- Develop and deploy a zero-trust strategy that enables you to enforce the principle of least privilege access across applications, cloud platforms, systems, and databases. This goes a long way to preventing attackers from escalating privileges and roaming your network undetected.
- Protect and isolate your backup and restore capabilities as ransomware attackers will likely try to deploy the ransomware on your backup systems.
What’s the best way to prepare for and deal with a ransomware attack?
Have an incident response plan tested and in place. It’s critical for managing any cybersecurity incident, especially for a ransomware attack when the perpetrators may still be active on your network.
Having an Incident Response plan is a good start, but the goal is to be incident-ready
When you’re dealing with ransomware, you tend to have a limited amount of time to respond making it essential that you act as quickly as possible. Obviously, the more time attackers have at their disposal the more damage they can cause, the more systems they can encrypt, and the bigger effort it will take to recover and get back to an operational state.
Part of your incident response plan must include an incident response checklist. It will clarify the type of assets at risk as well as assign roles and capabilities you have internally to deal with the attack at various stages. I recommend incident checklists with designated owners and responsibilities. You need people responsible for physically going and gathering evidence from systems. You need staff to prepare and execute the recovery operations and capabilities, identifying what systems have been affected with an asset inventory assessment.
You must act as fast as possible to stop the initial breach from escalating. You can then try to find out how they got in and ultimately secure that access so the organization can get back to business and recover.
Your incident response must do the forensics and answer key questions in order to understand how to remediate fully.
- How did the attackers gain access and how did they do it?
- Did they have domain administrator access?
- Did they get access to the domain controller?
- Did they get access to servers, desktops, laptops, and applications?
- Did they impact just the on-premise devices or were they able to move to cloud environments?
What can we do to stop ransomware attackers from accessing our critical data and mitigate risk?
How do we make life more difficult for ransomware attackers? In my experience, forcing the attackers to take higher risks helps you detect and prevent ransomware attacks faster. The more risks the attacker has to take, the better chance you have of catching them before they can deploy the ransomware.
Forcing attackers to take greater risks means they’ll make more noise on your networks, increasing the probability you’ll detect them sooner
Privileged Access Management (PAM) security controls provide effective tools that can make it much more difficult for attackers to steal passwords and abuse privileges. Password randomization, rotation, and ongoing management are also effective in limiting an attacker’s ability to explore your network and escalate privileges. Using a PAM solution forces attackers to take greater risks, increasing your ability to detect an intruder before they cause more damage.
Ransomware attacks are one of the most urgent threats to organizations today. As more ransoms are paid to restore data, cybercriminals are further incentivized to step up their efforts to compromise your networks. While companies are increasing their spending on cybersecurity solutions to mitigate ransomware and other attacks, it is essential they also protect all users as if they were privileged users.
By safeguarding privileged access with PAM solutions (to reduce or eliminate attacker dwell time) and implementing a robust incident response plan, organizations can minimize the risk from a ransomware threat that will only increase for the foreseeable future.