The world of technology as we’ve known it is being pushed to its limits by a threat like no other. The current threat landscape has evolved in such a way that hackers can hold an entire business hostage without ever setting foot inside the company walls or even on US soil. The early days of ransomware attacks with ransoms ranging from $1,000-$2,500 are gone. We are now dealing with Bitcoin and Dash payouts in the hundreds of thousands. The cybercriminals of today are no longer lone, highly skilled hackers; they are communities with publicly available sites that teach would-be hackers methods to execute a breach and even give them the tools to carry out these attacks fully. These networks and websites have evolved to the point where they provide the blueprints to conduct a breach and will even facilitate the ransom payouts for a percentage of the proceeds.
We are dealing with very sophisticated organizations that bear an eerie resemblance to terrorist organizations; some even speculate that some ransom payouts could actually be funding terrorist cells. In the past 15 years, we have seen attack methods evolve from the likes of Archievus and GPCoder, which targeted specific files on user computers, to Sodinokibi, which goes as far as targeting MSPs and the PopCash ad network as a means to compromise users. Once attackers exploit identified vulnerabilities or abuse stolen credentials to gain access to systems, they move around networks laying the groundwork for their ransomware to encrypt as many assets as possible for maximum impact.
Experts predict that 2019 will be a record-setting year for ransomware attacks and it's critical for us all to be prepared. The latest statistics are daunting:
The biggest challenge in front of us all is getting people to take these threats seriously well before it happens to them.
1. Apply security patches when they are released.
Security patches are typically something we acknowledge and then wait for others to apply, so that we avoid being the ones stuck working out any kinks the patches introduce. This approach is something we should all eliminate from our thinking. Security patch releases are a significant source of intel for hackers on how to compromise those who have not yet applied them. Hacker communities decompile security patches to identify what holes the patches cover. Once they identify these gaps, they create malware to target them on systems where the patches have yet to be applied.
2. Secure your users and user devices.
With users still being the most prominent target for attackers, taking steps to educate and secure them is critical to your defense. We can no longer view user security as an annual or semi-annual checkbox for compliance. It’s essential that user security training transitions to ongoing educational platforms that run simulated attacks against users to show businesses where their weaknesses are. The old interactive video simulations that made us all “Human Firewalls” are not enough to truly educate employees.
User protection should not stop with education or traditional desktop antivirus. Making the right investments in endpoint security to stop the malware at the point of entry is critical. Products like Cisco’s AMP and Palo Alto’s Traps take on detection and prevention in a way that focuses on IOCs, real-time AI, and retrospection.
With the explosion of cloud, BYOD, and IoT, the complexity of managing security access is becoming daunting. There is hope: with the introduction of products like Cisco SDA and its seamless integration with ISE, we can now easily deploy fully dynamic access policies at the user level that allow you to be as granular as you wish before admitting users and devices to the network. We can also globally apply east/west IP-based policies in minutes, not days, based on Windows AD group memberships.
3. Traditional backup techniques may not save you.
Traditional backup and business continuity techniques are still very relevant, but recovering from a ransomware attack can push them to their limits. Backup strategies must now take full site restores into consideration, and traditional methods can take days to restore that amount of data. Incorporating snapshot-capable backup products will significantly speed up recovery times when the restore covers a majority of your environment. Rubrik is an excellent example of a product suite that covers everything from on-prem to cloud. They’ve even taken ransomware attacks into consideration, with immutable backups built into the platform preventing ransomware from ever reaching your backups. Encrypting, and even deleting, backup files is a widespread technique in ransomware attacks.
4. Cyber Insurance could help you survive a breach.
Finally, with cyber insurance rates still very reasonable, cyber insurance could be your best bet for an expedient ransom payout should you need one. If you feel you may be lacking in some of the areas covered and you don’t have cyber coverage as part of your insurance policy, you may want to look into adding it sooner rather than later.
1. Impact assessment: How deep does this rabbit hole go? It’s critical to determine how far the breach has reached while making sure it doesn’t spread any further. Take systems offline to prevent further infection and determine which systems are impacted.
2. Take Inventory: What do you have? Backups, snapshots, capacity for restores? Do you know all of the devices attached to the network? What is the recovery priority of the systems?
3. Isolation: Isolate each system and remove the malware. For systems which haven’t been impacted, you may be best served by keeping them offline until the recovery is complete.
4. Over-communicate to Leadership: Take a moment to set expectations – this could be a while. Recovery is a lengthy and tedious process which requires careful execution. See what help you can get; if you have a Cyber Insurance policy, contact the provider.
5. Forensics: Try to preserve everything possible in order to find the entry point.
6. Document your recovery: Keep track of progress during your recovery. It’s easy to get lost in the moment with so many individual activities happening in parallel.
This topic may feel overwhelming to some, but don’t allow that to discourage you from taking the necessary steps to prevent this from happening to you. You are not alone. At R2, we have helped numerous clients recover from ransomware attacks and have put preventative plans in place for many others.
There are resources available to the public to educate you about the complexities of ransomware attacks. The best defense against cybercrime is prevention. Below is a directory of well-known resources that can further your education on ransomware statistics.
Many more resources exist. Adopt a mindset that ransomware is a lifelong learning pursuit. It is always changing, and the stakes continue to increase. It is safe to assume that ransomware will be around as long as the Internet is.