By Monique Magalhaes
Ransomware continues to be a significant risk — it has become difficult to stop as it is an effective attack vector against most defenses. And it’s getting worse for businesses because ransomware is becoming more targeted and tends to use a combination of attack vectors. Ransomware uses vulnerabilities that are not patched in combination with malvertising, phishing, social engineering, and other targeted vectors.
It has become so sophisticated that the attackers even know what level of cyber-insurance the targeted company has and sometimes work with insiders to deliver the payloads. The Dark Web is even being used to purchase ransomware-as-a-service. Taking the above into account, attackers can now deploy a network of lucrative attacks without any programming knowledge.
Therefore, as attacks facilitated by ransomware continue to escalate, a combination of defense mechanisms should be considered to assist with reducing the risk.
Ransomware defense mechanisms
- Have a restorable offline backup
The most important and easiest way to ensure defenses against ransomware is through the availability of a restorable backup that can be utilized to restore from entirely. An obvious point that is often not taken very seriously is that a backup is only effective if it can be used to restore from. A backup is pointless if it can’t be used to restore from. Therefore, testing the backup frequently is essential.
Moreover, the backup should not be digitally reachable, meaning that it needs to be air-gapped from the digitally connected environment once the backup is made. Doing this ensures that it will not be reachable by insiders and outsiders, which safeguards the backup being modified at any time and ensures that it is only accessible when required. Unfortunately, far too often, when responding to incidents, backups have been deleted before the ransomware payload has been delivered through the attacker’s established remote access.
So, a priority ransomware defense should first and foremost ensure that a restorable, non-reachable backup is available and functional for when required. Once this has been achieved, other defense options can be considered for combined ransomware defense. Don’t fall into the trap, where at the time of an incident, the realization is made that the backup which was believed to be functional is not restorable or is vulnerable. A testing regime is key to ensuring that this does not happen.
- Ensure the endpoints and servers are isolated
If you have a flat network, which means that all machines can talk to each other, the likelihood is that lateral movement from machine to a device is possible. To limit the damage that this configuration could present, a “firebreak” should be created. A firebreak is a network segment that keeps each machine in a separate network. This network is controlled by a set of rules that determines the allowable travel of traffic. Thereby the lateral movement of traffic, not only users but also malware like ransomware, can be controlled.
This strategy works on many types of networks, including on local on-premises networks, home networks for remote workers, and cloud networks, and helps organizations detect malware and ransomware.
Wireless networks are particularly challenging to defend, and by using this technique, you’ll find that you have an effective way to manage the lateral movement within all of your networks.
- Scan your email
The majority of ransomware infections enter an organization through email vectors. Many businesses use Microsoft 365, but its email scanning is ineffective in stopping ransomware. Thus, many companies using Microsoft 365 still get infected and remain vulnerable to the attack. An improved solution that will limit the execution of any link emailed to the users is necessary to reduce the threat. Several systems are available to remove links from emails and only allow whitelisted links to obtain access. These types of systems also install an agent on the machine that can sandbox the links. When every link is potentially a compromise, and every attachment could deliver a payload, you might think this is an impossible mission, but there is hope. Presently, most ransomware can’t break out of the sandbox easily (yet) and can be detected and neutralized with the help of decent scanning products. Any mainstream technology is more ineffective as attackers looking to harm get access to them too. Solutions like Microsoft 365 are rudimentary and, at this time, if not used in conjunction with a defender or more advanced anti-malware, will leave organizations vulnerable. The technique of rewriting links and whitelisting the URLs users can visit and robust attachment scanning is an effective ransomware defense option.
- Clean your web traffic
When users receive a targeted email and click the link, they are directed to a web page that either downloads the malware or persuades the users to do the same. Allowing unvetted access to the whole internet is like allowing a child to run around a city alone at night. It’s best to guide the users by whitelisting the business-related sites and only allowing access to these sites once they have been vetted. If this is not possible, then a solution like HP Sure Click Enterprise is an excellent solution to consider. This solution creates a sandbox to click anything; the sandboxes are like a new laptop every time the machined is rebooted. It would be challenging for the ransomware to exit this sandbox, and using this is a good deterrent as long as easier targets exist, attackers will choose to target those. Therefore, ensure that you or your organization are not the easy targets!
- Admin accounts
In cybersecurity, it’s always a good idea to remove all admin privileges and use computers with the lowest privilege possible. This is one more barrier in the fight against ransomware and delays the activity and helps detect the incidents.
- Patch everything you can quickly
One of the most common ways for ransomware to spread is for a worm to exploit a vulnerability. Most of the worms are exploiting old vulnerabilities. Often, as a result of patches not being routinely deployed. As a result of attackers having development frameworks as good as commercial software companies, attackers can move quickly. Therefore, as soon as they identify a vulnerability, they can adapt their code to exploit the latest vulnerability at a pace. This was evident with the Hafnium Exchange Server hack.
Most companies are very slow at patching and take days, if not weeks, to patch. But by not patching, companies present hackers with a major attack route. The attackers are constantly sweeping to find a gap, and when they do, they get a foothold that they can use when they are ready to deliver the payload. Alternatively, they trade the access on the Dark Web for crypto or “sit on it” until they have identified the best way to compromise the target, with the target none the wiser.
Ransomware is a lucrative business
It’s estimated that ransomware is now a more than half-billion-dollar industry; it’s an easy option for the attackers and very lucrative for them. Through its growing success, larger groups are developing robust attack suites that people can subscribe to or are being sold as a service.
The rise of cryptocurrencies also makes it easier to get paid for the “work” and more challenging to trace (as a result, the attackers don’t often get caught). So, there are many professional attackers within the growing ransomware market.
The industry is creating a task force to fight this growing problem. However, it’s a bit like a game of “cat and mouse,” and unfortunately, organizations continue to fill the shoes of the mouse.
Monique Magalhaes covers compliance, regulations, and security for TechGenix. She is a DP executive and facilitator of data protection and information governance at Galaxkey, a company specializing in data protection and security solutions. Monique is a researcher, writer, and author focusing on technology and security.