Recent ransomware campaigns, such as REvil and Ryuk, have become “human-operated ransomware”, whereby the attack is controlled by an operator rather than spreading automatically. Such attacks often take advantage of well-known security weaknesses to gain access.
For example, a number of recent ransomware incidents are thought to have started with poorly configured or vulnerable remote desktop protocol (RDP) configurations or poor identity and access management (IAM) practices. Previously compromised credentials are also being used to gain access to systems. These can be obtained through initial access brokers or other dark web data dumps.
Once inside, the attacker will move around in the network, identify the valuable data, and assess the security controls used, often disabling endpoint protection tools and deleting backups. Then, when the data has been identified, it can be uploaded and later used for extortion (doxxing), and the ransomware will be launched to encrypt the data.
The median dwell time between the first evidence of malicious activity and the deployment of ransomware is five days. The goal is to maximise the likelihood of the ransom being paid, which often means the attack includes threats to make data public if the ransom isn’t paid quickly.
We know that bad actors are motivated by financial gains, and we are starting to see evidence where they are mining the exfiltrated data for additional sources of potential revenue.
For many years, the cyber security community has been saying it’s not a case of “if” you’ll be attacked, but “when”. That being the case, it is important to examine all these phases and make sure that adequate time and effort is allocated to preparing to defend against and prevent an incident, while also conducting the requisite detection, response and recovery activities.
IT security leaders should work under the assumption that a ransomware attack will be successful, and ensure that the organisation is prepared to detect it as early as possible and recover as quickly as possible. The ability to quickly detect and contain a ransomware attack will have the biggest impact on any outage or disruption that is caused. The first and most common question is: should the ransom be paid? Ultimately, this has to be a business decision.
It needs to be made at an executive or board level, with legal advice. Law enforcement agencies recommend not paying, because it encourages continued criminal activity. In some cases, paying the ransom could be seen as illegal, because it funds criminal activity. Regardless, the discussion needs to occur.
There are several examples of organisations that worked with law enforcement during a ransomware incident and made the decision to pay because it was the best option for their business. A recent survey found that 46% of companies ultimately pay the ransom.
Should payment be a consideration, it is important to establish a governance and legal process that includes the CEO, the board and key operational staff. It is not recommended for organisations to negotiate with the bad actors without guidance. This is typically done by a third-party negotiation service provider. In addition to being the primary negotiator, they also have the ability to facilitate payments and, in many cases, remove the requirement for the business to maintain cryptocurrency.
Backup and recovery
A good backup process and strategy is the primary line of defence for data recovery after ransomware. Ensure that the backup solution is resistant to ransomware attacks, and continuously monitor the status and integrity of backups. In particular, most backup suppliers provide a mechanism to create immutable secondary copies of backups or immutable snapshots.
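One concrete form of the "continuously monitor the status and integrity of backups" advice is to record a digest of every file at backup time and re-check the copy later, so that an altered, deleted or unexpected file stands out before a restore is attempted. The following is an added example, not code from the report or from any backup supplier; the manifest format, the file names and the tampering scenario are all constructed for illustration, and in practice the manifest itself would live on the immutable tier the paragraph describes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare the files now under root with the manifest captured at backup time.

    Returns four sorted lists: files whose digest still matches, files whose
    digest changed, files that are gone, and files that were not in the manifest.
    """
    current = build_manifest(root)
    return {
        "ok": sorted(f for f in manifest if current.get(f) == manifest[f]),
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "extra": sorted(f for f in current if f not in manifest),
    }


def demo():
    """Constructed scenario: take a manifest, then alter the copy and re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_bytes(b"quarterly figures\n")
        (root / "db.sql").write_bytes(b"CREATE TABLE t (x INT);\n")

        # Manifest captured when the backup was written (store this on immutable storage).
        manifest = build_manifest(root)

        # Hypothetical damage to the backup copy: one file rewritten, one removed,
        # one unexpected file added. Each case should be reported separately.
        (root / "docs" / "report.txt").write_bytes(b"garbage")
        (root / "db.sql").unlink()
        (root / "note.txt").write_bytes(b"unexpected file")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:>9}: {files}")
```

Any non-empty `modified` or `missing` list is a reason to fail the backup job and alert, not just to log; an `extra` file in a secondary copy is worth a look too, since nothing should write there outside the backup process.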
Recovery goes beyond restoring the data. Ransomware will effectively lock a machine with the ransomware note, and restoring machines to a known good state can be more complex than restoring the data. Having the tools and processes in place to restore endpoints to a golden image can speed up the recovery time.
Some organisations resort to USB devices for remote and overseas locations. Gartner occasionally sees clients not even attempt to clean or restore a machine. Instead, the ransomware event is seen as a reason to refresh hardware. Whatever the process, it should be regularly simulated to uncover deficiencies.
Security hygiene is critical to protect against “human-operated” ransomware, and a holistic view of the entire organisation is required. Constantly educate users on the types of attack being seen, with regular alerts and security “newsletters” to reinforce the education. Create a simple set of security messages that are repeated regularly. An alert user will not only be less likely to fall for social engineering, but they can also act as an early warning.
Ensure users are regularly trained on how to identify malicious emails, in particular. Provide an easy mechanism for reporting suspicious emails and reinforce it with confirmation that the user has done the right thing. Consider email-focused security orchestration, automation and response (SOAR) tools, such as M-SOAR, or extended detection and response (XDR) that encompasses email security. This will help you to automate and improve the response to email attacks.
Inevitably, ransomware may get past your defences and the protections put in place. Then it becomes a matter of how quickly you are able to detect the incident. Many of the tools described for protection will also provide the data and telemetry for detection.
In particular, endpoint detection and response (EDR) and network detection and response (NDR) tools collect indicators of compromise (IOCs) and events that alert you to anomalous behaviours that could indicate that an attack “may” be under way. EDR can also help identify “burrowing”, where the attack remains quiet while further compromised accounts and privileges are gathered.
Understanding, interpreting and investigating these IOCs and events tends to require a higher level of expertise. Increasingly, this is being purchased as part of an EDR solution or as a wider managed detection and response (MDR) solution. Using these services can be beneficial to organisations that don’t have the staff or skillsets to run their own security operations centres (SOCs). Protecting organisations against these attacks goes beyond endpoint protection and encompasses many different security tools and controls.
Once a ransomware attack has been detected, minimising the impact is essential. The most common technique is isolation. There are a variety of isolation techniques, and many EDR tools provide on-device isolation functionality to enable incident responders to isolate machines from the rest of the network while allowing remote access for remediation to be carried out.
Network-based isolation is more of a blunt instrument and requires banning suspected devices based on the hardware-level MAC address (hence the importance of mature asset management). This is applied to on-premises network switches, virtual private networks (VPNs), network access control (NAC) and the organisation’s Wi-Fi access points. Often, this becomes a process of frantically pulling out network cables. However, this can slow the recovery phase because it requires physical access to devices for remediation.
Secure email gateways (SEGs) and secure web gateways (SWGs) can provide added layers of protection. Technologies such as web isolation can also limit the impact. Gartner also recommends using penetration testing to find exposed and vulnerable RDP ports, to prevent lateral movement through the corporate network.
Security information and event management (SIEM) and NDR can help provide early detection. Deception tools can also be effective. This can be as simple as setting up fake admin accounts that are never actually used, so that if an attempt is made to use one of them, an alert can be sent. Other types of lure, such as deception platforms and honeypots, can also be deployed as part of a ransomware defence strategy. Monitoring tools can identify when encryption of storage is triggered or when there are significant data exfiltration events.
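The decoy-account idea above is simple enough to show end to end: because nobody is ever meant to log in with such an account, any logon event naming it, successful or not, is the alert. The following is an added example, not code from the report; the decoy account names, the syslog-style log format and the log lines are all constructed for illustration, and a real deployment would read the same events from the SIEM or the directory's audit log.

```python
import re
from dataclasses import dataclass

# Hypothetical decoy accounts: created in the directory with plausible names,
# never used by anyone, so any logon attempt against them is suspicious.
DECOY_ACCOUNTS = {"svc_backup_admin", "helpdesk_admin2"}

# Constructed sample authentication events (not real data). Note the failed
# attempt before the success: the first attempt is already the signal.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z host=fs01 event=logon user=alice src=10.0.4.21 result=success
2024-03-01T02:15:40Z host=fs01 event=logon user=svc_backup_admin src=10.0.9.77 result=failure
2024-03-01T02:15:43Z host=fs01 event=logon user=svc_backup_admin src=10.0.9.77 result=success
2024-03-01T02:16:02Z host=dc01 event=logon user=bob src=10.0.4.30 result=success
2024-03-01T02:17:30Z host=dc01 event=logoff user=alice src=10.0.4.21 result=success
2024-03-01T02:18:11Z host=dc01 event=logon user=helpdesk_admin2 src=10.0.9.77 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    result: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Raise one alert per logon event (success or failure) that names a decoy account."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "logon":
            continue
        if rec["user"] in decoys:
            alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"], rec["result"]))
    return alerts


def sources_to_isolate(alerts):
    """Group alerts by source address, giving responders the hosts to isolate first."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, []).append(a.user)
    return by_src


if __name__ == "__main__":
    found = find_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.ts} decoy account {a.user} used from {a.src} on {a.host} ({a.result})")
    print("isolate:", sources_to_isolate(found))
```

The check is deliberately independent of the result field: a failed attempt against a decoy shows that someone already has the account name, which is the early warning the paragraph is after, and grouping by source address turns the alerts straight into the isolation step described earlier.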
Ransomware is unlike any other security incident, in that it puts affected organisations on a countdown timer. Any delay in the decision-making process introduces additional risk. Gartner recommends that organisations develop a ransomware playbook. Guidance on making a “pay/no-pay” decision should be included. Third-party services such as ransomware negotiation companies also need to be identified and requisite contact information made available. Also, a timekeeper role is needed to track the remaining response time according to the ransomware demand.
This article is based on an excerpt from Gartner’s report “How to prepare for ransomware attacks”. Paul Furtado is a vice-president analyst at Gartner. Furtado spoke at the recent Gartner Symposium in Barcelona about preparing for the changes in ransomware attacks.