Imagine being in the middle of compiling an important work report when you suddenly lose access to all your files. Or perhaps an error message appears asking you to send bitcoin to decrypt your computer. The scenarios are endless, but one thing all Ransomware attacks have in common is that the attackers always provide instructions on how to get your files back: you can eventually have them back, but of course only after paying a hefty “ransom” upfront. Our ‘Ultimate Guide To Ransomware’ explains what ransomware is, the different types of ransomware, available solutions, and the best ways to avoid and recover from an attack.
What is Ransomware?
Ransomware is a malicious attack that leaves your data locked or encrypted by an anonymous cybercriminal, who demands payment as the only way to regain access.
So let’s now move on to the next part of our Guide to Ransomware: ‘How Ransomware Works’.
How Does Ransomware Work?
Certain activities lead up to a Ransomware attack. There are two main types of malicious tactics involved, known as Social Engineering and Lateral Movement.
In the realm of cybersecurity, Social Engineering is the act of using deceptive tactics to manipulate and convince someone to divulge personal information. In short, by pretending to be someone else, a threat actor can convince victims to grant access they would normally not have. These attacks are mainly carried out via phishing scams or email spoofing, where the email headers are forged to fool the recipient into believing the email comes from a legitimate source.
Lateral Movement is the next step for a cybercriminal after a successful Social Engineering attempt. For example, once the victim opens the spoofed email and carries out the requested actions (providing personal information, downloading attachments, etc.), the sender moves on to taking over the victim’s computer by spreading malicious code through the victim’s computer or network.
In most cases, the ransom demanded for decrypting your data is in a hard-to-trace form such as bitcoin or gift cards, as digital currency is largely untraceable. Consequently, most well-crafted Ransomware attacks by stateless threat actors leave the victims little to no choice: either they lose their data, or they pay for it.
Now, let us look at some Ransomware incidents that made big news recently.
Recent Ransomware Incidents in the News
In one of the most recent Ransomware attacks, last month the University of Utah became the unfortunate target of cybercriminals and ended up paying almost $500,000 in ransom. The payment was made to protect student and employee privacy and data. The attack had rendered the university’s servers inaccessible, and the issue was finally resolved by a hefty Bitcoin payment of $457,059 to the hackers, who then provided the code to unlock the data servers.
According to the latest statistics report from the Office of the Australian Information Commissioner (OAIC), Australia is also seeing a spike in Ransomware attacks, and they have been one of the top causes of data breaches so far in 2020.
As bleak as it sounds, the good news is that averting most of these attacks is possible.
The following section of our Guide To Ransomware outlines some proactive measures you can take.
Best Ways to Prevent Ransomware Attacks
Here are the best ways to mitigate ransomware attacks:
Provide Security Awareness and Training
All ransomware incidents are unknowingly initiated by human behavior, so implementing security awareness training should come first and foremost. This training is imperative as it teaches users to distinguish genuine threats from legitimate content. It also teaches them how to look for threats within emails and which security best practices to follow. For starters, train all users not to click anything in their emails unless it has been verified, and to keep their communications secure by applying the latest security updates.
Employ Scanning Tools for Ransomware
There are specific tools available on both paid and open source platforms that continuously scan your network for anything that resembles Ransomware. Most red flags are behavioral activities of a user, such as renaming files, deleting files, or accessing data that user does not normally access. These tools detect patterns of unusual behavior and trigger alerts that need investigation and then remediation.
McAfee provides top-of-the-line scanning tools and a Ransomware file decryptor for certain listed Ransomware families. Cisco Cognitive Threat Analytics performs User Behavior Analytics (UBA) that identifies abnormal behavior resulting from cyberattacks. Their software extracts metadata from an enterprise’s IT infrastructure and uses this information to map relationships among employees, data objects, content, and usage.
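The behavioral red flags described above (a user suddenly renaming or deleting many files) can be turned into a simple detection rule. The following Python example is added here and is not from the original guide or any vendor product; it runs two rules over a constructed file-server audit log: a burst of rename/delete operations within a short window, and many files renamed to one extension they did not have before.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server audit log (not from the original page).
# Format: timestamp|user|action|path ; a rename is logged as "old->new".
SAMPLE_LOG = """\
2020-09-01T09:01:10|bob|read|/shares/hr/policy.docx
2020-09-01T09:02:00|bob|rename|/shares/hr/policy.docx->/shares/hr/policy.docx.locked
2020-09-01T09:02:01|bob|rename|/shares/hr/payroll.xlsx->/shares/hr/payroll.xlsx.locked
2020-09-01T09:02:01|bob|rename|/shares/hr/contracts.pdf->/shares/hr/contracts.pdf.locked
2020-09-01T09:02:02|bob|rename|/shares/finance/q3.xlsx->/shares/finance/q3.xlsx.locked
2020-09-01T09:02:02|bob|delete|/shares/hr/backup.zip
2020-09-01T09:02:03|bob|write|/shares/hr/README_DECRYPT.txt
2020-09-01T09:30:00|alice|rename|/shares/finance/draft.docx->/shares/finance/final.docx
"""

def parse_log(text):
    """Parse 'ts|user|action|path' lines into (datetime, user, action, path) tuples sorted by time."""
    rows = (line.split("|", 3) for line in text.strip().splitlines())
    return sorted((datetime.fromisoformat(ts), u, a, p) for ts, u, a, p in rows)

def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(events, window=timedelta(seconds=60), burst=5, same_ext=3):
    """Return {user: reason} for users whose file activity matches either rule."""
    alerts, by_user = {}, defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        destructive = [e for e in evs if e[2] in ("rename", "delete")]
        # Rule 1: a burst of rename/delete operations inside one sliding window
        for i, first in enumerate(destructive):
            n = sum(1 for e in destructive[i:] if e[0] - first[0] <= window)
            if n >= burst:
                alerts[user] = f"{n} rename/delete ops within {int(window.total_seconds())}s"
                break
        # Rule 2: many files renamed to one extension they did not have before
        new_exts = Counter()
        for e in destructive:
            if e[2] == "rename" and "->" in e[3]:
                old, new = e[3].split("->", 1)
                if extension(old) != extension(new):
                    new_exts[extension(new)] += 1
        for ext, n in new_exts.items():
            if n >= same_ext:
                alerts.setdefault(user, f"{n} files renamed to '.{ext}'")
    return alerts
```

On the sample log, `detect(parse_log(SAMPLE_LOG))` flags only bob; alice's single rename keeps its extension and stays under both thresholds. The thresholds are assumptions and should be tuned against each user's normal baseline before alerts are acted on.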
Employ Robust Endpoint Anti-Virus Security
Implementing a robust endpoint security system is crucial to mitigating these attacks. Certain antivirus engines can detect malware and prevent it from being downloaded. In addition, these tools can provide visibility of compromised devices and even send alert notifications when a user stumbles onto a risky website. However, ransomware attacks are getting more complex as cybercriminals come up with innovative ways to get around the system. Therefore, more stringent security protocols need to be in place in conjunction with strong antivirus solutions.
- McAfee, an industry-leading antivirus vendor, provides both business threat detection and protection from hackers and cyber-attacks, including ransomware.
- Fortinet provides cybersecurity, threat protection, and endpoint management solutions.
- Sophos Endpoint Detection and Response (EDR) uses synapse to correlate network, email, web, and endpoint event data to protect endpoints. As incidents are detected, they are correlated with other incidents discovered on your network to show overall attack patterns and prioritize the most significant threats.
Users of Microsoft Office products like Word and Excel often use macros to automate repetitive tasks such as formatting spreadsheets. However, it is best to keep macros disabled, as many threat actors use them to run malicious scripts.
In 2015, cybercriminals carried out a macro-based malware attack known as Dridex P2P Malware, netting more than $40 million from victims in both the U.S. and U.K. The cybercriminals used phishing emails to fool recipients into opening a Word file that contained a macro. Whenever a recipient allowed the macro to run, malicious code was downloaded. This code created HTML fields that asked for personal information, so every time the recipients logged into their bank accounts, the cybercriminals were harvesting their credentials and stealing their money.
Email Security, Inside and Outside the Gateway
Email is the channel most exposed to Ransomware, so it is imperative to ramp up email security. Secure email gateways filter all email communications and add URL defenses and attachment sandboxing. As a result, threats are detected proactively and prevented from being delivered. While preventing phishing emails is the priority, post-delivery protection is also important. Various technologies are available that display warning banners within emails to alert end-users so they can avoid opening them.
Sophos, a leading cybersecurity solution provider, offers various email security and advanced threat protection options.
Employ Web Filtering and Isolation Technologies
DNS web filtering solutions are very helpful in preventing malicious attacks, as they stop users from visiting risky websites and downloading suspicious files. This greatly reduces the number of instances in which Ransomware and trojans are downloaded.
Cisco provides a cloud-based DNS filtering tool that blocks threats at the domain level and provides detailed on-demand reports on threats and risk assessments.
Create a Data Backup and Recovery Plan
Without a backup strategy, you risk losing all your data in the event of a compromise. All companies should have a disaster recovery plan. Backing up data in multiple locations is important, and the backups should be easy to restore when the need arises. It is also very important to invest in a cloud backup and recovery service to remediate ransomware attacks.
All the above-mentioned measures help in mitigating Ransomware. However, this should be a two-pronged strategy: investing in robust tools and monitoring that trigger alerts for these types of attacks, along with training end-users so they can easily spot them.
Now that we have investigated the different types of Ransomware attacks and learned how to mitigate them, our Guide to Ransomware talks through business and compliance standards.
The Business and Compliance Aspects of Ransomware
The International Organization for Standardization (ISO) publishes and recommends a standard known as ISO27001 for managing information security. Like other ISO management standards, certification is not obligatory. Many organizations choose only to implement the security controls set forth by the standard to benefit from its best practices, while others also choose to get certified to gain customers’ trust. Incorporating ISO27001 partly means carrying out risk assessments. These assessments identify the gaps in the organization that attackers can use to their benefit to carry out Ransomware attacks. If done correctly, preventing these malicious attacks becomes easier.
Now let us peek into the eight essential strategies that the Australian Cyber Security Centre has set forth to assist with these types of malicious attacks.
Essential Eight Strategies to Mitigate Attacks
Per the ACSC (Australian Cyber Security Centre) website, “Strategies to Mitigate Cyber Security Incidents is a prioritized list of mitigation strategies to assist organizations in protecting their systems against a range of adversaries. An organisation can customise the mitigation strategies based on their risk profile and the adversaries they are most concerned about.”
Preventing cyber-attacks is a multi-faceted process that requires coupling together different strategies to mitigate risk. However, it is strongly recommended that organizations implement eight essential prevention strategies, popularly known as the Essential Eight. If implemented proactively, these strategies can prove very cost-effective, as they aid in preventing large-scale cybersecurity incidents.
The eight strategies and what they entail are listed below. Please note that they are broken down into three sub-classifications:
Strategies to Prevent Malware Delivery and Execution:
Application Whitelisting is a proactive threat mitigation technique that allows only pre-authorized programs or software to run, blocking all others by default. Additionally, it helps identify unauthorized attempts to execute malicious code and aids in preventing unauthorized installations.
Any security flaw discovered in an application should be patched quickly to prevent manipulation and abuse by hackers. It is recommended that patches be applied promptly according to the severity of the flaw, within the following time-frames:
- Extreme risk: 48 hours
- High risk: two weeks
- Moderate or low risk: one month
Configure Microsoft Office Macro Settings
As mentioned in the previous section, macros automate routine tasks but, once enabled, can be an easy vehicle for carrying malicious code into a system or computer. As such, the best approach is to keep them disabled if possible, or to have them assessed and reviewed before using them.
User Application Hardening
Application Hardening is a way of shielding your applications and applying extra levels of security to protect them from exploitation and theft. As a result, applying application hardening to workstations reduces the chances of Ransomware attacks. Java applications are prone to security vulnerabilities, and threat actors can use them to gain access. As such, it is important to safeguard your network and devices by employing this methodology at the application level.
Strategies to Limit the Extent of Cyber-Security Incidents:
Restrict Administrative Privileges
Administrative privileges should be handed over with great care. The admin account has access to everything, including changing configurations, applying updates, installing patches, and bypassing critical security settings. Therefore, putting stringent authentication policies in place and following the Principle of Least Privilege (PoLP) when granting any type of access is an important step towards ransomware prevention.
Just like patching applications, computers, and networks, operating systems with “extreme risk” vulnerabilities should be patched within 48 hours. Always run the latest version of an operating system and, above all, avoid unsupported versions.
In short, Multi-Factor Authentication (MFA) adds an extra layer of security, as it requires more than one proof of identity, such as a password plus an authorized device, to log in to remote access solutions like online banking or to perform any other privileged actions involving sensitive information. The ACSC recommends implementing MFA for all users of remote access solutions.
Strategies to Recover Data and System Availability:
As mentioned previously, data backups are an integral part of a disaster recovery plan. In the event of a data breach or a Ransomware attack, you can recover and access your backed-up data. You can always get your original data back by restoring a successful backup, with no need to decrypt what the hackers encrypted.
In conclusion, as set out in our Ultimate Guide To Ransomware, when it comes to ransomware and malicious attacks, no amount of prevention and mitigation is enough. The increasing prevalence of cybercrime is pushing organizations to re-think their security strategies. The ISO27001 and Essential Eight strategies provide a great outline and guidance for mitigating cyber-attacks.
While simple in concept, Ransomware is relentless and damaging. However, with due diligence and security best practices in place, you can pre-emptively protect your data and stop these malicious attacks in their tracks.
DC Encompass provides a wide range of cyber security and compliance solutions for organisations. We partner with some of the biggest hardware and software names in cyber security, including Fortinet, McAfee, Qualys and Sophos. To find out more about how our cyber security services can help you and what we offer, click here.