With phishing sites growing 640% in 2019, 65% of ransomware delivered via phishing and 90% of corporate data breaches caused by human error, the ransomware threat hangs over every IT professional. The average cost of a breach ranges from $5.11 million for large organizations to $2.65 million for smaller ones. The 2020 global cost to victims of ransomware was estimated at $20 billion.
Ransomware is a specific type of malware that encrypts a system's files and withholds the decryption key until the victim pays. This effectively halts productivity and cuts directly into business revenue. IT professionals can nonetheless take decisive action to reduce both the likelihood and the impact of an attack.
Here are steps you can take to protect your enterprise against ransomware, limit the impact of a breach, understand where an attack can be stopped, and act fast if a hacker succeeds in gaining access.
Step 1: Protect the Enterprise
Develop a ransomware plan so you will be prepared to respond rapidly. Follow best practices such as strong vulnerability management and patching policies, regular system backups, multifactor authentication (MFA), and restriction of local administrator rights and privileges. Encourage, train, and periodically retrain users to never click on links or open attachments in unsolicited emails; back up data on a regular basis, keep it on a separate device and store it offline; and follow safe practices when browsing the internet, including Good Security Habits.
It is also important to employ security tools that provide link filtering, domain name system (DNS) blocking/filtering, malware detection, and intrusion detection and prevention. Adopt zero trust/least privilege to restrict users' ability to install and run software, and apply the principle of least privilege to all systems and services. Update software and operating systems with the latest patches: unpatched applications and operating systems remain a favorite target, because a known vulnerability can be hit with an off-the-shelf exploit.
Lastly, arrange for rapid access to replacement servers or endpoints in case the malware tampers with system firmware (BIOS/UEFI) or boot records, which a restore from backup alone will not fix. And consider anti-encryption technologies such as endpoint detection and response (EDR) and anti-ransomware solutions, which watch for mass-encryption behavior (one process rapidly rewriting many files with high-entropy content or new extensions) and kill or isolate the offending process.
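The behavioral rule behind the "restrict a system's ability to encrypt locally" controls mentioned above, as an added example that is not code from the original article or from any vendor's product: a process is flagged when it writes high-entropy data (or ransomware-style extensions) to many distinct files inside a short sliding window. The thresholds, the extension list, and the event stream are assumptions constructed for the demo; real products tune these against telemetry and add canary files and process lineage.

```python
import hashlib
import math
import os
from collections import defaultdict, deque

# Illustrative extensions only; real anti-ransomware tools keep much larger, updated lists.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit around 4-6, ciphertext and archives near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class EncryptionBehaviorDetector:
    """Flag a process that rewrites many distinct files with high-entropy content in a window.

    Thresholds are assumptions for this demo, not a vendor's tuning.
    """

    def __init__(self, window_s=10.0, min_files=20, entropy_threshold=7.5):
        self.window_s = window_s
        self.min_files = min_files
        self.entropy_threshold = entropy_threshold
        self._writes = defaultdict(deque)  # pid -> deque of (timestamp, path)

    def observe(self, ts: float, pid: int, path: str, data: bytes) -> bool:
        """Record one file write; return True when `pid` crosses the threshold."""
        ext = os.path.splitext(path)[1].lower()
        suspicious = ext in RANSOM_EXTENSIONS or shannon_entropy(data) >= self.entropy_threshold
        if not suspicious:
            return False
        q = self._writes[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window_s:  # evict writes outside the sliding window
            q.popleft()
        return len({p for _, p in q}) >= self.min_files


def fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file contents (constructed)."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:size]


def simulate() -> tuple:
    """Replay a constructed event stream: a benign editor and a ransomware-like process.

    Returns (benign_ever_flagged, file_count_at_which_ransomware_was_flagged).
    """
    det = EncryptionBehaviorDetector()
    benign_flagged = False
    for i in range(30):  # editor saving plaintext documents every 0.2 s
        doc = b"quarterly report text " * 200
        benign_flagged |= det.observe(i * 0.2, 1001, f"/home/u/doc{i}.txt", doc)
    flagged_at = None
    for i in range(25):  # one process rewriting many files with ciphertext, same cadence
        hit = det.observe(i * 0.2, 2002, f"/home/u/doc{i}.txt", fake_ciphertext(i))
        if hit and flagged_at is None:
            flagged_at = i + 1
    return benign_flagged, flagged_at


if __name__ == "__main__":
    print(simulate())  # expected: (False, 20)
```

The detector fires on the twentieth ciphertext write and never on the editor, which is the trade-off every such rule makes: set `min_files` too low and legitimate archivers and full-disk encryption tools get killed, too high and twenty files are already lost before the block lands.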
Step 2: Minimize the Impact
Take action to minimize the impact of a breach. This is critical because any system can be breached if bad actors have sufficient time and resources to carry out their objectives. At a minimum, maintain backups that the attacker cannot reach (offline or immutable copies), and conduct periodic exercises that actually restore files from them, since a backup that has never been restored is an assumption rather than a recovery plan.
Security leaders should also establish a solid incident response (IR) program, and practice it periodically. Review your IR policies, engage in tabletop exercises, and use operational benchmarking to improve your ability to respond.
Lastly, implement microsegmentation and dynamic isolation. Microsegmentation partitions the network to prevent attacks from spreading east-west, significantly reducing the damage that can be done to your environment. Dynamic isolation, by contrast, lets you cut off a device or user at the first sign of compromise. For example, if a system begins scanning the environment, the device can be isolated immediately until the situation can be reviewed.
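The scanning trigger for dynamic isolation, as an added example that is not from the original article or any particular NAC/EDR product: a sliding-window count of distinct destination hosts per source over firewall or flow logs, which hands back the sources to quarantine. The log line format, the thresholds, and the traffic are constructed for the demo. The `allowlist` is the caveat a practitioner needs: an authorized vulnerability scanner does exactly what this rule looks for, and without an exemption the control would quarantine your own tooling.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow-log format (not a specific vendor's): one connection attempt per line.
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def scanners_to_isolate(lines, window=timedelta(seconds=60), host_threshold=10, allowlist=()):
    """Sliding-window detector: a source that touches >= host_threshold distinct hosts
    within `window` is flagged. Returns {src: timestamp_of_first_detection}.

    `allowlist` holds sources that legitimately sweep the network (vulnerability
    scanners, monitoring); without it the detector quarantines your own tooling.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    flagged = {}
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue  # malformed lines are skipped, not fatal
        ts, src, dst, _dport = parsed
        if src in allowlist or src in flagged:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({d for _, d in q}) >= host_threshold:
            flagged[src] = ts
    return flagged


def sample_flows():
    """Constructed traffic: one workstation sweeping SMB across a subnet, one behaving
    normally, and one authorized vulnerability scanner doing the same sweep."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(12):  # 10.0.1.5 and the scanner 10.0.9.9 each probe 12 hosts on tcp/445
        t = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} src=10.0.1.5 dst=10.0.2.{i + 1} dport=445 proto=tcp")
        lines.append(f"{t} src=10.0.9.9 dst=10.0.2.{i + 1} dport=445 proto=tcp")
    for i in range(30):  # 10.0.1.7 talks to the same three servers repeatedly
        t = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} src=10.0.1.7 dst=10.0.3.{i % 3 + 1} dport=443 proto=tcp")
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    print(scanners_to_isolate(sample_flows(), allowlist={"10.0.9.9"}))
    # expected: {'10.0.1.5': datetime.datetime(2024, 5, 1, 10, 0, 9)}
```

In production the returned map feeds the quarantine action (a NAC policy change, a switch port shut, or an EDR host-isolation call); keeping the decision separate from the action makes the rule easy to replay against historical logs to tune the threshold before it is allowed to block.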
Step 3: Break the Cyber Kill Chain
To better understand how to protect your enterprise, consider the Cyber Kill Chain, which outlines the steps a threat actor will take to infect a host and spread malware.
Attackers usually start with reconnaissance. Based on that information, they select the appropriate vehicle to weaponize with malware. Reconnaissance can also involve an attacker with access to the environment who is running network scanning and other tools to build an asset/vulnerability inventory. With this inventory, it is much easier to launch a pre-configured exploit against known vulnerabilities.
The attacker then decides how to distribute the payload. This is often done through phishing, spear phishing, or whaling emails because people are susceptible to deception. The attacker will send a user a cleverly crafted email with a link to click or a weaponized document to open.
You can break the Cyber Kill Chain with:
- Link filtering
- DNS blocking/filtering
- Malware detection
- Blocking known malicious sender addresses and domains, updated from observed malicious behavior
Once attackers penetrate the target, they don’t necessarily release the malware promptly. Instead, they dwell there to maximize their impact, roaming the network undetected, corrupting additional devices and discovering and perhaps exfiltrating data.
You can break the Cyber Kill Chain at the delivery and dwell stages by:
- Educating users about phishing and other forms of social engineering
- Providing a simple and effective process for employees to report suspicious emails
- Using intrusion detection systems (IDS) and intrusion prevention systems (IPS), including EDR and anti-ransomware solutions
Once the user downloads the malicious file and it is executed, the attacker gains control and takes action to achieve their objectives.
You can break the Cyber Kill Chain in these cases by isolating the machine through:
- Sandboxing
- Network-based isolation/microsegmentation
- Host-based isolation, e.g., EDR
- Physically unplugging affected devices
Step 4: Respond to an Attack
Hackers are increasingly sophisticated, so it is likely that a ransomware attack will breach your system(s) at some point. When that occurs, do the following to minimize the impact and recover your data.
Execute your ransomware plan. This will expedite your recovery from an attack, minimizing downtime. This plan should determine your company's policy on paying a ransom. Experts recommend against paying: there is no guarantee that you will get your data back after paying; if the recipient is a sanctioned entity, the payment may violate U.S. sanctions law, and the U.S. Treasury's Office of Foreign Assets Control (OFAC) has issued an advisory warning that facilitating such payments can bring severe civil penalties; and paying only encourages more ransomware demands.
Identify the nature of the attack. By spending a few minutes figuring out what has happened, you can learn important information such as what variant of ransomware infected your network, what files it normally encrypts, and what options you have for decryption.
Then, isolate infected devices. Ensure that the infected devices are removed from the network. If they have a physical network connection, unplug it. If they are on a wireless network, turn off the wireless access point/router. Unplug any directly attached storage to try to save the data on those devices. Prefer cutting the network over powering the device off: memory may still hold the encryption key and other evidence, and a memory image can only be captured while the machine is running.
Now, recover and restore. In general, the easiest and safest method of recovery is to wipe the infected systems and rebuild them from a known good image. Once rebuilt, ensure that no traces remain of the ransomware that led to the encryption. Determine whether the malware tampered with firmware or boot records on your current systems; if so, deploy your plan for accessing replacement servers or endpoints. Immediately reset the credentials of impacted users and of any privileged accounts the attacker could have used while dwelling in the network. Finally, once the ransomware has been remediated, restore the last known good backup, verifying first that it predates the intrusion and has not itself been altered, since attackers routinely dwell for days before encrypting and target backups as they go.
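One way to make "known good backup" a checkable property rather than a hope, as an added example that is not from the original article or any backup product: hash every file at backup time, sign the listing with an HMAC whose key is kept offline, and verify the copy before restoring. Because an attacker who can rewrite backup files can usually rewrite a plain hash list too, the signature is what lets the check distinguish a clean copy from one the intruder re-hashed to cover modified files. The directory layout, key, and tampering scenario are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

# The manifest key is assumed to live offline (sealed envelope, HSM, or an air-gapped host):
# an attacker who can alter backup files must not be able to re-sign the manifest.


def _relative_files(root: str):
    """Yield (posix_relative_path, absolute_path) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def _canonical(entries: dict) -> bytes:
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under `root` and sign the sorted listing with HMAC-SHA256."""
    entries = {}
    for rel, full in _relative_files(root):
        with open(full, "rb") as f:
            entries[rel] = hashlib.sha256(f.read()).hexdigest()
    return {"files": entries, "mac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify_backup(root: str, manifest: dict, key: bytes):
    """Return (ok, problems). The signature is checked first so a forged manifest cannot
    vouch for tampered data; then every listed file must match and no extra files may exist."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest signature invalid"]
    present = {}
    for rel, full in _relative_files(root):
        with open(full, "rb") as f:
            present[rel] = hashlib.sha256(f.read()).hexdigest()
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")  # deleted or renamed (e.g. new extension)
        elif present[rel] != digest:
            problems.append(f"modified: {rel}")  # overwritten, e.g. encrypted in place
    for rel in present:
        if rel not in manifest["files"]:
            problems.append(f"unexpected: {rel}")  # dropped binaries, ransom notes, renames
    return not problems, sorted(problems)


def demo():
    """Constructed scenario: sign a clean backup, then damage the copy the way ransomware
    would (overwrite one file, rename another) and also try an attacker-rewritten manifest."""
    key = b"offline-manifest-key"  # placeholder for the demo; generate a random key in practice
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        with open(os.path.join(root, "finance", "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-05-01,100\n")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("known good backup\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        with open(os.path.join(root, "finance", "ledger.csv"), "wb") as f:
            f.write(os.urandom(64))  # "encrypted" in place
        os.rename(os.path.join(root, "readme.txt"), os.path.join(root, "readme.txt.locked"))
        tampered = verify_backup(root, manifest, key)

        # Attacker re-hashes the damaged files but has no key, so the old MAC no longer matches.
        rehashed = {"files": build_manifest(root, b"no-key")["files"], "mac": manifest["mac"]}
        forged = verify_backup(root, rehashed, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Run this as part of the periodic restore exercise, not only during an incident: a manifest that fails verification on a quiet Tuesday is the cheapest ransomware finding you will ever get.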
Once you recover from the ransomware, review any gaps or inefficiencies encountered and develop a plan to ameliorate them. After your environment is rebuilt, the real work begins. Do a full environmental review to determine how the infection began and what steps you need to take to reduce the potential of another breach.