Ransomware Defense Resources for IT Security Pros


Introduction

One of the most dangerous threats faced by organizations and the average user every day is ransomware. Once it strikes it can spread like wild-fire and its potential impact is catastrophic.

In this article I will provide an overview of it, best-practices for defense, some suggestions for tools, and some resources for further reading.

Note, this site is vendor agnostic and avoids making any recommendations. Any vendors mentioned are simply examples and the reader should perform due diligence to understand their offerings.


Ransomware Explained

Ransomware is a specific style of malware that is designed for optimal damage by encrypting data on a system, and may have the ability to worm through a network and infect additional systems. It may even contain, or be deployed alongside, exfiltration capabilities to steal data.

The intention of the attacker is to control their victim's data, and demand payment for a decryption key, or for the data's return. It will often leave behind a note from the attacker with details on how to contact them, and the consequences of failing to contact them or meet their demands.

It is often deployed through successful phishing campaigns, but may also be caused by drive-by downloads. Its perpetrators are often advanced adversaries (aka APTs), and the deployment may be accompanied by methods for recon, persistence, exfiltration and Command and Control (C2 or CnC).

The best defense is to be prepared, and to implement layered controls for prevention, identification, response, and recovery.


Ransomware Defense

Basic Cyber Hygiene

Start with Basic Cyber Hygiene. Having a solid security foundation will help reduce the likelihood of accidental infection. Make sure staff are trained well to identify threats and avoid dangerous online behaviors.

Back that Data Up

Back up critical data and keep updated copies off the network, whether it is in the cloud, offline, or off-site. Make sure it is segregated in such a way that a ransomware infection cannot spread to it, and to the greatest extent possible ensure that corrupted data is not also backed up. Develop backup and restoration procedures. Run regular tests to validate the procedures and the integrity of the data. Ensure the backup system offers immutability - a write once, read many (WORM) state in which backup data cannot be modified or deleted once it is created.

Here are some options for immutable backup storage:

Nutanix
ACSense
Consilien
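As an added example (not code from the original article), a Python sketch of two of the backup checks described above: screening a backup set so files that look ransomware-encrypted are not copied over good copies, and verifying a SHA-256 manifest during a restore test. The file set, entropy threshold and function names are constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte: text sits around 4-5, ciphertext close to 8
PLAINTEXT_TYPES = {".txt", ".csv", ".log", ".sql", ".json"}  # types expected to be low entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """Heuristic: a file that should be plaintext but has ciphertext-like entropy."""
    ext = os.path.splitext(path)[1].lower()
    return ext in PLAINTEXT_TYPES and shannon_entropy(data) > ENTROPY_THRESHOLD


def build_manifest(files: dict) -> tuple:
    """Screen a backup set; return (path -> sha256 for accepted files, rejected paths)."""
    manifest, rejected = {}, []
    for path, data in files.items():
        if looks_encrypted(path, data):
            rejected.append(path)  # do not let a ransomed file overwrite a good copy
        else:
            manifest[path] = hashlib.sha256(data).hexdigest()
    return manifest, rejected


def verify_restore(manifest: dict, restored: dict) -> list:
    """Restore test: return paths that are missing or whose content no longer matches."""
    return [p for p, digest in manifest.items()
            if restored.get(p) is None or hashlib.sha256(restored[p]).hexdigest() != digest]


# Constructed sample backup set: two clean files and one whose contents have been
# replaced by random bytes, standing in for ransomware output.
SAMPLE = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n" * 20,
    "hr/policy.txt": b"All staff must complete training annually.\n" * 10,
    "finance/q4.csv": os.urandom(4096),
}

if __name__ == "__main__":
    manifest, rejected = build_manifest(SAMPLE)
    print("rejected before backup:", rejected)
    print("restore check (clean):", verify_restore(manifest, SAMPLE))
```

The entropy heuristic is a screen, not proof: naturally compressed formats (archives, images) are excluded via the extension set so they are not flagged as encrypted.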

Always Be Prepared

Develop, maintain and test an Incident Response Plan (IRP), Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). The IRP helps the organization respond to an outbreak, the BCP helps the organization continue to operate if the incident reaches disastrous levels, while the DRP helps the organization recover effectively.

Deploy Next-Gen Solutions

Deploy advanced tools designed to combat ransomware. A good Endpoint Detection and Response (EDR) system goes beyond traditional AV and will not only help to identify and stop an attack, but may also provide rollback options to return devices to a known good state prior to infection. It should also provide quick options for quarantining devices, which severs all network communication while maintaining only a connection between the EDR agent and its management system.

Acronis Cyber Protect Cloud
CrowdStrike Falcon
Microsoft Defender for Endpoint
SentinelOne Singularity Platform
Sophos Intercept X

Secure the Perimeters

Always take a defense in depth approach. Having well-trained staff and advanced AV systems should be complemented by strong outer and inner walls. Conduct regular assessments on any externally facing systems, such as network devices and web servers, to identify weaknesses. Keep any publicly accessible systems updated with the latest security patches, and utilize well-controlled segregation such as the deployment of a “DMZ”, VLANs, ACLs, and firewalls.


Ransomware Demands: To Pay, or Not to Pay?

In the event that data is unrecoverable, a decision might need to be made about whether or not to pay for decryption keys. Another situation might arise in which the adversary claims to have successfully obtained critical data and will demand ransom for its return, or else the data will be sold or disclosed. Here are some considerations.

Trends have indicated that payments have decreased, while attacks have increased. This could be due to a number of factors, such as better preparedness, lack of confidence in ransomware actors’ promises, global response efforts to disrupt ransomware activities, and the fact that most attacks simply are not reported.

Though companies are still paying, the general consensus is to hold out. That is also the official stance of the US government and its affiliated agencies. Every payment made is a win for the attacker, emboldening them and granting them additional funds to continue their efforts.

In the end, this is a business decision. However, there may be consequences to paying, beyond strengthening attackers. In some instances an organization may be in violation of US law if the ransomware actor is on a sanctions list.


Conclusion

The best forms of prevention are a well-trained staff, a hardened external footprint, and advanced EDR and backup tools with ransomware protection and response capabilities. Having these controls in place will reduce the likelihood of infection. However, prevention is not guaranteed, so it is important to have thoughtful and thoroughly tested plans in place for response and recovery.

With this information in hand, a defender should be fully prepared to protect themselves and their organization from one of the greatest dangers out there, and hopefully change this statement from a silly pun:

What happened to the attackers? They ransomware.

into a truthful statement:

What happened to the attackers? They ran somewhere.


Resources

#StopRansomware

  • https://www.cisa.gov/stopransomware/

  • https://www.cisa.gov/resources-tools/resources/stopransomware-guide

  • https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

  • https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3403814/stopransomware-guide-released-by-nsa-and-partners/

  • https://StopRansomware.gov

Federal Bureau of Investigation (FBI) - Ransomware Resources

  • https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/ransomware

Checkpoint - Complete Ransomware Protection Across All Attack Surfaces

  • https://www.checkpoint.com/resources/white-paper-9e9b/white-paper--complete-ransomware-protection-across-all-attack-surfaces

DXC Technologies - Ransomware Survival and Defense Guides

  • https://dxc.com/us/en/insights/perspectives/paper/ransomware-survival-guide-recover-from-an-attack

  • https://dxc.com/us/en/insights/perspectives/paper/ransomware-defense-guide-prepare-for-an-attack

Egnyte - The Ultimate Guide to Ransomware

  • https://www.egnyte.com/sites/default/files/2021-01/Egnyte_Ransomeware_White%20Paper_Ultimate_Guide_1.pdf

Federal Trade Commission (FTC) - Ransomware Guidance

  • https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/ransomware

IBM - What is Ransomware?

  • https://www.ibm.com/think/topics/ransomware

National Association of State Credit Union Supervisors (NASCUS) - Ransomware Guidance and Resources

  • https://www.nascus.org/regulatory-resources/ransomware-guidance-and-resources

National Cyber Security Center UK - Mitigating Malware and Ransomware Attacks

  • https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

Zone Alarm - Ransomware: A Comprehensive Guide to History, Types, and Statistics

  • https://www.zonealarm.com/resources/complete-list-of-ransomware


Daily Cuppa

Today’s cup of tea is a refreshing Organic Earl Grey provided by Equal Exchange. It’s a delicious burst of bergamot in a mug.


If you found this article interesting, or enjoy the site in general, you can buy the author a cup of tea to show support. The author is also available for employment.

