What is Ransomware, and How Do I Prevent It?

What is Ransomware?

Ransomware is a type of malware (Malicious Software) that aims to bypass network security protections, gain a foothold on endpoint devices or servers, discover and spread to other nodes on the network, then at some point encrypt the data on devices and servers so that the cybercriminals behind the attack can demand a ransom from the affected organization in exchange for a decryption tool. The encryption and ransom demand often comes after a period when the attacker has dwelled on the network. During that time before discovery, the attacker is likely copying data to be used for further attacks and sold on the dark web.

The ransom demands usually ask for Bitcoin, although increasingly other cryptocurrencies like Monero are requested as they make it harder for law enforcement to trace who received the payments. The discussion on whether an organization should pay the ransom if their systems are infected and encrypted is ongoing. There are passionate proponents for the arguments on either side. Paying the ransom is sometimes futile, as decryption can be slow and incomplete. Studies show 40% of organizations that pay a ransom never get a decryption tool that allows them to decrypt their data, and 73% of those who do pay get hit again in follow-up attacks.

Getting robust data to study ransomware attacks can be tricky as many organizations hit by ransomware don't publicly acknowledge it. That may change soon, as governments and multi-national bodies like the EU begin to regulate responses to ransomware attacks. Some are making a case to force mandatory reporting of ransomware attacks across all business sectors, as it currently is for US Healthcare. Studies using the data available show that

The impact on an organization of a ransomware attack can be devastating on multiple fronts. The reputational damage to the organization can be severe. This is especially true for businesses that provide IT services that then allow ransomware to infect their clients. The July 2021 Kaseya supply chain attack is a topical example. Kaseya provides Managed Service Providers with tools to manage their client's IT systems. At the time of writing (July 6th, 2021), thousands of organizations have been infected with REVil ransomware and had their data encrypted via the Kaseya attack. The criminals behind the attack are demanding a payment of $70M to release a general decrypt tool to reverse the encryption.

This last point highlights another impact of a successful ransomware attack - financial. While the $70M demand in the Kaseya attack is extreme, the average cost of an attack, according to Sophos's State of Ransomware Report 2021, rose from $761,106 in 2020 to $1.85 million in 2021. That includes all the costs associated with recovery from the attack - the ransom, downtime, staff overtime, impacted operations, and more. The average ransom paid in 2021 was $170,404.

Another impact can be on operations as IT systems stop working. This can range from critical in healthcare providers to loss of production in manufacturing. In some cases, if there is no way to recover from a devastating ransomware attack quickly, the organization may not survive.

The number of ransomware threats has exploded in the last few years. This is due to the financial return that the cybercriminals achieve and the change in the attack surface available to them due to the sudden change in working practices in early 2020. The 2017 WannaCry ransomware attack is no longer the worst example we have. The types of ransomware that are being used and detected are also changing. The new strains are getting smarter as they now use multiple ways to infect organizations. There are new variants designed to defeat endpoint security or dwell in memory to evade anti-ransomware pattern matching protections. Modern strains of ransomware, such as WastedLocker and Maze, are memory resident. They do all their work in memory and don't write out files that traditional signature scanners can detect. They also hide their activities in various ways to operate without being seen, only being detected when it's too late and data has been stolen and encrypted.

But, all is not lost. There are steps that organizations can take to prevent ransomware attacks and to recover if defenses get breached.

Ransomware Protection

The cybersecurity protections that will help prevent ransomware attacks are pretty much the complete set of defenses against all types of malware and other cyberattack threats. In the sections below, we discuss areas where cybersecurity best practices can provide mitigation from ransomware risk. Implementing best practices in these areas will provide a solid base. Cybersecurity threat protection is not a one-off task. The threat landscape is always changing, and protections need to be constantly reviewed and adapted as the threats change.

Staying up to date in this area is a full-time task. Cybersecurity protection is a complicated topic that needs to be the full-time focus for a person or persons in an organization. Many organizations will struggle to recruit or retain staff with the relevant skills. Cybersecurity is an area that is ideal for getting external help from dedicated cybersecurity protection companies such as Critical Insight. We have highly skilled and focused cybersecurity professionals who can work with your existing IT teams to ensure robust protections are in place. We also have a dedicated Security Operations Center (SOC) to monitor your network to detect ransomware and other attacks in real-time.

The sections below outline areas to focus on to increase ransomware protection.

Do Frequent Backups

Backups are not a preventative measure that will stop a ransomware attack from taking hold of your IT systems. But they are the method of last resort if you have to recover from an attack. If an organization does not want to pay a ransom, or if they are one of the 40% who pays but doesn't get a valid decrypt mechanism from the criminals, then they can use recent backups of important files to restore data to a time before the ransomware encryption happened.

Everyone should do backups with a frequency to deliver the smallest possible amount of tolerable data loss in the event of an attack. Whether that's hours, days, or weeks will vary between organizations. One thing to consider with backups is to protect them from the ransomware that has rendered IT systems unusable. Many forms of ransomware will look for backup servers on the network and actively target them for encryption to put further pressure on organizations to pay the ransom.

To counter this, it is vital that recent backups get stored in a way that is not reachable on the network. There are many ways to do this, such as removable hard drives, tapes, network micro-segmentation, and more. Also, do frequent test restores from these backups to make sure you can get the data back if required. Untested backups are no backups at all! Discuss this with your IT teams and managed service providers to ensure that you have frequent backups offline and safe from ransomware.

Document Policies and Procedures

Everyone in an organization is part of the cybersecurity defense. It is vital that everyone knows how to spot risks and what to do during an ongoing attack. So that everyone knows what to do, it is essential to have easily understandable policies and procedures that spell out precisely what to do if there is anything suspicious that occurs, or when a discovered breach or attack happens. They should cover what the IT team and others should do to protect IT systems.

Critical Insight can help you draft suitable policies and procedures for your staff to follow. These can integrate into and build on our SOC monitoring and response services.

Train Staff on Cybersecurity

Besides the policies and procedures is the need for frequent staff training on cybersecurity. Many successful ransomware attacks get past technical security protections by using social engineering methods to trick people. Training for staff so that they can spot phishing emails, messages, or spoof websites should be done. Not as a one-off, but frequently to reinforce the message and to update them as attack techniques change. Bite-sized training that happens regularly at people's desks is often an excellent way to deliver this.

The policies and procedures documents should include details on how cybersecurity awareness training is planned, delivered, updated, and how attendance is tracked. Getting staff to identify and report suspicious activity is a core part of preventing ransomware attacks.

Use Proactive Defense

Proactive defense that gets out in front of attackers as they plan can be important in mitigating risk. There are also indicators of compromise that you can detect on breached networks before ransomware encryption happens.

Critical Insight's SOC monitoring can detect anomalous behaviors on networks. Organizations can then take actions to eliminate any cybercriminals dwelling on the network and mitigate future risk after analysis to determine how they got in, something Critical Insight can usually do relatively quickly.

Implement Strong Authentication

Secure Identity and Access Management (IAM) should be in use for all systems. In many organizations, this will use a directory service such a Microsoft Active Directory (or another directory service). In the modern hybrid Cloud-based application deployment model, there will likely be federation in place to link accounts across on-premise and Cloud-based IT systems. Strong authentication should apply for all logins across offices, via VPN, or when using Cloud-based applications. Premium security tools should be location agnostic.

Whatever the system in use, it should use:

Strong, unique passwords - unique passwords should be mandatory for all separate systems. No user should be able to use the same password across systems. The passwords should be strong and almost impossible to guess or to brute force in a short time. Unfortunately, these two stipulations are the sort of things that people find hard to follow, which is why we see people reusing passwords or having them written down on notes at their desks. Password management tools exist to fix this issue. They can generate strong and unique passwords for each system a user accesses and then auto-enter the user's passwords. Users don't even need to know what their password is for many systems. All they need to remember is a single strong password to access their password manager.

Multi-Factor Authentication - strong passwords are great, but they are not enough. In addition to passwords, IT systems should require multi-factor authentication when anyone logs on. Multi-factor authentication requires users to input additional information that only they have. Methods such as tokens generated by a dedicated device or smartphone, specific device requirements, or biometrics all provide ways to implement multi-factor authentication.

Good IAM implementation also has processes to manage the creation of new accounts and their removal when not needed. This reduces the attack surface of user accounts that criminals can use. It's also good practice to limit the number of Admin accounts in use. And nobody should use any Admin accounts for day-to-day tasks.

Use Privileged Access Management

While IAM is fundamental to providing secure authentication, implementing Privileged Access Management (PAM) for critical systems is also recommended. PAM adds additional restrictions on designated systems. In order to log on to a PAM-protected system, a user has to request authorization via a prearranged workflow. This workflow will involve multiple people (usually managers) who have to review reasons for the access request and okay or reject it. Very often, a 'two key' authorization process is required. If a PAM logon is granted, all actions performed by the user are logged in detail and often recorded for video playback if needed. PAM solutions also frequently disable dangerous commands from being run at all during a session (for example, command prompt programs that can erase data). PAM login and password combinations are one use only. Each access requires another request and workflow to authorize it. Also, PAM sessions are time-limited to prevent a single login from being used for long periods.

Update Network Protections

Network protection via firewalls, intrusion detection systems, and other physical and virtual network equipment has been the first line of defense for years. These are still important, but they must be kept up to date. Either by replacing them with modern versions if out of support or installing the latest security patches if still in support.

Strong border firewalls at the edge of the network to limit incoming and outgoing traffic onto the Internet are as important as ever. Firewalls can prevent outflows of data to unknown IP addresses to prevent data copying by ransomware. This is often a step undertaken before encryption is triggered. In addition to traditional firewalls, the deployment of Web Application Firewalls (WAF) should also occur. These work at multiple layers of the network stack to provide additional protections for application servers.

Increasingly micro-segmentation of internal networks is being used to limit the spread of ransomware and other malware if it gets past the edge protections. Micro-segmentation limits the discoverability and addressability of nodes on the network. Ransomware often uses standard network protocols to search for other systems to jump to and infect. Micro-segmentation helps make the network opaque and slows down or prevents ransomware spread. Many network equipment suppliers have micro-segmentation solutions.

Another step beyond micro-segmentation is to implement deception technologies. These are dummy systems placed on the network to fool attackers into thinking they are real systems. The actual systems are hidden using micro-segmentation and other methods, but the attackers see the dummy systems and think they have discovered everything. Deception technologies often use AI automation and Machine Learning based techniques to simulate typical usage patterns on these dummy systems so that they look normal (such as users logging in, data writing to storage, and applications in use). Deception systems also have the benefit of being honey traps where cybersecurity professionals can watch the activities of attackers to see what methods they are using and then make sure the real hidden systems are adequately protected.

Encrypt Your Data

It might seem strange to recommend encrypting your data as part of a data protection strategy to protect it from ransomware and encryption. But if you have encryption in place and are compromised, then the attackers will not be able to use your data to plan further attacks or sell it for others to use on the dark web. Encryption should be in place for data at rest on storage and when in transit over a network.

Install Endpoint Protection

End-users and their endpoint devices are frequent targets for cybercriminals looking to deploy ransomware. All endpoint devices such as PCs, laptops, and mobile devices capable of running it should have endpoint protection like anti-malware and anti-virus software installed. Typically this will be PC devices running Windows, Mac devices, and Android operating system tablets & smartphones. At present, Apple doesn't allow installing endpoint protection on iPhone and iPad devices running iOS. They have built-in application sandboxing and protections that Apple updates.

Preventing ransomware attacks is better than dealing with their aftermath. Endpoint protection software can help with this prevention, and malware protection more generally.

Some other devices, like most internet-of-things (IoT) devices cannot take an endpoint. That is why you need detection capabilities like Critical Insight that can use endpoints but do not depend on endpoints.

Use SIEM & MDM Solutions

Endpoint protection systems are often part of broader IT Security Information and Event Management (SIEM) solutions. SIEM security solutions provide an overall view of the security of the whole IT infrastructure. Including endpoints, servers, and also applications deployed in the Cloud. They often also incorporate Mobile Device Management (MDM) capabilities to allow mobile devices to be provisioned and managed remotely, and wiped if lost or stolen so that cybercriminals can't get access to systems using the mobile device.

Keep Systems Up to Date

Security and protections on IT systems are only as good as the software versions they are running. New vulnerabilities are discovered frequently in systems across the IT landscape. In ideal cases, these vulnerabilities are found and fixed before cybercriminals can actively exploit them. However, this is not always the case, and there are many zero-day exploits seen in the wild that hardware and software companies have to scramble to patch.

It is therefore vital that all systems are kept up to date with the latest operating system and security fixes. This applies to anti-ransomware protection software and other anti-malware solutions as well. Make sure that updates get deployed as soon as possible after their release. If required, have test systems that are close analogs of production IT systems to test updates on before deployment. And consider phased deployment of updates in production to catch any issues that might arise. If there are multiple servers behind load balancers, it's often possible to deploy updates to one server in the server group at a time to control rollout and mitigate adverse impacts. Getting updates deployed quickly is vital, as bad actors will target any known vulnerabilities that come to light.

If any systems in use are out of support and not getting security updates, management should plan to replace them as soon as possible.

Organizations should also manage configurations on devices to prevent common attack methods, for example, by disabling the autorunning of executables on USB drives. Attackers often drop physical USB thumb drives with malware installers on them for people to find. Which many people then plug into their PCs to see what's on them. Maybe train people not to do this as well!

Secure WiFi Networks

WiFi networks are notoriously insecure, especially those used by people working from home. All WiFi networks in use should have the maximum security settings enabled. They should not advertise their network names for people who don't need to use them. If home workers have WiFi systems that you cannot secure adequately, then consider supplying them with more secure units or mobile WiFi via your mobile phone network supplier for work data access.

Final Thoughts

Unfortunately, protecting against ransomware is something that all organizations must include in their standard operations and disaster recovery planning. Just the last few months have shown how rampant ransomware attacks now are, and how reckless the criminals behind them.

The steps outlined in this article are a good baseline for implementing protections. But they are not the final word. The cyber security threat landscape is constantly changing. Protections must be kept up to date to counter emerging threats.

Staying up to date with current cyber security threats is a full-time job. Critical Insight's cyber security professionals are focused on the threat landscape. These experts, combined with our SOC 24/7 monitoring teams, can deliver the cyber security expertise your organization needs while freeing your staff and resources to focus on your core business. In contrast, we'll focus on keeping you secure and operational.