2022-07-20 14:30:54

How to Prepare for Ransomware Attacks

Ransomware attacks continue to increase. Bad actors have changed tactics and are using techniques that are more sophisticated and targeted. To help protect the organization from ransomware, security and risk management leaders need to look beyond just the endpoints.

Overview

Key Findings

  • Phishing, remote attacks on public-facing infrastructure, and unauthorized remote desktop connections continue to be the primary sources of infiltration for ransomware. This has been exacerbated by the growth in remote work resulting from the pandemic.
  • Bad actors are mining exfiltrated data to identify other potential sources for revenue.
  • The cost of recovery and resulting downtime in the aftermath of a ransomware attack, and the cost of the reputational damage, can amount to 10 times the amount of the ransom itself.

Recommendations

Security and risk management leaders responsible for endpoint and network security must focus on all three stages of a ransomware attack:

  • Get ready for ransomware attacks by constructing a preincident prevention strategy that includes endpoint protection, data protection, immutable backup, asset management, end-user awareness training and strong identity and access management.
  • Implement detection measures by deploying behavioral-anomaly-based detection technologies to identify ransomware attacks.
  • Build postincident response procedures by training staff and scheduling regular training exercises. This should include development of a ransomware response playbook to augment existing incident response plans with the addition of recovery options (such as endpoint rollback, bare-metal restore and decryption processes).

Introduction

Ransomware continues to pose a significant risk to organizations. Recent attacks have evolved from autospreading attacks, such as Maze and Ryuk, to more targeted human-operated campaigns, which attack organizations, rather than individual endpoints. This often results in double or triple extortion tactics. The impact that these attacks have on organizations has increased to the point where some organizations have gone out of business, and, in the case of healthcare, lives have been put at risk. Security and risk management (SRM) leaders need to adapt to these changes and look beyond just endpoint security controls to protect against ransomware.

Recent ransomware campaigns, such as REvil and Ryuk, have become “human-operated ransomware,” where the attack is controlled by an operator, rather than spreading automatically. Such attacks often take advantage of well-known security weaknesses to gain access. For example, a number of recent ransomware incidents are thought to have started with poorly configured or vulnerable remote desktop protocol (RDP) configurations or poor identity and access management (IAM) practices. Previously compromised credentials are also being used to gain access to systems. These can be obtained through initial access brokers or other dark web data dumps.

Once inside, the attacker will move around in the network, identify the valuable data, and assess the security controls used, often disabling endpoint protection tools and deleting backups. Then, when the data has been identified, it can be uploaded and later used for extortion (doxxing), and the ransomware will be launched to encrypt the data. The median dwell time between the first evidence of malicious activity and the deployment of ransomware is five days. The goal is to maximize the likelihood of the ransom being paid, which often means that the attack includes threats to make data public if the ransom isn’t paid quickly.

Analysis

Construct a Preincident Preparation Strategy

SRM leaders should work under the assumption that a ransomware attack will be successful, and ensure that the organization is prepared to detect an attack as early as possible and recover as quickly as possible. Your ability to quickly detect and contain a ransomware attack will have the biggest impact on the extent of any outage or disruption that is caused.

The first and most common question is, “Should the ransom be paid?” Ultimately, this has to be a business decision. It needs to be made at an executive or board level, with legal advice. Law enforcement agencies recommend not paying, because it encourages continued criminal activity. In some cases, paying the ransom could be seen as illegal, because it provides funding for criminal activity. Regardless, the discussion needs to occur. There are several examples of organizations that worked with law enforcement during a ransomware incident and made the decision to pay because it was the best option for their business. A recent survey found that 46% of companies ultimately pay the ransom.

Should payment be a consideration, it is important to establish a governance and legal process that includes the CEO, the board and key operational staff. It is not recommended for organizations to take on the negotiation with the bad actors without guidance. This is typically done by a third-party negotiation service provider. In addition to being the primary negotiator, they also have the ability to facilitate payments and in many cases remove the requirement for the business to maintain cryptocurrency.

A word of caution — even if the ransom is paid, there is no guarantee that your data will be recovered. The encrypted files can be unrecoverable due to data corruption during the encryption process.

Build Peri-incident and Postincident Response Procedures by Training Staff and Scheduling Drills

SRM leaders must ultimately be prepared for a ransomware attack to be successful and have plans, processes and procedures in place. These plans need to cover the IT aspects as well as communication plans for internal staff, partners and suppliers. It is important that SRM leaders quickly and clearly communicate the issue. Provide regular status updates, including when systems will be recovered to a usable state. Several cyber crisis simulation tools can help identify gaps in procedures, roles and responsibilities.

These plans will vary, based on the extent and success of a ransomware attack. It may only be a small part of an organization, and the impact could be minimal. For larger attacks, the impact may go beyond the organization to customers and partners. As part of the preparation, running regular fire drills or table-top exercises to rehearse a response can be beneficial. Ideally these exercises will cover both the business and technical response activities required.

Once recovery is in progress, collect enough information to understand the root cause of the attack and which controls failed or weren’t in place. Specialist digital forensics and incident response (DFIR) services play an important role in this analysis. Once systems are recovered, it is critical to implement the lessons learned and feed them back into the preparation phase.

Develop a Ransomware Playbook

Ransomware is unlike any other security incident. It puts affected organizations on a countdown timer. Any delay in the decision-making process introduces additional risk.

During a ransomware event, business leaders will be forced to make big decisions with very little information.

Additional roles — such as a timekeeper — need to be assigned. The timekeeper is responsible for tracking the time remaining on the deadline set in the ransom demand. Losing track of the time can result in public disclosure of data and an increase in the ransom amount.

Guidance on making a “pay/no-pay” decision should also be included. Third-party services such as ransomware negotiation companies need to be identified and requisite contact information made available. A ransomware playbook provides the prescriptive guidance to address a ransomware event.

Be honest with yourself and understand your organization’s limitations for monitoring, detecting and responding to security incidents. Many organizations will need assistance to mitigate, detect and recover from an attack. Specialist incident response teams can play an important role, and having an incident response retainer in place can reduce the cost of the response and speed it up.

The tactical recovery steps will vary, depending on the organization and the extent of the ransomware, but will involve:

  • Recovery of data from backups, including verifying the integrity of those backups and understanding what data, if any, has been lost.
  • Once a device is compromised, using endpoint protection platforms (EPPs), endpoint detection and response (EDR) and mobile threat defense (MTD) solutions as part of the remediation response to remove and isolate the threat. Recovery goes beyond recovering the data. Infected machines may be “locked” and may require physical access. During the preparation phase, it’s important to understand and plan for how this would be achieved.
  • Validation of the integrity of a device before it is allowed back onto the network.
  • Updating or removing compromised credentials. Without this, the attacker will be able to gain entry again.
  • Performing a thorough root cause analysis of what happened and how — including accounting for any data that has been exfiltrated (doxxing). Doxxing occurs when bad actors threaten to release stolen information. This is increasingly becoming a secondary method of extortion if a victim decides not to pay the ransom.
  • Bringing in experts — you cannot do it alone.
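As an added example (not part of the original article), a small Python check for the backup-verification step above: it compares a backup set against a hash manifest recorded at backup time, reports files that are missing or changed, and uses byte entropy to separate files that look encrypted from files that were merely edited. The file names, manifest format and 7.5-bit entropy threshold are assumptions for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    n = len(data)  # bits per byte: ~8.0 for encrypted/random data, low for text
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    # manifest: {relative_path: sha256} recorded when the backup was taken
    report = {"ok": [], "missing": [], "modified": [], "high_entropy": []}
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)      # backup data deleted
        elif sha256_file(path) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)     # content changed since backup
            with open(path, "rb") as f:
                if shannon_entropy(f.read(1 << 20)) > entropy_threshold:
                    report["high_entropy"].append(rel)  # looks encrypted, not edited
    return report

def build_fixture():
    # Constructed sample backup set (not real data): manifest recorded at
    # backup time, then one file deleted and one overwritten with random bytes.
    root = tempfile.mkdtemp()
    files = {"db/customers.csv": b"id,name\n1,alice\n2,bob\n" * 50,
             "docs/policy.txt": b"Incident response policy v3\n" * 40,
             "config/app.yaml": b"retention_days: 30\nimmutable: true\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = {rel: sha256_file(os.path.join(root, rel)) for rel in files}
    os.remove(os.path.join(root, "db/customers.csv"))        # simulated deletion
    with open(os.path.join(root, "docs/policy.txt"), "wb") as f:
        f.write(os.urandom(8192))                             # simulated encryption
    return root, manifest

def demo():
    root, manifest = build_fixture()
    return verify_backup(root, manifest)
```

Calling `demo()` returns the report for the constructed fixture; in practice the manifest would be stored with the immutable backup and checked before any restore.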
