Party like it's 1996
Welcome to the Party
Ransomware is a type of malicious software (malware) that restricts access to data, or otherwise holds data hostage, until a ransom payment is made. Quite often encryption is the primary method of making data inaccessible to its owner, while the nefarious actor holds the key needed to decrypt it. This notion of using encryption offensively was first discussed in 1996 by Young & Yung, who coined the term “cryptovirology” for the malicious use of encryption.
Since then, ransomware attacks have been on the rise, with the global cost to organizations estimated at $20 billion this year. Ransomware attacks continue to become more elaborate and more targeted, and the human factor, more often than not, is the key to defense. Yes, people are the avenue of attack, as they click on malicious links and open malicious attachments; however, there is no replacement for good human judgement. Having an organizational culture where everyone is in security – looking for anomalies in their day-to-day processes, being aware of the requests they receive in email, reviewing configurations before they go live – creates a formidable defense against threat actors. (See “Everyone is in Security” from December 2020.)
The Party was never fun
Historically, we have been dealing with ransomware that, like most malware, is indiscriminate and opportunistic. Without question this “commodity” ransomware has been effective in its ability to disrupt its victims and extort money. But a new trend is emerging where ransomware is being deployed by threat actors in a “hands-on” fashion.
Threat actors are specifically attacking organizations with the purpose of planting ransomware. As they actively penetrate, they leverage information they already know and information they gather along the way, including configurations and harvested credentials, to plant and execute the ransomware. This effectively gives the threat actor a diversified, on-demand ransom capability. So, unlike a traditional malware infection and execution, which typically has an identifiable footprint and path, this attack methodology presents an unknown scope of infection and capability.
Shut the party down
There is no magic or silver bullet, security today is still about fundamentals. Consider these few, as you ask “Are we ransomware resilient?”
Ensure your anti-malware software is up to date – these packages monitor your files for unexpected behavior and excessive access.
Filter emails before they reach your employees – content and email filtering should take care of many phishing and ransomware scams.
Train employees to recognize suspicious emails – don’t open emails from unrecognized senders, don’t click on links you aren’t sure are legitimate, and avoid opening attachments you aren’t sure about.
Apply software patches to keep systems up to date – as painful and tedious as it is, this is vital to your security.
Change default passwords everywhere – don’t reuse passwords, make them complex (password vaults help), and use multi-factor authentication wherever possible.
Make it harder for attackers to roam your networks – only give employees access to what they need to perform their duties, limit administrative accounts, and segment the networks where possible.
Understand what is happening on your network – baseline and monitor, either internally or with a managed detection and response vendor.
Inventory your assets – know what is connected to your network.
Know what data is most important – keep a secure and up-to-date backup of all business-critical information; you must know your recovery point objectives (RPO), because they will drive your backup strategy!
Durable backup – durable means survivable: not just across time and environments, but across an attack. Think about your strategy and implementation – will you just end up backing up the encrypted data?
Have good change management – control your change, know your change.
Have a plan to respond to a ransomware attack, and test it – this should be part of business continuity and disaster recovery.
Think long and hard before paying a ransom – there is no guarantee you will get your data back.
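The “durable backup” and “understand what is happening on your network” items above both come down to one question: can you tell, before a backup job accepts a snapshot, that the files it is about to copy have already been encrypted? The following is an added example (not code from the article or from Octellient) of a pre-backup sanity check. It assumes, hypothetically, that each snapshot is available as a mapping of file path to file bytes, and it flags files whose content jumped from low to near-random entropy since the last good copy, or whose leading “magic” bytes no longer match their extension. The magic table and the sample snapshots are constructed for the demonstration; a production check would use a real file-type library and compare against the actual previous backup.

```python
"""Pre-backup check for ransomware-encrypted files (added example, not from the article).

Assumptions (hypothetical): snapshots are dicts of path -> bytes; the previous
snapshot is known good. Files are flagged when their Shannon entropy rises
sharply to near-random levels, or when their magic bytes no longer match the
extension, both common side effects of in-place encryption.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Minimal magic-number table, constructed for the demo (real tools use libmagic).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def magic_mismatch(path: str, data: bytes) -> bool:
    """True when the extension has a known signature and the content does not start with it."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    sig = MAGIC.get(ext)
    return sig is not None and not data.startswith(sig)


ENTROPY_JUMP = 2.0  # bits/byte increase versus the last good copy treated as suspicious
HIGH_ENTROPY = 7.5  # absolute level at which content looks random/encrypted


def suspicious_files(previous: dict, current: dict) -> list:
    """Return sorted (path, reason) pairs for files in `current` that look encrypted."""
    findings = []
    for path, data in current.items():
        ent = shannon_entropy(data)
        old = previous.get(path)
        # Compare to the last good copy so naturally high-entropy files (zip, png)
        # are not flagged merely for being compressed.
        if old is not None and ent - shannon_entropy(old) >= ENTROPY_JUMP and ent >= HIGH_ENTROPY:
            findings.append((path, "entropy jump"))
        if magic_mismatch(path, data):
            findings.append((path, "magic mismatch"))
    return sorted(findings)


def backup_should_proceed(previous: dict, current: dict, max_ratio: float = 0.05) -> bool:
    """Accept the snapshot only if fewer than `max_ratio` of its files look encrypted."""
    if not current:
        return True
    flagged = {path for path, _ in suspicious_files(previous, current)}
    return len(flagged) / len(current) < max_ratio


def _random_bytes(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample snapshots: a known-good copy and a candidate taken after an attack.
GOOD_SNAPSHOT = {
    "docs/report.pdf": b"%PDF-1.4\n" + b"Quarterly report text. " * 40,
    "docs/notes.txt": b"meeting notes: follow up on backups\n" * 30,
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + _random_bytes(4096, 1),
}
CANDIDATE_SNAPSHOT = {
    "docs/report.pdf": _random_bytes(4096, 2),  # encrypted in place: magic gone, entropy up
    "docs/notes.txt": _random_bytes(4096, 3),   # encrypted in place: entropy up
    "img/logo.png": GOOD_SNAPSHOT["img/logo.png"],  # untouched
}

if __name__ == "__main__":
    for path, reason in suspicious_files(GOOD_SNAPSHOT, CANDIDATE_SNAPSHOT):
        print(f"SUSPICIOUS {path}: {reason}")
    print("proceed with backup:", backup_should_proceed(GOOD_SNAPSHOT, CANDIDATE_SNAPSHOT))
```

The threshold of 5% flagged files is a starting point, not a rule; tune it against your own churn, and treat a failed check as a signal to stop the job and start incident response rather than to overwrite the last good backup.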
OCTELLIENT - Our mission: simplify information security. With a Business First approach, we want to help you and your organization get to your core priorities and make the most of your infosec investments. Our goal is to be your side-by-side partner, working together to navigate a tailored infosec strategy and bring expert advice to your toughest challenges.
Ask us about Propulsion, Deepwater, and the 8-point Dossier
www.octellient.com