HOW THE ATTACKS WORK

Malicious software is used to deny access to data or systems until or unless the attacker’s ransom demands are met. Methods for delivering the malware payload vary, with the three of the most common being phishing emails, exploitation of application vulnerabilities, and delivery via remote desktop protocol (RDP). The use of phishing emails as an attack vector is currently on the rise.

Once successfully delivered, the malware propagates across data storage environments and/or vulnerable systems, rendering systems and data inaccessible. Attackers then demand ransoms in exchange for restoring access. If the demands are not met, and sometimes even if they are, access to systems may remain blocked. Your data could be deleted or remain unavailable as a result of having been encrypted using the attackers’ algorithms.

HARDENING THE ENVIRONMENT

Following are recommended strategies to thwart ransomware attacks:

• Back up your data. It’s critical to protect your encrypted data frequently. Use an offline repository, or air-gapped, storage system so that even if your backup is compromised, the hacked data is useless. Be sure to retain multiple sequential version backups so that pre-attack files will be available for restoration. Another solution that is becoming more popular is to use a secure cloud storage service for your backups. Typically, cloud storage providers offer data encryption and system redundancy to ensure that you are able to quickly and efficiently restore your files in the event of a successful attack. Verify that your cloud backup provider has versioning capabilities that would allow files to be restored to their pre-attack state even if post-attack cloud backups are performed.
• Create and regularly maintain golden images of your critical systems so that, if the attackers deprive you of access to those systems, they can be rebuilt as quickly as possible. Create and maintain templates with operating systems that are pre-configured to expedite the process of reloading systems. Have copies of your application software on hand as well. Also, make sure to have vendor support contact information readily available for all hardware and software.
• Regularly install patches and security updates. Create a policy that establishes requirements and schedules for doing so, and ensure that your system administrators are familiar with and adhere to these requirements.
• Limit administrative permissions among users and restrict the installation of unapproved applications within your environment. Ransomware may initially be installed locally when a user clicks a link in a phishing email or connects to an infected system via RDP, then propagate across the network.
• Perform analyses, make plans, and test your plans regularly. Some of your systems may be more critical than others. Perform business impact analyses to identify and prioritize these and ensure they receive prompt attention should an attack occur. Use this information, along with input from your key personnel and any lessons learned from previous incidents, to develop incident response and business continuity plans. Include 24/7 contact information for members of your response team. If you need guidelines to get started, organizations like the National Institute of Standards and Technology (NIST) and its Canadian counterpart (which can be found here: NIST Launch Page) provide sample plans and best practices. Once you’ve put your procedures in place, test them periodically. Continuously improve them based on lessons learned through your testing and actual incidents.
• Train your employees regularly and ensure new hires receive security training. Technical controls cannot prevent all attacks. Your staff should be trained to identify potentially malicious emails, to avoid clicking links in suspicious messages, and to refrain from providing certain types of sensitive information about your organization via written or oral communications. They should also be prohibited from installing unauthorized applications (if, based on their job requirements, their privileges to do so cannot be restricted) and from remotely connecting to external systems without authorization. Providing an ongoing training program that educates your employees regarding current attack vectors and threats is essential. Your employees are your last line of defence.

RESPONDING TO A SUCCESSFUL RANSOMWARE ATTACK

If your organization is successfully attacked, execute your incident response and business continuity plans immediately to begin the process of restoring your data and/or system access, thereby minimizing the attack’s impact. As soon as possible, report the incident to your local law enforcement office or, in the United States, via the FBI’s online cybercrime reporting site at tips.fbi.gov/.

Before paying any ransom, consider the following:

• The experts at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) do not encourage organizations to pay ransoms.
• Paying the ransom does not guarantee that your access will be restored. Remember, you are dealing with a criminal. Some organizations that have given in to attackers’ demands have never had their system access restored or been given the keys to unencrypt their data.
• Attackers sometimes demand additional payments after receiving the initial ransom.
• Some victimized organizations that did pay have been subsequently targeted in new attacks because they have exhibited a willingness to comply with attackers’ demands.

SUMMARY

Ransomware is a growing threat that utilizes multiple attack vectors. Unless your organization has prepared for an attack by securely backing up your data, hardening your systems, educating your employees, and developing response plans and continuity procedures, you may find that you are unable to resume normal operations for an extended period of time, if at all.

Giving in to an attacker’s demands does not guarantee that access to your systems and data will be restored. In fact, paying a ransom may only result in additional demands by the attacker, or in your company being targeted in future attacks. Taking the necessary steps to create a solid plan to help you prepare for and respond to a ransomware attack could be key to your organization’s survival.