Familiar Threat, Evolving Attacks, Greater Impact
While ransomware attacks are not a new phenomenon, recent attacks have made news headlines and solidified the fact that cybercrime poses a real threat to our way of life. More than just attempts to extort money from businesses, recent ransomware attacks have impacted underlying critical infrastructure and healthcare systems.
Ransomware attacks have evolved since the first known attack in 1989 targeting the healthcare industry. The traditional ransomware attack involved the encryption of files through malicious code; a ransom was demanded to gain access to the decryption program for regaining access to the files. Since then, more sophisticated and aggressive techniques have been adopted:
Double Extortion. Attackers exfiltrate the victim’s data in addition to encrypting it, threatening to sell or post the exfiltrated data online if the ransom is not paid.
Double Extortion with Double Encryption. The attacker encrypts the victim’s data twice using different encryption algorithms or keys. The victim will pay the ransom and decrypt their data only to find the data is stilled encrypted and unusable. Another ransom is demanded to decrypt the data a second time.
Most recently, Colonial Pipeline became the victim of a ransomware attack affecting a main petroleum artery supplying the East Coast. Colonial’s pipeline network covers roughly 5500 miles, servicing seven airports and 14 US states. This incident caused a major gas shortage along the eastern seaboard, impacting millions of Americans.
Another recent ransomware attack was conducted against Ireland’s Department of Health, locking many hospitals and clinics out of their computer systems and disrupting access to patient records.
Many publicized ransomware attacks conducted against systems supporting critical infrastructure highlight the need for better separation between IT (Information Technology) and OT (Operational Technology) systems. While IT systems manage data, OT systems control the operation of physical machinery such as voltage regulators that control the flow of electricity into the power distribution grid or valves that control the flow of petroleum within a pipeline.
OT systems should be almost entirely isolated from IT systems as well as the Internet and where access is needed, and it should be tightly controlled with restrictive rules and thoroughly monitored. The lack of separation of OT systems from IT systems, or overly permissive controls between these environments have allowed attackers to pivot from IT systems to OT systems and disrupt or disable physical equipment that control critical infrastructure services.
Cyber criminals have become increasingly organized and effective in achieving their objectives, using monetary gains from cyber theft, fraud, and ransomware extortion payments to fund ever-growing criminal enterprises comprised of tactics and techniques, infrastructure, and people.
The Ransomware as a service (RaaS) business model has emerged out of the historical success of ransomware attacks. RaaS enables attackers (affiliates) access to suites of ransomware tools and delivery mechanisms. The affiliates earn a percentage of paid ransoms. This model has enabled participation in the ransomware business from non-skilled and inexperienced individuals wishing to profit from cybercrime.
Sophos conducted an independent study of ransomware in 2020 involving interviews with 5,000 IT managers across 26 countries (https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-the-state-of-ransomware-2020-wp.pdf). Their findings were staggering:
51% of surveyed businesses were impacted by ransomware
Only 26% of victims whose data was encrypted got it back by paying the ransom. 56% reported data was restored via backups rather than paying the ransom
59% of ransomware attacks involved data in the public cloud
The global average cost to remediate a ransomware attack is $761,106
Based on this study, paying the ransom doubles the cost of dealing with and remediating a ransomware attack
One critical challenge in combating this threat is that most organizations are not exclusively in the business of securing technology resources; they must focus on delivering their products and services, profitably, in a competitive business landscape.
How Do We Respond?
Some organizations take the position that if they are impacted by ransomware, they will pay the ransom. This is a risky strategy to adopt for several reasons:
There is no guarantee you will get your data back after paying. Remember, no matter how sophisticated or professional they seem, you will be dealing with criminals.
Attackers will commonly retarget you. Even if you pay the ransom and regain access to your data, attackers will commonly retarget you due to familiarity with your environment and its gaps in security.
It is cheaper to protect yourself. Considering all the costs of a ransomware incident, including people costs, downtime and loss of productivity, ransom payments, and increase in insurance premiums, it is cheaper and more cost-effective to implement protective measures against ransomware attackers.
There are strategies and controls to collectively answer these attacks and let cyber criminals know that we place a high value on our way of life, the health of our organizations, and our dependency on technology to provide a higher quality of life. These strategies must be adopted as a community, including participation from citizens, organizations in government, private, and non-profit sectors, and organizations supporting critical infrastructure.
A Different Approach
At Pillar Tech, our philosophy has always been “Protect First.” In Information Security, the best outcome is when an incident is prevented. With growing budgetary constraints within many organizations, preventative controls can be an effective investment for an organization that is unsure where to apply resources to information security.
The following preventative controls can be effective in combating ransomware and other security incidents:
Keep computer systems up to date with the latest security patches. Ransomware and other forms of malware typically target system vulnerabilities on unpatched systems. There are numerous built-in and 3rd party solutions to help manage system patching.
Deploy advanced endpoint protection software. Next-generation antivirus software can detect malicious activities through a combination of signature, behavior, and anomaly-based algorithms. Make sure the advanced endpoint agents stay updated with the latest signatures.
Implement Secure Email Gateway technologies. For many organizations, email serves as a means to communicate both internally and with the outside world. For the “bad guys”, it is the easiest way to gain access to your network and valuable data assets. Secure email gateways provide mechanisms to block attacks based on the email sender and contents of the email.
Implement Strong Authentication using multifactor authentication (MFA) and password complexity. Implement MFA on any Internet accessible applications and systems, and any internal systems containing sensitive data. Enforce account password requirements, including password length, age, history, and complexity requirements. Apply more restrictive authentication requirements on “VIP” accounts, such as IT administrator and executive user accounts.
Limit and tightly control Remote Access. Use strong authentication controls, limit access to the system from specific IP Addresses and locations, and disable RDP (Remote Desktop Protocol) where possible.
Implement network segmentation. Segment network resources, physically or logically, based on the purpose and criticality of the system resources. Implement network access control rules to limit network traffic between segments to business-specific requirements. This is especially critical in Operational Technology (OT) within Industrial Control Systems (ICS). These systems, often used in critical infrastructure like utilities, must be “air-gapped” from Information Technology (IT) systems and the Internet, with access tightly controlled and restricted.
Implement network-based Intrusion Prevention System (IPS). Enable IPS services between internal network segments and between internal segments and the Internet.
Perform vulnerability scanning. Conduct periodic internal and external vulnerability scanning. This process identifies system vulnerabilities and can validate the effectiveness of patching and configuration management processes. Remediation work plans can be developed based on the vulnerability findings and the criticality and exposure of the affected systems.
Conduct Security Awareness training. When an end-user clicks a malicious link in an email or visits a malicious website, this can circumvent preventative technical controls. Security Awareness training can strengthen the weakest link in the Information Security chain… people!
Detect and Contain
Based on research conducted by IBM, the average time to identify a breach in 2020 was 220 days. That’s sufficient time for malicious actors to gain a foothold and achieve their objectives. While preventative controls can minimize the likelihood of a ransomware incident, detection and containment capabilities along with ongoing vigilance are essential to reduce the impact of an incident.
The following strategies to detect and contain ransomware and other malicious attacks before extensive damage or loss occurs:
Enable audit logging on all network devices and endpoints. Enable full audit logging and retain as much data as your infrastructure can support. If possible, offload device audit log data to a central logging server for long-term retention and a single source for investigations.
Perform periodic audit log reviews. Periodic review of audit log data can uncover malicious activities and unauthorized access within the network. Look for anomalistic behavior such as uncommon login times, unexpected resource access, and login events from foreign locations. Make sure to review administrative account activities and any changes to administrative group membership and validate any findings.
Implement security information and event management (SIEM). A SIEM solution ingests log data streams from devices and services across the network and runs correlation rules against the datasets to look for known-bad behavior as well as anomalistic activity. A SIEM solution can greatly reduce the time to detection (TTD) of a security event.
Develop and test an incident response plan. A good incident response plan identifies valuable business and technology assets, asset owners, and their roles in incident response. It also outlines what procedures should be performed upon discovery of an incident. Like any plan, the incident response plan should be periodically tested and revised to ensure it supports the current technology and business environment.
Security incidents will happen even in well protected environments. Due to this, it is critical to have contingency plans and capabilities in place.
The following strategies can help ensure the business can recover and return to normal operations after a security event, such as a ransomware attack:
Backup critical systems and data regularly. Ensure all business-critical systems are regularly backed up to an off-host repository.
Store alternate copies of backups offsite. Store copies of system backups offsite at an alternate location, hosting provider, or cloud service. Ensure these backups cannot be easily accessed or manipulated from the source system of the backups.
Verify backup integrity periodically. Develop and implement procedures to periodically validate the system backups. This can include backup file hash validation as well as restoration of the backup data into a testing environment.
Develop and test a Disaster Recovery (DR) plan. A good DR plan will identify business and technology assets critical to business operations, owners of these assets, resources supporting these assets, and how to recover these critical assets in the event of a loss. Scheduling and executing “DR drills” ensures the plan continues to accurately reflect the business and technology environment.
Information security is not just an IT risk. It’s a significant business risk. Ransomware, specifically, is a primary security threat that has become more sophisticated and harder to defend.
Don’t be fooled by obsolete forms of defense. To develop an effective defense strategy, you must "Protect First", understand the growing sophistication, deploy new technologies and build a defense-in-depth architecture that will all work together to protect your organization.
Pillar Technology Partners is on the cutting edge of cybersecurity developments. We’re committed to helping security leaders simplify, understand, assess, remediate and operate their information security program with a unique focus on data protection. Our CISOs, Security Engineering Teams and Incident Response Teams understand how to help you simplify cyber security. Learn more about our commitment to the information security industry, visit: ptechcyber.com.