As prolific as ransomware was in 2020, it is even worse in 2021. According to Check Point Research (“CPR”), ransomware attacks have increased 102% this year compared to 2020. The trend is also accelerating as the year progresses. In addition, CPR reported a 57% increase in the month of March compared to the start of the year. Since April, an average of 29 North American organizations are hit by a ransomware attack every week. Experts predict that ransomware will inflict damages of $6 trillion this year. To give you an idea of how much money that is, it would represent the world’s third-largest economy after the U.S. and China.
The scale of these attacks has reached a point now that it is affecting the economy. After witnessing attacks such as the Colonial Pipeline Attack in March, the world is realizing the supreme urgency of combatting the ransomware threat. Even the White House has taken great interest and recently released a memo to business leaders in order to stress the dire need for countermeasures and action.
Just weeks ago, The National Institute of Standards and Technology (NIST) released its preliminary draft outlining their recommended security measures to combat ransomware. NIST defines ransomware as a type of malicious attack in which attackers encrypt an organization’s data and demand payment to restore access. They also point out the recent trend of stealing the information prior to encrypting it in order to demand payment for not publicly disclosing it. In recognizing the exigency of the situation, NIST is taking an agile approach to their published recommendations in order to get information out as quickly as possible. The draft release is being followed by a public comment period.
The following steps are recommended by NIST to reduce the potential for successful ransomware attacks.
- Always use antivirus software and make sure that all emails and flash drives are automatically scanned for malicious code.
- Keep all computers and software fully patched. Timely patching removes the known “low hanging” vulnerabilities that provide external threat actors easy access to systems and applications.
- Enforce the Principle of Least Privilege and only use standard accounts. The SANS Institute refers to local admin accounts as the “keys to the kingdom” as they are used to embed and spread malicious code across workstations and servers within the network. When a user clicks on a link or attachment that initiates the downloading of a malware payload, the malicious code inherits the rights and privileges of that involved user account. If that user has local admin rights, so does the malware. While it is easy to simply allot blanket admin rights to all users, it is an poor practice that opens your devices to excessive risk. Evaluate user permissions based on role and determine the least amount of privilege needed per role.
- Block access to ransomware sites. This is best accomplished by implementing some type of web filtering solution that automatically blocks access to known ransomware sites. You can also enforce grey listing which blocks newly registered websites. New domain registrations often involve “temporary” websites that hackers use as malware repositories. Hackers then use phishing attacks to entice users to click on embedded links that download the malicious payload.
- Allow users to only use authorized apps. Even applications that seem legitimate can be trojans that encapsulate some sort of malware executable within. This recommendation works in tandem with the denial of local admin rights as some applications require admin privileges in order to install. Many applications don’t however, which is why a method to whitelist applications is helpful in the prevention of unwanted software execution. While application whitelisting management can prove cumbersome and time consuming, there are a number of desktop management solutions on the market today that have streamlined the process.
- Restrict the use of personally owned devices. While Bring Your Own Device (“BYOD”) programs do have their benefits, they open your network up to great risk. Those who feel that BYOD programs are a necessity should at least implement some type of mobile device management solution that analyzes and inspects outside devices before allowing them to connect to the network. Devices that do not meet the organization’s patching and security requirements are then quarantined until the user addresses the vulnerabilities.
- Backup and restore. Many an organization has been able to bring their data back from the ransomware grave by restoring their backups. You should airgap recent full backups for critical systems and ensure the backups are not continuously accessible on the network. Ransomware attacks seek out backup solutions to encrypt and disable them.
- Beware of unknown sources. Another way to say this is to stop users from clicking on things such as open files, executables, links or attached drives. This can be achieved using endpoint security solutions and allow lists.
- Create an incident recovery plan. The plan should define the roles and strategies that will be implemented in the event of a security incident. The plan should be reviewed and rehearsed on a periodic basis.
- Maintain a list of contacts in the event of an attack. The list should include internal and external contacts including third party security firms and local law enforcement. The contacts should also be included in the incident response plan.
Other Ransomware Resources
You can access the Preliminary Draft NISTIR 8374 here. If you want more information on guidance concerning ransomware and other data destructive events, we have assembled the following links below.
NIST Special Publication (SP) 1800-26, Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
NIST SP 1800-25, Data Integrity: Identifying and Protecting Assets Against 129 Ransomware and Other Destructive Events
NIST SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive 133 Events