The top 6 things you should do right now to prepare and defend against a ransomware attack.
So far in 2019, the number of reported ransomware attacks is estimated to have risen by 65%. Many of the larger breaches reported this year have impacted hospitals, police departments and local governments, resulting in lengthy outages and large ransomware payments. Attackers have increasingly targeted these areas because these environments typically contain legacy systems, out-of-date protections, and generally slow technical change due to factors such as patient safety, budget concerns, and sometimes a lack of skilled resources to manage an IT infrastructure and identify security gaps. It is important to note that no industry is safe from these types of attacks.
HALOCK has also seen this uptick in ransomware among our customers this year during our incident response and forensic investigations. The same security areas repeatedly come up as gaps; addressing them could have identified and prevented an attack and allowed for a quicker recovery.
1. Keep systems up to date:
Rarely does a web application initially get deployed with known vulnerabilities. Over time, though, whether because of a lack of resources or skills or because the platform is challenging to upgrade, vulnerabilities in the existing applications are discovered and exploited by attackers to introduce ransomware into the network. Additionally, once ransomware is introduced to a network, operating system vulnerabilities often exist that are used to spread it rapidly throughout the network, with little to no ability to detect and respond before it's too late.
Recommendation: Ensure that patches and application versions are updated monthly to take away the low-hanging fruit an attacker may use to breach systems and spread ransomware.
2. Don’t allow remote desktop directly from the Internet:
There were several vulnerabilities identified in Microsoft Remote Desktop Protocol (RDP) this year that were utilized to gain administrative access to systems exposed to the Internet. Once accessed, the system, if not segmented, can be used as a jumping-off point to access and spread ransomware to any system it can communicate with. It is not a good practice to allow remote administrative access directly to systems.
Recommendation: Utilize a VPN solution using multi-factor authentication to allow secure access to the company network from the Internet.
3. Use a web application firewall:
A good number of successful attacks occur at web application servers. This can be achieved through vulnerabilities, as discussed in the first recommendation. Unfortunately, there are additional attack methods that patching alone will not address, such as brute-force password attacks and credential stuffing, and web application attacks that target the application code base. Once these attacks are successful, an attacker will typically install a remote shell or backdoor on the system that is difficult to identify and stop.
Recommendation: Deploy a web application firewall (WAF) in front of all web-facing assets serving HTTP and HTTPS content. The solutions available today can be cloud-based and require minimal setup and maintenance. A WAF will protect against targeted web application and brute-force attacks as well as provide protection from known vulnerabilities. This gives IT staff longer windows to complete patching.
4. Use a ransomware-aware endpoint security solution:
Many anti-malware solutions are not effective at identifying malware that has not been seen before or that uses normal Windows binaries such as PowerShell and other scripting tools normally present on operating systems. Increasingly, malware like ransomware will execute in system memory, which thwarts many of these solutions' protections. This makes ransomware difficult to identify and stop from executing.
Recommendation: Deploy an endpoint solution that has anti-ransomware capabilities that can identify encryption processes that occur on the system, whether on the HDD/SSD or in memory. Once identified, the solution will stop the encryption process, roll back encryption that has occurred to date, and prevent the same attack method from occurring again. Another important item related to endpoint security is to periodically check on the health of your endpoint security solution to verify that endpoints are regularly checking in to a central console, getting the latest protection updates, and being scanned on a regular basis.
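The periodic health check described above can be automated against an export from the central console. The following is an added example, not code from HALOCK or any endpoint product; the CSV column names, the sample rows and the age thresholds are all assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; the column names are hypothetical, not a product's format.
SAMPLE_EXPORT = """hostname,last_checkin,definitions_date,last_scan
ws-001,2019-10-14T08:12:00,2019-10-14,2019-10-13
ws-002,2019-09-20T17:40:00,2019-09-19,2019-09-15
srv-db1,2019-10-14T07:55:00,2019-10-01,2019-10-12
srv-file1,2019-10-13T23:10:00,2019-10-13,
"""

# Assumed policy thresholds (label, column, date format, maximum age).
CHECKS = [
    ("stale check-in", "last_checkin", "%Y-%m-%dT%H:%M:%S", timedelta(days=3)),
    ("outdated definitions", "definitions_date", "%Y-%m-%d", timedelta(days=7)),
    ("overdue scan", "last_scan", "%Y-%m-%d", timedelta(days=14)),
]


def audit_endpoints(export_text, now):
    """Return {hostname: [findings]}; endpoints with no findings are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = []
        for label, column, fmt, limit in CHECKS:
            try:
                age = now - datetime.strptime((row.get(column) or "").strip(), fmt)
            except ValueError:
                # An empty or malformed date means the control cannot be confirmed.
                problems.append(f"{label}: no valid date recorded")
                continue
            if age > limit:
                problems.append(f"{label}: {age.days} days old")
        if problems:
            findings[row["hostname"]] = problems
    return findings


if __name__ == "__main__":
    report = audit_endpoints(SAMPLE_EXPORT, datetime(2019, 10, 14, 12, 0))
    for host, problems in report.items():
        print(f"{host}: {'; '.join(problems)}")
```

An endpoint with a blank date is reported rather than skipped, since an agent that has never scanned is the case most likely to be overlooked.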
5. Back up critical data and systems:
Ransomware is at a minimum annoying and may impair the business from operating effectively for a period. A ransomware infection becomes critical, however, when there is no effective way to recover from it. Too often, backups have not been maintained and are non-operational or incomplete. It is also common that the backup media has never been tested to ensure that restoring is possible, resulting in longer downtime, a manual rebuild of the infrastructure, or paying the ransom.
Recommendation: Validate or start backing up all critical data and systems. Periodically test the restoration of backups to ensure optimal recovery from a ransomware situation.
6. Deploy an email security solution that inspects email attachments and links:
An easy and increasingly effective method of introducing ransomware into the environment is through email. Typically, there is an attachment such as a Word or Excel document that contains embedded macros, with instructions on how to "properly" open the document that guide the user to enable editing and content. Once these are enabled, the infection process will begin. Another common method is to provide, within the email, a URL link to a location on the web that will also kick off the infection, usually in memory, without the user experiencing anything out of the ordinary until the infection is complete.
Recommendation: Deploy an email security solution that provides advanced threat scanning and blocking capabilities. A needed capability is the ability to scan and run attachments in a sandbox environment to determine if there are behaviors and connections indicative of malware. Email is not delivered to a recipient until an "all clear" is provided by the solution. Equally important, the email security solution must identify and rewrite URL links within an email to track whether a user clicks on the link. Even more importantly, the solution will scan the destination for potential threats and malware behaviors before allowing a user to access the web destination.
Ransomware attacks are on the rise, and the techniques used to introduce ransomware into an environment are increasingly sophisticated and harder to defend against. The six recommendations provided will significantly reduce the threat profile and effectiveness of a ransomware attack and keep your organization out of the headlines as the next ransomware attack victim.
Author: Erik Leach, CISSP, SCF