The top 6 things you should do right now to prepare for and defend against a ransomware attack.
The number of organizations affected by ransomware so far this year has more than doubled compared with the same period in 2020. Many of the larger breaches reported this year have hit hospitals, police departments and local governments, resulting in lengthy outages and large ransom payments. Attackers increasingly target these sectors because their environments typically contain legacy systems and out-of-date protections, and technical change is slow there for reasons such as patient safety, budget constraints, and a shortage of skilled staff to manage the IT infrastructure and identify security gaps. It is important to note that no industry is safe from these attacks.
HALOCK has seen the same uptick in ransomware among our customers this year during our incident response and forensic investigations. The same security gaps come up repeatedly: gaps that, had they been closed, could have detected and prevented the attack and allowed for a quicker recovery.
1. Keep systems up to date:
Rarely is a web application deployed with known vulnerabilities on day one. Over time, though, because of limited resources or skills, or because the platform is difficult to upgrade, vulnerabilities discovered in the existing application go unpatched and are exploited by attackers to introduce ransomware into the network. Once ransomware is on the network, unpatched operating system vulnerabilities are often used to spread it rapidly from host to host, leaving little or no opportunity to detect and respond before it is too late.
Recommendation: Ensure that operating system patches and application versions are updated at least monthly, and patch vulnerabilities that are being actively exploited as soon as fixes are available, to take away the low-hanging fruit an attacker may use to breach systems and spread ransomware.
2. Don’t allow Remote Desktop directly from the Internet:
Several vulnerabilities were identified in Microsoft’s Remote Desktop Protocol (RDP) this year that were used to gain administrative access to systems exposed to the Internet, and Internet-facing RDP is also routinely compromised simply by guessing weak or reused passwords. Once an attacker is on such a system, it becomes a jumping-off point to reach and spread ransomware to any system it can communicate with if the network is not segmented. Allowing remote administrative access directly to systems from the Internet is not good practice.
Recommendation: Remove RDP (TCP 3389) and similar administrative protocols from Internet-facing firewall rules, and provide remote access through a VPN solution that requires multi-factor authentication (MFA). Inside the network, limit RDP to designated administrative hosts and enable account lockout so that password guessing is slowed and logged.
3. Use a web application firewall (WAF):
A good share of successful attacks begin at web application servers. Some succeed through unpatched vulnerabilities, as discussed in the first recommendation. Unfortunately, there are additional attack methods that patching alone will not address, such as brute-force password guessing and credential stuffing, and attacks that target flaws in the application’s own code. Once such an attack succeeds, the attacker typically installs a web shell or other backdoor on the system that is difficult to identify and stop.
Recommendation: Deploy a web application firewall (WAF) in front of all Internet-facing assets serving HTTP and HTTPS content. The solutions available today can be cloud based and require minimal setup and maintenance. A WAF can block many targeted web application attacks and rate-limit brute-force and credential-stuffing attempts, and its signatures provide a measure of protection (“virtual patching”) against known vulnerabilities, which gives IT staff a longer window to complete patching. It is a compensating control, not a replacement for patching, and its rules need tuning so that legitimate traffic is not blocked.
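The brute-force and credential-stuffing patterns mentioned above are the same ones a WAF or login-protection rule looks for: many failures for one account from one address, or one address cycling through many accounts. The following is an added example, not code from the original article or from HALOCK, that runs that detection logic over constructed authentication log lines. The log format (`TIMESTAMP EVENT ip=… user=…`), the thresholds and the windows are assumptions chosen for illustration and should be tuned to your own application’s normal failure rate.

```python
"""Detect brute-force and credential-stuffing patterns in authentication logs.

Added example (not from the original article). Log format, field names and
thresholds are assumptions chosen for illustration; adjust to your own logs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds (assumed): tune to your application's normal failure rates.
BRUTE_FORCE_FAILURES = 5                    # failures for one user from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # ... within this window
STUFFING_DISTINCT_USERS = 10                # distinct users failing from one IP ...
STUFFING_WINDOW = timedelta(minutes=10)     # ... within this window


def parse_line(line):
    """Parse 'TIMESTAMP EVENT key=value ...' into (timestamp, event, fields)."""
    ts_str, event, *kv = line.split()
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    fields = dict(item.split("=", 1) for item in kv)
    return ts, event, fields


def max_in_window(times, window):
    """Largest number of events falling inside any sliding window of the given width."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(events, window):
    """Largest number of distinct values inside any sliding window; events are (ts, value)."""
    events = sorted(events)
    seen = Counter()
    best = start = 0
    for end, (t, value) in enumerate(events):
        seen[value] += 1
        while t - events[start][0] > window:
            old = events[start][1]
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def detect(lines):
    """Return {'brute_force': [(ip, user), ...], 'credential_stuffing': [ip, ...]}."""
    per_ip_user = defaultdict(list)   # (ip, user) -> failure timestamps
    per_ip = defaultdict(list)        # ip -> [(timestamp, user), ...]
    for line in lines:
        ts, event, f = parse_line(line)
        if event != "login_failed":
            continue                  # only failures feed the counters
        per_ip_user[(f["ip"], f["user"])].append(ts)
        per_ip[f["ip"]].append((ts, f["user"]))

    alerts = {"brute_force": [], "credential_stuffing": []}
    for key, times in per_ip_user.items():
        if max_in_window(times, BRUTE_FORCE_WINDOW) >= BRUTE_FORCE_FAILURES:
            alerts["brute_force"].append(key)
    for ip, events in per_ip.items():
        if max_distinct_in_window(events, STUFFING_WINDOW) >= STUFFING_DISTINCT_USERS:
            alerts["credential_stuffing"].append(ip)
    return alerts


def sample_log():
    """Constructed log lines: one brute-force burst, one stuffing run, one normal user."""
    base = datetime.fromisoformat("2021-06-01T12:00:00+00:00")

    def line(offset_s, event, ip, user):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} {event} ip={ip} user={user}"

    lines = [line(i * 7, "login_failed", "203.0.113.5", "alice") for i in range(8)]
    lines += [line(30 + i * 9, "login_failed", "198.51.100.7", f"user{i:02d}") for i in range(12)]
    lines += [line(45, "login_failed", "192.0.2.10", "bob"),
              line(60, "login_ok", "192.0.2.10", "bob")]
    return lines


if __name__ == "__main__":
    print(detect(sample_log()))
```

The two detectors are deliberately separate: a stuffing run never trips the per-account threshold because each account is tried once, and a brute-force burst against one account never trips the distinct-user threshold, so a rule that only counts failures per source address would miss the first and a rule that only counts failures per account would miss the second.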
4. Use a ransomware-aware endpoint security solution:
Many anti-malware solutions are not effective at identifying malware that has not been seen before or that uses legitimate Windows binaries such as PowerShell and other scripting tools already present on the operating system. Increasingly, ransomware executes in memory without writing a conventional executable to disk, which thwarts many signature-based protections. This makes ransomware difficult to identify and stop before it runs.
Recommendation: Deploy an endpoint solution with anti-ransomware capabilities that detects mass encryption activity on the system, whether the data lives on HDD/SSD or in memory. Once detected, the solution should stop the encrypting process, roll back the encryption performed so far, and block the same attack method from running again. Another important item related to endpoint security is to periodically check on the health of your endpoint security solution: verify that every endpoint is regularly checking in to the central console, receiving the latest protection updates, and being scanned on a regular basis. An endpoint whose agent has stopped reporting is, in practice, unprotected.
5. Back up critical data and systems:
Ransomware is at a minimum an annoyance and may impair the business from operating effectively for a period. A ransomware infection becomes critical, however, when there is no effective way to recover from it. Too often, backups have not been maintained and are non-operational or incomplete. Just as common, the backup media has never been tested to ensure that a restore is actually possible, resulting in longer downtime, manual rebuilds of the infrastructure, or paying the ransom.
Recommendation: Validate your backups of all critical data and systems, or start making them. Keep at least one copy offline or otherwise unreachable from the production network, because ransomware operators routinely seek out and encrypt or delete online backups before triggering the attack. Periodically test the restoration of backups, including how long a restore takes, to ensure recovery from a ransomware situation is realistic.
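A restore test is only meaningful if it proves the restored data matches what was backed up, not merely that the archive opens. The following is an added example, not code from the original article or from HALOCK, of the minimal drill: record a SHA-256 manifest at backup time, restore to a scratch directory, and compare every file against the manifest. The directory layout, file contents and the simulated corruption are constructed for illustration; a real drill would run against a production-sized backup on the actual restore target.

```python
"""Create a backup with a checksum manifest, restore it, and verify the restore.

Added example (not from the original article). Directory layout, file contents
and the corruption scenario are constructed for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, archive: Path) -> dict:
    """Tar the source tree and return {relative_path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive. The 'data' filter (Python 3.12+, backported to
    maintenance releases) refuses path traversal and device entries in the tar;
    older interpreters fall back to an unfiltered extract."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare every manifest entry against the restored tree."""
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_test() -> dict:
    """End-to-end drill on constructed data: a clean restore, then a restore copy
    that was silently altered, to show the manifest check catching both cases."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Acme\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        archive = tmp / "nightly.tar.gz"
        manifest = create_backup(src, archive)

        clean = tmp / "restore-clean"
        restore(archive, clean)
        clean_result = verify_restore(manifest, clean)

        # Constructed failure: one file changed, one file lost on the restored copy.
        damaged = tmp / "restore-damaged"
        restore(archive, damaged)
        (damaged / "db" / "customers.csv").write_text("id,name\n1,ACME\n")
        (damaged / "config.yaml").unlink()
        damaged_result = verify_restore(manifest, damaged)

    return {"clean": clean_result, "damaged": damaged_result}


if __name__ == "__main__":
    print(restore_test())
```

Store the manifest separately from the archive (and from the backup server) so that an attacker who reaches the backups cannot rewrite both consistently; the manifest is what lets you prove after an incident that the copy you are restoring is the one you took.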
6. Deploy an email security solution that inspects email attachments and links:
An easy and increasingly effective method of introducing ransomware into the environment is email. Typically, an attachment such as a Word or Excel document contains embedded macros together with instructions on how to “properly” open the document, guiding the user to enable editing and content. Once content is enabled, the infection begins. Another common method is a URL in the email that points to a location on the web which kicks off the infection, usually in memory, without the user noticing anything out of the ordinary until the infection is complete.
Recommendation: Deploy an email security solution with advanced threat scanning and blocking capabilities. A needed capability is the ability to open and run attachments in a sandbox environment to determine whether they exhibit behaviors or network connections indicative of malware; the email is not delivered to the recipient until the solution gives an “all clear”. Equally important, the email security solution must identify and rewrite URL links within an email so that user clicks are tracked and, more importantly, so that the destination is scanned for threats and malware behaviors at click time before the user is allowed to reach it. Where business processes allow, also configure Office to block macros in documents that originate from the Internet, which removes the attack’s first step regardless of whether the email filter catches the message.
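Before an attachment is handed to a sandbox, a mail gateway typically makes a cheap first pass by content: is this an Office document, and does it carry a VBA project? The following is an added example, not code from the original article or from HALOCK, that parses a constructed MIME message, classifies each attachment by its bytes rather than its file name, pulls URLs out of the text body for click-time rewriting, and returns a hold/deliver verdict. The message, the attachment contents (a minimal Office Open XML package with and without a `vbaProject.bin` part) and the verdict names are constructed for illustration; this is triage logic, not a replacement for detonating the file.

```python
"""Triage an inbound email: flag macro-bearing Office attachments and extract URLs.

Added example (not from the original article). The sample message, attachment
contents and the 'hold'/'deliver' verdict names are constructed for illustration.
"""
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.docx/.docm/.xlsm ...)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_attachment(data: bytes) -> str:
    """Classify by content, not by file extension; attackers rename files freely."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office: macro streams need an OLE parser, so defer to the sandbox.
        return "legacy-office"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()            # names only; nothing is extracted
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if "[Content_Types].xml" not in names:
            return "zip"
        # A VBA project lives in a vbaProject.bin part, whatever the extension claims.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro"
        return "office-no-macro"
    return "other"


def triage_message(raw: bytes) -> dict:
    """Walk the MIME parts: classify attachments, collect body URLs, decide."""
    msg = message_from_bytes(raw, policy=default)
    report = {"attachments": {}, "urls": [], "verdict": "deliver"}
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            report["attachments"][filename] = classify_attachment(payload)
        elif part.get_content_type() in ("text/plain", "text/html"):
            report["urls"].extend(URL_RE.findall(part.get_content()))
    kinds = set(report["attachments"].values())
    if kinds & {"office-macro", "legacy-office", "corrupt-zip"}:
        report["verdict"] = "hold"             # detonate in a sandbox before delivery
    elif report["urls"]:
        report["verdict"] = "rewrite-urls"     # route links through click-time scanning
    return report


def build_ooxml(macro: bool) -> bytes:
    """Constructed minimal Office Open XML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder, not real VBA
    return buf.getvalue()


def sample_message() -> bytes:
    """Constructed phishing-style message: a macro document, a clean document, a link."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please enable content to view: https://example.net/invoice/view")
    msg.add_attachment(build_ooxml(macro=True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(build_ooxml(macro=False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="terms.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(sample_message()))
```

The classifier looks only at the zip directory, so a damaged or deliberately malformed archive is treated as suspicious rather than skipped; a gateway that silently passes anything it cannot parse hands the attacker an easy bypass.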
Ransomware attacks are on the rise, and the techniques used to introduce it into an environment are increasingly sophisticated and harder to defend against. The six recommendations provided will significantly reduce your exposure and the effectiveness of a ransomware attack, and help keep your organization out of the headlines as the next ransomware victim.

HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.
Are you prepared for a cyber security incident? Assess your incident response readiness. If you have a security incident, we can help minimize the impact.
Incident Response Hotline: 800-925-0559

Author: Erik Leach, CISSP, SCF
FREQUENTLY ASKED QUESTIONS (FAQs)
1. What is a ransomware risk assessment?
A ransomware risk assessment is a cybersecurity evaluation that measures an organization’s vulnerability to ransomware attacks. It examines systems, processes, and user behaviors to identify gaps that threat actors can exploit to breach defenses and execute attacks. The assessment is scoped and reported against NIST CSF, NIST RMF, and CMMC, and mapped to the MITRE ATT&CK® matrix, to make sure your security program is in alignment with your risk exposure.
HALOCK’s ransomware assessments and readiness reviews measure your organization’s preparedness for ransomware, enabling you to understand your current exposure, prioritize remediation, and close the security gaps attackers are most likely to target. The risk-based assessments are built around an organization’s critical assets and help security teams understand and align incident detection, protection, and response strategies with frameworks and standards including NIST CSF, NIST RMF, CMMC, and MITRE ATT&CK®.
2. How does a risk-based threat assessment work?
A risk-based threat assessment measures the potential risk a specific threat poses to an organization based on its likelihood to occur and the business impact of the threat. It then applies this analysis to security controls and countermeasures to create actionable risk-reduction plans.
HALOCK uses the MITRE ATT&CK® framework to map real-world adversary tactics, techniques, and procedures to your network environment and accounts so that your organization can understand which attack paths are most relevant to its environment. With this knowledge, security investments and controls can be applied where the risk is highest.
3. Why use the MITRE ATT&CK® framework for cybersecurity assessments?
MITRE ATT&CK® is a globally accessible knowledge base of tactics and techniques that adversaries use in their attacks. It is a valuable tool for security teams to identify, understand, and prevent future attacks.
HALOCK includes ATT&CK® in our ransomware and risk-based threat assessments to give organizations more complete visibility into potential attack vectors and to prioritize the defenses that best reduce risk.
4. How can HALOCK help prevent ransomware attacks?
HALOCK can help your organization prevent ransomware attacks by first identifying potential weak points with our compromise assessments, ransomware readiness reviews, and penetration testing.
HALOCK cybersecurity experts then work with your business to develop a risk-based security plan for attack path prevention that applies the MITRE ATT&CK® framework, so that the attack paths and known adversary tactics relevant to you can be prioritized and defended, covering your organization’s critical assets and incident response capabilities.
5. What are the benefits of a ransomware readiness assessment?
A ransomware readiness assessment identifies gaps in detection, response, and recovery processes BEFORE an attack occurs, so an organization can significantly reduce downtime and have a documented, practiced, and tested incident response plan in place when an attack happens. This helps your business maintain “reasonable and appropriate safeguards” against ever-changing ransomware threats, as expected by cybersecurity and data protection compliance standards and legal guidance such as HIPAA, PCI DSS, NIST CSF, FedRAMP, GDPR, and CMMC.
6. How often should businesses conduct threat assessments?
Businesses should conduct risk-based threat assessments at least annually, or whenever their infrastructure or environment changes significantly, such as cloud migration projects, mergers and acquisitions, or extensive software and hardware updates, to ensure defenses remain effective against the evolving tactics and techniques cataloged in the MITRE ATT&CK® knowledge base.
7. What industries benefit most from ransomware and risk-based threat assessments?
Healthcare, financial services, education, legal, and manufacturing industries can benefit greatly from these assessments due to high data sensitivity and stringent compliance requirements, but every organization should have a ransomware readiness strategy and assessment built into their overall cybersecurity program.
HALOCK tailors ransomware and risk-based threat assessments to each industry’s cybersecurity risk profile, applicable regulations, and inherent legal obligations to third-party customers.
8. What makes HALOCK’s ransomware assessment different?
HALOCK’s ransomware assessment is unique in that it goes beyond vulnerability scanning to determine whether the technical controls that support cybersecurity resilience are actually in place and working. We also apply Duty of Care Risk Analysis (DoCRA) and ATT&CK® mapping to our ransomware and risk-based assessments, ensuring not only that cybersecurity and IT controls are effective, but that they are reasonable and appropriate under current regulatory, compliance, and legal standards. This helps your organization demonstrate that it is making reasonable and appropriate efforts to protect customers and suppliers, which is essential for defensible due care.
9. What is the relationship between risk assessments and incident readiness?
Risk assessments focus on identifying and prioritizing the potential threats and vulnerabilities that may impact an organization. Incident readiness, on the other hand, is the ability of an organization to quickly and effectively detect, respond to, and recover from a security incident. The two connect through the incident response plan (IRP), a vital component of risk management that outlines the steps an organization should take in the event of a security incident.
HALOCK provides both cybersecurity risk and ransomware assessments and incident readiness as combined services to help clients better prepare for and respond to not only ransomware attacks but also insider threats and APTs.
10. How can I start a ransomware or threat assessment with HALOCK?
Schedule a ransomware or risk-based threat assessment for your business.
Our experts will help you scope the work and define a risk-reduction roadmap aligned to standards including NIST, CMMC, and MITRE ATT&CK®.
