Ransomware continues to be a popular tactic for cyber attacks and seems to be growing even more popular with hackers because it is both a highly successful form of attack and can be very lucrative. If you’ve fallen victim to a ransomware attack in the last year, chances are the attackers asked for payment in cryptocurrency. That’s right, it might be useful to grab some Bitcoins just in case.
We see the usual targets as the primary focus of attacks: health care, education and government. But the reality is that any organization is at risk of becoming a ransomware target. There are also many cases of ransomware hitting smartphones via malicious apps, which will lead to attacks that impact private citizens as opposed to just the realm of large institutions.
There is no shortage of information about ransomware on the web, ranging from the executive overview information to the deep dive technical analysis of a specific attack. We tapped our CTO and resident threat hunter, Chris Dodunski, to chime in on this topic.
1. How should an organization begin planning ransomware defense strategy?
CD: The first thing an organization needs to do is to understand what they are trying to protect. Specifically:
- Where is their critical data?
- How is it being accessed?
- In what format does it reside?
It is also essential to have complete visibility into networks and have trained professionals hunting and disrupting suspicious behavior. Of course, a solid business-continuity and disaster-recovery plan is a crucial ingredient to all of this as well.
2. What are the key elements in a ransomware defense plan?
CD: In a nutshell: patch regularly, back up your data, train your employees on security awareness, have complete visibility into your network, have a documented incident response plan and reduce your attack surface with zero-trust, proactive security infrastructure.
Ransomware is typically a “smash and grab” style attack. Unlike traditional malware that can live in the network for months or even years in a latent state, ransomware is much more focused and will function almost immediately following a breach. This makes it more important to be proactively preventative rather than reactive. Preemptive defenses look at stopping the malicious payload delivery before it can land on its endpoint.
CD: Assuming patching, backing up data and training is done, then from a security controls perspective, I would start by eliminating malicious payloads that are sent via email (phishing attacks) and web browsing (drive-by attacks), as these delivery methods typically represent 90 percent to 95 percent of all successful breaches. There are some excellent technologies that will neutralize any traces of “active code” delivered through email and web and, set up properly, they can be transparent to the users and extremely effective, even against zero-day attacks.
The next step in the security controls implementation would be to use an endpoint protection solution that can block ransomware encryption from executing. This is where the AV and EDR players sit.
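Answer 2 points to endpoint protection that blocks ransomware encryption from executing. The following is an added example, not from the original post or any vendor product, of the kind of behavioural heuristic such tooling relies on: a single process renaming many files and rewriting them with near-random (high-entropy) content inside a short time window. All process names, paths and event data are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed file-write events for this example (not from any real incident):
# (timestamp_seconds, process_name, path_before_write, path_after_write, bytes_written)
ENCRYPTED_LIKE = bytes(range(256)) * 16        # uniformly distributed bytes: entropy exactly 8.0
DOC_TEXT = b"Quarterly revenue figures and commentary for the board. " * 50

EVENTS = [
    (100, "winword.exe", "C:/docs/q1.docx", "C:/docs/q1.docx", DOC_TEXT),          # normal document save
    (160, "backup.exe", "D:/bak/set1.zip", "D:/bak/set1.zip", ENCRYPTED_LIKE),     # high entropy, no rename
] + [
    # six documents renamed to a new extension and rewritten within six seconds
    (300 + i, "updater.exe", f"C:/docs/file{i}.xlsx", f"C:/docs/file{i}.xlsx.locked", ENCRYPTED_LIKE)
    for i in range(6)
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data approach 8.0, prose sits near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extension_changed(before: str, after: str) -> bool:
    return before.rsplit(".", 1)[-1].lower() != after.rsplit(".", 1)[-1].lower()

def detect_mass_encryption(events, window=10, min_files=5, entropy_threshold=7.0):
    """Return the processes that rename and rewrite at least `min_files` distinct
    files with high-entropy content inside any `window`-second span.
    Both signals are required, so a backup tool writing archives is not flagged."""
    suspicious = defaultdict(list)  # process -> [(timestamp, path_after)]
    for ts, proc, before, after, data in events:
        if extension_changed(before, after) and shannon_entropy(data) >= entropy_threshold:
            suspicious[proc].append((ts, after))
    flagged = set()
    for proc, hits in suspicious.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {path for ts, path in hits[i:] if ts - start <= window}
            if len(in_window) >= min_files:
                flagged.add(proc)
                break
    return flagged

if __name__ == "__main__":
    print(detect_mass_encryption(EVENTS))  # {'updater.exe'}
```

In a real endpoint agent the same logic would run on live file-system events and the flagged process would be suspended before it reaches the rest of the share.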
3. How can employees be trained to react appropriately to a ransomware attack?
CD: My personal opinion would be to have regular interactive training on general cybersecurity awareness and to combine that with regular simulated phishing campaigns that are backed up by topical online education for reinforcement.
4. What are the best ways to make individual PCs bulletproof?
CD: There is no such thing as bulletproof. The reason these attacks are successful is that, from the perspective of security controls, the attacker behavior is indistinguishable from normal user activities. In other words, client-side attacks work. However, as I outlined in #5, eliminate 90 percent to 95 percent of malicious payloads being delivered to the network via email/web and then lock down the endpoint for the ones that slip past or use alternate payload delivery methods (e.g., plugging in the malicious USB stick found in the parking lot).
5. Would switching to a non-Windows platform make an organization more resilient to ransomware attacks?
CD: Statistically, yes, because Windows is the largest target group and therefore the primary focus for attackers. So being non-Windows may lessen the probability. But again, no software is bulletproof. Ransomware samples can be found for most operating systems, including Mac and Linux.
6. How can an active ransomware attack be contained?
CD: That is tough to say as every network has a different incident response plan and tolerance for these things. Obviously, in the event of an attack, you need to get the infected machine off the network as fast as possible in case there are attributes of the malware that would allow it to spread to other systems. I would also shut down access to any file servers until the spread is contained and understood.
This is where usability and security clash a bit. Single sign-on (SSO) architectures certainly allow for transparent access to network file servers, but they also provide a distinct path for ransomware attacks. Implemented from a pure security perspective, you would want an architecture that eliminates the concept of “the domain” (an exploitable trust relationship) and also removes all SSO access to critical infrastructure, replacing it with explicit multi-factor login everywhere. Of course, this is not how an enterprise works, as it is inconvenient for users.
7. Does it ever make sense to negotiate with a ransomware attacker?
CD: My personal opinion is no. If you pay the ransom, there is a real chance that they will not release your files or systems that have been locked. These are criminals after all and have little to no moral compass. Additionally, if you pay the ransom, it is likely they will come back for more at another time. I would say that most clever ransomware attackers will establish multiple beachheads inside the network just for this purpose. This is where regular cyber threat hunting operations can help identify these areas of post-breach activities (i.e., late-stage kill chain).
8. How is the ransomware threat likely to evolve over the next few years?
CD: Great question. My guess is that advanced adversaries will transition from human beings to AI platforms. I think that AI will make a big splash in the weaponization and delivery of these types of attacks. An AI attacker would not only be capable of rapidly crafting millions of highly effective zero-day attacks with its ability to iteratively learn how it is being stopped, but it will also be able to learn about its target environment, completely blending into the “noise” of the network, becoming almost invisible in terms of presence and behavior. Cyber defenses will have a real challenge ahead of them… perhaps one that can only be countered with more AI.
9. Do you have any other thoughts to share on this topic?
CD: One final thought: it is important to understand that there is no such thing as a perfect cybersecurity solution. Advanced persistent threat actors have the means and the patience to figure out how to bypass even the best security controls. It is highly likely that your organization will be breached (if it hasn’t happened already). Ensuring your people are well trained and your processes are in place are necessary steps to ensuring you have a solid security posture; that is the best-laid plan.