Top 10 Actions to Win Against Ransomware

Published by Axio

The whole thing can happen in less than a day. At one company, it was two hours from initial compromise to domain compromise of hundreds of machines.

An employee clicks a link in a phishing email, or a VPN vulnerability is found and exploited, or the attackers have purchased access into your environment, and they get an initial compromise. They employ pen-testing type techniques to explore the environment. They delete your online backups and exfiltrate all your data. Then they push out a ransomware binary, using your own infrastructure against you to deploy it everywhere. Suddenly, employees are looking at a message telling them all their data has been encrypted and a ransom must be paid to get it back.

You’ve read the awful stories. What can you do to protect your organization from the ransomware scourge?

Before Boom

There are some important things to do to try to prevent a ransomware attack, and some to do to be prepared for a ransomware attack.

  1. Get a good cyber insurance policy.

Work with a broker to determine coverages and limits suitable for your business and the types of attacks you may be subject to. Think about what types of attacks are plausible and what the likely impacts will be, and how insurance might minimize the blow to your bottom line if a successful attack occurs.

  1. Maintain, test, and secure backups.

Backups, that is, that attackers aren’t going to be able to delete if they get into your network. What works to prevent deletion of backups? Not having online backups or backups not being domain joined. European companies have fared better during the ransomware scourge than U.S. ones because they have continued to use offline backups.

If you have to use online backup solutions, look for those that have Hunt for Red October type access methods or non-AD authentication. Attackers are routinely able to secure domain admin credentials and use them to delete backups before activating the ransomware payload. Non-AD authentication for network-connected backups is critical.

And backups have got to be tested regularly. Otherwise you won’t be able to be confident that they will work correctly when you need them.

  1. Control or disable network services.

A common method for initial access in a ransomware attack is exploiting insecure remote management services, such as Remote Desktop Protocol. If you use a remote management service, require multifactor authentication for it, and if possible configure it so that it sits behind a remote access gateway. Also, assess all exterior facing systems and close down any unnecessary ports and services.

  1. Use an endpoint detection and response solution.

Advanced endpoint detection and response (EDR) solutions monitor for behavior indicative of malicious software or an attacker. EDR solutions can quickly identify an attack and the scope across your network and isolate or quarantine infected systems to stop the attack. They make it much more difficult for an attacker to establish a solid footing on your network to deploy ransomware. Whichever EDR solution you chose, you should implement it across as many types of endpoints as possible (end user systems, servers, IoT, etc.).

  1. Up your game on patching.

There’s an endless stream of vulnerabilities, so you need to be able to identify critical vulnerabilities—ones that could have the worst impact on your systems if exploited—and prioritize them for patching. At least quarterly, complete a vulnerability scan of all systems and applications, and actively work to remediate all high severity vulnerabilities between assessments.

 


You can launch and complete a Ransomware Preparedness Assessment for free in the Axio360 platform. It’s a quick way to understand your current cyber posture and prioritize what critical improvements need to be done to improve for 2021. The assessment is comprised of 8 control objectives with 75 controls, derived from a proprietary data set of hundreds of ransomware events analyzed by Axio’s research and development team.


 

  1. Train and test employees on phishing.

Provide training about phishing to all employees who use your corporate email. Randomly test employees, at least quarterly, to see if they are susceptible to phishing scams. Provide additional resources and training to employees who keep clicking those links. (And maybe more serious consequences for those who just never get it.) Provide a process for employees to report suspected phishing emails to IT for investigation and confirmation.

  1. Restrict privileged access and deploy a privileged access management solution.

Restrict the number of people that have administrative or privileged access to only those that need it for their job responsibilities. Implement multifactor authentication for all privileged and administrative access IDs. Restrict those with administrative privileges to use them only when necessary to complete a task that requires elevated privileges. Ideally, this would mean implementation of a privilege access management (PAM) solution, which requires an employee to request the necessary escalated privileges, be approved for the access, and then only for a certain period of time to complete the work. If you don’t have a PAM capability in place, consider restricting administrative access and tasks to be completed only on a jump server or privileged access workstation.

  1. Build decisions about ransomware attacks into your incident response plan.

Ransomware is pervasive, so you should be prepared to respond. Attackers are constantly scanning for vulnerabilities and throwing out lots of phishing emails. Sometimes they are creating targeted attacks. It’s smart to consider all the angles in advance and build decisions about how you will respond into your incident response plan. Here are two key considerations:

First off, please don’t pay the ransom for a decryption key just to try to avoid a three-week recovery time. As in all extortion stories, that only makes the extortionist keep coming back for more. (And if you got that cyber policy, it’s probably going to help you cover business interruption costs.) And please don’t depend on the attackers to give you a magic key that will immediately unlock and restore all your data. They may or may not do that, the key may or may not work, your data may or may not be restored intact. In any case, it’s better to have a decision in place about what you will do.

Second, the attackers may have exfiltrated all your data and will ask for an additional ransom to not publish it. Some attackers are publishing but not always, even if the victim doesn’t pay the ransom. Find out what the impacts would be of your data going public. Decide whether you are willing to take the reputation hit. Again, preferably, you can decide not to pay the ransom.

Your decision about paying ransoms should account for the possibility that the attacker might be sanctioned by the U.S. Office of Foreign Assets Control (OFAC). An OFAC advisory issued in October 2020 states that “U.S. citizens are prohibited from directly or indirectly engaging in economic transactions with those persons, nationals, countries, and regions on OFAC’s Specially Designated Nationals and Blocked Persons List.” This is partly because “ransomware payments made to sanctioned persons or…jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States.” (See “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments” issued by the Treasury Department on October 1, 2020.) Even if you unknowingly pay a ransom to a sanctioned attacker, you might still get slapped with a sizable penalty.

If you make a policy about ransoms, document it in your incident response plan. Otherwise, identify which role in the organization has the authority for making that decision. If you decide that you are willing to pay ransoms, make sure that either your cyber policy or kidnap and ransom policy covers them.

After Boom

We hate to be pessimistic, but in spite of your best efforts, you’re still likely to get hit with a ransomware attack. Here are some strategies to contain the damage.

  1. Call a law firm.

Who should you call first when a ransomware incident happens? Retain a law firm with cybersecurity incident expertise and then let them retain other help for incident response. If you got that cyber insurance policy, it’s most likely going to cover outsourced legal and incident response expenses (depending on your limit and the total costs involved in the incident). A law firm can help you navigate OFAC and other regulatory issues related to your response.

A law firm can also help you create a forensics report that’s not privileged. You do want a forensics report so you and possibly others (such as your insurer) can learn from your experience, but you don’t want it ending up in discovery and weaponized by defense council in the event of a lawsuit. Also, you may need to claim that the report is sensitive, so don’t send it out to a lot of people.

  1. Decide whether you will reimage or fix in place.

Were your backups domain-joined and nuked by the attackers? Or were they protected so the attackers didn’t get them? If the latter, you still have to decide whether to reimage or restore. Do you trust your backups? Have you been testing them?

If you would need help, such as in reimaging a lot of machines, how many people can you bring in? You don’t want to pay outsourced IR rates to do something like reimaging. Think about who can help do it at scale.

– – –

Ransomware can be costly and damaging to an organization that is not actively working to protect against it and fully prepare for it. As the trend for this type of attack increases in frequency and continues to evolve, you need to be aware of current attack patterns that lead to an attacker’s success and what things you can do to reduce your exposure. By following these steps, you can lower the probability of a successful ransomware attack and minimize the impact if an attack occurs.


You can launch and complete a Ransomware Preparedness Assessment for free in the Axio360 platform. It’s a quick way to understand your current cyber posture and prioritize what critical improvements need to be done to improve for 2021. The assessment is comprised of 8 control objectives with 75 controls, derived from a proprietary data set of hundreds of ransomware events analyzed by Axio’s research and development team.


 

Contributors: David White, Pamela Curtis, and Wassie Goushe