The cyber threat landscape has changed significantly over the last two decades. Gone are the days when an IT organization’s primary concerns were viruses and adware—which were more of a nuisance than a threat and only impacted a subset of systems. Today’s threat actors are more sophisticated, highly motivated, and well-funded. There’s more at stake and more to lose—and these bad actors target any and all critical assets and aim to create the maximum possible disruption and impact.
Ransomware is currently one of the most common and destructive cyberattacks across most industries. Ransomware groups vary in sophistication, techniques, and motivation, but the pattern is broadly the same: a threat actor gains entry through one of several attack vectors (e.g., a phishing email, an externally facing remote desktop service, or a zero-day exploit), scopes out the environment for critical data (e.g., PII, PHI) and critical infrastructure (e.g., file servers, backups, and virtual clusters), and then deploys malware that encrypts files across the organization.
The intent? To maximize the damage and so increase the likelihood that the victim complies with the threat actors’ demands. Victims are left helpless, cut off from their files, and with a sense of dread; most have never experienced a ransomware incident before, leaving them unprepared and overwhelmed.
All that’s left is a ransom note or pop-up demanding a significant sum in cryptocurrency. To make matters worse, if a victim chooses not to cooperate, the threat actor may publish the organization’s sensitive data, potentially resulting in regulatory fines and reputational damage.
These threats are serious, but there is hope. There are a number of actions that organizations can take to protect against ransomware, or at the very least to minimize the impact if an incident occurs.
Multi-factor authentication (MFA) is one of the most effective deterrents against identity-based attacks. Without MFA enforcement, a ransomware threat actor has a single control to defeat, the password, in order to gain access to the target resource. MFA requires the user to supply a second proof before authentication completes, either a code from a generator app (e.g., Microsoft Authenticator, Google Authenticator) or approval of a push prompt (e.g., Microsoft Authenticator, Okta) delivered to a device the user holds, such as their phone. Where the platform supports it, prefer number matching over a plain approve/deny prompt, since a bare prompt can be worn down by repeated requests until the user taps approve.
While MFA can be effective at preventing ransomware from entering through authentication vectors, it cannot protect against every attack vector, which is why having multiple controls in place is critical.
An organization’s employees are prime targets for ransomware groups via phishing techniques. Threat actors will attempt to gain a user’s attention via impersonation of people (e.g., C-Suite, Human Resources) and/or technologies (e.g., spoofed login page). Once a foothold is gained, a threat actor can begin scoping the environment and eventually carry out a ransomware attack.
Security awareness is an effective way to mitigate these types of risks by ensuring employees are cognizant of threat actors’ phishing techniques. There are two major components to security awareness:
Ransomware groups are quick to take advantage of poor cybersecurity practices. One of the most common attack vectors is an externally exposed remote entry point such as remote desktop. Threat actors know that organizations commonly exempt administrator accounts from identity controls such as password expiration and account lockout, which lets them brute-force an administrator password without ever being locked out. Once they have it, they have free rein in the environment.
To make matters worse, many organizations do not monitor logon activity (e.g., failed and successful logon attempts and the source addresses behind them), so the guessing goes undetected. A week or two later, the ransomware group will have mapped the entire environment, identified the critical platforms and data, exfiltrated sensitive data, and encrypted all assets.
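The monitoring gap described above is straightforward to close once failed logons are being collected. The script below is an added example, not code from the original post: it runs brute-force detection over constructed records shaped like exported Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP), raising a medium alert when one source IP exceeds a failure threshold inside a sliding window and a high alert when a success follows such a burst. The field names and thresholds are assumptions for the example.

```python
"""Detect RDP brute force from exported Windows Security events.
Added example; the event records below are constructed, not real logs.
Assumed record fields mirror EventID, TargetUserName, IpAddress, LogonType."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # this many 4625s from one source IP ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window
RDP_LOGON_TYPE = 10


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (ISO-8601 timestamps).
SAMPLE_EVENTS = [
    # 203.0.113.7: six failures in three minutes, then a success
    {"time": "2024-03-01T02:00:01", "id": 4625, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T02:00:31", "id": 4625, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T02:01:02", "id": 4625, "user": "admin", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T02:01:40", "id": 4625, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T02:02:15", "id": 4625, "user": "backup", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T02:02:50", "id": 4625, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    {"time": "2024-03-01T02:04:10", "id": 4624, "user": "administrator", "ip": "203.0.113.7", "logon_type": 10},
    # 198.51.100.2: two typos by a legitimate user, then success (no alert)
    {"time": "2024-03-01T08:15:00", "id": 4625, "user": "jsmith", "ip": "198.51.100.2", "logon_type": 10},
    {"time": "2024-03-01T08:15:20", "id": 4625, "user": "jsmith", "ip": "198.51.100.2", "logon_type": 10},
    {"time": "2024-03-01T08:15:45", "id": 4624, "user": "jsmith", "ip": "198.51.100.2", "logon_type": 10},
    # 192.0.2.9: five failures spread over an hour, below the rate threshold
    {"time": "2024-03-01T09:00:00", "id": 4625, "user": "administrator", "ip": "192.0.2.9", "logon_type": 10},
    {"time": "2024-03-01T09:15:00", "id": 4625, "user": "administrator", "ip": "192.0.2.9", "logon_type": 10},
    {"time": "2024-03-01T09:30:00", "id": 4625, "user": "administrator", "ip": "192.0.2.9", "logon_type": 10},
    {"time": "2024-03-01T09:45:00", "id": 4625, "user": "administrator", "ip": "192.0.2.9", "logon_type": 10},
    {"time": "2024-03-01T10:00:00", "id": 4625, "user": "administrator", "ip": "192.0.2.9", "logon_type": 10},
]


def detect_rdp_attacks(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts with 'ip', 'severity', 'failures'
    (count inside the window) and 'users' (accounts tried from that IP).
    A success after a burst of failures adds 'compromised' with the account."""
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    tried = defaultdict(set)        # ip -> usernames attempted
    alerted = set()                 # IPs already reported for brute force
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        now, ip = _ts(ev["time"]), ev["ip"]
        q = failures[ip]
        while q and now - q[0] > window:    # slide the window forward
            q.popleft()
        if ev["id"] == 4625:
            q.append(now)
            tried[ip].add(ev["user"])
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"ip": ip, "severity": "medium",
                               "failures": len(q), "users": sorted(tried[ip])})
        elif ev["id"] == 4624 and len(q) >= threshold:
            # Success right after a burst of failures: the password was likely guessed
            alerts.append({"ip": ip, "severity": "high",
                           "failures": len(q), "users": sorted(tried[ip]),
                           "compromised": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The sliding window matters: the slow guesser at 192.0.2.9 never trips the count because each failure is older than the window by the time the next arrives, which is exactly why a low-and-slow spray also needs a longer-horizon view (e.g., distinct accounts per source per day) alongside this rate check.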
Placing remote access connections behind an MFA-enabled VPN or portal is an effective way to reduce the likelihood of this entry point being viable to threat actors. Organizations should also be aware of remote access tools such as TeamViewer and LogMeIn. These can bypass VPN requirements and leave holes in an environment that threat actors can exploit. If there’s a business case for use, make sure MFA is enabled on these platforms.
Ransomware groups are becoming more elusive by employing techniques that rely on everyday IT administrative tools such as Python, PsExec, and PowerShell. This limits the ability of traditional antivirus solutions to detect malicious activity, since the tools themselves are considered benign. Endpoint detection and response (EDR) solutions instead detect and block activity based on behavior patterns, before ransomware proliferates in an environment. For organizations with smaller IT/cyber teams, a managed detection and response (MDR) service adds a third party providing 24/7/365 monitoring, alerting, and response.
Even with the best plans, disaster can strike for a number of reasons.
It is imperative that backups are protected, kept out of a threat actor’s reach, and covered by a tested restoration strategy. This can be done in a number of ways:
Ransomware is one of the most disruptive and destructive cyber threats today, and it is imperative that organizations are prepared for these types of attacks. Ransomware happens so often that it’s only a matter of time until an organization has to respond to an incident. The controls listed here provide a high-level guide to key items that can help reduce both the likelihood and the potential impact of a cyberattack.