Ransomware has become a national security issue and a major point of concern for organizations of every industry and size. Now it’s no longer just an enterprise or large company concern, but a real worry for small and medium-sized organizations.
Ransomware is a type of malware that attackers use against organizations to seek monetary gain in exchange for regaining access and control over their systems and data. Traditionally, ransomware spreads throughout a network, encrypting files and servers, locking out users from accessing their machines and accounts.
Once infected, a victim organization will be contacted by the attacker to pay a ransom in order to receive the encryption key. But as seen in the past, there’s no guarantee that once paid, ransomware operators will follow through on the promise. These days, extortion has become part of the ransomware process. Attackers will not only encrypt but also steal your data, threatening to leak or sell it if an organization doesn’t pay the requested ransom.
At the core of every IT and/or security team’s objectives is the ability to keep servers running and operational, and to keep data confidential with its integrity intact. But ransomware’s objective is to bring the very concept of business continuity to a grinding halt, while costing your organization more in downtime and legal and compliance fees.
The Ransomware Task Force released a report, citing the following state of ransomware in the U.S. and how it affects organizations:
A lot of organizations aren’t sure where to start, or which security best practices are foundational to ensure good security hygiene and help reduce the overall risk of ransomware infection.
Here are some of the security basics to focus on to make the biggest difference, with many mapping to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s guide to ransomware prevention best practices. The general guidance includes tactics to ensure preparation, prevention, detection and response.
In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
On the Blumira security team’s recommendation, this has been a critical step for many of our customers impacted by security incidents, allowing them to contain the incident, recover and re-image infected servers. It is a key part of the incident response process that helps to minimize downtime and provides an unmanipulated backup from which to begin recovery. All critical systems should be backed up regularly to help you rebuild quickly.
According to CISA, you should maintain image templates of a preconfigured operating system and applications that you can quickly deploy to rebuild a virtual machine or server. In addition to system images, you should have the applicable source code or executables available for situations when images fail to install correctly on different hardware or platforms.
To more quickly remediate during stressful times, it’s important to create a comprehensive plan for post-incident triage, communication, investigation and full-company response. You don’t want to wait until you’re faced with an unfamiliar situation with looming threats and a ticking clock. Check out our Incident Response Guide For Ransomware Attacks to help inform your custom plan.
Ideally, you should invest in a detection and response solution that provides easily accessible, step-by-step playbooks for different types of attacks that can guide your existing IT team through the response process. That way, when faced with a security incident, anyone on your team will know how to contain and stop a threat quickly, such as isolating all affected systems and taking them offline. For help creating a basic plan, see the second half of the CISA report which provides a detailed Ransomware Protection Response Checklist.
Layering on an additional authentication factor means an attacker must know your password in addition to having access to a physical device, like your phone, in order to verify your identity. This second barrier to entry makes it much more difficult for attackers to remotely log into your accounts.
Implement two-factor or multi-factor authentication on every account, especially administrator-level accounts that could allow access to sensitive information or give attackers permissions to move laterally throughout your network and encrypt data with ransomware.
Attackers may use brute-force attacks to gain access to email or VPN accounts protected only by a single factor, a password. Weak passwords are easily guessed by automated systems, or access can be gained by cycling through many usernames with one password, a technique known as password spraying that avoids detection by most security systems. Stolen passwords that attackers find online in data dumps are another easy way in through the front door.
In this year’s attack on Colonial Pipeline, one of the largest U.S. pipeline operators that provides 45% of the East Coast’s fuel, an attacker was able to get into their systems initially by stealing a single password to a legacy VPN account that wasn’t protected by multi-factor authentication (Reuters).
In addition to two-factor authentication, invest in a solution that can detect and alert you to anomalous logins early enough to stop an attacker before they install ransomware.
Limit the number of users with privileged access to only those who need it to perform their job duties. CISA recommends restricting user permissions to install and run software applications to limit the risk of malicious downloads.
You should also limit the ability for a local administrator account to log in from a local interactive session to prevent access via RDP; remove all unnecessary accounts and groups while restricting root access; and control and limit local administration overall.
Auditing user accounts regularly, including third-party access given to managed service providers (MSPs), can help you keep track of who has access to your systems and services. This will help prevent attackers from obtaining the unauthorized privileged access they need to install ransomware on your networks.
Ransomware attackers often attempt to get initial access or gain a foothold in your environment by exploiting known vulnerabilities. In a recent ransomware attack on Kaseya, a network and endpoint remote monitoring and management tool, an attack was initially triggered via an authentication bypass vulnerability found in its web interface (ZDNet).
A series of other vulnerabilities were used in the ransomware attacks, which impacted more than 70 managed service providers (MSPs) and 1,000 companies as their servers and workstations were encrypted with ransomware.
Patching on a timely basis, as soon as updates are pushed out, is ideal to close the window of time an attacker has to target you or your customers. However, for many industries that rely on legacy systems and infrastructure, patching can often be difficult or impossible, especially for software that is no longer supported by its vendor, so patching is just one best practice that should be accompanied by many others.
In 50% of ransomware attacks, Remote Desktop Protocol (RDP) was the initial attack vector, according to a 2020 report by Unit 42. RDP is a Microsoft Windows protocol that allows users to remotely connect to systems and control them. When RDP ports are left open to the internet, protected only by a password, they can be leveraged by attackers seeking to gain access to your organization’s servers and launch a ransomware attack. Attackers can scan the internet for open RDP ports, then brute-force or use stolen credentials to log in, or use man-in-the-middle attacks or exploit known vulnerabilities in old versions of RDP to gain access.
In an analysis of data from 2019 to May 2020, a Blumira-hosted honeypot saw an 85% increase in RDP scanning and brute-force attempts as remote work became prevalent around the world. Honeypots can be used to easily detect unauthorized login attempts and attacker lateral movement. With a security monitoring and response solution, you can automate watching for RDP-related attacks and scanning to catch an attacker early before it results in deployed ransomware or a breach.
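Added example, not from the original post or Blumira’s platform: detection logic for the RDP brute-force pattern described above and the password spraying pattern described earlier, run over constructed Windows Security event records. The record layout, thresholds, windows and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security records: (timestamp, event_id, logon_type, user, source_ip).
# 4625 = failed logon; logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2021-07-01T10:00:00", 4625, 10, "administrator", "203.0.113.5"),
    ("2021-07-01T10:00:03", 4625, 10, "administrator", "203.0.113.5"),
    ("2021-07-01T10:00:06", 4625, 10, "administrator", "203.0.113.5"),
    ("2021-07-01T10:00:09", 4625, 10, "administrator", "203.0.113.5"),
    ("2021-07-01T10:01:00", 4625, 3, "alice", "198.51.100.7"),  # one try per user
    ("2021-07-01T10:01:10", 4625, 3, "bob", "198.51.100.7"),
    ("2021-07-01T10:01:20", 4625, 3, "carol", "198.51.100.7"),
    ("2021-07-01T10:01:30", 4625, 3, "dave", "198.51.100.7"),
    ("2021-07-01T10:05:00", 4625, 10, "jsmith", "10.0.0.8"),   # benign: a single typo
]

def _failures(events):
    """Yield (time, logon_type, user, ip) for each failed logon (event 4625)."""
    for ts, eid, lt, user, ip in events:
        if eid == 4625:
            yield datetime.fromisoformat(ts), lt, user, ip

def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any single sliding window."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect_rdp_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """(source_ip, user) pairs with >= threshold failed RDP logons inside one window."""
    per_pair = defaultdict(list)
    for t, lt, user, ip in _failures(events):
        if lt == 10:
            per_pair[(ip, user)].append(t)
    return sorted(k for k, ts in per_pair.items() if _max_in_window(ts, window) >= threshold)

def detect_password_spray(events, min_users=4, max_per_user=2, window=timedelta(minutes=10)):
    """Source IPs failing against many distinct users (first try per user counted) with
    only a few tries each: the spray pattern that per-account lockout rules miss."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for t, lt, user, ip in _failures(events):
        per_ip[ip][user].append(t)
    return sorted(ip for ip, users in per_ip.items()
                  if all(len(ts) <= max_per_user for ts in users.values())
                  and _max_in_window([min(ts) for ts in users.values()], window) >= min_users)
```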
A few best security practices for RDP include:
With the sheer breadth of endpoints, users, hosts, cloud applications and more interconnected in your environment, you need a good way to collect, centralize, analyze, detect, alert and respond to malicious activity that could be indicative of a ransomware attack in progress.
But it’s not easy to know where to start, or what types of threats you should be monitoring, especially as new vulnerabilities emerge. A good place to start is by sending your logs to a detection and response solution that will identify:
Identity or user-based attacks: Logins from countries you don’t do business in; geo-impossible logins (one user logging in from locations too far apart for the time between the logins); users visiting blocked websites; phishing attempts; fraudulent 2FA requests; password spraying attempts and more.
Services to monitor: Any 2FA or identity applications like Duo Security, Okta, Active Directory; other cloud security applications like Cisco Umbrella and KnowBe4
Email and data security risks: Newly created inbox rules; external document sharing; admin or security group changes; email forwarding enabled (could indicate attackers redirecting emails); users clicking on malicious URLs in emails; anomalous access attempts to email inboxes; email password creation or deletion and more.
Services to monitor: Microsoft 365 (formerly Office 365), Microsoft Outlook, Google Workspace (formerly G Suite)
Endpoint security events: Malware applications; potentially malicious executable files; compromised processes; potentially fake applications; suspected adware; early-to-late stage endpoint intrusion and more.
Services to monitor: Any endpoint protection applications like VMware Carbon Black Endpoint Protection, Crowdstrike Falcon Endpoint Protection, Microsoft Defender for Endpoint, ESET Endpoint Protection
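Added example, not from the original post or Blumira’s platform: the first two identity checks in the list above, logins from countries you don’t do business in and geo-impossible logins, implemented over constructed successful sign-in records that carry a country and coordinates. The allowed-country set, the 900 km/h travel limit and the sample sign-ins are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

ALLOWED_COUNTRIES = {"US", "CA"}  # assumption: the countries the organization operates in
MAX_SPEED_KMH = 900               # faster than an airliner counts as impossible travel

# Constructed successful sign-ins: (timestamp, user, country, latitude, longitude).
SAMPLE_SIGNINS = [
    ("2021-07-01T09:00:00", "alice", "US", 42.33, -83.05),  # Detroit
    ("2021-07-01T09:10:00", "bob",   "US", 42.33, -83.05),  # Detroit
    ("2021-07-01T09:20:00", "carol", "US", 42.33, -83.05),  # Detroit
    ("2021-07-01T10:10:00", "bob",   "DE", 50.11,   8.68),  # Frankfurt, 1 h later
    ("2021-07-01T12:00:00", "alice", "US", 41.88, -87.63),  # Chicago, 3 h later
    ("2021-07-03T09:20:00", "carol", "RU", 55.75,  37.62),  # Moscow, 2 days later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def find_suspicious_signins(signins, allowed=ALLOWED_COUNTRIES, max_speed=MAX_SPEED_KMH):
    """Return (user, timestamp, reason) findings in chronological order."""
    findings = []
    last = {}  # user -> (datetime, lat, lon) of that user's previous sign-in
    for ts, user, country, lat, lon in sorted(signins):
        t = datetime.fromisoformat(ts)
        if country not in allowed:
            findings.append((user, ts, f"login from unexpected country {country}"))
        if user in last:
            t0, lat0, lon0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            km = haversine_km(lat0, lon0, lat, lon)
            # Two sign-ins from different places, closer in time than anyone could travel.
            if km > 0 and (hours == 0 or km / hours > max_speed):
                findings.append((user, ts, f"impossible travel: {km:.0f} km in {hours:.1f} h"))
        last[user] = (t, lat, lon)
    return findings

if __name__ == "__main__":
    for user, ts, reason in find_suspicious_signins(SAMPLE_SIGNINS):
        print(f"{ts} {user}: {reason}")
```

Bob’s Frankfurt sign-in trips both rules, while Carol’s Moscow sign-in two days later is only a country finding, which is the distinction a triage playbook should make.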
While there’s no solution that can prevent ransomware alone, a variety of different security practices and layers of security can help you prevent a ransomware attack. At the core of your ransomware prevention strategy, you’ll need an automated way to gain complete visibility of your entire environment, identify indicators of an attack in progress and quickly respond to threats.
To enable you to do that, Blumira offers an all-in-one solution that all organizations can leverage, no matter what size of team or level of security expertise. Blumira’s platform enables you to easily detect and respond to threats to prevent a ransomware attack and data breach:
Monitor and detect real threats:
Enable your team to quickly respond:
Gain access to security expertise:
*Based on a comparison of 12 different SIEM providers on G2
Blumira detects every stage of a ransomware attack and provides playbooks on how to respond and contain it. Our platform notifies you of indicators of real attacker tactics and techniques used to gain information about your environment’s security weak spots; get initial access to systems; escalate privileges and move laterally across networks; and exfiltrate data and install ransomware.
See how easy and fast it can be to set up a free trial of Blumira today.
Small and medium-sized businesses (SMBs) are often ill-prepared to deal with the impact of ransomware and have limited resources to detect and prevent an attack.
Download our guide to learn more about ransomware protection, including:
Grab your free copy here: