Why do ransomware attacks keep happening?

With ransomware attacks on the rise, many companies are looking for ways to limit their exposure to this potentially expensive cyberattack. According to Coveware’s 2020 study, enterprise organizations paid up to $780K in ransom payments per event. Smaller businesses lose, on average, $200K in downtime and recovery costs, with many of them filing for bankruptcy as a result of the event. (CNBC, 2019)

What is ransomware?

According to the FBI, “Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.” This is accomplished by encrypting all of the files on networked computers and forcing businesses to pay a ransom for the decryption key.

How does ransomware get into my network?

There are many methods that attackers use to get ransomware onto a corporate network. These include (spear) phishing with malicious attachments or links to fraudulent websites, social media posts, fake versions of otherwise paid software (often offered as “warez”), drive-by downloads, or even “low tech” methods like leaving an infected thumb drive where an unsuspecting user will find it and, purely out of curiosity, plug it into their computer.

What happens then?

Once the malware has found its way onto the network, it moves laterally by exploiting known weaknesses on network endpoints. These include unpatched vulnerabilities, insecure configurations such as default or weak passwords, opportunities for privilege escalation, and exposed services such as RPC, RDP, and SMBv1.

As neighboring devices are discovered, the malicious code spreads throughout the network without any need for human involvement. More advanced variants (like Ryuk) will discover all neighbors via the local ARP table, send a Wake-on-LAN packet to those machines to bring them out of sleep or hibernation, infect them, and then delete the Windows Volume Shadow Copies (VSS, the local backup) so that, once encrypted, the drive cannot be recovered.
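The shadow-copy deletion described above is one of the most reliable behaviors a defender can alert on, because legitimate administrators rarely run it and ransomware almost always does. The following is an added example, not code from the original article: a minimal detection that parses constructed, Sysmon-style process-creation records (the `key=value` format, the host names and the command lines are all made up for this example) and flags the command lines that remove Volume Shadow Copies.

```python
"""Flag process-creation events that delete Volume Shadow Copies.

Added example (not from the original article): a minimal detection over
constructed, Sysmon-style process-creation records.
"""
import re

# Command-line patterns that remove local shadow-copy backups. The patterns
# cover the vssadmin, WMIC and WMI-class forms; all are well-documented
# ransomware behaviours (MITRE ATT&CK T1490, Inhibit System Recovery).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.IGNORECASE),
]

# Constructed sample telemetry for this example; not real events.
SAMPLE_EVENTS = [
    'host=FIN-PC07 user=jdoe parent=explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'host=FIN-PC07 user=jdoe parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'host=HR-PC02 user=SYSTEM parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"',
    'host=HR-PC02 user=msmith parent=powershell.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_shadow_copy_deletion(cmdline):
    """True if the command line matches a known shadow-copy deletion form."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_copy_deletions(lines):
    """Return one alert dict per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        if is_shadow_copy_deletion(cmd):
            alerts.append({
                "host": ev.get("host"),
                "user": ev.get("user"),
                "parent": ev.get("parent"),
                "cmdline": cmd,
            })
    return alerts


if __name__ == "__main__":
    for a in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"ALERT shadow-copy deletion on {a['host']} by {a['user']}: "
              f"{a['cmdline']} (parent {a['parent']})")
```

The parent process is included in each alert on purpose: a deletion launched from a user's shell or from an Office document is far more suspicious than one launched by a backup product's service, so it is the first field an analyst will want when triaging the alert.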

How do I protect my network from ransomware?

The old adage of “Defense in Depth” holds true regarding ransomware. The following measures are recommended as part of a comprehensive security strategy.

  1. User Training: This is the first line of defense in any corporate security strategy. Teach users how to avoid threats, and to report them as soon as they notice anything suspicious.
  2. Principle of Least Privilege: Always employ the principle of least privilege for users within the network. Restricted-rights accounts not only limit the ability of malware to compromise the host computer, they also limit its lateral spread.
  3. Patching: Ransomware, like all malware, takes advantage of weaknesses or bugs in software that can be exploited. One of the simplest and most effective ways to protect endpoints is to make sure they are up to date on their OS as well as all installed applications.
  4. EPP/EDR: Invest in a quality next-gen AV platform with behavioral monitoring and response capabilities. Should ransomware find its way onto a corporate endpoint, this software can often detect and stop the threat.
  5. Shore Up Your Configuration: Ensure that all systems are using the strongest security options available. Use SMBv2 instead of SMBv1, SSH instead of Telnet. Ensure that passwords aren’t being transmitted in clear text. Ensure that critical data like Social Security numbers, credit card numbers, and patient records are encrypted.
  6. Discover the Gaps: Patching, EPP/EDR, and configuration are only successful if they are fully implemented. Auditing the environment is critical for finding gaps. Which endpoints don’t have EPP/EDR installed (or have an out-of-date agent)? Which endpoints have unsupported OSes or unpatched vulnerabilities? Which endpoints are running vulnerable services?
  7. Network Monitoring and Response: All of the previous recommendations have been geared towards preventing malware from getting a foothold in the environment. However, should an attack occur, detecting and containing the spread of malware is time critical. Network traffic should be continuously monitored for anomalies and malicious behaviors. Dynamic response actions should be configured to lock down dangerous devices without the delay imposed by human intervention.
  8. Network Segmentation: Network segmentation can drastically slow down the spread of malware by restricting device access between different security zones. At a basic level, this can be done with VLANs using Access Control Lists; more advanced filtering can be employed by using a Next-Gen Firewall with Deep Packet Inspection.
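Items 5 and 6 above describe an audit: for every endpoint, check the EPP/EDR agent, the OS support status, the patch backlog and the legacy services (SMBv1, Telnet) that the configuration guidance says to retire. The following is an added example, not tooling from the original article, showing how that audit reduces to a few policy checks over an inventory. The `Endpoint` record, the minimum agent version, the supported-OS list and the sample hosts are all constructed for this example; a real audit would pull them from the organization's asset inventory and standards.

```python
"""Audit an endpoint inventory for the gaps named in items 5 and 6.

Added example (not the article's own tooling). Policy values and the
inventory below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed policy for this example.
MIN_AGENT_VERSION = (4, 2, 0)
SUPPORTED_OS = {
    "Windows 10", "Windows 11",
    "Windows Server 2016", "Windows Server 2019", "Windows Server 2022",
}
# Legacy services the configuration guidance says to replace.
RISKY_SERVICES = {"smbv1": "SMBv1 enabled", "telnet": "Telnet listening"}


@dataclass
class Endpoint:
    host: str
    os_name: str
    agent_version: str = ""           # "" means no EPP/EDR agent reported
    services: List[str] = field(default_factory=list)
    missing_patches: int = 0


def parse_version(v):
    """'4.2.0' -> (4, 2, 0); empty string -> None (no agent)."""
    return tuple(int(p) for p in v.split(".")) if v else None


def audit_endpoint(ep):
    """Return the list of gap findings for one endpoint (empty if compliant)."""
    findings = []
    ver = parse_version(ep.agent_version)
    if ver is None:
        findings.append("no EPP/EDR agent")
    elif ver < MIN_AGENT_VERSION:
        findings.append(f"EPP/EDR agent out of date ({ep.agent_version})")
    if ep.os_name not in SUPPORTED_OS:
        findings.append(f"unsupported OS ({ep.os_name})")
    for svc in ep.services:
        if svc.lower() in RISKY_SERVICES:
            findings.append(RISKY_SERVICES[svc.lower()])
    if ep.missing_patches:
        findings.append(f"{ep.missing_patches} missing patches")
    return findings


def audit_inventory(endpoints):
    """Map host name -> findings, omitting hosts with no gaps."""
    report = {}
    for ep in endpoints:
        findings = audit_endpoint(ep)
        if findings:
            report[ep.host] = findings
    return report


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = [
    Endpoint("FIN-PC07", "Windows 10", "4.3.1", ["rdp"], 0),
    Endpoint("HR-PC02", "Windows 7", "", ["smbv1", "rdp"], 12),
    Endpoint("FILE-SRV1", "Windows Server 2012 R2", "4.1.9", ["smbv1"], 3),
    Endpoint("WEB-01", "Windows Server 2019", "4.2.0", ["telnet"], 0),
]


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: " + "; ".join(findings))
```

Hosts with no findings are dropped from the report so the output is the work list itself; a host that shows up with both "no EPP/EDR agent" and "SMBv1 enabled" is exactly the kind of endpoint the lateral-movement behavior described earlier will reach first.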