Prepare To Be Ransomed
Ransomware can be defined as a type of malware that is used to prevent users from
accessing their data or systems until a payment has been made to their attackers. One well known family of ransomware is REvil.
The average demand to restore a machine infected with the REvil ransomware is $260k. This doesn’t include the money used for resources and time spent cleaning up after the attack. Attackers are collaborating and becoming more organized and targeted in their ransomware attacks, no longer casting a wide net, but going after specific targets with deep pockets and minimal security. Attackers are breaking into networks, lurking to see how valuable the data is, then setting ransom based on that analysis and what they think victims could afford.
Here are some protective measures your organization could implement to reduce your risk of being ransomed, and your ability to recover quickly and at a lower cost if you are.
1. Revisit user awareness training. User training needs to take place from executives all the way down to individual contributors. Teach users how to identify phishing attempts. Do they know if that attachment is safe? How about verifying hyperlinks? Could they spot that one detail in the signature block or tone of conversation to raise a red flag and question the validity of that email? (Speaking of which, missed our Whale Phishing webinar? Watch David Carson of Flagler College ON-DEMAND).
2. Test the principle of least privilege by verifying that users have the least amount of privileges needed to perform their required job duties, regardless of their technical skill or trustworthiness.
3. Start emulating attackers. If you have technically skilled internal resources, are they using tools like Atomic Red Team by Red Canary, BLUESPAWN by Jake Smith, Mitre Caldera, or others to evaluate security? If not, use a trusted vendor who has the aptitude and knowledge to perform these attacks from a risk-based standpoint. Additionally, you can help improve your defenses by means of these exercises by closely monitoring the attacks performed in your network and enterprise defense logs so you can see which ones are being detected.
4. Additionally, we recommend establishing an overlap of visibility by using multiple levels of detection in case a product fails. This can be done by implementing antivirus and endpoint detection software, as well as network security monitoring, security information and event management, and user behavior analytics. Make sure your antivirus or endpoint detection monitoring software, network security monitoring tools, centralized logging systems, and any user behavior analytics tools overlap to provide complete coverage for all areas of your network. Make sure workstation firewalls and antivirus are turned on and cannot be disabled.
5. And of course, regularly backup your mission critical systems and ensure that the backups are working at least monthly. To provide further security so that the backups can't be compromised, they should be air-gapped, or physically separate from the internet, and if possible, stored off of your physical network and password-protected. Again, apply the principal of least privilege by ensuring that only the required accounts have access. This is crucial because attackers are gaining access to systems, creating user accounts and waiting weeks or months to verify those created accounts become part of those backups, making sure their malware is now part of those backups. So regularly auditing these accounts will help to ensure that your backups have not been compromised prior to an outbreak of ransomware.
Unfortunately, without these protective measures, there may come a point where paying the ransom may be your only option. In advance of this, talk with management about the risks of paying versus not paying. If you feel you have no alternative, try to negotiate or use a third party consulting firm. This tactic may reduce your overall cost to pay the ransom by more than 50%. However keep in mind, this doesn’t guarantee that files will be restored, and that this won’t prevent you from possibly getting ransomed again. Paying a ransom doesn’t fix what allowed the ransom to happen.