Ransomware is an increasingly appealing cyberattack method. Compared to traditional methods, ransomware typically involves fewer steps and a more direct route to payment (which is the goal in this case). And nowadays, with publicly available toolkits, it's easier than ever for cybercriminals to develop effective ransomware. This leads to a continual evolution of ransomware variants, which is what helps them evade the security defenses working to detect them.
Somewhere along the path of attack, ransomware breaks into a network at the point where defenses are down (or weak). This is referred to as a failure point. As we know, successful ransomware and malware-based attacks are crafted to allow them to evade traditional defense checkpoints. Below we list common failure points and their solutions to help you prepare for future ransomware attacks.
Common failure points and their solutions
| FAILURE POINT |
SOLUTION |
|---|
|
The firm’s upstream email simple mail transfer protocol (SMTP) provider did not scan attachments for malicious content.
|
#4 |
|
The firm’s next generation firewall did not identify the attachment as malicious (or questionable) content.
|
#1, #4 |
|
The firm’s local email system (e.g. Microsoft Exchange) did not scan attachments for malicious content.
|
#4 |
|
The end user was not sufficiently trained to identify a phishing email (with malicious content).
|
#5 |
|
The user’s workstation (or mobile device) did not flag the malicious content (through anti-virus or other endpoint protection methodology).
|
#1 |
|
If the delivery vector was a macro hidden within an Office document (the most common delivery method), macros were enables within Office (or the user was enticed to enable them manually).
|
#4, #5 |
|
The user’s workstation did not have restrictions places on the execution of downloaded content.
|
#3 |
|
The firm’s next-generation firewall and/or Intrusion Prevention system did not recognize and/or block the command-and-control traffic (including key generation) of the malicious code (particularly important if the remote IP addresses were previously known to be bad).
|
#1, #4 |
|
The firm did not detect (through filesystem analysis) that a specific user was modifying a large number of files rapidly.
|
#3, #6 |
|
Depending on how many files were affected by the infected endpoint, it is a possibility that the end user had more access than they necessarily needed to execute their job.
|
#3 |
|
During the restore process, some newer data/files might have been not backed up due to a gap in backup rigor.
|
#2 |
These failure points may seem very specific and hard to avoid – but don’t despair! We’ve provided solutions to help you overcome each of them.
1. Ensure all systems are up to date
This may sound obvious, but it’s extremely important and easy to overlook. “All systems” includes all workstations, servers (including internal and DMZ) and mobile devices. Always perform patches whenever and wherever possible. Use tools like anti-virus, anti-exploit (for ex, EMET), application whitelisting (for ex, AppLocker) and mobile device management software. And finally, restrict downloading of applications and payloads (for ex, Network Application Control).
2. Ensure backups of critical systems and data are successful and available
This solution is two-fold: test regularly for content accuracy and back up important data offline. Do these often. Attacks can (and often will) come when you least expect them, and the more recently you backed up data, the less likely you will have lost data.
3. Restrict access
You can avoid a lot of unnecessary anxiety by following this solution. Very few employees need access to everything. In fact, only select employees with specifically the “need to know” should be able to access highly-sensitive information, and only then, in accordance with the company policy and job function. Knowing this, it would be a good practice to enforce “least privilege” access throughout systems. It’s also important to segment networks. This includes restricting workstation-to-workstation access and utilizing a jump box for important and critical parts of your network. Finally, log and investigate any access attempts to shares that get denied, as this could very well be early signs of an infestation.
4. Reduce susceptibility footprint
Under this solution, there are four practices to consider. First, reduce inbound vectors (for ex, personal email) as these can make the network susceptible to different attack vectors. Second, disable macros within Microsoft Office if they’re not needed; and in a similar vein, use Microsoft Viewer when you don’t need to edit Office documents (especially if/when viewing suspect documents). Finally, investigate options to improve/harden upstream SMTP attachment scanning and quarantine, as this will help flag anything suspicious before it goes any further.
5. Training
Effective training is key. Encourage your employees to be skeptical when it comes to opening emails and clicking on files. One way to do this is through ongoing and interactive security awareness training, in addition to weekly reminders and postings about the importance of data security. Regular phishing tests can’t hurt either – they’re a great way to gauge the overall security awareness and vigilance of your employees, and the success of your training program.
6. Alerting
Although it’s the last solution on the list, alerting is as important as any other tactic you can use. One that is particularly important to implement is behaviour-based alerting when a certain threshold of files is modified. Also, be sure to have a comprehensive Continuous Monitoring/Embedded Incident Response methodology. Alerts must be investigated; it doesn’t help if the warnings fall on deaf ears.
Conclusion
While these solutions by no means guarantee you’ll never experience a ransomware attack, they’re a step in right direction. Applying these solutions to any failure points you’ve identified will reduce the chance of ransomware getting into your network and disrupting business, which is what we all want.
Between running a business and protecting that business, it’s a lot to keep track of. With Managed Detection and Response, our SOC can be a great resource to monitor operations when you can’t. We’ve got your back. Let us know what we can do to help.
