Help with Ransomware

Ransomware attacks keep increasing in volume and impact largely due to organizations' weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations. According to a recent RSM survey, 62% of mid-market companies believe they are at risk of ransomware in the next 12 months.

As ransomware is still the preferred way for actors to monetize their access, there is a need to understand organizational levels of preparedness, and to identify and remediate gaps before an attacker can exploit them. Cybersecurity teams can quickly gauge their ransomware readiness by following the NIST CSF framework, asking themselves, "Do we have something like this in place?" for each of the core functions: "Identify," "Protect," "Detect," "Respond," and "Recover":

Identify - Asset management is the process of knowing what all your organization's critical assets are, where they're located, who owns them, and who has access to them. Data needs to be classified so that access may be governed, and the company benefits from ensuring the integrity of the data. An organization only needs to protect the confidentiality of some of its data based on its classification. Controls that ensure the utility and authenticity of data bring an organization real value.

Protect - Identity is a form of data that defines the relationship between a person and an organization. It is verified through credentials (username and password) and, when compromised, a security event becomes an incident. For example, using leaked credentials allows threat actors to install ransomware onto your computers. According to the Microsoft Defender Report 2022, following 98% of basic security hygiene such as Multi-Factor Authentication (MFA), applying zero-trust principles, keeping software updated, and using extended detection and response anti-malware still protects against 98% of attacks.

Another key aspect of protecting identities is awareness training helping an employee recognize a malicious attachment or link. When it comes to breach simulations, it is important to reward employees that did well rather than penalize those who did not. Carried out incorrectly, breach simulations can severely hinder employees' trust in their organization.

Good data security can protect your data from ransomware and allow you to recover from an attack. This means having access management, encryption, and backups in place. Although this sounds basic, many organizations fall short in at least one or two of the above. Other controls that fall under the "Protect" function of NIST CSF are vulnerability management, URL filtering, email filtering, and restricting the use of elevated privileges.

Restricting software installations is essential if you cannot install software, you cannot install ransomware. However, some ransomware can successfully exploit existing vulnerabilities which permit an elevation of privilege, bypassing restricted installation control.

The next control under the "Protect" function of NIST CSF: policy control. Policy enforcement software can reduce the number of staff needed to implement controls like restricting use and installation to only authorized software or restricting use of elevated privileges.

Detect - Technologies that address the requirements for controls under this function can really make a difference, but only if accompanied by a human element. A lot of acronyms here: User and Entity Behavior Analytics (UEBA), Centralized Log Management (CLM), Threat Intelligence (TI), and EDR/XDR/MDR.

Ransomware is easily detected by good UEBA because it does things that no good software does. This technology can only detect ransomware it cannot prevent or stop it. Prevention requires other software, like phishing prevention, Security Continuous Monitoring, and EDR/XDR/MDR. According to IBM's Cost of a Breach 2022 report, organizations with XDR technologies identified and contained a breach 29 days faster than those without XDR. Also, organizations with XDR experienced 9.2% reduced cost of a breach, which might sound like a small improvement, but with an average cost of a breach is USD 4.5 million, this represents almost half a million USD in savings.

Respond - Regardless of how effective the organization's controls and tools may be, there will always be something that requires a human response. Having a plan and testing it dramatically reduces the cost of the breach by USD 2.66 million on average, per the report.

Additional controls can maximize your ransomware readiness: having communication templates (to ensure the team knows what, how, and whom to contact during an incident), performing mandatory event analysis, and deploying Security Orchestration, Automation, and Response (SOAR) technology as either a separate product or a native part of an XDR solution.

Recover - Having a recovery plan, immutable cloud backups, and an incident communications plan are the three key controls to maximize your organization's ransomware readiness. A recovery plan for ransomware must include the means to recover encrypted data, reestablish operational systems, and restore customer trust in the event of a breach.

Ransomware works by preventing access to data. If that data can be restored from a device not infected by the ransomware (immutable backup), then the path to recovery can be swift and relatively cost free. Per the Microsoft Defender 2022 report, 44% of organizations impacted by ransomware did not have immutable backups.

An incident communication plan improves the organization's ability to respond and minimize reputational damage by providing mechanisms for quickly alerting and coordinating internal and external stakeholders while monitoring customer sentiment.

It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks except for the counties that are sponsoring or benefitting from the ransom payments.

The following is what Red Sky Alliance recommends:

All data in transmission and at rest should be encrypted.
Proper data back-up and off-site storage policies should be adopted and followed.
Implement 2-Factor authentication-company wide.
For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
Institute cyber threat and phishing training for all employees, with testing and updating.
Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
Ensure that all software updates and patches are installed immediately.
Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories including Keyloggers, with having to connect to your network.
Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com

Weekly Cyber Intelligence Briefings: