Ransomware attacks on enterprises of all sizes across industry sectors are on the rise. Cyber threat experts estimate that, worldwide, ransomware will infect a business every 11 seconds and cost over $20 billion in 2021. Any organization can be a victim, as a successful ransomware attack is within the reach of cybercriminals everywhere. As ransom demands have increased, organizations continue to pay these hefty sums.

Sophisticated threat actors have proven to be meticulous planners. They map out internal networks in detail to identify core business functions and sensitive data storage, even going so far as to research a company’s financial results to gauge how much it can afford to pay. At the other end of the spectrum, creators of Ransomware-as-a-Service (RaaS), who simply ask for a percentage of the ultimate ransom, have created an additional class of cyber-attackers who can initiate attacks with minimal risk against a wide range of businesses.

Proactive preparation is the most effective protection against ransomware attacks. While completely preventing ransomware attacks is nearly impossible, security and risk management professionals can take proactive steps to neutralize or mitigate their harm.  Taking the time to follow basic cyber hygiene guidelines remains your first step.  

First, that means taking the time to document the entire configuration of your network accurately and regularly. Second, data mapping inventories are equally important. During 2019, many ransomware actors threatened to release stolen data to pressure victims into paying ransoms. Almost overnight, ransomware attacks evolved from primarily expensive operational disruptions to crises fraught with regulatory data privacy and breach notification issues. Knowing what kind of data you possess, and everywhere it is collected and stored, is imperative.

Seven fundamental security steps can deliver immediate layers of protection from ransomware:

  1. Institute least privilege policies for data/system access
  2. Delete unused email addresses
  3. Enforce strong password policies
  4. Implement multifactor authentication
  5. Create, update, segregate and protect viable backups
  6. Whitelist safe applications
  7. Accurately map network configurations

If ransomware strikes, organizations should have a plan to take immediate action with six response steps that include:

  • Isolate impacted systems from other computers and servers within the network and disconnect from both wired and wireless networks.
  • Identify the infection, which sometimes is stated in the ransom note, but can also be determined from numerous open-source sites. Kroll can also help pinpoint not only the ransomware-type but any other malware and persistence mechanisms still present in your environment.
  • Report the incident to the appropriate local law enforcement agency – e.g., in the US, that would be your local FBI field office or through the FBI Internet Crime Complaint Center, the police or the national Action Fraud website for the UK, or via the ReportCyber website for Australia.
  • Think before you pay. This involves decision-making processes that should already be outlined in your incident response plan.  If applicable, contact your cyber insurance carrier for any ransomware-related coverage.
  • Retain log data! Because many log types roll off quickly, timely action is necessary to retain any potentially relevant event data for subsequent investigation.
  • Restore systems and ensure your organization has prioritized effective backup policies and protocols.
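The "retain log data" step above, as an added example that is not part of the original post: a small Python tool that copies volatile logs from an isolated host into an evidence bundle and records SHA-256 hashes, so the copies can later be shown to be unaltered. The file suffixes, directory layout and manifest format are my assumptions, and the sample logs in `demo()` are constructed.

```python
"""Preserve volatile logs for investigation (added example, not the post's code)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(source_dir, bundle_dir, suffixes=(".log", ".json", ".evtx")) -> dict:
    """Copy every matching log under source_dir into bundle_dir and write a manifest.

    Returns the manifest: relative path -> {"sha256", "size"}. Suffix list is an assumption.
    """
    src, dst = Path(source_dir), Path(bundle_dir)
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            rel = p.relative_to(src)
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)  # copy2 preserves the original timestamps
            manifest[str(rel)] = {"sha256": sha256_of(target), "size": target.stat().st_size}
    (dst / "MANIFEST.json").write_text(json.dumps({"collected_at": time.time(), "files": manifest}))
    return manifest


def verify_bundle(bundle_dir) -> list:
    """Re-hash the bundle against its manifest; returns files that changed or vanished."""
    dst = Path(bundle_dir)
    files = json.loads((dst / "MANIFEST.json").read_text())["files"]
    return [rel for rel, meta in files.items()
            if not (dst / rel).exists() or sha256_of(dst / rel) != meta["sha256"]]


def demo():
    """Constructed sample: two logs plus a non-log file; one copy is tampered with afterwards."""
    root = Path(tempfile.mkdtemp()); src = root / "logs"; (src / "app").mkdir(parents=True)
    (src / "auth.log").write_text("Jan 01 00:00:01 host sshd[1]: Accepted password for admin\n")
    (src / "app" / "events.log").write_text("event=login user=alice\n")
    (src / "readme.txt").write_text("not a log\n")
    kept = preserve_logs(src, root / "evidence")
    clean = verify_bundle(root / "evidence")
    (root / "evidence" / "auth.log").write_text("tampered\n")
    return sorted(kept), clean, verify_bundle(root / "evidence")
```

Keep the bundle and its manifest on storage the affected hosts cannot write to, so the hashes remain meaningful.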

There are many ransomware preparedness assessment forms, questionnaires, and tools available.[1]  The goal is to identify where your defenses are strong and where vulnerabilities exist that ransomware actors can exploit. These can easily be found during a web search and there are many consulting companies that will perform such assessments.

Areas of assessment interest and concern include, but are not limited to:

  • Analyze relevant firewall and network device configurations for security weaknesses
  • Review user activity logging and audit configurations to aid potential investigative efforts
  • Review network and endpoint security monitoring solutions and processes
  • Evaluate email and web filtering options and configurations to prevent phishing attacks and malicious payload delivery
  • Review access and privileged access controls and processes
  • Evaluate vulnerability and patch management controls and processes

Important subjects to consider when protecting the organization against email-based attacks include:[2]

  • Remote access controls
  • Email and web controls
  • Application whitelisting and audit controls
  • Endpoint protection controls
  • Employee awareness and training
  • Backup and audit logging controls
  • Incident response
  • Business processes related to vendor management

Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have painfully learned through our clients that installing, updating and monitoring firewalls and other cybersecurity tools, together with proper employee training, are keys to success, yet woefully not enough on their own. Our current tools provide a valuable look into the underground, where malware, including the many variants of ransomware, is bought and sold, and they help support existing protections with proactive underground indicators of compromise.

Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but it is often dusted off and reappears in current campaigns.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949


[1] https://infotechlead.com/security/how-to-defend-against-ransomware-attacks-64033

[2] https://ia.acs.org.au/article/2020/6-ways-to-defend-against-a-ransomware-attack.html
