Ransomware has become one of the most serious cyberthreats today, in both frequency and severity. According to the FBI’s IC3 report, ransomware losses in 2020 more than tripled compared to 2019, which had itself more than doubled from the year before that. For 2021, Cybersecurity Ventures predicts a $20 billion cost globally from these attacks.
In the last few months alone, the Colonial Pipeline attack disrupted the gasoline supply for the US East Coast, an attack on JBS USA shut down 20 percent of the US meat market, and as this article is being published, an attack on Kaseya has affected hundreds of businesses across the world.
When a ransomware attack is successful, the victim must choose between two options, both of which are bad. A refusal to pay the ransom means that the victim must try to seize control of their data and systems back from the attackers. Often, this requires rebuilding everything from backups; in any case, it is a difficult and time-consuming endeavor, with a high chance of being unsuccessful.
Or, the victim might choose to pay the ransom demand. At best, this is a short-term solution that makes the overall problem worse. As the FBI notes, “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
If the ransom is paid, often the relief is only temporary. According to a study by Cybereason, about 80 percent of all victims who pay the ransom will be hit with another attack (and almost half will be hit by the same group of threat actors).
Clearly, defending against ransomware attacks has become one of the most important aspects of cybersecurity. In a previous article, we discussed ransomware in general terms. In this article, we’ll discuss how to create and maintain effective defenses against this threat.
Why Ransomware Defense is Difficult
Ransomware is a complex problem, because threat actors can infect the target’s systems in a variety of ways. Thus, organizations need to have robust protection against a number of potential attack vectors. And because these span multiple departments within an organization, planning and management must be done at the executive level.
In today’s threat environment, a single type of security is not enough, and ransomware requires a defense in depth. It can be helpful to think of this as three layers of protection:
- Block threat actors at the perimeter.
- If they manage to gain access anyway, prevent them from deploying ransomware inside the environment.
- If they manage to deploy ransomware anyway, make it ineffective.
Let’s discuss each layer.
Keeping Hackers Out
The perimeter is the first layer of defense against ransomware, and it’s usually the one that gets the most attention when security measures are implemented. The logic here is straightforward: if attackers can’t get into your environment, then they can’t infect it with any type of malware.
Hostile actors can penetrate the perimeter using a broad variety of techniques. Therefore, defeating them requires a number of different countermeasures.
Traffic filtering: Internet-facing servers are subjected to continuous attacks. By their nature, web application and API servers must accept incoming connections. Meanwhile, the apps and APIs that they provide are constantly growing in features and complexity, which means that their attack surfaces are constantly expanding.
In today’s threat environment, a robust web security solution is required. The foundation of this is a next-generation WAF, but don’t settle for security services that provide traditional WAF functionality alone. In addition to customary WAF features like signature-based request analysis and ACLs, effective ransomware protection also requires contemporary technologies such as UEBA (User and Entity Behavioral Analytics, which helps to detect zero-day exploits), advanced bot detection, session flow control, account takeover protection, API security, and more. Beyond the security technologies themselves, other aspects of the solution should also be considered; for example, the most effective solutions are comprehensive, single-tenant, and fully managed.
Remote Desktop Protocol (RDP) security: RDP is one of the most common vectors for ransomware infections, and it’s vitally important to secure it throughout your organization. A good introduction to this topic is this white paper from the Center for Internet Security.
Email scanning: Email phishing is another common entry point for ransomware. Cybercriminals send emails containing malicious links or files; when a recipient clicks on one, malware is deployed. There are a number of email scanning solutions available today for detecting and blocking these messages.
Security training: Along with technological solutions, the human element of security must not be neglected. Regular team training is important; staff members must be familiar with best practices for email hygiene, recognition of social engineering tactics, and other topics related to preventing system breaches and ransomware infections.
Software updates: Keeping systems up to date with the latest patches and updates is a vital part of security. Although this statement seems obvious, many organizations still do a poor job of this. The FBI notes that system vulnerabilities are one of the most common means of ransomware infection.
Preventing Ransomware Deployment
As mentioned earlier, most organizations focus on perimeter security as their primary protection against ransomware. Although this is necessary, it is still insufficient. Even if your perimeter seems impregnable, all it takes to bypass your defenses is one click on a hostile email by a distracted team member.
Effective ransomware protection requires additional security inside your perimeter. You should plan for the possibility that someday, attackers might gain access to your environment; therefore, you need to restrict their ability to successfully deploy malware if they ever get in.
Of the three security layers discussed in this article, this layer tends to be the most neglected. Its two most important elements are zero-trust architecture and continuous monitoring/reporting.
Zero-trust architecture: Many organizations still use a castle-and-moat approach to security, which relies upon the perimeter to exclude threats. Once users make it through, they are implicitly trusted. This approach is outdated and flawed, because if attackers ever penetrate a network, they can move and act through the system with few restrictions.
The modern approach is to replace castle-and-moat with zero-trust security. In this paradigm, every user has a limited and granular set of permissions, and every action must be authenticated and authorized before it is allowed. A zero-trust architecture makes it much more difficult for attackers to successfully deploy malware within a system, even if they were to somehow gain access to it.
Of all the recommendations in this article, zero-trust is probably the one that organizations are least likely to be using today. Converting a system to zero-trust is not a trivial undertaking, and so, many organizations have not yet attempted to do so. Nevertheless, zero trust is rapidly becoming a necessity for effective security.
Monitoring and reporting: Continuous and extensive system monitoring is another security best practice. The only thing worse than a system breach is a system breach that the victim does not notice for a long period of time, giving the attackers the freedom to operate within it. Even if you were convinced that your system was immune to compromise, it’s still important to monitor it and investigate all anomalies immediately. Then, if a breach ever does occur, you can expel the attackers quickly and limit the damage that is done.
Making Ransomware Ineffective
Below the two layers of defense discussed above, there is a third. This one requires imagining a very uncomfortable scenario: that the top two layers have failed, attackers are inside your system, and before you could stop them, they encrypted your data and locked up your system. Now they’re making ransom demands. What can you do?
Ideally, you can neutralize the attack by resetting and rebuilding your infrastructure if necessary, and then restoring your data from recent, verified backups. If this can be done quickly, then a potentially disastrous incident can be converted into a temporary interruption of service.
Of course, this assumes that your team knows how to do this and has recently rehearsed it successfully. It also requires a schedule for frequent backups, including verification of their integrity.
Most organizations have protocols for backups. However, the number of organizations that regularly verify their backups, and that require their teams to practice system resets and backup restores, is far smaller.
This situation is unsurprising; there are never enough IT resources to meet current requirements, and it’s always tempting to defer the incident recovery rehearsals for more pressing needs. But these deferrals tend to become a habit, until suddenly an attack occurs, and then you discover—too late—that the incident management plan cannot be implemented.
The good news is that modern practices such as Infrastructure as Code and Immutable Infrastructure have made incident recovery management much easier than it was in the past. Here’s a question to consider: if you were hit with a ransomware attack tomorrow, how much confidence do you have that your team could reset/restore everything in short order? If the answer is “not much,” then now is the time to rectify this.
An in-depth discussion of ransomware is beyond the scope of a single article, but the multi-layered approach described above will create a security posture far better than what many organizations currently have.
Ransomware is one of the most serious threats on the Internet today. The attacks are growing more frequent, the attackers are tenacious and sophisticated, and there are many ways that an attack can succeed. If your organization isn’t implementing everything described above, consider doing so. Judging by the current epidemic of attacks, it’s possible that your organization will need these defenses in the not-too-distant future.