By Adrian Moir, principal technology evangelist, Quest
Ransomware has been a topic of conversation for several years, but it’s been incredible to watch how this phenomenon has grown and shifted to where it is today.
In the US earlier this year, we saw the issue reach epic proportions: attacks against Colonial Pipeline and JBS provoked an international political response and caused disruption that was felt personally by millions of everyday citizens.
Here in the UK we had an early taste of the potential human cost of ransomware as far back as 2017 with the WannaCry attack. Its most high-profile victim was the NHS, and estimates put the number of cancelled hospital appointments at over 19,000. But ransomware has evolved since then: the size of the ransoms has pushed the issue up the board’s agenda, and the attacks themselves have become much darker, more manipulative and more disruptive than before.
It used to be much simpler to deal with the ransomware strains and tactics of old: have a business continuity strategy, good backups and effective recovery processes in place, and you won’t have to pay the hackers a penny. These days, though, more and more businesses are paying the ransom because of the increased sophistication and targeted nature of the attacks. Even though the figures can run into millions of dollars, organisations wonder whether cyber liability insurance is their best bet, or whether simply paying the ransom will be the cheaper option given the multiple angles of extortion that attackers can take.
Unfortunately, with the current wave of ransomware there is no silver bullet and no single answer to what you must do in these situations. What is clear is that defence is still vitally important. Once you’re hit with ransomware there is no way around the fact that you are in a dire situation: it will cost you money in some way, it will disrupt your services, and it could damage your company’s reputation.
An ounce of prevention is worth a pound of cure. It’s an inconvenient truth that most ransomware attacks, whilst sophisticated in their targeting and planning, exploit some basic failing of security hygiene. Cybersecurity and business leaders should opt for a layered defence, which reduces the attack surface, limits disruption where possible, and may even bring down your cyber liability insurance premiums, if that’s the route you want to take.
The 5 layers of ransomware protection:
- End-user training: It’s imperative to educate and train your userbase and let them know the risks. Educate them on the ways that ransomware enters an organisation (e.g. downloads, files, fake websites, file-sharing sites, and phishing attacks that harvest user details and credentials). End users should also be made aware of physical opportunities for ransomware to enter the organisation. For example, there are known cases of infected USB keys being left in car parks, office lobbies, etc. and being picked up by unsuspecting users who plug them into a laptop.
- Patching: Keep your systems up to date. Don’t rely on memory or spreadsheets. Automate the process. Don’t leave it to chance. Patch all machines, clients and servers.
- Not just Windows: Don’t assume that this is just a “Windows thing.” Linux still has its threats, so keeping Linux servers updated is just as important.
- Network monitoring: Make sure you monitor anything that looks like traffic interception. Re-routing, spoof apps and traffic re-direction are the starting point to gaining access to the wider organisational infrastructure with ‘Man in the Middle’ (MITM) attacks. A successful attack on your Active Directory is like handing over the keys to the castle to your worst enemy.
- Data protection: Backing up your data seems obvious, right? But backup servers are still servers running an operating system, which makes them just as vulnerable as any other host. Moreover, backup products that use network shares to store backup data are at higher risk, since network shares are a target for most ransomware.
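As an added illustration of the network monitoring layer above (example code, not from the article or from Quest), the Python below watches a stream of ARP replies for the two signs that most often precede a ‘Man in the Middle’ attack on a LAN: a known IP address, above all the gateway, suddenly answering from a different hardware address, and a single hardware address answering for several IPs. It assumes ARP cache poisoning is the interception technique being monitored for; the log format, the addresses and the gateway are all constructed for the example, and in practice the records would come from a span port, a host-based sensor or the switch’s ARP inspection logs.

```python
"""Detect ARP-based traffic interception from a log of ARP replies.

Added illustration, not code from the article or from Quest. Assumptions:
the log format is constructed for the example (one reply per line:
"<seconds> reply <ip> is-at <mac>"), and the gateway address is known.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed log: a legitimate gateway and one client, then a second MAC
# starts answering for the gateway and, shortly after, for the client too.
SAMPLE_ARP_LOG = """\
1 reply 10.0.0.1 is-at 00:11:22:33:44:01
2 reply 10.0.0.25 is-at 00:11:22:33:44:25
3 reply 10.0.0.1 is-at 00:11:22:33:44:99
4 reply 10.0.0.25 is-at 00:11:22:33:44:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})$",
    re.IGNORECASE,
)


@dataclass
class ArpMonitor:
    gateway_ip: str
    bindings: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    ips_by_mac: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    alerts: List[str] = field(default_factory=list)

    def observe(self, ts: float, ip: str, mac: str) -> List[str]:
        """Record one reply and return any alerts it triggers."""
        mac = mac.lower()
        new: List[str] = []
        prev = self.bindings.get(ip)
        if prev is not None and prev != mac:
            # An existing binding flipping to a new hardware address is the
            # classic symptom of ARP cache poisoning; the gateway is the
            # highest-value target because all off-subnet traffic crosses it.
            sev = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            new.append(f"{sev}: {ip} moved from {prev} to {mac} at t={ts}")
            self.ips_by_mac[prev].discard(ip)
        self.bindings[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # One MAC answering for several IPs is a heuristic only: routers
            # and VRRP/HA pairs do this legitimately, so allow-list them.
            new.append(
                f"MEDIUM: {mac} now answers for {sorted(self.ips_by_mac[mac])} at t={ts}"
            )
        self.alerts.extend(new)
        return new


def analyse(log: str, gateway_ip: str) -> List[str]:
    """Run the monitor over a whole log and return the alerts in order."""
    mon = ArpMonitor(gateway_ip)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not ARP replies
        mon.observe(float(m["ts"]), m["ip"], m["mac"])
    return mon.alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_ARP_LOG, "10.0.0.1"):
        print(alert)
```

On the constructed log this raises a HIGH alert when the gateway’s address flips, then two MEDIUM alerts when the same MAC takes over the client. The second heuristic needs an allow-list of known multi-homed devices before it is useful on a real network; the first is the one worth paging on when the gateway or a domain controller is involved.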
What about when Data Protection isn’t enough?
All things considered, a layered defence is the only reasonable approach. Simply relying on a data protection solution as a prevention measure is not enough.
Data protection is a reactive technology: you react to a need to recover data. Backups are taken on a regular basis, or should be, to mitigate data loss. But this is only effective if the solution also provides methods to prevent loss of the backup data itself.
Consider for a moment what a backup solution must achieve: it must move all your data from point A to point B as fast as physics will allow, or at least that’s what most people look for. This means it needs access to all of the organisation’s important data, applications, network, production storage and so on. In fact, it has more access than most corporate users, bar the domain administrators!
Yet we still see data protection solutions that are poorly secured, with default usernames and passwords, or that use open shares that are just that: wide open. We’ve all done it. Selecting ‘Everyone’ as a permissions option is the easy way to make something work, but it also creates one of the easiest entry points for ransomware.
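To make the ‘wide open’ share concrete, here is an added example (not code from the article or from Quest) that audits a Samba smb.conf, the usual configuration for a Linux backup target, for shares that guests can reach and, worse, write to. The configuration is constructed for the example; the parameter names it checks (guest ok, public, writable, read only, map to guest) are standard Samba ones.

```python
"""Audit a Samba smb.conf for the 'wide open' backup share pattern.

Added illustration, not code from the article or from Quest. Assumes the
backup target is a Samba share on Linux; the smb.conf below is constructed.
"""
import configparser
from dataclasses import dataclass
from typing import List, Optional

TRUE_VALUES = {"yes", "true", "1"}

# Constructed config: a backup share open to everyone for writing, a
# read-only guest share, and a share restricted to one group.
SAMPLE_SMB_CONF = """\
[global]
workgroup = CORP
map to guest = Bad User

[backups]
path = /srv/backups
comment = nightly backup target
guest ok = yes
read only = no

[reports]
path = /srv/reports
public = yes

[finance]
path = /srv/finance
valid users = @finance
writable = yes
"""


@dataclass
class Finding:
    share: str
    severity: str
    reason: str


def as_bool(value: Optional[str], default: bool) -> bool:
    """Samba booleans are yes/true/1 or no/false/0; a missing key means the default."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_VALUES


def audit_smb_conf(text: str) -> List[Finding]:
    """Return one finding per risky share, in the order the shares are defined."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings: List[Finding] = []

    if cp.has_section("global"):
        # Default is 'Never'; any other value turns a failed logon into a guest
        # session, so every 'guest ok' share becomes reachable without a password.
        mtg = cp["global"].get("map to guest", "Never").strip().lower()
        if mtg != "never":
            findings.append(
                Finding("global", "INFO", f"map to guest = {mtg}; failed logons become guest")
            )

    for name in cp.sections():
        if name.lower() == "global":
            continue
        s = cp[name]
        # 'guest ok' and 'public' are synonyms; the default is no.
        guest = as_bool(s.get("guest ok"), False) or as_bool(s.get("public"), False)
        # 'writable'/'writeable'/'write ok' default to no; 'read only' defaults to yes.
        writable = any(as_bool(s.get(k), False) for k in ("writable", "writeable", "write ok")) or (
            "read only" in s and not as_bool(s.get("read only"), True)
        )
        if guest and writable:
            findings.append(
                Finding(name, "HIGH",
                        "guest-accessible and writable: anything on the network can encrypt or delete its contents")
            )
        elif guest:
            findings.append(
                Finding(name, "MEDIUM",
                        "guest-accessible read access: exposes data, though not the backups' integrity")
            )
    return findings


if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{f.severity}] {f.share}: {f.reason}")
```

Pointing audit_smb_conf at the contents of a real /etc/samba/smb.conf gives the same report for a production backup host; the backups share in the sample is exactly the ‘Everyone’ case described above, and is the one a ransomware operator reaches first. On Windows file servers the equivalent check is the share ACL (for example via Get-SmbShareAccess in PowerShell), looking for Everyone or Authenticated Users with Change or Full Control on the backup share.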
Preparing for the next chapter
Following the recent spate of attacks, the debate continues around ‘what to do’ about the great ransomware problem: banning ransom payments, legislation on mandatory breach reporting, the role of cyber insurance, and many other factors. There is really no way to truly win; the best course is not to play the game in the first place. Although the big attacks make the headlines, the majority of ransomware attacks are smaller, they happen every day, and they can be prevented or mitigated through a layered defence. We will no doubt see further evolutions in this great ransomware saga, but defence in layers will never go out of fashion.