Despite the recent incidents at the City of Baltimore, aluminum giant Norsk Hydro, and ASCO Industries, ransomware attacks have declined in both 2018 and 2019. Researchers report that only four percent of organizations worldwide experienced ransomware infection in 2018 — that’s a 44 percent drop compared to 2017. However, the news that Lake City, the City of Riviera Beach, and La Porte County opted to pay a combined $1.3 million in ransom has security experts warning that we should brace for a wave of ransomware attacks of epidemic proportions. The decision by these cities to pay the ransom, which goes against common wisdom and the advice of the FBI, will undoubtedly encourage copycat attacks looking to cash in on the fact that some organizations, in this case municipalities, are willing to pay up. Given the likelihood of an uptick in ransomware attacks, let’s consider steps organizations can take to minimize the risk of being victimized.
Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years. Today, cyber criminals are applying these ancient techniques to modern technologies. Ransomware is most commonly delivered via spam emails whereby the crimeware was deployed by clicking on an attachment or URL. Upon infection, ransomware begins encrypting files and folders on local hard drives, any attached local storage or backup areas, and potentially other computer nodes that reside on the same network that the victim’s device is attached to. The infection typically goes unnoticed until either access to the data is denied or a message is presented to the victim that demands a ransom payment in exchange for a decryption key.
Ransomware often has a major impact since encrypting and blocking access to sensitive data can shut down business operations. A good example, were the WannaCry and NotPetya attacks in mid-2017 that spread like wildfire across the globe, crippling banks, logistics firms, manufacturing plants, and many other industries.
While these wide-spread attacks led to the deployment of additional defense mechanisms, cyber-attackers have also created more sophisticated attacks, using spear-phishing emails that target specific individuals and seed legitimate websites with malicious code. Targeted attacks might affect fewer organizations but have a much higher success rate.
That’s why the decline in infections has not resulted in declining revenues for attackers or financial impacts on the victim organizations. In fact, the damages associated with ransomware have dramatically increased according to the FBI’s Internet Crime Complaint Center (IC3). The City of Baltimore is a good example, as the damages are expected to exceed $18 million.
There are a few fundamental steps that organizations can take to minimize their exposure to ransomware attacks:
• Implement security awareness programs to educate employees on how ransomware is being deployed and how to recognize and avoid spear-phishing attacks.
• Regularly update anti-virus and anti-malware with the latest signatures and perform regular scans.
• Create an application whitelist, allowing only specific programs to run on endpoints. This should include the disabling of macro scripts from Microsoft Office files transmitted over email.
• Back up data regularly to a non-connected environment and verify the integrity of those backups regularly.
Stopping Ransomware Attacks with a Dual Therapy Strategy
While these practices cover the security basics, ransomware is just one form of exploit that can easily be replaced by another. According to Forrester, an estimated 80 percent of data breaches are tied to privileged access abuse. By applying proper access controls, organizations can apply a “dual therapy” to this epidemic: address the number one cause of today’s data breaches — privileged access abuse — while at the same time minimizing the impact of a ransomware attack by preventing malware from running or at least limit its capability to spread through a network.
In this context, organizations can stop ransomware attacks in their tracks by:
1. Establishing a Secure Admin Environment
In order to prevent malware from spreading during sessions that connect servers with privileged access, establish policies that only authorize privileged access from a “clean” source. This will prevent direct access from user workstations that are connected to the Internet and receive external email messages, which are too easily infected with malware.
2. Zoning Off Access
Enforce “access zones” that restrict access by privileged users to specific systems and requires multi-factor authentication (MFA) in order to reach assets outside of their zone. Without an MFA challenge, ransomware can spread to other systems. By zoning specific systems and organizational units, ransomware may spread but not to those systems that require additional user verification.
3. Minimizing the Attack Surface
By vaulting away shared local accounts, organizations can minimize their attack surface. Ransomware does not always need elevated privileges to spread, but if it is able to gain it, the impact will be much more damaging.
4. Limiting Privilege
Ultimately, applying the concept of least privilege empowers organizations to granularly control what access admin users have and what privileged commands they can run. Without the ability to install files or at least elevate privilege when installation is necessary, ransomware cannot spread undeterred through a network.
There is no broad-spectrum therapy that will treat every existing variant of ransomware. However, following basic security best practices including implementing security awareness programs, backing up data regularly, and applying least privilege access, can minimize an organization’s exposure to becoming a casualty of ransomware.