Of the 5,400 organizations surveyed by independent research firm Vanson Bourne, 37% reported being hit by ransomware as compared to 51% last year. Is ransomware on the decline? Have we become adept at defending ourselves? There’s more to the story than these figures suggest.
Ransomware groups have shifted from the automated, ‘spray and pray’ tactics of yesterday to highly targeted, human-operated ransomware attacks, carefully crafted to find and encrypt your data and cause maximum disruption to critical services. The numbers have fallen, but the stakes are higher than ever. The average remediation cost of a ransomware attack has more than doubled in just one year, to $1.85 million.
Backups and cyber insurance aren’t enough
Modern ransomware has gone nuclear in its impact. Attackers steal sensitive data and threaten to publish it, shaming organizations, hospitals and schools included, into paying a ransom. They’ll also steal as many credentials as they can get to set you up for future attacks such as business email compromise (BEC).
You could consider paying the ransom to save your data and reputation… if paying is legal in your jurisdiction. Most probably, it isn’t. It’s illegal to transfer any funds to individuals or organizations that are on the official Federal sanctions list. The Office of Foreign Assets Control (OFAC) has put many malicious cyber actors, including ransomware gangs, under its cyber-related sanctions program. Paying them directly or facilitating the ransom payment can lead to fines and penalties. This dilemma is like being between a rock and a hard place. Paying the ransom may feel like the best option if lives are on the line (e.g., a hospital) or if not paying could cause weeks of downtime, potentially costing more than the ransom, fines, and reputational damage combined.
Do we have any hope at all in the face of ransomware threat?
Stop ransomware in its tracks
You must stop ransomware from accessing your environment in the first place. The key to prevention is identifying and mitigating the root methods of exploitation. To do that, you’ll want to first rank the methods based on the risk they pose to your organization and then focus on countering the risks you’re most prone to.
Countering the top five ransomware attack vectors
1. Social engineering
Social engineering is to blame for over half (54%) of ransomware attacks. Your employees are your first line of defense against such attacks. They’ll be your weakest link if they are untrained and unarmed. Given proper security awareness training they could become your strongest allies.
Conduct comprehensive training that covers ransomware and the latest phishing and spear-phishing tactics.
Educate your employees about rogue URLs, because almost all phishing emails involve a malicious URL. When employees know rogue URL tricks like look-alike domains, URL character encoding, and cross-site scripting, they’re less likely to click malicious links that appear authentic.
Conduct unannounced phishing simulations frequently to ingrain good cyber hygiene practices in your employees so they double-check everything by default.
When possible, find ways to give employees a glimpse into the mindset of an attacker. By role playing an attacker for a while, your employees will naturally become more skeptical of every interaction.
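The rogue URL tricks listed above (look-alike domains and URL character encoding) can also be screened for automatically, for example at a mail gateway. The following is an added example, not code from the original article; the trusted-domain list, the confusable-character table and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote
import difflib

# Assumed (constructed) list of domains the organisation legitimately links to.
TRUSTED_DOMAINS = {"example-bank.com", "login.example-bank.com", "microsoft.com"}

# Character substitutions commonly used to build look-alike hostnames.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}

def registered_domain(host: str) -> str:
    """Last two labels, which is enough for the sample .com domains here."""
    return ".".join(host.lower().split(".")[-2:])

def normalise(host: str) -> str:
    """Map confusable characters back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host

TRUSTED_ROOTS = sorted({registered_domain(d) for d in TRUSTED_DOMAINS})

def screen_url(url: str) -> list:
    """Return the reasons a URL looks like a rogue link (empty list = clean)."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Trick 1: percent-encoding in the host hides the real target from a reader.
    if "%" in parts.netloc:
        findings.append("percent-encoded characters in host part")
        host = unquote(host)
    # Trick 2: "trusted.com@evil.example": browsers ignore the part before '@'.
    if "@" in parts.netloc:
        findings.append("user-info prefix hides the real host " + host)
    root = registered_domain(host)
    if root in TRUSTED_ROOTS:
        return findings            # genuine domain (possibly with encoding tricks)
    # Trick 3: look-alike domains, either via confusable characters or a
    # spelling that is near-identical to a trusted domain.
    norm = normalise(root)
    for trusted in TRUSTED_ROOTS:
        if norm == trusted:
            findings.append("look-alike of " + trusted + " via confusable characters")
            break
        if difflib.SequenceMatcher(None, root, trusted).ratio() > 0.85:
            findings.append("look-alike of " + trusted + " (near-identical spelling)")
            break
    return findings
```

An unknown domain that resembles nothing on the trusted list returns no findings; the check flags impersonation of your own domains, not every external link.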
2. Unpatched software
Zero-day exploits are expensive. Ransomware actors like to target software bugs with known available patches — they know how organizations can be tardy with updates. Closing this door on ransomware requires constant monitoring and vigilance.
Patch your internet-accessible software, operating systems, applications, browsers, browser add-ins, etc., as soon as a patch is available. Frequently scan your network for known, unpatched vulnerabilities that you may have missed. It can be mind-boggling to track all the software you’re using and the many versions available. Use patch management software to streamline and automate patches.
3. Password guessing
Everyone knows how important strong passwords are at this point. Yet ‘123456’ and ‘password’ are still among the most commonly used passwords. Unsurprisingly, password guessing accounts for 19% of ransomware attacks. Companies that mandate regular password changes actually do themselves a disservice: password rotation has been shown to encourage people to choose weaker passwords.
Educate employees about password best practices during your scheduled awareness training workshops.
Implement multi-factor authentication (MFA) where possible.
Use a password manager to auto-create unique passwords for every website and service log-in.
Implement account lockouts.
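One way to implement the account lockout recommended above, as an added example that is not from the original article: a sliding-window policy that locks an account after too many failed logons in a short interval and rejects further attempts until the lockout expires. The threshold, window, lockout duration and the sample event stream are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5          # failures allowed inside the window (assumed)
WINDOW_SECONDS = 300      # sliding window length (assumed)
LOCKOUT_SECONDS = 900     # how long the account stays locked (assumed)

class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, account, success, now):
        """Feed one logon attempt; return the resulting state for the account."""
        if self.is_locked(account, now):
            return "locked"            # rejected before the password is even checked
        if success:
            self.failures[account].clear()
            return "ok"
        q = self.failures[account]
        q.append(now)
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                # drop failures that aged out of the window
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            q.clear()
            return "locked"
        return "failed"

# Constructed sample: a guessing burst against one account, then a real user.
SAMPLE_EVENTS = [
    ("alice", False, 0), ("alice", False, 10), ("alice", False, 20),
    ("alice", False, 30), ("alice", False, 40),   # fifth failure -> lock
    ("alice", True, 50),                          # right password, but locked
    ("bob", False, 60), ("bob", True, 70),         # one typo, then success
    ("alice", True, 1000),                        # lockout has expired
]

def replay(events):
    """Run a list of (account, success, timestamp) tuples through one policy."""
    policy = LockoutPolicy()
    return [policy.record(a, s, t) for a, s, t in events]
```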
4. Exposed RDP access
Microsoft’s Remote Desktop Protocol (RDP) has a history of being exploited by malicious actors. Open-source intelligence (OSINT) tools like Shodan make it a breeze for attackers to spot exposed RDP ports. Luckily, the same tools let you find your own exposed RDP ports just as easily, which makes this one a straightforward fix.
Disable internet-facing RDP if not needed. When needed, change the default port used by RDP, and restrict connections to whitelisted IP addresses only.
Scan your network periodically to identify exposed RDP instances and spot unpatched RDP vulnerabilities. (Note: Home editions of Windows 10 do not support RDP by default.)
5. Poor access management
After initial infiltration, attackers move laterally across the network to identify the organization’s prized assets and critical services. They’ll want to strike where it matters the most. To save your critical assets, use the principle of least privilege — only grant access to the resources that a user absolutely needs to perform their job.
Identify sensitive data and critical assets and restrict access by default.
Implement role-based access control (RBAC). Instead of assigning privileges to individuals, assign them to user roles. This approach decreases human error in access management.
Progressively move on to a zero-trust architecture where access is never granted by virtue of being on a trusted network. Access is granted only after authentication and authorization. This way, ransomware won’t progress beyond the entry stage.
These five countermeasures should help avoid the primary attack vectors that account for most ransomware attacks. Closing these top entry points could effectively make your network immune to most ransomware infections. That said, prevention doesn’t override the need for detection and response. You’ll still need functional, offline, and up-to-date data backups, a cyber insurance policy, ongoing security training exercises, a legal advisor and experienced partners to bring peace of mind.