Every organization is at risk of attackers encrypting its valuable data and cutting off access to it. In a ransomware attack, a malicious actor holds the organization's data hostage and demands payment for its release.
Ransomware is malicious software that encrypts files on a device, rendering them inaccessible to the user; the actors then demand a ransom in exchange for decryption. Ransomware incidents have become more widespread among businesses of all sizes, national, regional, and municipal government agencies, and critical infrastructure organizations.
Ransomware events can severely disrupt business processes and deprive organizations of the data they need to operate and to deliver mission-critical services. Ransomware tactics also continue to evolve: actors increasingly steal data before encrypting it and threaten to publish it if the victim refuses to pay, adding further pressure to settle.
Recently, ransom demands have grown, and ransomware incidents have become more destructive and broader in scope. Malicious actors use a variety of attack methods to reach critical data and spread ransomware across entire networks, and they increasingly delete system backups so that restoration and recovery are difficult or impossible for the affected organization.
The economic and reputational consequences of a ransomware attack can be devastating for organizations large and small, and recovering from the downtime and the long-term data restoration effort has proven to be a difficult task in its own right.
Malicious actors commonly gain access to an organization's data through phishing and unpatched software, among other methods. An organization with a strong cybersecurity culture can reduce the chance of a successful ransomware attack by implementing preventive measures and developing a ransomware incident response plan in advance.
Internet Vulnerabilities and Misconfigurations
- To limit the attack surface, regularly scan for vulnerabilities and remediate the findings, especially on internet-facing devices.
- Regularly patch and update software and operating systems to the latest available versions.
- For known vulnerabilities, prioritize timely patching of internet-facing servers and of software that processes internet content, such as web browsers, browser plug-ins, and document readers.
- Ensure devices are configured correctly and that their security features are enabled.
- Follow best practices for RDP and other remote desktop services. Threat actors often gain initial access through exposed and poorly secured remote services and later use them to propagate ransomware across the network.
- Audit the network for systems with RDP enabled, close unused RDP ports, enforce account lockouts after a set number of failed login attempts, require Network Level Authentication and multi-factor authentication (MFA), and log and monitor RDP login attempts. Where RDP must be reachable remotely, place it behind a VPN or gateway rather than exposing TCP port 3389 directly to the internet.
- Disable or block outbound SMB and remove or disable outdated SMB versions. Threat actors use SMB to propagate malware across organizations. To address this specific risk, consider the following steps:
- Disable SMBv1 and v2 on your internal network after identifying and mitigating existing dependencies that would break. Note that on Windows, SMBv2 and SMBv3 share a single implementation, so disabling v2 also disables v3; in practice this means removing SMBv1 entirely and requiring the v3 dialects with signing.
- Remove dependencies through updates and reconfiguration, and upgrade to SMBv3 (or the latest version) with SMB signing required.
- Prevent all versions of SMB from being reachable from outside your network by blocking TCP port 445 at the perimeter, together with the related NetBIOS protocols on UDP ports 137–138 and TCP port 139.
- Implement a cybersecurity awareness training program with guidance on identifying and reporting suspicious activity or incidents such as phishing.
- Perform enterprise-wide social engineering and phishing tests to measure user awareness and reinforce the importance of identifying potentially malicious emails.
- Apply filters at the email gateway to drop messages with known-malicious indicators, such as subject lines used in known campaigns, and block suspicious sender IP addresses at the firewall.
- Implement a DMARC policy and verification to reduce the chance of spoofed or altered emails from valid domains. DMARC builds on SPF and DKIM, and a monitoring-only policy (p=none) reports spoofing without blocking it; move to quarantine or reject once the reports are clean.
- Disable macro scripts in Microsoft Office files transmitted via email. Macros are a common delivery mechanism for ransomware loaders, and recent Office versions block macros in files downloaded from the internet by default; enforce that setting centrally rather than relying on users to keep it.
- Make sure the antivirus and anti-malware software and signatures are up to date. Also, turn on automatic updates for both solutions.
- A ransomware infection can be evidence of an earlier, undetected network compromise.
- Ransomware deployment is often only the final step of an intrusion, and in some cases it is used to destroy evidence and hide earlier post-breach activity, so treat an infection as a full incident rather than a malware cleanup.
- Use application directory allow-listing on all assets so that only authorized software can run and all unauthorized software is blocked.
- Enable application directory allow-listing via Microsoft Software Restriction Policies or AppLocker.
- Instead of enumerating every application permitted in the environment, use directory allow-listing: with safe defaults, applications may run from PROGRAMFILES, PROGRAMFILES(X86), and SYSTEM32, and execution from any other location is denied unless an exception is granted. Because this trusts locations rather than binaries, verify that standard users cannot write into the allowed directories or their subfolders; any user-writable folder under an allowed path is a bypass of the allow list.
- Consider deploying an intrusion detection system (IDS) to detect command-and-control traffic and other potentially malicious network activity that precedes ransomware deployment.
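The RDP and SMB items above describe one hardening procedure for a Windows host. The following script is an added example, not part of the original guidance: it audits the host against those items and, only when run with -Enforce, applies the fixes. The lockout values, the firewall rule names, the one-day event window and the use of the firewall's built-in Internet address keyword are assumptions to adjust to local policy; run it in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's own code): audit RDP and SMB settings; -Enforce applies fixes.
param([switch]$Enforce)

$findings = [System.Collections.Generic.List[string]]::new()

# --- SMB: find SMBv1 dependencies before removing the protocol ---
# AuditSmb1Access logs SMBv1 connections as event 3000 in Microsoft-Windows-SMBServer/Audit,
# so leave it on for a while and watch that log before disabling anything.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
$smb1 = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
if ($smb1) {
    $findings.Add('SMBv1 still used by: ' + (($smb1.ClientComputerName | Sort-Object -Unique) -join ', '))
} elseif ($Enforce) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client SKUs ship SMBv1 as an optional feature; on Server use Remove-WindowsFeature FS-SMB1.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    # Require signing on both sides. SMBv2 and SMBv3 share one stack on Windows, so
    # EnableSMB2Protocol $false would remove SMBv3 as well; do not do that.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}
$cfg = Get-SmbServerConfiguration
$findings.Add("SMBv1 enabled: $($cfg.EnableSMB1Protocol); server signing required: $($cfg.RequireSecuritySignature)")

# --- SMB: host firewall rules blocking 445/139 and NetBIOS 137-138 from non-local addresses ---
# 'Internet' is the firewall's built-in keyword for addresses outside the local networks (assumption:
# your internal ranges are what the host sees as local). The perimeter should block the same ports.
$smbRules = @(
    @{ Name = 'Block SMB TCP 445 (non-local)';         Protocol = 'TCP'; Port = 445 }
    @{ Name = 'Block NetBIOS TCP 139 (non-local)';     Protocol = 'TCP'; Port = 139 }
    @{ Name = 'Block NetBIOS UDP 137-138 (non-local)'; Protocol = 'UDP'; Port = '137-138' }
)
foreach ($r in $smbRules) {
    $exists = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if (-not $exists) { $findings.Add("Missing firewall rule: $($r.Name)") }
    if (-not $exists -and $Enforce) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Port -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# --- RDP: enabled? NLA required? lockout configured? ---
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"
$rdpOn = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla   = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
$findings.Add("RDP enabled: $rdpOn; NLA required: $nla")
if ($rdpOn -and -not $nla -and $Enforce) { Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1 }
if ($Enforce) {
    # Local policy only; on a domain member the domain GPO overrides these values.
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}
$findings.Add('Lockout policy: ' + ((((net accounts) -match 'Lockout threshold') -replace '\s+', ' ') -join ''))

# --- RDP: top sources of failed logons (event 4625) in the last day ---
# LogonType 10 = RemoteInteractive; with NLA the failure is recorded as type 3 instead.
# In the 4625 event schema, Properties[10] is LogonType and Properties[19] is IpAddress.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending | Select-Object -First 10
foreach ($src in $failed) { $findings.Add("$($src.Count) failed network/RDP logons from $($src.Name)") }

$findings
```

Run it once without -Enforce and read the findings; the SMBv1 session check and the audit log are the dependency discovery the list asks for, and the failed-logon summary is the "keep track of RDP login attempts" item turned into something you can feed to a ticket or a SIEM rule. MFA is not set here because it requires a gateway or identity provider in front of RDP rather than a host setting.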
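The DMARC and Office macro items above are the two email-layer controls in the list. The following is an added example, not code from the original guidance: Get-DmarcAssessment fetches and parses a domain's DMARC record and reports the common weaknesses (no record, p=none, partial pct, no reporting address), and Set-OfficeMacroLockdown writes the Office policy values that disable macros, which are the same values the corresponding Group Policy settings set. The domain example.com, the Office policy version 16.0 and the per-user HKCU scope are assumptions.

```powershell
# Added example (not the page's own code): DMARC check and Office macro lockdown.

function Get-DmarcAssessment {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC lives in a TXT record at _dmarc.<domain>; long records may be split into several strings.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -match '^v=DMARC1' } | Select-Object -First 1
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Policy = $null; Reporting = $null
                                  Issue = 'No DMARC record published: spoofed mail from this domain is not rejected' }
    }
    $record = $txt.Strings -join ''
    $tags = @{}
    foreach ($kv in $record -split ';') {
        if ($kv -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    # p=none only monitors; quarantine and reject actually stop spoofed mail.
    $issue = switch ($tags['p']) {
        'reject'     { $null }
        'quarantine' { 'p=quarantine: move to p=reject once aggregate reports are clean' }
        default      { 'p=none: spoofed mail is reported but still delivered' }
    }
    # pct<100 applies the policy to only a sample of failing mail; no rua means nobody sees the reports.
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $issue = "pct=$($tags['pct']) covers only part of the mail. $issue".Trim() }
    if (-not $tags['rua']) { $issue = "No rua= reporting address, so abuse goes unseen. $issue".Trim() }
    [pscustomobject]@{ Domain = $Domain; Policy = $tags['p']; Reporting = $tags['rua']; Issue = $issue }
}

function Set-OfficeMacroLockdown {
    param([string]$OfficeVersion = '16.0', [switch]$Enforce)
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        # Policy hive (assumption: per-user; deploy via GPO for the fleet).
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($Enforce) {
            New-Item -Path $key -Force | Out-Null
            # VBAWarnings 4 = disable all macros without notification.
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
            # Block macros in files carrying the Mark of the Web (downloaded or received by email).
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
        $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                   = $app
            MacrosDisabled        = ($cur.VBAWarnings -eq 4)
            InternetMacrosBlocked = ($cur.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Get-DmarcAssessment -Domain 'example.com' | Format-List
Set-OfficeMacroLockdown | Format-Table -AutoSize      # add -Enforce to write the policy values
```

The DMARC function only tells you what the domain publishes; whether inbound mail is actually checked against it depends on the receiving gateway's verification being turned on, which is the other half of the item above.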
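The directory allow-listing items above trust locations rather than binaries, so the practical check is whether a standard user can write into any of those locations. The following is an added example, not code from the original guidance: it emits the "Program Files plus System32, everything else denied" policy as AppLocker XML, scans the allowed roots for subfolders writable by low-privilege principals, and carves those out with Deny rules (which take precedence over Allow rules in AppLocker). Rule GUIDs are generated on the fly, the output path and the AuditOnly starting mode are assumptions, and the recursive ACL scan of System32 takes a few minutes.

```powershell
#Requires -RunAsAdministrator
# Added example (not the page's own code): directory allow list with user-writable carve-outs.

function ConvertTo-AppLockerPath {
    # Map a real directory onto AppLocker's path variables (x86 first: its name contains "Program Files").
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path
    if (${env:ProgramFiles(x86)}) { $p = $p -replace [regex]::Escape(${env:ProgramFiles(x86)}), '%PROGRAMFILES%' }
    $p = $p -replace [regex]::Escape($env:ProgramFiles), '%PROGRAMFILES%'
    $p = $p -replace [regex]::Escape("$env:SystemRoot\System32"), '%SYSTEM32%'
    "$p\*"
}

function New-PathRule {
    param([string]$Path, [string]$Sid, [ValidateSet('Allow', 'Deny')][string]$Action, [string]$Name)
    $id   = [guid]::NewGuid()
    $esc  = [System.Security.SecurityElement]::Escape($Path)
    $name = [System.Security.SecurityElement]::Escape($Name)
    "    <FilePathRule Id=`"$id`" Name=`"$name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`"><Conditions><FilePathCondition Path=`"$esc`"/></Conditions></FilePathRule>"
}

function New-DirectoryAllowListPolicy {
    param([string[]]$DenyPaths = @(), [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    $everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
    $rules = @(
        # AppLocker's %PROGRAMFILES% covers both Program Files and Program Files (x86).
        New-PathRule -Path '%PROGRAMFILES%\*' -Sid $everyone -Action Allow -Name 'Allow Program Files'
        New-PathRule -Path '%SYSTEM32%\*'     -Sid $everyone -Action Allow -Name 'Allow System32'
        New-PathRule -Path '*'                -Sid $admins   -Action Allow -Name 'Administrators: all paths'
    )
    # A Deny rule beats any Allow rule, so user-writable subfolders drop out of the allowed roots.
    $rules += @(foreach ($d in $DenyPaths) { New-PathRule -Path $d -Sid $everyone -Action Deny -Name "Deny user-writable $d" })
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Find-UserWritableDirs {
    # Directories under the allowed roots where low-privilege principals hold write or create rights.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32"))
    $lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    # WriteData|AppendData (0x6) plus ACEs granted as GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
    $writeMask = 0x50000006
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0)
            }
            if ($hits) {
                [pscustomobject]@{ Path = $_.FullName; Principals = (($hits.IdentityReference.Value | Sort-Object -Unique) -join ', ') }
            }
        }
    }
}

$writable = Find-UserWritableDirs
$writable | Format-Table -AutoSize
$deny = @(@(foreach ($w in $writable) { ConvertTo-AppLockerPath -Path $w.Path }) | Sort-Object -Unique)
$out = "$env:TEMP\dir-allowlist.xml"   # assumption: review location before deploying
New-DirectoryAllowListPolicy -DenyPaths $deny -Mode AuditOnly | Set-Content -Path $out -Encoding UTF8
# Review $out, run it in AuditOnly and watch the AppLocker event log for blocked-but-needed software,
# then regenerate with -Mode Enabled and apply it with:  Set-AppLockerPolicy -XmlPolicy $out
# (AppLocker only enforces while the Application Identity service, AppIDSvc, is running).
```

The scan is the part worth keeping even if you manage the policy elsewhere: a fresh Windows install already has a handful of user-writable folders under the Windows directory, and a default "allow everything in %WINDIR%" rule would let a standard user (or malware running as one) execute from them. Script, MSI and DLL rule collections need the same treatment before the Exe collection is switched to Enabled.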
Third Parties and Managed Service Providers
- Consider the risk management and cyber hygiene practices of the third parties and managed service providers (MSPs) your organization relies on to perform its various functions.
- If a third-party or managed service provider is responsible for maintaining and securing your organization’s backups, ensure that they follow the applicable best practices outlined above.
- Formalize your security requirements in contracts by stating the best practices and any additional requirements the provider must meet.
- Remember that attackers can exploit your organization’s trusted relationships with third parties and managed service providers.
- Threat actors target managed service providers directly and use the MSP's network connections and remote-management tooling to reach its clients; this is a major method for spreading malware and ransomware at scale.
- Threat actors can also impersonate organizations with which your organization has a trusted relationship, or use those organizations' compromised email accounts, to gain a foothold in your network and obtain sensitive information.