Ransomware and Cyber Extortion: Strengthen Defenses and Improve Your Incident Response Plan
By Simone Q., Principal Security Consultant at SureCloud
Published on 24th April 2023
Ransomware presents a constant threat to organizations. In 2021 alone, US banks and financial institutions processed over $1 billion in ransomware payments, almost triple the amount paid the previous year.
The global pandemic saw ransomware groups adopt new tactics to extort the maximum amount possible from their victims. One of the biggest developments in recent years has been the emergence of Ransomware-as-a-Service (RaaS), where ransomware operators write the malware and sell it to other bad actors for use in their own attacks. This gives cybercriminals even more tools to execute attacks with speed and efficiency.
In 2022, the Internet Crime Complaint Center identified 2,385 complaints as ransomware. These complaints resulted in a loss of over $34.3 million to businesses. Furthermore, experts believe these figures will rise even higher over the next 12 months.
In this article, we discuss the motivations behind ransomware groups, how organizations can better protect their infrastructure and assets, and why now is the time to develop a robust incident response plan so that your business does not become the next victim.
The ransomware landscape is evolving at a rapid pace, so having a robust incident response plan is vital.
Who are these ransomware groups, how do they choose their targets, and how do they operate?
The people behind ransomware groups are often skilled individuals with strong knowledge of infrastructure attacks, cryptography, and anonymity. They’ve realized that the financial rewards of illegal activities surpass those of their day job but haven’t considered the long-term consequences of their actions. Typically, they work in groups, but it’s not uncommon for some to work alone.
The end goal is to extort as much money as possible from victims. They actively target organizations and individuals or provide affiliates with undetectable ransomware in exchange for a share of the profits.
There is no discrimination, and no ethical reasoning, behind which organizations they target. For example, hospitals, universities, and other sensitive infrastructure have all been targeted simply for financial gain. Ransomware groups also take advantage of newly disclosed vulnerabilities, including zero-days, to carry out attacks on a mass scale.
Most groups are motivated by a desire for quick financial gain, regardless of the consequences.
Protecting infrastructure and assets against ransomware attacks
Organizations can take these immediate actions to protect against ransomware attacks:
Asset management – An asset is any device able to access or handle corporate resources, including email. This usually includes desktops, laptops, mobile devices, switches, routers, and cloud or on-premises servers.
Each company’s IT department should have and maintain a list of assets currently deployed within their estate. At a minimum, the list should include:
- Operating system and build (e.g., Windows 10 Business 22H2 19045.2604 or iPhone 14 running iOS 16.3)
- Software installed on each machine and its version (e.g., Adobe Acrobat Reader 23.001.2006-4.0 or WhatsApp 188.8.131.52)
- Hardware and firmware version (e.g., ASA 5506H-X running IOS 9.12447 or Lenovo S205 running firmware 5.08.01)
Knowing which operating system and software is on each asset is essential, because it makes it far easier to locate and isolate potentially malicious activity. ISO 27001 certification can also help in managing assets.
Regular updates – A comprehensive list of assets within your estate will make it easier to identify which software or operating system requires an update. All operating systems release regular monthly updates that include patches to security vulnerabilities.
For example, on Windows this process is known as ‘Patch Tuesday’. Critical updates should be actioned as soon as possible, medium and low-risk updates within 15 days, and cumulative updates within 30 days. Updates to operating systems or anti-virus software can be applied automatically via, for example, Group Policy Objects (GPOs) in Windows environments.
We understand that patching the production environment might be scary for some, but keep in mind that all major vendors extensively test updates on several different platforms before releasing them to the public. There is nothing to be afraid of. However, if you’re still not convinced, we recommend applying the latest security patches in a test environment first and observing if it introduces any unexpected behavior or incompatibility.
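The patch windows above can be checked mechanically against the asset inventory. The following is an added example (not SureCloud's tooling); it treats "as soon as possible" for critical updates as due on the day of release, and the hostnames and update identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Patch windows taken from the policy in the text. "As soon as possible" for critical
# updates is modelled here as due on the day of release (an assumption).
PATCH_WINDOW_DAYS = {"critical": 0, "medium": 15, "low": 15, "cumulative": 30}

@dataclass
class PendingUpdate:
    asset: str        # hostname from the asset inventory
    update_id: str    # vendor update identifier
    category: str     # "critical", "medium", "low" or "cumulative"
    released: date    # date the vendor published the update
    applied: bool = False

def deadline(update: PendingUpdate) -> date:
    """Last day on which the update may still be unapplied without breaching policy."""
    if update.category not in PATCH_WINDOW_DAYS:
        raise ValueError(f"unknown update category: {update.category!r}")
    return update.released + timedelta(days=PATCH_WINDOW_DAYS[update.category])

def overdue_updates(updates, today):
    """Return (asset, update_id, days_overdue) for every unapplied update that is past
    its deadline, most overdue first. `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    overdue = []
    for u in updates:
        if u.applied:
            continue
        days_late = (today - deadline(u)).days
        if days_late > 0:
            overdue.append((u.asset, u.update_id, days_late))
    return sorted(overdue, key=lambda row: row[2], reverse=True)

# Constructed sample inventory; the update identifiers are placeholders, not real KB numbers.
SAMPLE_UPDATES = [
    PendingUpdate("LAPTOP-01", "UPDATE-CRIT-EXAMPLE", "critical", date(2023, 4, 11)),
    PendingUpdate("LAPTOP-01", "UPDATE-MED-EXAMPLE", "medium", date(2023, 4, 11)),
    PendingUpdate("SRV-DB-01", "UPDATE-CU-EXAMPLE", "cumulative", date(2023, 3, 14)),
    PendingUpdate("SRV-DB-01", "UPDATE-LOW-EXAMPLE", "low", date(2023, 4, 5), applied=True),
]

if __name__ == "__main__":
    for asset, update_id, days_late in overdue_updates(SAMPLE_UPDATES, "2023-04-24"):
        print(f"{asset}: {update_id} is {days_late} day(s) past its patch window")
```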
Phishing exercises and training – Phishing remains the most common cause of a cyberattack, claiming over 300,000 victims in 2022.
Implementing phishing exercises and mandatory training reduces the likelihood of a successful attack but won’t eliminate the threat, mainly because humans are the weakest point of any security policy. Training raises awareness of the risks of suspicious links and attachments. However, it should also cover physical threats, such as leaving a laptop unlocked in public or plugging in an untrusted USB stick.
Password Policy and MFA – It’s no secret that humans tend to choose weak passwords for their accounts. It is the IT department’s responsibility to enforce a good password policy which, at the time of writing and per National Cyber Security Centre (NCSC) guidance, is:
- Specify a minimum password length to prevent very short passwords from being used.
- Implement machine-generated passwords, for example, using a password manager.
- Employ a password deny list that prevents the most common passwords from being used.
- Consider alternatives to passwords such as SSO, hardware tokens, and biometric solutions.
- Use Multi-Factor Authentication (MFA) for all accounts and internet-facing systems.
MFA is one of the best defense mechanisms against malicious access to a network. Installing an authenticator app on a mobile device removes the reliance on clunky SMS messaging and quickly alerts users to anyone trying to access their accounts.
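The minimum-length, machine-generated-password and deny-list points above can be enforced in code. The block below is an added example, not SureCloud's or the NCSC's code; the deny list is constructed, and the minimum length of 12 is an assumption since the article gives no figure.

```python
import re
import secrets
import string

# Constructed deny list for the example; in production, use a published list of the
# most common or breached passwords, as the deny-list point above recommends.
DENY_LIST = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
# The article gives no minimum length; 12 is an assumption for this example.
MIN_LENGTH = 12
# Common letter substitutions folded back to the letter they stand in for.
LEET = str.maketrans("@$013!4", "asoieia")

def normalise(password: str) -> str:
    """Strip the trivial variations users add to a banned word: case, a trailing run of
    digits/symbols, and common letter substitutions. 'P@ssw0rd2023!' becomes 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    return stripped.translate(LEET)

def check_password(password: str, deny_list=DENY_LIST, min_length=MIN_LENGTH):
    """Return the policy rules the candidate breaks (an empty list means it is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if password.lower() in deny_list or normalise(password) in deny_list:
        problems.append("on_deny_list")
    return problems

def generate_password(length: int = 20) -> str:
    """Machine-generated password drawn from a cryptographically secure RNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ["P@ssw0rd2023!", "Welcome1", "correct horse battery staple", generate_password()]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```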
Hardening of remote connection services – The majority of an organization’s assets will have a remote connection service that allows IT technicians to connect and perform maintenance.
The most well-known services are:
- Remote Desktop Protocol (RDP) for Windows
- Secure Shell (SSH) for Linux/Unix
- Web interfaces for firewalls and routers
These services are often shipped with only a standard level of security, and additional steps will be required to harden them. It’s important to regularly check vendor sites for updates to their software and apply them as soon as possible, as this will ensure remote connection services stay protected.
Monitoring of remote connection services – Once access to the remote services is secured, it’s important to monitor them continuously. Add an extra layer of security by sending out SMS and email alerts each time a core system is accessed remotely. For every other non-critical part of the network, logging solutions can be configured to send logs to a centralized system, which makes it easier to filter and follow any potentially malicious activity.
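The alerting described above, applied to SSH, can be implemented by scanning the centralized auth log for accepted logins to core systems. This is an added example, not SureCloud's tooling; the log lines, hostnames and addresses are constructed, and the failed-login threshold is an assumption.

```python
import re
from collections import Counter

# Matches OpenSSH login outcome lines as written to a syslog-style auth log.
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def analyse_ssh_log(lines, core_hosts, fail_threshold=3):
    """Return remote logins to core systems (to alert on) and (host, source) pairs with
    repeated failures (to investigate). Lines that are not sshd outcomes are ignored."""
    core_access, failures = [], Counter()
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        if m["result"] == "Accepted" and m["host"] in core_hosts:
            core_access.append((m["ts"], m["host"], m["user"], m["src"], m["method"]))
        elif m["result"] == "Failed":
            failures[(m["host"], m["src"])] += 1
    repeated = {key: n for key, n in failures.items() if n >= fail_threshold}
    return {"core_access": core_access, "repeated_failures": repeated}

# Constructed sample log lines (hostnames, users and addresses are made up for the example).
SAMPLE_LOG = """\
Apr 24 09:12:01 srv-db-01 sshd[2211]: Accepted publickey for dba from 10.0.5.23 port 51122 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Apr 24 09:13:44 srv-web-02 sshd[3301]: Failed password for invalid user oracle from 203.0.113.9 port 41000 ssh2
Apr 24 09:13:47 srv-web-02 sshd[3304]: Failed password for invalid user test from 203.0.113.9 port 41002 ssh2
Apr 24 09:13:51 srv-web-02 sshd[3308]: Failed password for root from 203.0.113.9 port 41005 ssh2
Apr 24 09:20:10 srv-web-02 sshd[3390]: Accepted password for deploy from 10.0.5.40 port 50010 ssh2
Apr 24 09:21:00 srv-db-01 sshd[2290]: Disconnected from user dba 10.0.5.23 port 51122
""".splitlines()

# Core systems for which every remote login should trigger an SMS/email alert.
CORE_HOSTS = {"srv-db-01", "srv-dc-01"}

if __name__ == "__main__":
    report = analyse_ssh_log(SAMPLE_LOG, CORE_HOSTS)
    for ts, host, user, src, method in report["core_access"]:
        print(f"ALERT {ts}: {user} logged in to core system {host} from {src} ({method})")
    for (host, src), n in report["repeated_failures"].items():
        print(f"INVESTIGATE: {n} failed logins on {host} from {src}")
```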
Backup, test, and repeat – The most effective way to recover from a ransomware attack is to have a well-tested and robust backup procedure. It’s hard to get it right, but here are a few crucial steps you should follow:
- Have and regularly update a backup policy. This document will contain details of how backup is initiated, stored, and tested.
- Identify the best solution for air-gapped backups. It should be completely separate from the company’s infrastructure and resilient to tampering.
- Force or schedule regular backups of all business-critical data.
- Check that everything is working as expected in the air-gapped backup solution. Is it receiving regular updates from all systems and users? Can users tamper with its content?
- Test the efficiency of restoring backup data to validate how fast the solution can restore business activities in the event of a ransomware attack.
Think of the amount of money organizations would save if they could restore their IT infrastructure in a few hours instead of weeks.
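Two of the checks in the list above, whether every system is still sending backups and whether stored backups still match what was written, can be automated against a backup manifest. This is an added example, not SureCloud's code; the manifest, system names and archive contents are constructed, and the 48-hour freshness window is an assumption.

```python
import hashlib
from datetime import datetime, timedelta

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_backups(manifest, stored_blobs, expected_systems, now_iso, max_age_hours):
    """Report systems whose newest backup is older than max_age_hours (or missing) and
    backups whose stored bytes no longer match the hash recorded in the manifest.
    Returns {"stale": [system, ...], "tampered": [blob name, ...]}."""
    now = datetime.fromisoformat(now_iso)
    latest, tampered = {}, []
    for entry in manifest:
        taken = datetime.fromisoformat(entry["taken"])
        system = entry["system"]
        if system not in latest or taken > latest[system]:
            latest[system] = taken
        blob = stored_blobs.get(entry["blob"])
        # A missing blob or a hash mismatch means the backup was altered, corrupted or removed.
        if blob is None or sha256_hex(blob) != entry["sha256"]:
            tampered.append(entry["blob"])
    stale = [s for s in expected_systems
             if s not in latest or now - latest[s] > timedelta(hours=max_age_hours)]
    return {"stale": sorted(stale), "tampered": sorted(tampered)}

# Constructed example data. The manifest hashes were recorded when the backups were written;
# the web backup's stored bytes were then changed, which the check must detect.
DB_BACKUP = b"-- constructed database dump --"
WEB_BACKUP_ORIGINAL = b"constructed web content archive"
MANIFEST = [
    {"system": "srv-db-01", "blob": "srv-db-01-2023-04-23.tar", "taken": "2023-04-23T23:00:00", "sha256": sha256_hex(DB_BACKUP)},
    {"system": "srv-web-02", "blob": "srv-web-02-2023-04-23.tar", "taken": "2023-04-23T23:05:00", "sha256": sha256_hex(WEB_BACKUP_ORIGINAL)},
    {"system": "file-01", "blob": "file-01-2023-04-15.tar", "taken": "2023-04-15T23:00:00", "sha256": sha256_hex(b"old file server archive")},
]
STORED_BLOBS = {
    "srv-db-01-2023-04-23.tar": DB_BACKUP,
    "srv-web-02-2023-04-23.tar": WEB_BACKUP_ORIGINAL + b" (modified after backup)",
    "file-01-2023-04-15.tar": b"old file server archive",
}
EXPECTED_SYSTEMS = ["srv-db-01", "srv-web-02", "file-01", "srv-dc-01"]

if __name__ == "__main__":
    print(check_backups(MANIFEST, STORED_BLOBS, EXPECTED_SYSTEMS, "2023-04-24T09:00:00", 48))
```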
Incident response plan – Every CISO should have an incident response plan. It’s a pre-agreed strategy that all staff follow if there is a security breach. Enabling a prompt response to a security incident is essential to minimizing its impact and coordinating a unified response.
According to the National Institute of Standards and Technology (NIST), an incident response plan should follow these four steps:
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident activity
An incident response plan will help restore business operations, minimize losses, and strengthen an organization’s overall security posture.
Authorities are slowly trying to identify, isolate, and stop ransomware groups by offering rewards of up to $10 million in exchange for information about their activity. Evidence suggests it’s an approach that is beginning to work: in October 2021, for example, the FBI was able to successfully infiltrate and disrupt the infrastructure of the REvil ransomware group, though it’s clear more needs to be done.
It’s everyone’s responsibility to secure infrastructure and assets. However, it requires buy-in from all levels of an organization. You can start by implementing a robust incident response plan, and if further support is needed, seek the advice of an external security provider such as SureCloud.