Ransomware Attack Trends: Tips for Prevention & Response
Ransomware continues to cause severe disruptions and the loss of critical data within business information systems. It is also leveraging the use of certain providers and tools to increase its devastation and profit. Consistent with what we noted earlier in the year, malicious attackers continue to target managed service providers (MSPs). An MSP is a business model that remotely manages client information technology infrastructure and/or end-user systems. MSPs may have hundreds or even thousands of business clients. They have become targets of malicious hackers because, through them, attackers have access to not just the MSP, but to all of their clients’ information systems.
From the attacker’s perspective, rather than attack just one business, why not target its MSP and successfully affect hundreds or even thousands of businesses with the same effort? The sheer size of these attacks is an order of magnitude larger and more complex than previous large-scale attacks, both because of the number of entities simultaneously affected and because of the corresponding large-scale efforts that must be undertaken to swiftly and effectively respond to and remediate them.
Often as part of the MSP attacks, and as part of a similar attack trend involving the simultaneous victimization of many information systems, malicious attackers have compromised professional services automation (PSA) tools, remote monitoring and management (RMM) tools, enterprise resource planning (ERP) applications, and similar means of access to numerous information systems or repositories of data. Depending upon the exploit used by the attacker, hundreds of systems can be encrypted simultaneously to increase the extortionate value of the attack, and/or much more sensitive data can be exfiltrated from those systems, substantially increasing the resulting profit on the dark web. Preparing for and effectively responding to these attacks requires significant coordination.
Certain variants of ransomware continuously evolve to evade detection by the most sophisticated anti-virus products. The more sophisticated ransomware attacks may be preceded by credential-stealing Trojan attacks, allowing the attacker to elevate privileges within the network and gain access to substantially more digital assets in which to seed the encryption malware. When the ransomware attack is executed, the resulting encryption can be devastating to the network, essentially locking up servers containing mission-critical sensitive client information and the operational data required for information system functionality.
Tips for Prevention and Response
Preparing for ransomware attacks should be a part of every information security program. In addition to various risk-based information security frameworks that must be employed to protect against general online threats, there are a few specific measures that can be taken to defend against ransomware attacks:
- Appropriate cyber insurance should be obtained. Although this should be part of any enterprise risk management program, it is more important than ever before. The expense of responding to a ransomware attack can be substantial. At a minimum, an effective ransomware response typically involves the deployment of robust endpoint monitoring tools to contain the attack. It also typically involves forensics investigations to determine what happened, when it happened and how it happened. The endpoint monitoring and forensics investigations, while necessary, can often result in a substantial five or six figure expense. This economic risk can be mitigated by the acquisition of appropriate cyber insurance.
- A system should be deployed for creating backups, checking backups, and restoring backups of all vital applications and data in a separate and secure location. Ideally, backups should be “gapped” (air-gapped, i.e., not reachable from the production network) to ensure they cannot be accessed or corrupted by a malicious attacker.
- A system should be deployed for creating and maintaining a gapped golden image so that, if necessary, it can be restored alongside the backups in the event a system is encrypted and the data has to be completely rebuilt.
- Anti-malware tools should be continuously deployed.
- Endpoint monitoring tools, with strong data analytics used in a heuristic manner, should be continuously deployed to detect and quarantine ransomware and other malware.
- A system should be deployed for continuous and timely patch management.
Responses to ransomware attacks should involve the following actions:
- Contact your cyber insurance broker/carrier immediately. Your cyber insurance carrier has critical resources available to you and those resources (forensics, consumer remediation, and legal) can guide you through the entire response process.
- Do not initiate contact with the attacker from your domain. Attackers often do not know the identity of their victims – they may only know their IP addresses. It is important that you not reveal your identity to the attacker as the information may result in higher ransom demands or further damage to your infrastructure.
- Do not disclose information about your network infrastructure. Information pertaining to your infrastructure may result in higher ransom demands. If the incident is not yet fully contained, it may also result in further damage to your network infrastructure.
- Do not pay ransom without exhausting other resources for decryption keys. Decryption keys for some ransomware variants exist in the public domain, are maintained by digital forensics firms, or are maintained by the FBI. Decryption keys should be sought from all available sources before paying ransom for them.
- Do not pay ransom directly to the attacker. Use a vetted third party that has established protocols for compliance with U.S. Treasury regulations pertaining to anti-money laundering and foreign asset laws.
- Engage appropriate forensics resources. It is important to deploy appropriate forensic resources to detect and remove the malware before the system is returned to operational status.
- If ransom is paid for a decryption key, ensure that the key is analyzed by appropriate forensics resources to determine if it properly decrypts, does not contain malware, and is otherwise safe to deploy in your network.
- Do not wipe digital devices without obtaining a forensic image. It is important to gather forensic evidence before rebuilding the network. The forensic evidence may help to determine how and when the attack happened, what the malware was designed to do, and whether sensitive data was accessed or acquired without authorization.
- Do not resume operations without identifying and securing vulnerabilities – or clearing all endpoints. It is important that the environment be free of malware before it is returned to operational status to prevent reinfection.
- Do not make unnecessary public statements. It is important to not make unnecessary public statements that may reveal your identity to the attacker. The best course of action is to work with legal counsel to draft internal and external messaging that will comply with your legal obligations while simultaneously protecting your best interests.