Risk Mitigation for Ransomware

How to create a defense posture to reduce risk of ransom

Kenneth Reilly
7 min read · Oct 7, 2023
Photo by Clint Patterson on Unsplash

Ransomware is a growing threat across today's security and IT landscape, earning criminals more than $1B USD a year. Estimates put the number of ransomware attacks in 2022 at roughly 250 million.

Attackers frequently get away with it: they take payment in cryptocurrency, and they often operate from countries that are unfriendly to the ones where the target systems sit, which hampers law-enforcement cooperation or makes it impossible.

The 2017 WannaCry outbreak is the canonical example. Attributed to North Korea, it spread by exploiting a Windows SMBv1 flaw using EternalBlue, an exploit stolen from the United States NSA and leaked by the Shadow Brokers, and it affected about 200,000 computers in over 150 countries. The patch for that flaw (MS17-010) had been available for two months before the outbreak, which is the whole lesson of this article in one sentence.

Because ransomware attacks are growing in both frequency and severity, organizations of every size, and especially those in critical sectors such as infrastructure and defense, need security measures that correctly scope what can go wrong and a plan of action with the highest-priority items at the top of the list.

Overview

A ransomware incident occurs when an attacker gains access to a target network, encrypts sensitive data there and demands a ransom in exchange for the decryption key; increasingly the data is also copied out first so that it can be leaked or sold if the victim refuses to pay. Paying does not guarantee recovery: sometimes the data is not decrypted, or cannot be, because the attacker has already collected the money and has little incentive to hold up their end of the deal.

Like most criminals, these attackers are predators who go after the highest-value and most-vulnerable targets. That is often medical, education and government offices that cannot keep up with securing the commodity systems they were effectively forced to adopt in order to keep up with the times.

In the 1990s, computer networks were built differently. Much of the internet ran on Sun Solaris and other durable Unix variants on SPARC and other RISC hardware, and client machines in offices or homes were often dumb terminals or otherwise limited-access devices. That left few openings for what is a relatively new attack: locking users out of their own files, or even out of a backend SQL Server database.

In the 1990s, the idea of a remote attacker locking you out of your own data and then anonymously demanding money would have sounded absurd. Computers were the future; surely we would never mess up badly enough for a government office to be locked out of itself by someone on the other side of the world. Clearly something went very wrong.

Stats

Estimates consistently place MS Windows as by far the most frequently compromised OS, often at 90% or more of malware incidents. macOS and Linux are targeted too, but the large majority of attacks still land on Windows systems.

If your network contains Windows machines (servers or workstations), this is one of the most important facts to keep in mind when developing a strategy to mitigate the risk of cybercrime in general and ransomware in particular.

The next thing to consider is which initial-access vectors have dominated over the last few years: exposed RDP, phishing, and vulnerabilities in internet-facing services (websites or APIs over HTTP).

RDP accounts for nearly half of the observed initial-access vectors, and RDP is almost exclusively a Windows protocol (most Linux servers have no GUI desktop to remote into). That alone justifies enumerating every Windows-based system in the environment and triaging each one for missing patches and compensating controls. In practice the problem is rarely RDP itself but RDP listening on the internet, where password spraying and credential stuffing run around the clock; any exposed instance belongs behind a VPN or Remote Desktop Gateway with Network Level Authentication and MFA, or should be switched off. This cannot be overstated, and any claim otherwise is negligence at best.

Phishing-driven ransomware typically involves the target opening a malicious attachment or link that either encrypts the user's data locally or, more often, gives the attacker a foothold from which to reach servers and backups. With vulnerable websites and services, the attacker exploits a flaw in a public-facing endpoint (or an already compromised intranet one) to run code on the host and pivots from there.
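Since exposed RDP is the vector the previous paragraphs single out, the following is an added example (not code from the original article) of the detection a defender would want running over Windows Security logs: a burst of failed RDP logons from one address, followed by a successful logon from that same address. Windows records failed logons as event 4625 and successful ones as 4624, and RDP sessions carry Logon Type 10 (RemoteInteractive). The one-line key=value layout and the events themselves are constructed for this example; a real pipeline would read EVTX/XML via Get-WinEvent or a SIEM export.

```python
"""Added example (not from the original article): flag RDP password guessing and a
following successful logon in Windows Security events 4625/4624, Logon Type 10."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address hammers four accounts and then gets in as
# 'administrator'; a normal user mistypes a password once; one console logon fails.
SAMPLE_EVENTS = """\
2023-10-07T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-10-07T02:14:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2023-10-07T02:14:17 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2023-10-07T02:14:25 EventID=4625 LogonType=10 TargetUserName=sa IpAddress=203.0.113.7
2023-10-07T02:14:33 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-10-07T02:15:40 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-10-07T02:16:02 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2023-10-07T08:01:10 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.22
2023-10-07T08:01:25 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.22
2023-10-07T08:03:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
"""

# Layout assumed by this example: ISO timestamp followed by key=value fields.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the key=value lines into dicts, oldest first; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "event_id": int(d["event_id"]),
            "logon_type": int(d["logon_type"]),
            "user": d["user"],
            "ip": d["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_attacks(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for every source that produced >= threshold failed RDP logons
    (4625, type 10) within one sliding window. A 4624 type 10 from the same source within
    `window` of its last failure is recorded as a probable compromised account."""
    failures = defaultdict(list)  # ip -> [(timestamp, target user)] for all RDP failures
    findings = {}
    for e in events:
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) sessions matter here
        ip = e["ip"]
        if e["event_id"] == 4625:
            failures[ip].append((e["ts"], e["user"]))
            in_window = [u for ts, u in failures[ip] if e["ts"] - ts <= window]
            if ip in findings or len(in_window) >= threshold:
                findings[ip] = {
                    "failures": len(failures[ip]),
                    "users": sorted({u for _, u in failures[ip]}),
                    "success_after_failures": findings.get(ip, {}).get("success_after_failures"),
                }
        elif e["event_id"] == 4624 and ip in findings:
            last_failure = failures[ip][-1][0]
            if e["ts"] - last_failure <= window:
                findings[ip]["success_after_failures"] = e["user"]
    return findings


def report(findings):
    """Human-readable lines for a ticket or alert."""
    lines = []
    for ip, f in sorted(findings.items()):
        lines.append(f"{ip}: {f['failures']} failed RDP logons against "
                     f"{len(f['users'])} accounts ({', '.join(f['users'])})")
        if f["success_after_failures"]:
            lines.append(f"   !! successful RDP logon as '{f['success_after_failures']}' right "
                         f"after the failures: treat the account and host as compromised")
    return lines


if __name__ == "__main__":
    print("\n".join(report(detect_rdp_attacks(parse_events(SAMPLE_EVENTS)))))
```

The threshold and window are deliberately low so the sample trips them; on a real domain controller you would tune them against normal helpdesk traffic, and the single user who mistypes once (198.51.100.22) is correctly left alone. The second rule, a success inside the window after the burst, is the one worth paging on at 2 a.m.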

Photo by James Wheeler on Unsplash

Whatever the vector, in every successful ransomware attack the attacker ends up able to do something as drastic as encrypting an entire data share or a SQL database on a production machine while it is otherwise operating normally. By the time a ransomware attack causes a noticeable service interruption, the job of securing the network has already failed at several layers: initial access, lateral movement and the encryption itself all went unnoticed.

Strategies

There are a number of strategies for building a plan to protect an organization from these attacks. The most important step, and the only one anyone has 100% control over, is to become familiar enough with ransomware trends and the basic concepts outlined in the previous section that, when a question or opportunity about vulnerable systems arises on the job, the right information reaches the right hands and the top risks get addressed now or in the next development iteration or maintenance cycle.

Waiting until you have time to sit down and craft a plan covering every angle you can think of is not a good strategy; it never happens that way. By the time you get a free moment, which for a busy team may be weeks or months away, the security landscape will have shifted. Begin now. Start raising awareness of ransomware attack vectors and trends within your organization immediately, by whatever reasonable means works: official company emails, free drinks for colleagues willing to hear you out, or whatever else gets the job done (legally and safely, of course). Leave no stone unturned.

Based on my experience auditing and securing corporate networks, here are the tasks most likely to matter, each of which should be done thoroughly to bring the ransomware risk in your organization down to a reasonable level:

  1. Map your network — this is absolutely critical and is often overlooked even in large organizations. Use whatever resources you and your team have to build a list of every workstation, server, database, router, hypervisor, API, repository, storage bucket and anything else that holds or moves data. In many cases this information is scattered across departments in incomplete documents with inconsistent formatting. Pay especially close attention to Windows machines, and leave no corner unchecked.
  2. Train your staff — make sure department and product leads know the security requirements that matter for ransomware mitigation: regular OS patches, regular updates to SQL database and application server binaries, periodic review of access levels, and backups of data to more than one location. Employees and contractors who deal with clients or the general public are prime phishing targets and should report any suspicious activity to security personnel. Everyone should be encouraged to ask questions and learn as much as they can.
  3. Keep backups — an organization with complete backup coverage comes close to being immune to data loss, provided the backups are offline or immutable and restores are actually tested; modern ransomware deliberately hunts for and encrypts or deletes any backup it can reach with the credentials it has stolen, so a backup share on the same domain is not a backup. Even with good backups, damage can still be high when stolen data can be sold or used for blackmail, so in addition to regular backups, compress and archive unused data and store it in a set of offline locations for safety and redundancy, where it cannot be used against you. Source code should always live in access-controlled version-control repositories.
  4. Perform maintenance — tidying up the network and keeping track of which machines are deployed where, running which version of what OS, should be someone's full-time job or close to it. Attackers exploit vulnerabilities that turn what should have been a non-issue into a serious breach, moving laterally through the network and wreaking havoc; an incident that could have been contained to a few workstations becomes a system-wide compromise. Keep every operating system, server and remote-control package up to date.
  5. Lock down — if it can be turned off or disabled, it should be. There is no reason to run RDP on systems nobody accesses remotely, or to leave unnecessary ports open on a server that could give an attacker an entry point. Machines that only need to talk to a few other servers or routers should use allow lists to limit traffic (ingress and egress) to those trusted systems. Unnecessary background services should be disabled, and rotating access keys should be used for service-to-service and client-server authentication wherever possible. API keys for third-party services such as telephony or data-transfer systems should carry expiration dates and be rotated through a trusted secrets manager such as Secret Server. Lock down all the things!
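The five steps above only pay off if the inventory from step 1 is turned into the ranked plan of action the introduction asks for. As an added example (not code from the original article), the script below scores a constructed asset inventory against the rules in steps 3 to 5: RDP reachable from the internet, SMBv1 still enabled, an OS at or near end of support, stale patching, and missing or single-copy backups. The hosts, the CSV column layout and the point weights are this example's own assumptions, not a published standard; the end-of-support dates are Microsoft's published lifecycle dates. A real run would feed it an export from Active Directory, a CMDB or a vulnerability scanner.

```python
"""Added example (not from the original article): rank hosts from a network map by
ransomware exposure so the plan of action starts with the worst offenders."""
import csv
from datetime import date
from io import StringIO

# Constructed inventory of hypothetical hosts. Columns are this example's convention.
INVENTORY_CSV = """\
host,os,os_version,role,rdp_listening,rdp_reachable_from,last_patched,backup_copies,smbv1_enabled
DC01,windows,Server 2019,domain controller,yes,internal,2023-09-20,2,no
FILE01,windows,Server 2012 R2,file server,yes,internet,2023-03-02,1,yes
SQL01,windows,Server 2016,database,yes,internal,2023-08-30,2,no
WEB01,linux,Ubuntu 22.04,web,no,,2023-10-01,1,no
WS-RECEPTION,windows,Windows 10,workstation,yes,internet,2023-07-15,0,no
WS-DEV07,windows,Windows 11,workstation,no,,2023-10-05,1,no
"""

# Microsoft end-of-support dates; any version not listed is treated as supported.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Server 2008 R2": date(2020, 1, 14),
    "Server 2012": date(2023, 10, 10),
    "Server 2012 R2": date(2023, 10, 10),
}


def assess_host(row, as_of):
    """Return (score, findings) for one inventory row. Point weights are illustrative."""
    score, findings = 0, []

    def flag(points, text):
        nonlocal score
        score += points
        findings.append(f"[{points}] {text}")

    rdp_on = row["rdp_listening"] == "yes"
    if rdp_on and row["rdp_reachable_from"] == "internet":
        flag(10, "RDP reachable from the internet: move behind VPN/RD Gateway or "
                 "disable; require NLA and MFA")
    elif rdp_on and row["role"] == "workstation":
        flag(2, "RDP listening on a workstation: disable unless there is a documented need")

    if row["smbv1_enabled"] == "yes":
        flag(8, "SMBv1 enabled (the protocol WannaCry's EternalBlue exploit abused): disable it")

    eol = END_OF_SUPPORT.get(row["os_version"])
    if eol and eol <= as_of:
        flag(8, f"{row['os_version']} unsupported since {eol}: no more security patches")
    elif eol and (eol - as_of).days <= 90:
        flag(5, f"{row['os_version']} leaves support on {eol}: schedule the upgrade now")

    patch_age = (as_of - date.fromisoformat(row["last_patched"])).days
    if patch_age > 90:
        flag(6, f"last patched {patch_age} days ago")
    elif patch_age > 30:
        flag(4, f"last patched {patch_age} days ago")

    copies = int(row["backup_copies"])
    if copies == 0:
        flag(9, "no backups at all")
    elif copies == 1:
        flag(5, "single backup copy: add an offline/immutable second copy and test a restore")

    return score, findings


def triage(inventory_csv, as_of):
    """Score every host and return them highest risk first (ties broken by hostname)."""
    results = []
    for row in csv.DictReader(StringIO(inventory_csv)):
        score, findings = assess_host(row, as_of)
        results.append({"host": row["host"], "score": score, "findings": findings})
    return sorted(results, key=lambda r: (-r["score"], r["host"]))


if __name__ == "__main__":
    for r in triage(INVENTORY_CSV, date(2023, 10, 7)):
        print(f"{r['host']:<14} score={r['score']:>3}")
        for f in r["findings"]:
            print("   ", f)
```

On the sample data the end-of-life file server with internet-facing RDP and SMBv1 comes out on top, and the reception workstation with no backups is second; those are the two tickets to open before anything else. The weights are meant to be argued over in your own environment, but the shape of the output, a short list ordered by what an attacker would use first, is the point.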

Conclusion

While ransomware grows more dangerous to organizations with each passing year, the techniques remain largely the same. This is not an alien invasion that requires us to scramble for fusion-powered energy weapons. Year after year, attackers exploit the same weaknesses in people and in the systems they operate and manage, pulling off the same heist over and over against new targets.

If you are responsible for your organization's infrastructure even a little, you are responsible for its security. Everyone is, because no weak link is acceptable when it comes to protecting your school, hospital, government office or business. Everyone from interns to the CISO should receive as much relevant training as they can absorb without inducing training fatigue.

剣一
