Ransomware isn’t going away anytime soon and in the last few weeks, there have been several high-profile incidents including a Ransomware attack against Serco, the outsourcing firm working closely with the UK government on the NHS test and trace programme, as well as other incidents at a French hospital, an insurance company and a video game manufacturer in Europe, which resulted in the source code for a game being auctioned off.
This type of malware attack is a money-making scheme and will target any type of industry in any sector. Alternative investment, and in particular Private Equity, is a major target for ransomware attacks.
What Do We Know For A Fact?
A survey conducted at the end of 2020 showed that the average ransom demand has increased by 60% to over £125,000. If you remove the larger demands that make the headlines (the largest ransom demand in 2020 was around £10 million) the average ransom demand for small businesses was over £4,000.
A survey of 5,000 IT managers conducted by Cyber Security firm Sophos found that 51% of respondents claimed to have been hit by ransomware in 2020. Of those affected, a quarter paid the ransom to retrieve their data.
With ransomware kits being available to buy on the Dark Web for as little as £30, it’s clear that the financial incentives for cyber criminals are vast.
Steps To Protect Against Ransomware
There are a number of steps that you can put in place to reduce the risk of a ransomware attack on your business, and we would always recommend that our clients consider the following:
Ransomware Attack Data Protection & Recovery
Backups: In the event of a ransomware attack, having a valid backup copy of your business-critical data is going to be vital for recovery. As a result, your backups must be segregated from your production environment: there are many examples of a ransomware attack also encrypting backed-up data because the backups were not segregated. Restores from your backup media should also be tested regularly – you need to have the confidence that the solution works. It is also important to ensure that you are keeping multiple generations of your data within your backup strategy, so that you have the option to restore from multiple save points covering hours and days.
Storage Snapshots: If you are utilising SAN or NAS technology within your production environment you should be taking regular snapshots of that data at the storage layer. This allows for fast restoration of huge volumes of data in the event of a ransomware attack. Our recommendation is for a mix of regular snapshots, covering minutes or hours, as well as less frequent snapshots, perhaps on a 6-hourly or daily schedule. This provides options for restoring data depending on how much data has been affected by an attack.
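The "multiple generations" point above is easy to state and easy to get wrong in practice, so here is an added example (not Tribeca's tooling or code from the original post) that checks a snapshot catalogue against a retention policy of the kind described: hourly restore points for the last day and daily restore points for the last week. The catalogue, the policy tiers and the timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed snapshot catalogue (not real data): hourly snapshots for the
# last 24 hours with one missing, plus daily 02:00 snapshots for a week with one missing.
NOW = datetime(2021, 3, 8, 10, 0)
HOURLY = [NOW - timedelta(hours=h) for h in range(25) if h != 13]
DAILY = [datetime(2021, 3, 8 - d, 2, 0) for d in range(7) if d != 4]
SNAPSHOTS = [t.isoformat() for t in HOURLY + DAILY]

# Retention policy assumed for the example: tier -> (restore-point spacing, how far back it applies).
POLICY = {
    "hourly": (timedelta(hours=1), timedelta(hours=24)),
    "daily": (timedelta(days=1), timedelta(days=7)),
}

def coverage_gaps(snapshots, now, policy):
    """For each tier, return the (start, end] windows that contain no snapshot,
    i.e. restore points the policy promises but the catalogue cannot provide."""
    times = sorted(datetime.fromisoformat(s) for s in snapshots)
    gaps = {}
    for label, (spacing, span) in policy.items():
        missing = []
        end = now
        while end > now - span:          # walk back one window at a time
            start = end - spacing
            if not any(start < t <= end for t in times):
                missing.append((start, end))
            end = start
        gaps[label] = missing
    return gaps

if __name__ == "__main__":
    for label, windows in coverage_gaps(SNAPSHOTS, NOW, POLICY).items():
        print(f"{label}: {len(windows)} missing restore point(s)")
        for start, end in windows:
            print(f"  no snapshot in ({start.isoformat()}, {end.isoformat()}]")
```

Run against the real catalogue (or a backup job's report) on a schedule, a non-empty result is the signal that a restore point you are relying on does not exist.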
Access Controls: Traditional ransomware attacks will target any data that the authenticated user has access to. An effective way to mitigate the effect of a ransomware incident is to ensure that users only have access to data that they need to do their jobs. Standard file server permissions are vital in limiting the impact of such an attack.
Disaster Recovery: Your business’s DR plan should consider the potential effects of a cyber breach. If you are replicating data between a production and DR site, multiple generations of the data should be retained at the DR site to protect against corrupt data being replicated to the DR site.
Threat Prevention - How To Prevent Ransomware Attacks
Perimeter Security: Office locations should be protected using a perimeter security solution that offers Intrusion Prevention and Perimeter Anti-Virus scanning of all traffic. At Tribeca, we deploy FortiGate firewalls that provide that functionality as well as web filtering, application control and block access to known BOTNETS, a feature designed to block malware within a network from contacting the command and control server.
Endpoint Protection: An effective endpoint protection platform is more important than ever before, with the workforce currently more mobile than at any time in history. The endpoint can now be seen as the perimeter of most corporate networks; as a result, the protections offered by corporate firewalls need to be deployed to the endpoint. Many solutions now have some form of ransomware protection within their toolkit. At Tribeca, we utilise two solutions, depending on the size of the client: either ESET Endpoint Protection or CrowdStrike Falcon.
Administrator Privileges: End users should not be granted local administrator rights on their machines and, furthermore, nobody within the organisation should be using an administrator account for their day-to-day activities. Administrator accounts should have strong, complex passwords. Local administrator accounts should also have unique passwords wherever possible, rather than a single local admin account used across the estate: if that shared account is compromised, it can be used to authenticate across multiple machines.
Email Security: The most popular payload mechanism is still delivery via email. A robust Email Security platform to remove malware and phishing emails prior to them arriving within your end users’ mailboxes is vital to protect your business. At Tribeca we recommend Mimecast as a solution to our clients, however, there are multiple other vendors available on the market.
Removable Media: Blocking the use of removable media across the organisation further reduces the risk by removing one avenue for malware to enter your network.
Network Design: As far as possible you should segregate your network and control the flow of data between client/server and client/internet. Adopt a zero-trust model whereby each user/device only has access to the resources they require.
End-User Education & Testing: This is perhaps the most critical of the tools at your disposal to combat the threat of ransomware. Most breaches occur after an action by someone within the business. Even the best technology solutions are not going to be 100% foolproof against an attack, and it is therefore vital to ensure your team is trained on how to recognise potential threats and how they should react.
Many firms now have a regular phishing testing programme in place to keep employees aware of the risks alongside ongoing education. One key KPI for such testing should be how many employees report the phishing email to the IT and Security team, as that is just as important as how many fail the test. The behaviour that needs to be encouraged is to report a phishing email so that the rest of the organisation can be protected against that threat.
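As an added example (not part of the original post and not a product's own reporting), the KPI argument above can be turned into a small scoring function for a phishing simulation: alongside the usual fail rate it measures the report rate, how many people reported before anyone clicked, and how quickly reports arrived. The campaign results are constructed for the example.

```python
from datetime import datetime
from statistics import median

# Constructed results of one simulated phishing campaign (not real data):
# when each recipient clicked the lure and/or reported it; None if they did neither.
SENT_AT = datetime(2021, 3, 1, 9, 0)

def at(hour, minute):
    return datetime(2021, 3, 1, hour, minute)

RESULTS = [
    {"user": "alice", "clicked": None,       "reported": at(9, 3)},
    {"user": "bob",   "clicked": at(9, 5),   "reported": None},
    {"user": "carol", "clicked": at(9, 7),   "reported": at(9, 8)},
    {"user": "dave",  "clicked": None,       "reported": None},
    {"user": "erin",  "clicked": None,       "reported": at(9, 4)},
    {"user": "frank", "clicked": at(9, 20),  "reported": None},
    {"user": "grace", "clicked": None,       "reported": None},
    {"user": "heidi", "clicked": None,       "reported": at(9, 30)},
    {"user": "ivan",  "clicked": None,       "reported": None},
    {"user": "judy",  "clicked": None,       "reported": None},
]

def phishing_kpis(sent_at, results):
    """Fail rate, report rate, and how the first reports relate to the first click:
    a report that lands before anyone clicks is the one that can protect everyone else."""
    n = len(results)
    clicked = [r for r in results if r["clicked"]]
    reported = [r for r in results if r["reported"]]
    first_click = min((r["clicked"] for r in clicked), default=None)
    before_first_click = [r for r in reported
                          if first_click is None or r["reported"] < first_click]
    minutes = [(r["reported"] - sent_at).total_seconds() / 60 for r in reported]
    return {
        "fail_rate": len(clicked) / n,
        "report_rate": len(reported) / n,
        "clicked_and_reported": sum(1 for r in clicked if r["reported"]),
        "reported_before_first_click": len(before_first_click),
        "median_minutes_to_report": median(minutes) if minutes else None,
    }

if __name__ == "__main__":
    for name, value in phishing_kpis(SENT_AT, RESULTS).items():
        print(f"{name}: {value}")
```

Someone who clicked and then reported (carol) is counted in both columns on purpose: the click is the training point, the report is the behaviour to reward.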
Patch Management: As was evidenced during the WannaCry outbreak back in 2017, attackers will target devices running software that is end of life or missing vital security patches. As a result, a robust Patch Management programme should be in place across all devices. Again, the ability to deploy these patches to devices regardless of location is now a baseline requirement due to the changes in working practices for most businesses.
Vulnerability Scanning: A regular vulnerability scanning programme alongside your patch management will provide visibility over any known vulnerabilities within your environment and provide the IT and Security team with the information they need to remediate those vulnerabilities, removing the opportunity for them to be exploited during an attack.
Threat Detection - How To Detect A Ransomware Attack
Endpoint Detection: As outlined earlier within this blog, detecting a threat at the endpoint is critical to keeping your network secure. It is equally critical that the solution you have in place reports back into a central console, regardless of the location of the endpoint.
Network Monitoring: There is a wide range of tools available that can provide monitoring for common ransomware attacks. These range from network monitoring tools such as SolarWinds or Paessler PRTG to more sophisticated solutions that provide deep packet inspection such as DarkTrace or eSentire.
Perimeter Security: The solution installed at the perimeter of the network should also provide detection capabilities. Alerts should be configured and monitored for any detection of malware entering the network.
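The monitoring tools named above are commercial products, but the signal they look for on a file server is simple enough to illustrate. The following is an added example (not code from the original post or from any of the products mentioned) of one such detection: a sliding window per user that fires when many files are renamed to a different extension in a short time, which is what bulk encryption looks like in a file-server audit log. The log format, the threshold, the window and all the events are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed file-server audit lines (not real data). Assumed format:
# "<ISO timestamp> <user> <action> <old_path> [<new_path>]", paths without spaces.
NORMAL = [
    "2021-03-01T09:00:00 alice WRITE /finance/q1.xlsx",
    "2021-03-01T09:00:20 alice RENAME /finance/draft.docx /finance/final.docx",
    "2021-03-01T09:01:10 alice RENAME /finance/export.tmp /finance/export.csv",
]
# Twenty-five documents renamed to a new extension within 25 seconds.
BURST = [
    f"2021-03-01T09:05:{i:02d} mallory RENAME /shared/doc{i}.docx /shared/doc{i}.docx.locked"
    for i in range(25)
]
SAMPLE_EVENTS = NORMAL + BURST

WINDOW = timedelta(seconds=60)   # sliding window per user (assumed tuning)
THRESHOLD = 20                   # extension-changing renames within one window

def parse(line):
    ts, user, action, *paths = line.split()
    return datetime.fromisoformat(ts), user, action, paths

def ext_changed(old, new):
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (time_of_alert, renames_in_window)} for each user whose
    rate of extension-changing renames crosses the threshold."""
    recent = defaultdict(deque)         # user -> timestamps of suspicious renames
    alerts = {}
    for line in sorted(lines):          # ISO timestamps sort chronologically
        ts, user, action, paths = parse(line)
        if action != "RENAME" or len(paths) != 2 or not ext_changed(*paths):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:       # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (ts, len(q))
    return alerts

if __name__ == "__main__":
    for user, (ts, n) in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {ts.isoformat()} {user}: {n} extension-changing renames in {WINDOW.seconds}s")
```

Alice's ordinary renames never approach the threshold, while the burst from the second account is flagged at the 20th rename, early enough for the isolation step described in the response section below to limit the damage.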
Ransomware Attack Recovery & Response
Response Team: At Tribeca, we recommend our clients have a dedicated Cyber Security Incident Response team defined within their business, with each member of the team understanding their role, be that technical, legal, or handling internal and external communication of an incident.
Response Plan: A high-level plan should be formulated detailing the workflow for a Cyber Security Incident. We recommend our clients follow a simple 6 stage ransomware attack recovery and response process:
- Isolate – In the event of a ransomware incident, the immediate priority is to isolate the affected machine(s) and your business-critical data. Depending on the environment there are many ways this can be achieved: disabling a VLAN, removing remote access, physically disconnecting a machine from the network, or disabling a virtual network adaptor within a virtualised environment. The IT and Security team should have scenarios documented and plans in place for how to isolate the environment in each scenario. Historically, powering off machines was an effective way of isolating an environment; however, with the prevalence of fileless malware, many security firms now recommend leaving machines powered on after an incident but isolating them from the network. As fileless malware only resides within the memory of a computer, once it is rebooted any sign of the malware is removed. As such, if there is a desire to understand the source of the infection, machines need to be left powered on to allow a forensic examination of the origin of the malware.
- Assess – What systems have been impacted by the incident? What is the potential impact on the business? What are the next steps required?
- Communicate – Who within the business needs to be made aware of the incident? Generally, these will be members of the Response Team outlined above. Agree on a communication schedule until the incident is closed.
- Investigate – The priority is to find the source of the malware, then to establish which, if any, other systems have been infected.
- Remediate – This can often happen during the Investigation phase if it is safe to bring systems back online and release them to users, i.e. if the malware was contained to a single user/machine. Remediation and restoration of systems should be prioritised with the business.
- Report – Once the incident has been contained, a report should be created detailing what happened and why, the process that was followed to resolve the incident, and any learnings that can be taken or improvements made. Depending on the extent of the incident, are there requirements to report to external third parties such as the ICO or a regulator?
Tribeca will work with your internal teams and support wherever needed against ransomware, whether that be protecting data or putting processes and systems in place to protect all elements of the business.