Ransomware is a nightmare! Against a backdrop of recent civil unrest and a rapidly expanding remote workforce, threat actors continue to target and exploit victims through malware and social engineering. Recent variants such as Maze, LockerGoga, MegaCortex and BitPaymer have captured our attention; BitPaymer operators reportedly demanded ransoms ranging from $50K to $4.9M. Nightmare though it is, ransomware is a problem we can largely prevent with three fundamentals: vulnerability management, backup and disaster recovery plans, and training and awareness.
Defang the Attack Method
Ransomware lets the actor profit from a single intrusion in more than one way. The actor encrypts data and systems and demands a monetary ransom to restore access. A victim with full, tested backups and a reliable recovery plan can refuse. The actor can then fall back on the stolen data itself, threatening to publish it or sell it. A public dump brings no payment from that victim, but the negative press it generates is a useful way to encourage future victims to pay.
Maze ransomware has gained attention for its extortionware tactics. The operators of Maze News, an extortion website, post the name and domain of victims infected with Maze, along with a sample of data stolen from the victims’ networks. If the victim pays the ransom, the Maze operators remove the data; if the victim refuses, the actors often leak additional data.
Preventing Ransomware Attacks
Post-incident analysis shows that in almost every ransomware case at least one of vulnerability management, backup and recovery planning, or training and awareness had failed. The first line of defense for organizations is to be proactive in identifying, prioritizing and remediating security vulnerabilities in software and hardware, including keeping operating systems updated. The standard practice here is patching: applying the vendor’s bug fix. Yet reports show it is not uncommon for organizations to take 100 days or more to deploy a patch.
Consider a Chief Information Security Officer (CISO) and a Chief Operations Officer (COO) disagreeing on when to apply a security patch to a particular system. The COO does not want a patch that could interrupt business operations; the CISO is following best practice, which may cause exactly that interruption. This standoff is a common point of failure in vulnerability management, and it is best settled by agreeing patch deadlines in advance, based on severity and exposure, rather than renegotiating every fix.
In May 2017, the WannaCry ransomware variant crushed systems worldwide by exploiting an SMB vulnerability for which Microsoft had published a patch (MS17-010) roughly 60 days earlier. Post-mortem analysis showed clearly that timely patch management would have blunted the attack.
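The patch-timing argument above comes down to a question every organization should be able to answer on demand: which fixes are past their deadline, and by how much? The following is an added example (not code from the original article) of a risk-based patch-SLA check. The severity/exposure SLA table, the `Finding` fields, the advisory identifiers and the report date are all constructed for illustration; plug in your scanner’s export and your own policy values.

```python
"""Added example (not part of the original article): a risk-based patch-SLA
check. Given findings with the date a fix became available, assign each a
remediation deadline from severity and exposure and report which are overdue
as of a report date. Findings, SLA values and the report date are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str         # vendor/scanner identifier (placeholders below)
    severity: str         # "critical", "high", "medium" or "low"
    fix_available: date   # date the vendor published the patch
    internet_facing: bool
    exploited_in_wild: bool


# Assumed SLA policy (days from fix availability to deployment), chosen for
# the example; tune to your own risk appetite and change-window constraints.
BASE_SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}


def sla_days(f: Finding) -> int:
    """Shorten the window when the asset is reachable from the internet or the
    bug is already being exploited; both together get the tightest deadline."""
    days = BASE_SLA_DAYS[f.severity]
    if f.exploited_in_wild:
        days = min(days, 7)
    if f.internet_facing:
        days = min(days, 14)
    if f.exploited_in_wild and f.internet_facing:
        days = min(days, 3)
    return days


def deadline(f: Finding) -> date:
    """Date by which the patch must be deployed under the policy above."""
    return f.fix_available + timedelta(days=sla_days(f))


def overdue(findings: List[Finding], today: date) -> List[Tuple[int, str, str]]:
    """Return (days_overdue, host, advisory) for every finding past its
    deadline, most overdue first, so the patch meeting starts with the worst."""
    late = []
    for f in findings:
        delta = (today - deadline(f)).days
        if delta > 0:
            late.append((delta, f.host, f.advisory))
    return sorted(late, reverse=True)


# Constructed sample findings (placeholder advisory IDs, not real scan output).
SAMPLE = [
    Finding("fileserver-01", "VENDOR-2020-001", "critical", date(2020, 3, 14), False, True),
    Finding("web-edge-02",   "VENDOR-2020-002", "high",     date(2020, 4, 1),  True,  False),
    Finding("hr-laptop-17",  "VENDOR-2020-003", "medium",   date(2020, 4, 20), False, False),
    Finding("build-09",      "VENDOR-2020-004", "low",      date(2020, 5, 1),  False, False),
]

# Constructed report date for the example run.
REPORT_DATE = date(2020, 5, 12)

if __name__ == "__main__":
    for days, host, adv in overdue(SAMPLE, REPORT_DATE):
        print(f"{host:14} {adv:16} {days:3d} days past SLA")
```

The point of the exposure modifiers is that the CISO/COO negotiation happens once, when the table is written, not every Tuesday: an internet-facing host with a known-exploited bug gets three days whether or not the change window is convenient, while a low-severity issue on an internal build box can wait for the next maintenance cycle.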
Even if an actor does exploit a vulnerability, the organization does not have to pay the ransom if it can restore systems from backups. Industry best practice is to keep a backup separate from the network: offline, or in a cloud service designed for backup. Pause! A brief word of caution about relying on cloud-syncing services such as Google Drive or Dropbox. These services automatically synchronize data, which can happen immediately after ransomware has locked the files, replacing the only good copy with the encrypted one and rendering the “backup” useless. Keep backups versioned or immutable, and test restores regularly. Note also that backups protect against data loss but do nothing to stop stolen data from being published or sold.
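To make the sync-versus-backup distinction concrete, here is an added example (not code from the original article) that builds a throwaway working directory, backs it up two ways, “infects” it with a harmless stand-in for encryption, syncs again, and checks which method still holds a recoverable copy. Every path is a temporary directory the script creates, the sample files are constructed, and the integrity heuristic is deliberately simple; a real backup job would verify against stored hashes.

```python
"""Added example (not part of the original article): why a cloud-sync mirror is
not a ransomware backup, contrasted with a versioned, append-only snapshot
store. All paths are temporary directories created here; the 'ransomware' is a
harmless stand-in that XORs file contents in place and renames the files."""
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def write_sample_files(src: Path) -> None:
    # Constructed sample data standing in for a user's working directory.
    (src / "budget.xlsx").write_bytes(b"Q3 budget: revenue 1200, cost 900")
    (src / "notes.txt").write_bytes(b"call vendor about renewal")


def sync_mirror(src: Path, mirror: Path) -> None:
    """Mimics a Dropbox/Drive-style client: the remote copy always equals the
    current local state, so whatever is on disk right now is what gets synced."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(src, mirror)


def snapshot(src: Path, store: Path, label: str) -> Path:
    """Versioned backup: each run writes a new snapshot directory and never
    overwrites an earlier one, so a later infection cannot replace clean copies
    (in production: offline media, or object storage with versioning/object
    lock and no delete permission for the backup credential)."""
    dest = store / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} exists; refusing to overwrite")
    shutil.copytree(src, dest)
    return dest


def simulate_ransomware(src: Path, key: int = 0x5A) -> None:
    """Harmless stand-in for encryption: XOR every byte with a fixed key and
    add a '.locked' suffix, in place, the way real lockers rename files."""
    for path in list(src.iterdir()):
        if path.is_file():
            path.write_bytes(bytes(b ^ key for b in path.read_bytes()))
            path.rename(path.with_name(path.name + ".locked"))


def is_intact(path: Path) -> bool:
    """Cheap integrity heuristic for this demo: the file keeps its original
    name and its bytes are printable ASCII. Real jobs compare stored hashes."""
    if path.name.endswith(".locked"):
        return False
    return all(32 <= b < 127 for b in path.read_bytes())


def latest_clean_snapshot(store: Path) -> Optional[Path]:
    """Walk snapshots newest-first (labels sort by date) and return the first
    whose files all pass the integrity check; None if every one is tainted."""
    for snap in sorted(store.iterdir(), reverse=True):
        files = [p for p in snap.iterdir() if p.is_file()]
        if files and all(is_intact(p) for p in files):
            return snap
    return None


def run_scenario() -> dict:
    """Day 1: sync and snapshot a clean directory. Day 2: files get locked,
    the sync client uploads the damage, the snapshot job records it too.
    Report whether each backup method still holds a recoverable copy."""
    root = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    src, mirror, store = root / "documents", root / "cloud-mirror", root / "snapshots"
    src.mkdir()
    store.mkdir()
    write_sample_files(src)

    sync_mirror(src, mirror)            # day 1: sync client runs
    snapshot(src, store, "2020-06-01")  # day 1: nightly versioned backup

    simulate_ransomware(src)            # day 2: files locked locally
    sync_mirror(src, mirror)            # sync client faithfully mirrors the damage
    snapshot(src, store, "2020-06-02")  # versioned backup captures the bad state too

    clean = latest_clean_snapshot(store)
    result = {
        "mirror_recoverable": all(is_intact(p) for p in mirror.iterdir() if p.is_file()),
        "clean_snapshot": clean.name if clean else None,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The second snapshot being tainted is the realistic part: the backup job does not know the files are encrypted, so recovery depends on retention depth and on being able to tell a good snapshot from a bad one, which is why restore drills and integrity checks belong in the recovery plan alongside the backups themselves.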
Last, human error can circumvent every technical control and mitigation plan in an information security program. According to Bolster’s Q1 2020 State of Phishing and Online Fraud Report, phishing and website scams grew exponentially, with 854,441 confirmed phishing and counterfeit pages and roughly 4M suspicious pages.
A robust phishing and online-security awareness program is critical to preventing ransomware and other threats. Teaching the workforce to recognize fraudulent emails that appear to come from a reputable company, to refrain from opening unexpected attachments, and to report suspected phishing according to incident response procedures will help prevent a security incident. One recommendation is to deliver social engineering training as a competition between office units: security practitioners can track user metrics and encourage staff to build actively on their training. Rather than publicly shaming users, good old-fashioned competition is far more effective.