Preventing a lock-out by ransomware is a growing concern for many businesses around the globe. The attacks are getting bolder and more sophisticated. Ransomware is a threat to the availability of information systems and the business continuity that depends on them, and it can cost organizations a lot of money and their reputation. Nowadays, ransomware is evolving more aggressively to target cloud infrastructure, either using it as an access gateway to corporate identities or directly attacking the data stored within. Recent ransomware attacks are dragging SaaS solutions into the attack surface and widen the criminals’ potential impact and leverage. In this blog, we give some practical guidelines for organizations to cope with this threat.
It is important to do a risk assessment first to identify a proper level of protection for an organization against security threats in general and this crime of data kidnapping in particular.
The risk assessment will typically include the following steps:
- Define a list of the hardware and software assets used for the organization’s information system.
- Identify potential threats to those information system assets. As stated in the introduction, ransomware can be – and mostly will be – identified as one of the threats potentially impacting the availability of information systems.
- Identify possible weaknesses (vulnerabilities) in those information system assets that can enable a threat to materialize.
After these steps, the risk for the organization can be determined by considering the likelihood and impact of the threat materializing. By then, the organization should have a clear idea of whether the controls already in place provide proper protection or whether additional measures should be applied.
When going through this exercise, an organization has to figure out the possible weaknesses that a ransomware attack can exploit. This is best done by looking at how ransomware is typically delivered to a target system. Delivery generally happens in one of the following four ways:
- By exploiting internet-facing vulnerabilities (as done, for instance, with SamSam ransomware)
- By deceiving humans using phishing attacks (as done, for instance, with Cerber, Reveton, and Ryuk ransomware)
- By spreading it via malware (as done, for instance, with Wanacrypt, Cryptolocker, and Petya ransomware)
- By compromising third parties and managed service providers and making use of their trusted channels to attack related organizations in the supply chain (as done, for instance, with the recent attack centered around Kaseya)
Many government-related bodies have issued guiding documents for organizations to help them cope with this threat. One example is the Ransomware Guide issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). This guide provides detailed recommendations for applying measures to prevent infection from the angles mentioned above. Some important recommendations we can derive from this guide and others are:
- Have a continuous process in place to keep the software assets updated with the latest security patches. This applies to both Operating System and Application Layer.
- Check the configuration of your assets and make sure they are configured in a secure manner (hardened).
- Encrypt your sensitive data. Make sure that even if hackers access your information, they won’t be able to use it.
- Pay special attention to your assets that are used to take over systems remotely. Follow the security recommendations from the vendor and apply whitelisting where possible or enforce the usage of VPNs for those connections.
- Cultivate a security-aware culture within the organization. Make your employees aware of how they can recognize phishing attacks and require them to use an internet browser with secure browsing features enabled.
- Equip your assets with proper antivirus and malware protection, preferably a product that detects not only based on signatures but also on program behavior.
- Have mechanisms in place that block unauthorized software from running.
- Use Multifactor Authentication by default and enforce the use of strong passwords.
- Limit the privileges for user accounts that are meant for daily operational usage.
- Perform a vulnerability scan on the internet-facing endpoints to identify any weaknesses that might still be present.
To limit the impact of an attack, it certainly helps if the application architecture is compartmentalized. In many cases, this already happens naturally when companies start using cloud-based services for email and files, such as Google Workspace: it creates a natural barrier. Although there can still be an impact if the offline synchronization feature is enabled on the victim machine, there is still the option to revert to a version that is unaffected by the ransomware. However, be aware that actions like mounting a network storage or cloud location as a drive can nullify the benefits of compartmentalization to a certain extent.
Attackers often take their time to look around on the infected machine before they launch the ransomware. During that reconnaissance they can find information that helps them extend the scope of their attack, so it is recommended to combine a layered defense with an intrusion detection system (IDS). This can be a separate system, but many antivirus providers include it in their more advanced offerings. An IDS is a device or software application that monitors systems for malicious activity and raises an alert, so that there is a good chance the attack can still be countered at an early stage. In general, using layers of defense with several mitigations at each layer gives more opportunities to detect malware and stop it before it causes real harm to your organization. This layered defense is sometimes also referred to as “defense in depth” and is a main element of the so-called “zero trust architecture” (see Introducing BeyondCorp Enterprise). In our practice of guiding our customers in their application modernization journey, these principles are kept in mind and applied where possible.
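To make the detection idea concrete, here is an added example (not code from the original post or from Vanenburg) of a behavioral check an IDS or endpoint agent could run over file-activity events: it flags a process on a host that renames many files to an unrecognized extension within a short window, which is the typical footprint of an encryption pass. The log format, the list of known extensions, the window and the threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Heuristic detection of ransomware-like mass renames over a file-event log.

Added example; the event format "<ISO timestamp> <host> <process> <action> <rest>"
and all thresholds are assumptions, not a real product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that are normal for this (assumed) environment.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "bak", "tmp", "jpg", "png"}
WINDOW = timedelta(seconds=60)   # sliding window per (host, process)
THRESHOLD = 5                    # suspicious renames inside the window that trigger an alert

# Constructed sample log: one legitimate rename, one user rename to a backup copy,
# and a burst of renames to ".locked" by an unknown binary.
SAMPLE_LOG = """\
2021-07-12T09:00:01 ws-17 winword.exe WRITE C:\\Users\\alice\\Documents\\q3.docx
2021-07-12T09:00:05 ws-17 excel.exe WRITE C:\\Users\\alice\\Documents\\budget.xlsx
2021-07-12T09:00:40 ws-17 explorer.exe RENAME C:\\Users\\alice\\Documents\\draft.docx -> C:\\Users\\alice\\Documents\\final.docx
2021-07-12T09:01:10 ws-17 explorer.exe RENAME C:\\Users\\alice\\Documents\\old.txt -> C:\\Users\\alice\\Documents\\old.txt.bak
2021-07-12T09:02:00 ws-17 upd4te.exe RENAME C:\\Users\\alice\\Documents\\q3.docx -> C:\\Users\\alice\\Documents\\q3.docx.locked
2021-07-12T09:02:03 ws-17 upd4te.exe RENAME C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.locked
2021-07-12T09:02:07 ws-17 upd4te.exe RENAME C:\\Users\\alice\\Pictures\\team.jpg -> C:\\Users\\alice\\Pictures\\team.jpg.locked
2021-07-12T09:02:12 ws-17 upd4te.exe RENAME C:\\Users\\alice\\Desktop\\todo.txt -> C:\\Users\\alice\\Desktop\\todo.txt.locked
2021-07-12T09:02:15 ws-17 upd4te.exe RENAME C:\\Users\\alice\\Documents\\plan.pdf -> C:\\Users\\alice\\Documents\\plan.pdf.locked
2021-07-12T09:02:20 ws-17 upd4te.exe RENAME C:\\Users\\alice\\Documents\\notes.txt -> C:\\Users\\alice\\Documents\\notes.txt.locked
"""


def parse_line(line):
    """Split one event line into a dict; RENAME carries 'old -> new', others a path."""
    ts, host, proc, action, rest = line.split(" ", 4)
    event = {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc, "action": action}
    if action == "RENAME":
        event["old"], event["new"] = rest.split(" -> ", 1)
    else:
        event["path"] = rest
    return event


def unknown_extension(path):
    """True when the file name's last extension is not in KNOWN_EXTENSIONS."""
    name = path.rsplit("\\", 1)[-1]
    if "." not in name:
        return True
    return name.rsplit(".", 1)[1].lower() not in KNOWN_EXTENSIONS


def detect_mass_rename(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, process): alert} for processes that rename >= threshold files
    to unknown extensions within `window`. Only the first alert per key is kept."""
    alerts = {}
    recent = defaultdict(deque)  # (host, proc) -> timestamps of suspicious renames
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "RENAME" or not unknown_extension(ev["new"]):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"first_seen": q[0], "count": len(q), "sample": ev["new"]}
    return alerts


if __name__ == "__main__":
    for (host, proc), alert in detect_mass_rename(SAMPLE_LOG).items():
        print(f"ALERT {host} {proc}: {alert['count']} renames since {alert['first_seen']}, e.g. {alert['sample']}")
```

The benign renames by explorer.exe are ignored because their target extensions are known, while the burst from upd4te.exe trips the threshold on its fifth rename. In a real deployment the alert would feed the response plan described above (isolate the host, check the account, start recovery), and the threshold would be tuned against the environment's normal file activity.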
As a Google Cloud Platform (GCP) and Google Workspace partner, Vanenburg aims to implement the many tools and services Google provides to protect its customers against ransomware and similar threats. If interested, you can read more on it in their best practices to protect your organization against ransomware threats. In the cloud, security is always a shared concern between a Cloud Provider (like GCP), a Cloud Broker (like Vanenburg), and the organization. The organization can easily outsource the responsibility for patching and maintaining the infrastructure to the Cloud Provider or Cloud Broker. Vanenburg has a Cloud Operations and Support team that is dedicated to running the cloud services for many of its clients.
Another way to decrease the impact of a ransomware attack on the business is to make sure there is a proper backup strategy and that the business continuity plan covers the handling of and recovery from a ransomware attack. The recovery process should be tested and verified regularly to make sure the backups are usable and encrypted. Furthermore, the backup should not only be stored in a physically different location; it should also be separated from the network (offline) so that an attacker cannot reach it in the event of a breach. Be very careful in granting delete privileges on the files in your backup location. Preferably give the agents that execute the backup append-only privileges; then, if an attacker compromises the agent’s account, it cannot be used to destroy the backups.
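The "regularly tested and verified" part is the step most often skipped, so here is an added example (not code from the original post or from Vanenburg) of a small restore drill: a manifest of SHA-256 digests is recorded when the backup is taken and kept apart from the backup itself, and a later restore is checked against it so that files an attacker has overwritten or deleted on the backup target are reported instead of silently accepted. The directory layout, the file contents and the idea of storing the manifest separately are assumptions made for the example; everything runs in a temporary directory.

```python
"""Integrity-verified restore drill for backups.

Added example. Assumes the manifest is stored separately from the backup
(for instance on the append-only location the text recommends) so that
tampering with the backup alone cannot also fix up the digests.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root (with '/' separators) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest.

    Returns {"ok": n, "missing": [...], "modified": [...]}; a non-empty
    'missing' or 'modified' list means the backup must not be trusted.
    """
    result = {"ok": 0, "missing": [], "modified": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.exists(full):
            result["missing"].append(rel)
        elif sha256_file(full) != digest:
            result["modified"].append(rel)
        else:
            result["ok"] += 1
    return result


def restore_drill():
    """Simulated drill: back up, restore cleanly, then tamper and re-verify.

    Returns the (clean, tampered) verification results. All files are
    constructed sample data living in a temporary directory.
    """
    work = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "docs"))
        with open(os.path.join(source, "docs", "q3.docx"), "wb") as f:
            f.write(b"quarterly report (constructed sample)")
        with open(os.path.join(source, "notes.txt"), "wb") as f:
            f.write(b"meeting notes (constructed sample)")

        # Taken at backup time and kept apart from the backup copy.
        manifest = build_manifest(source)

        restored = os.path.join(work, "restored")
        shutil.copytree(source, restored)            # stands in for a real restore
        clean = verify_restore(restored, manifest)

        # Simulate what a compromised account with write/delete rights could do
        # to the backup target: overwrite one file and delete another.
        with open(os.path.join(restored, "docs", "q3.docx"), "wb") as f:
            f.write(b"\x9f\x02\x7b\xe1 not the original bytes")
        os.remove(os.path.join(restored, "notes.txt"))
        tampered = verify_restore(restored, manifest)
        return clean, tampered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, tampered = restore_drill()
    print("clean restore:   ", clean)
    print("tampered restore:", tampered)
```

Run as a scheduled job against a real restore target, a non-empty `missing` or `modified` list is the signal that the backup chain has been touched and that the business continuity plan's recovery step would fail; the append-only privileges recommended above are what keep the attacker from reaching the manifest and the backup at the same time.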
If ransomware goes from being a risk to an actual issue, the first step will be to activate the incident response plan. Paying the ransom is an option to consider, but it should be discouraged as it incentivizes criminal activity. Even if an organization pays the ransom, there is no guarantee that it will regain access to its data. The attacker may revisit and demand further payment to highlight the data errors.
To mitigate the financial damage caused by ransomware, a “cyber insurance policy” covering the damage from such attacks, chosen on the basis of the risk assessment and business impact analysis, will help transfer the financial risk. The insurance company may oblige the organization to fulfil certain minimum requirements. Google offers its GCP customers a risk protection program in which implementing a set of security measures is combined with an affordable insurance fee.
Finally, it’s worthwhile to take a look at the site www.nomoreransom.org. This site guides organizations that have become victims of a ransomware attack and contains decryption tools for many known ransomware threats. There is a good chance the attackers will use new types of ransomware, but it’s definitely one of the things you want to have checked first, so it’s good to have this mentioned in your business continuity plan.
Feel free to reach out to us if you have any questions on this blog or want to have more clarity on what this means for your specific situation. Our mission is to help our customers in making their enterprise systems affordable and agile. In that journey, security is implicitly considered and treated as an integral part.
Vanenburg, a typical tech entrepreneur, assists industry incumbents in realizing their digital transformation. We develop modern applications based on leading technologies and an architectural model that mimics the dynamism of the digital mesh. Vanenburg is a partner of Google Cloud Platform, Salesforce, and ThinkWise. We have expertise in the ERP, iPaaS, and Information Security domain and use these experiences and technologies actively to modernize the application landscapes of our clients. The organization is certified for ISO27001 and NEN7510.