About

How to protect against Ransomware

There have been a series of ransomware attacks on US based corporations, healthcare organizations and even the essential service providers. The ransomware activity has picked up pace in the last few months. In the past week, we have seen BlackMatter ransomware group targeting the Japanese company Olympus. Last night we heard about Iowa based New Co-operative being targeted by the ransomware group BlackMatter.

What is a Ransomware attack?

A ransomware attack means that the target’s computer systems and networks are exploited by hackers. The exploits happen due to one or multiple reasons, discussed below. The goal of the ransomware group or gang is to encrypt target’s data with a private encryption key. Such encrypted data can be un-encrypted only by a corresponding key used to encrypt the data. A target’s data becomes unusable and the operations of the target company or corporation remain affected. Ransomware amounts to the money sought by hackers to decrypt data.

To decrypt the data, the ransomware gangs or groups ask for ransomware amounts. In the case of New Cooperative, BlackMatter has sought a ransomware amount of $5.9 million. In case of Olympus, the hackers from the BlackMatter group have sought a ransomware in millions of $. Since June 2021, more than 40 ransomware attacks have been attributed to the BlackMatter gang.

How does ransomware attack happen?

Ransomware attacks could start in multiple different ways. A simple phishing email that is laced with malicious payloads or dynamic ActiveX controls could induce an employee to click on malicious links. Such a single click could lead to a compromised system on the network. In due course, the malicious code will spread within the company’s network and offer an entry point to the ransomware group.

Once the ransomware group has an entry into your network, they could remotely control the computers or network and encrypt all the user and company data as they traverse through the network.

While phishing is one of the ways that offers an easy entry to the ransomware groups, outdated software and poorly-maintained applications or operating systems could provide many opportunities to the hackers to target remote computers and networks. Such attacks could be of the types of remote code execution or even the privilege escalation attacks. All that the ransomware group needs is an entry into the corporate network. This is one of the reasons that IT security is becoming more and more challenging. Before you patch your systems for a particular vulnerability, the hackers are a step ahead and looking to tap into vulnerabilities that have not been known publicly.

This does bring us to realize the significance of keeping the application software, CMS software and operating systems fully updated at all times. Costs of ill-maintained networks and systems could run into millions of dollars.

How do I protect against a ransomware attack?

We are fighting against a hidden challenge posed by the ransomware groups, who have access to cutting edge tools and technologies for finding new prospects for their ransomware as a service group.

Protection against the ransomware attacks would result from integration of best habits and practices of IT security. Some of these are really very common sense, while others are more technical, advanced and rely on boosting endpoint security at the periphery of the network. Let us discuss the ways by which we can protect our businesses against the ransomware attacks.

Protection against Email Phishing

Email phishing – Emails are a point of contact between employees and the outside world. One of the simplest ways to target a prospect is through emails that contain malicious payloads or through emails that link out to the malicious sites through legitimately sounding links in the email body.

Employee Training

Employee training is a good start. Educate your employees about the need to develop a habit in figuring out the risks associated with opening 3rd party emails on the network. Especially, the ones that have attachments. Devising a company policy to check the threat level of an attached file before being released to a mailbox will help you uncover threats at the server level. Tools such as Virus Total and Metedefender’s OPSWAT can be integrated in your email handling solution to improve chances to mitigating risks from compromised emails.

Passwordless or 2FA enabled authentication

Wherever possible, make use of passwordless login to your infrastructure. Microsoft deployed passwordless login to Microsoft’s accounts in the past week. If the passwordless login in not possible, do ensure that you have enabled 2FA or two factor authentication for employee and administrator logins. Our goal is to make the hacking task less attractive or more exhaustive for a ransomware gang. If you deploy a detailed security setup on your network, the task becomes more tedious and less attractive for the ransomware gangs. They are more after tapping into the low-hanging fruits. There are so many companies and organizations who still run on critically vulnerable software, operating system or hardware. Yes, the hardware could be anything that makes use of firmware to run. Outdated firmware on the network devices such as the routers and modems provide an easy entry to attackers into your networks.

Regular patching of the operating system and application software

Keep regular maintenance schedules, and ensure that all the security updates for the operating system, vendor software and application software are deployed in a timely and safe way. You could device a staging environment to quickly test the new security updates. Upon successful testing on a staging site, you could deploy the updates on your live infrastructure. Out of data plugins, software and operating systems pose a critical risk to IT infrastructure.

Deploying a threat intelligence system

Deploy a Threat-intelligence system – A good threat intelligence system will allow your organization to keep an eye on the threats to the security of your infrastructure. In most cases, threats arise and the IT staff is unaware of the latest threats because lack of communication or awareness. A good threat intelligence system will allow you to be on top of your IT security.

If you are out of budget for deploying a full scale threat-intelligence system, you could deploy a threat intelligence feed to be aware of the latest challenges to security of your IT infrastructure, comprising of your networks and systems. These threat feeds are always evolving and make for a compelling use case scenario in your company. There can be no excuse for not trying enough to pre-empt an attack or to bolster security against unknown threats and attacks.

Ongoing Vulnerability assessment and remediation

Vulnerability assessment and remediation is a core part of the IT security team. Regular assessment of vulnerabilities through the systems, networks, hardware devices such as routers and switches is a foundation for enhancing security across your IT assets. It is a shame that we could come across thousands of businesses that still make use of out of data WordPress installs and plugins for marketing leads management, or for scheduling appointments for the executives. All that an attacker wants is a single security gap to launch a full frontal attack on the company’s digital infrastructure.

End-point protection

Deploy end-point protection – Until last year, end-point protection never got the budgets it ought to. Unsurprisingly, the networks and devices remained robust and secured. But, the challenge existed at the user’s end-point. We need a security mechanism through the use of system wide security policies and 3rd party tools to protect the end users against the onslaught of attacks. If we can manage the end-point security, we can be reasonably certain of have a good first level defense against threats coming from unseen and unknown threat actors.

A good end-point protection scheme should help to protect our end-users against –

  • malware originating from emails
  • dynamic macros from loading through emails
  • phishing emails that take you to proven malicious websites
  • attempts to use USB drives for network corruption

Good end-point protection system will not only detect an incident, it will also take incidental steps to prevent the threat from compromising the security of the end-point. If we can arrest end-point attacks, we can definitely boost the security at the bottom most layer of the company’s network. This layer is also the broadest layer on the company’s network.

While we can take all these protection measures, nothing is full-proof. And, ransomware gangs are after your data. Data is the modern day asset that needs to be protected, at all costs. How do you ensure that your company’s or organization’s data can be protected against threats, assuming that your network and systems have been compromised.

How to keep secure backup of data to protect against ransomware?

It really comes down to protecting your data and data backups. A good protection against ransomware should see an infrastructure design that keeps backups of data in a logically separate network or location. If your infrastructure is impacted due to ransomware exploits, there are chances that the entire network would have been held hostage through an encrypted key. If our backups remains on the same network, all the backups would get encrypted as well.

Offline Backups

How do you ensure that your data backups can be protected against ransomware demands? It, essentially, boils down to a good backup strategy. For a start, we suggest that you should have a good offline data backup planning. Offline data backups are cold backups. Yes, it is slow and it is tedious. But, if your entire data set gets encrypted, the cold backups will prove very handy in resuming business operations or in giving confidence to your customers.

Offsite backup strategy

Still better, choose a disaster recovery strategy. Keep backups on a physically separate location. The costs for such an arrangement will be high. You will need to send the backup copies periodically to the disaster recovery site. Protecting your business data through the Business continuity programs will ensure that your data is safe, though there are chances that the data at the disaster recovery location may be behind the actual data on the live business environment. I would consider that as a cost of salvaging business operations during times of ransomware attacks.

Cloud backup strategy

Another good option to backup your data for safe release at a later date would be to use a cloud based data archival strategy. You could use AWS or Azure to maintain regular backups of your business critical data in the form of offsite backups or in the form of tapes. Tape backups may look cumbersome, but they fully justify the time, money and effort to provide seamless business continuity during times of ransomware attacks.

Use encryption on data

The best solution to protect your business data from ransomware attacks is to keep encrypted data at all times. Run your customer and user critical data through an encryption algorithm. At any point of time, if there is a ransomware attack, the attackers will have access to a data set that is already encrypted by you. Only you could decrypt that data. The challenge in implementing encryption of data on the premise lies in integration issues with applications. Once I decide to encrypt data, I will need to change my security policies and application controls to allow access between the data and the applications. A good access control mechanism between the application and the encrypted data will allow for a secure data environment. Even the ransomware attacks may not be able to steal data for an eventual release on the dark web.

While there may not be the single best alternative to protecting against ransomware attacks, I still feel that

  • offsite data backups
  • use of encrypted data on-premise

provide the maximum protection against data theft and data encryption by an attacker.

Building a good offsite backup strategy does cost money. So, does the use of encryption and decryption on an on-premise network. But, the money comes in handy at times where your business operations get impacted due to potential ransomware attacks.

The choice to use one or all the strategies for protection against ransomware attacks needs to be taken in consultation with the management team, and in line with the expected costs of a potential data breach.

Summary

The goal against ransomware should be to protect data from an imminent attack. You could encrypt your user data and confidential data. Or, you could use an aggressive offsite backup strategy to maintain dated backups of the site. Cloud based backup storage offered by AWS and Azure could also help in creating a redundant backup strategy across the business locations and business sites.

Investments incurred in creating a robust and scalable data backup strategy will ensure business continuity even in times of ransomware attacks.