How to Outplay the Ransomware Playbook

Organizations across industries are increasingly concerned about their cybersecurity posture and overall ransomware preparedness, and rightfully so: ransomware attacks rose 64% from 2019 to 2020, to 304 million attacks worldwide in 2020. Over the same period we have seen demand for ransomware preparedness assessments and exercises double.

However, one of the biggest hurdles for cybersecurity practitioners is building a response plan that covers the full life cycle of a ransomware attack: the identification, protection, detection, response and recovery stages, not only the moment the ransom note appears.

Security practitioners should work with the organization's C-level executives to answer the questions below and develop a ransomware protection plan. Consider how ransomware is prevented and detected, in addition to how your organization would respond.

To develop a plan, organizations should ask themselves:

  • How do we contain the ransomware when an attack happens? 
  • How can we identify what systems are being affected? What is our exposure?
  • Will we negotiate with the hackers? How can we respond?
  • What is our stance on the payment of ransom? 
  • When would external response resources be leveraged? 
  • Are there better solutions available to prevent ransomware from taking hold in the environment?

Today, a ransomware attack is more than an adversary dropping encryption software onto a system and letting it run across the environment. As defenders have improved their ability to respond to ransomware and restore encrypted systems, attackers have adopted a more sophisticated and calculated playbook, moving from encryption to extortion. Adversaries combine ransomware with tooling to exfiltrate sensitive data first and then threaten to release it publicly if the ransom is not paid, so a clean restore from backup no longer ends the incident.

Security administrators need to be prepared on multiple fronts. It is not just about securing the endpoints; the organization also needs a strong data loss prevention plan and a solid backup infrastructure, with backups kept isolated from the production environment so they are not encrypted or deleted along with it.

The majority of ransomware incidents actually occur as a result of one of two issues: either the patching cadence within the organization is weak or slow, or endpoint protection has not been deployed across all systems. Without full coverage, the machines that lack an EDR agent are often the foothold attackers need to get into the environment. Organizations need to make sure every system is up to date and patched, and that an EDR agent is installed, and actually reporting, on every device.
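The two gaps above are easy to state and surprisingly hard to see, because the asset inventory and the EDR console rarely agree on hostnames. The script below is an added example (not from the original article or from Trustwave) that reconciles a CMDB-style inventory export with an EDR console export and patch dates, and lists hosts with no agent, hosts whose agent has gone silent, hosts outside the patch cadence, and the overlap that deserves attention first. The CSV data and column names are constructed assumptions, not any vendor's real export format.

```python
"""Reconcile an asset inventory against an EDR console export and patch dates
to surface coverage gaps: hosts with no (or a silent) EDR agent and hosts
patched later than the organization's cadence allows.

The CSV exports below are constructed sample data and the column names are
assumptions, not any vendor's real export format.
"""
import csv
import io
from datetime import date

# Constructed CMDB-style inventory export (assumed columns).
INVENTORY_CSV = """hostname,owner,last_patched
WS-FIN-01.corp.example,finance,2021-03-02
ws-fin-02.corp.example,finance,2021-01-10
HMI-PLANT-3,operations,2020-11-15
srv-files-01.corp.example,it,2021-03-05
srv-backup-01.corp.example,it,2021-02-28
"""

# Constructed EDR console export: only hosts with an installed agent appear,
# and last_seen is the agent's most recent check-in.
EDR_CSV = """device_name,agent_version,last_seen
ws-fin-01,6.2.1,2021-03-08
SRV-FILES-01,6.2.1,2021-03-08
srv-backup-01.corp.example,6.1.0,2021-02-01
"""


def normalize(hostname):
    """Lower-case and drop the DNS suffix so CMDB FQDNs match EDR short names."""
    return hostname.strip().lower().split(".")[0]


def load_inventory(text):
    """Map normalized hostname -> owner and last patch date."""
    return {
        normalize(row["hostname"]): {
            "owner": row["owner"],
            "last_patched": date.fromisoformat(row["last_patched"]),
        }
        for row in csv.DictReader(io.StringIO(text))
    }


def load_edr(text):
    """Map normalized hostname -> date the agent last checked in."""
    return {
        normalize(row["device_name"]): date.fromisoformat(row["last_seen"])
        for row in csv.DictReader(io.StringIO(text))
    }


def find_gaps(inventory_text, edr_text, as_of, patch_cadence_days=30, agent_stale_days=7):
    """Return the coverage gaps as sorted host lists, evaluated as of `as_of`."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    inventory = load_inventory(inventory_text)
    edr = load_edr(edr_text)

    no_agent = sorted(h for h in inventory if h not in edr)
    # An installed agent that has stopped reporting is as good as absent.
    silent_agent = sorted(h for h, seen in edr.items()
                          if h in inventory and (as_of - seen).days > agent_stale_days)
    unpatched = sorted(h for h, info in inventory.items()
                       if (as_of - info["last_patched"]).days > patch_cadence_days)
    # Hosts the EDR console knows but the inventory does not: the inventory
    # itself is incomplete, so the lists above are lower bounds.
    unknown_to_inventory = sorted(h for h in edr if h not in inventory)
    # Highest priority: no protection and missing patches at the same time.
    exposed = sorted(set(no_agent) & set(unpatched))
    return {
        "no_agent": no_agent,
        "silent_agent": silent_agent,
        "unpatched": unpatched,
        "unknown_to_inventory": unknown_to_inventory,
        "exposed": exposed,
    }


if __name__ == "__main__":
    gaps = find_gaps(INVENTORY_CSV, EDR_CSV, as_of="2021-03-09")
    for category, hosts in gaps.items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

Run against real exports, the interesting output is usually the OT host that was never in scope for the EDR rollout (here HMI-PLANT-3) and the server whose agent was installed but has not checked in for weeks; both would pass a "do we have EDR?" question at the executive level and fail it in practice.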

Unfortunately, a lot of organizations are just not doing this holistically. Organizations should also run tabletop exercises to prepare for three common ransomware scenarios:

  1. The most common is a ransomware incident resulting from a phishing attack. Organizations should reduce their risk of email-originated threats with organization-wide security awareness training. People still click on links in suspicious emails; it is human nature. That click can let the attacker install a remote access tool or a first-stage ransomware loader on a work machine. The attacker then runs automated discovery so the malware can propagate itself and encrypt any data it can reach, and uses the same access for further lateral movement across the network. 
  2. The second scenario applies to organizations with separate networks, such as manufacturers or medical facilities. Security practitioners should consider what happens if a system on the operational network is compromised, and the effect this might have on the entire environment. This becomes a hostage scenario: the attackers are not holding data, but instead holding the availability of a system hostage, which can greatly affect business operations.
  3. The third scenario is related to the supply chain. Consider: if a key supplier or section of the supply chain has been affected, can that supplier propagate the infection into the organization's network through the connections it has with the organization? The impact of this type of attack can be two-fold. The breach could propagate into the network, or it could render the supplier's systems inoperable, causing business continuity concerns.

For robust ransomware protection, organizations need to consider their overall security strategy, including network and data segmentation. Even with a segmentation strategy, organizations need to understand every way a system could be breached across the environment. If you believe there is a risk of attack, consider how to minimize the impact of that breach across the environment. First, identify what your critical data is and where it lives, based on everyday operations and administration. Then, segment operational components from administrative components so that malware on one side cannot spread to the other. Be sure to also define the access controls and permissions each segment needs, so that the boundary holds for credentials as well as for network paths.
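A segmentation design is only as good as the traffic it actually blocks, and the phishing and operational-network scenarios above both hinge on a workstation reaching something it should not. The script below is an added example (not from the original article or from Trustwave) that checks flow records against a segmentation policy: each address is mapped to a segment, intra-segment traffic is ignored, and any cross-segment flow not explicitly permitted is reported. The segment ranges, the policy and the flow lines are constructed for illustration and are not taken from any real environment.

```python
"""Check flow records against a segmentation policy and report violations.

Segment ranges, the allow-list and the flow records below are constructed
sample data for illustration; no real network is described.
"""
import ipaddress

# Constructed segment map. More specific prefixes win, so the single
# management jump host is carved out of the admin range.
SEGMENTS = {
    "mgmt-jump": "10.10.5.10/32",   # the one host allowed to administer OT
    "admin":     "10.10.0.0/16",    # user workstations, file and mail servers
    "ot":        "10.20.0.0/16",    # PLCs, HMIs, historians
}

# Allowed cross-segment flows: (source segment, destination segment) ->
# permitted destination ports. Anything else crossing a boundary is a
# violation. Addresses outside every segment are treated as "external".
POLICY = {
    ("mgmt-jump", "ot"): {22, 443},
    ("admin", "external"): {80, 443},
    ("mgmt-jump", "external"): {443},
}

# Constructed flow records: timestamp src dst dst_port proto
FLOWS = """2021-03-09T10:01:00 10.10.3.4 10.20.1.7 445 TCP
2021-03-09T10:02:10 10.10.5.10 10.20.1.7 22 TCP
2021-03-09T10:02:30 10.20.1.7 10.20.1.9 502 TCP
2021-03-09T10:03:05 10.10.3.4 203.0.113.5 443 TCP
2021-03-09T10:04:40 10.20.1.7 203.0.113.5 443 TCP
2021-03-09T10:05:12 10.20.1.7 10.10.3.4 445 TCP
"""

# Longest prefix first so the /32 jump host is matched before the /16.
_NETS = sorted(
    ((ipaddress.ip_network(cidr), name) for name, cidr in SEGMENTS.items()),
    key=lambda pair: pair[0].prefixlen,
    reverse=True,
)


def segment_of(ip):
    """Return the segment name for an address, or 'external' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, name in _NETS:
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def check_flow(flow):
    """Return None if the flow is allowed, else a human-readable reason."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    if src_seg == dst_seg:
        return None                      # intra-segment traffic is not policed here
    if flow["port"] in POLICY.get((src_seg, dst_seg), set()):
        return None
    return f"{src_seg} -> {dst_seg} on {flow['proto']}/{flow['port']} not permitted by policy"


def find_violations(lines):
    """Parse each non-empty flow line and collect the ones that break policy."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason:
            violations.append({**flow, "reason": reason})
    return violations


if __name__ == "__main__":
    for v in find_violations(FLOWS.splitlines()):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['port']}  {v['reason']}")
```

On the sample data the three reported flows are exactly the ones the scenarios warn about: a finance workstation opening SMB to an HMI, an OT host talking out to the internet, and an OT host reaching back into the admin network. The jump host's SSH session and the Modbus traffic between two OT devices are left alone. The same check, fed from a firewall or NetFlow export, is a cheap way to find out whether the segmentation on the architecture diagram exists on the wire.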

To get ahead of ransomware attacks, organizations need both security professionals and C-level executives on board. Keep in mind the possible scenarios and where your environment might be vulnerable to attack and be prepared with a plan. The more prepared organizations are to detect and respond, the better.


Darren Van Booven

Darren Van Booven is a Lead Principal Consultant for Trustwave’s Consulting and Professional Services practice in the Americas. He focuses on securing cloud infrastructures, industrial control systems and other operational technology environments, enterprise risk management, and emerging advanced threats. Darren was previously the CISO and Deputy CIO at the Idaho National Laboratory (INL). Darren’s security operations team was a finalist in the 2018 SC Magazine Awards for Best Global Security Team. Prior to INL, Darren was CISO for the U.S. House of Representatives in Washington, D.C. where he oversaw the Congressional security and continuity of government programs. Darren spent seven years as a senior staff operations officer and expert-level specialized skills officer at the Central Intelligence Agency (CIA). He left as branch chief of a counterterrorism group responsible for the targeting and execution of clandestine cyber exploitation operations. He also worked with the counterintelligence center as a counterintelligence officer where he enabled human and technical operations and focused on nation-state threats.
