Ransomware has come a long way from its origins back in the 1980s when a UK doctor exploited AIDS researchers with a bootloader virus on floppy disks that locked down computers and asked victims to mail back cash (like literally, snail mail). Fast forward through the rise of Cryptolocker (what we called shotgun ransomware since it was spammed to everyone) in 2013 to today’s big game ransomware and ransomware-as-a-service, and the costs and impacts of ransomware attacks have exploded. In fact, according to recent reports, ransomware attacks increased by 93% in the first half of 2021 (compared to the first half of 2020).
Ransomware Attacks Morph
Today’s attackers are breaking into networks, spending time enumerating and reconning victims, then positioning ransomware on as many devices as possible, and staging it to execute and encrypt all at once. The impacts can be devastating and costly, as the Colonial Pipeline episode illustrated.
Attackers have also moved beyond the more traditional single extortion attacks – those that just encrypt files and ask for compensation – to double and triple extortion attacks. A double extortion attack doesn’t just encrypt data, it steals that data and holds it for ransom (threatening to leak it publicly if you don’t pay). In a triple extortion attack, they also steal partner and customer data or execute a DDoS attack against services. The latter happened recently to a Finnish healthcare company when attackers threatened to release confidential psychotherapy records of 40,000 patients.
Many mid-market organizations scrambling to combat the threat of malware struggle to understand the layers of security required to mount a formidable defense. While email is still a common threat vector, the paths of a ransomware attack can vary widely. To help overcome these challenges, let’s explore the elements needed to bridge the ransomware security gap many organizations face.
Steps Mid-Market Organizations Can Take to Combat Threats
The first step is simple – patching. Updating corporate software, especially on any publicly available resource like web applications or web servers, is vital. Flaws in this software often allow an attacker to get malware into your organization without any user interaction. More often than not, attackers just exploit old vulnerabilities (Zero-Day vulnerabilities are relatively rare), which may have had a patch long ago. But for IT admins running a hybrid organization with uptime requirements, patching can be a serious challenge.
Next is strong password practices. There’s an old saying in cybersecurity, “hackers don't break-in, they log in.” And it’s true. Much of the time an attacker uses stolen or leaked credentials that they might get from a simple phishing email or find on the dark web. This allows the attacker to get basic access to your organization, which they almost always can leverage to elevate to the domain admin, using other tools and tricks. Strong password practices mean passwords should be long and random (at least 14 characters, preferably more) or a long passphrase. Given that most people have tons of passwords to remember, a better approach is using a password manager, which allows an individual to create one complex password or phrase to access all others. When you use a password manager, 32-character random passwords actually become possible to use (you don’t have to remember them personally).
Passwords lead to the next step, which is Multifactor Authentication (MFA). The only way to strongly validate the trusted identity of users is through MFA. A password is just one factor or type of token; users can also have a biometric as a factor or a certificate as a factor, etc. Realize that moving from just one factor to another doesn’t really help. Biometrics have been broken and copied too. Digital certificates can be stolen. That’s why anyone trying to access a corporate network should be required to provide at least two of these factors in order to prove who they say they are. With MFA, any one factor alone can be broken without enabling unauthorized access.
Backup is also critical to protecting against ransomware. If an organization can recover files that have been encrypted from a backup, it eliminates the threat of a single-extortion ransomware attack. (It’s also just good practice for disaster recovery.) But there are nuances to how backup should be done as part of a ransomware defense strategy. Attackers often target backup services and disable them before an attack. Therefore, organizations should practice what’s called 3-2-2 backup, which basically means backing up multiple copies to multiple services, with multiple offline copies too. You can learn more about 3-2-2 (and 3-2-1) backup here.
More Advanced Solutions
Advanced malware prevention is also a requirement to protect against ransomware. In the past decades, malware detection and prevention has been primarily signature-based – or based on patterns and specific files. That approach is reactive. If an attacker releases some sort of new malware – let's say it's ransomware – a human or automated security research tool has to find the file and figure out that it is bad first before they can look for some sort of unique pattern to identify that file. Once they have done that, they can write a rule to match and identify that file moving forward, but the signature doesn’t exist until they first find that new file to analyze.
Unfortunately, today’s malware has become very evasive and polymorphic (WannaCry, for example, can have thousands of versions). In fact, according to recent research, close to 75% of malware evades signature-based detection. More advanced protection is needed to stop ransomware. Advanced malware detection uses machine learning algorithms and behavior detection to stop Zero-Day malware (which includes evasive ransomware, or the stagers used to drop ransomware).
Next is using endpoint detection and response (EDR) security. New “living off the land” attacks use legitimate parts of an operating system (for instance in Windows PowerShell) for attackers to gain access and launch malware directly, often by injecting it into the memory of a legitimate process. It’s called a “living off the land” technique because there is no malware file necessarily on a computer. Instead, legitimate tools are used maliciously and some of the processes running on a computer are hijacked. Catching this type of attack requires monitoring memory and running processes and looking for things like DLL or process injection. EDR solutions look at post-execution activities and anomalies to identify and help remediate attacks.
The final remedies should be obvious, but with phishing and spear-phishing being common vectors for ransomware, the value of training can’t be understated. It’s crucial that organizations make sure every user knows the basics of email security, especially understanding spear phishing. Organizations should also consider adopting a Zero-Trust security paradigm. This is essentially applying a common security principle called the least privilege access, all the time, everywhere. Historically, organizations have had (what I call) a Tootsie Pop network – a perimeter that has a hard and crunchy exterior that’s hard for attackers to get through, but that’s soft and chewy once inside. With the rise of remote workers, trust needs to be reevaluated. It doesn't matter if someone's on the trusted network, they need to have restrictions on access (and that access monitored). An accountant should not have access to an engineering database for example.
Cybersecurity is unfortunately not simple and getting more complex every day. The old defense-in-depth mantra very much applies today when it comes to ransomware protection and layered security. No single solution can stop it. Fortunately, there is consolidation around technology solutions (such as network perimeter, MFA and endpoint) that give IT pros centralized solutions for fighting ransomware. If you want to learn more about ransomware prevention, check out WatchGuard’s white paper on ransomware and a relevant webinar on the recent Kaseya attack.
About the author: Corey Nachreiner is the CSO of WatchGuard Technologies. A front-line cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the Secplicity Community, which provides daily videos and content on the latest security threats, news and best practices. A Certified Information Systems Security Professional (CISSP), Corey enjoys "modding" any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word.
