Ransomware Prevention Strategies

3 Ransomware Defense Strategies

Ransomware is constantly evolving. Not only are there more attackers because of ransomware as a service (RaaS), but ransomware attack strategies are also changing to include extortion through data exfiltration, which I will explain in more detail later in this blog post. Backing up your data is the first action to take against ransomware. Once you have created data backups, your next priority should be to defend against the top ransomware attack vectors: Remote Desktop Protocol (RDP), email phishing, and software vulnerabilities. Since defense against email phishing was covered in a previous blog post, this post explores strategies to mitigate the other two main attack vectors, RDP attacks and software vulnerabilities, as well as how to protect against data exfiltration.

Strategy 1: Reduce Complexity and Patch Promptly

The first priority should be to build an accurate map of your organization’s network. You cannot protect resources you do not know about. Undocumented assets can creep into your network over time through acquisitions of companies, hardware upgrades, or other operations, so it is important to identify these assets and bring them up to date. You should also remove unnecessary software, hardware, and services; this reduces the attack surface that you must defend. RDP is the most common attack vector for ransomware. Disable it if it is not necessary for your business operations.
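The reconciliation step described above (scan the network, compare it with the asset inventory, and flag hosts exposing RDP) as an added example; this is not code from the original post or from the SEI. It parses nmap's grepable (-oG) output format and assumes a constructed three-host scan and inventory, both embedded below.

```go
package main

import "strings"

type hostFinding struct {
	IP         string
	Documented bool     // present in the asset inventory
	RDPExposed bool     // tcp/3389 open, the page's top ransomware vector
	OpenPorts  []string // "port/proto" for every open port
}

// parseGrepableLine pulls the host address and open ports out of one "Host:"
// record line of nmap's grepable (-oG) output.
func parseGrepableLine(line string) (ip string, ports []string) {
	ip = strings.Fields(line)[1]
	if i := strings.Index(line, "Ports: "); i >= 0 {
		for _, entry := range strings.Split(line[i+7:], ", ") {
			f := strings.Split(entry, "/") // port/state/proto/owner/service/rpc/version/
			if len(f) >= 3 && f[1] == "open" {
				ports = append(ports, f[0]+"/"+f[2])
			}
		}
	}
	return ip, ports
}

// reconcile flags scanned hosts that are missing from the inventory and hosts
// that expose RDP, the two conditions the text says to look for first.
func reconcile(inventory map[string]bool, scan string) []hostFinding {
	var out []hostFinding
	for _, line := range strings.Split(scan, "\n") {
		if !strings.HasPrefix(line, "Host: ") {
			continue // comment and summary lines
		}
		ip, ports := parseGrepableLine(line)
		rdp := false
		for _, p := range ports {
			rdp = rdp || p == "3389/tcp"
		}
		out = append(out, hostFinding{ip, inventory[ip], rdp, ports})
	}
	return out
}

// Constructed sample scan: two documented hosts and one undocumented host with RDP open.
const sampleScan = "# Nmap 7.80 scan initiated (constructed)\n" +
	"Host: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n" +
	"Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 22/open/tcp//ssh///\n" +
	"Host: 10.0.0.23 ()\tPorts: 3389/open/tcp//ms-wbt-server///"
var sampleInventory = map[string]bool{"10.0.0.5": true, "10.0.0.9": true}
```

Running reconcile over a real `nmap -oG` file and the inventory export gives the undocumented-host and RDP-exposure lists in one pass.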

Applying security updates to systems quickly reduces the attack surface. The WannaCry ransomware attack cost $4 billion and infected more than 230,000 systems across 150 countries. Microsoft released a security patch for the vulnerability exploited by EternalBlue on March 14, 2017. One month after that security update, on April 14, 2017, the EternalBlue exploit was made public. Nearly two months passed between the patch release and the WannaCry attacks, giving organizations time to install MS17-010, the critical Windows update that protected systems from WannaCry.

Although software updates can be difficult for businesses, it is essential to keep all operating systems and software up to date. Your organization must have a patching policy and a plan for regular updates. Keep in mind that exploits can affect both third-party and operating system software. Schedule updates during off-peak hours, keep track of what has been scheduled, and don’t delay patching. These updates mitigate software vulnerabilities and prevent ransomware variants from gaining a foothold in your network.

Pre-existing exploit kits such as RIG, Fallout, and Spelevo are used by active ransomware variants such as Sodinokibi, Maze, and DoppelPaymer to get onto the network. Most exploit kits compromise systems through known, publicly disclosed software vulnerabilities. The continued success of exploit kits suggests that organizations are still failing to patch their systems regularly.

Strategy 2: Layer Security Controls

A layered security strategy using multi-factor authentication, firewalls, and antivirus software can reduce your attack surface and help prevent ransomware. Antivirus software blocks known exploits from gaining a foothold on the network. Regular updates keep the antivirus software’s library of malware signatures, and any other information it uses to identify ransomware and other threats, current, so that threats are recognized before they are deployed on the network.

Firewalls block traffic based on structural characteristics such as IP addresses and TCP/UDP port numbers. Your organization should block all ports that are not necessary for business operations, which also reduces your organization’s attack surface. RDP is the most popular attack vector for ransomware; if the RDP service isn’t being used, block it.

Firewalls are also helpful for disrupting ransomware command and control (C2) servers. C2 communication is a critical element of ransomware’s operation: it is used to store encryption keys and unique identifiers for victim machines, so blocking this communication can sometimes stop a ransomware attack. If you are engaging in a collaborative defense strategy, you might be able to obtain threat data, such as the addresses of C2 infrastructure, from your collaborators. Ransomware will not be able to connect to known C2 servers if those addresses are placed on firewall blocklists. An allow list that limits a host’s communications to authorized addresses only provides better protection, because it also prevents communication with C2 addresses that are not yet known.
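The blocklist-versus-allowlist distinction above, as an added example that is not part of the original post: a small egress policy evaluator in which the known-C2 blocklist, the allowed destination ranges, and the destination addresses (TEST-NET ranges standing in for C2 servers) are all constructed values chosen for the illustration.

```go
package main

import "net"

// egressPolicy pairs a blocklist of known C2 addresses (for example, shared by collaborators) with an allowlist of the only destinations a host may reach.
type egressPolicy struct {
	blocked []net.IP
	allowed []*net.IPNet
}

func newEgressPolicy(blocked, allowedCIDRs []string) (*egressPolicy, error) {
	p := &egressPolicy{}
	for _, b := range blocked {
		ip := net.ParseIP(b)
		if ip == nil {
			return nil, &net.ParseError{Type: "IP address", Text: b}
		}
		p.blocked = append(p.blocked, ip)
	}
	for _, c := range allowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		p.allowed = append(p.allowed, n)
	}
	return p, nil
}

// blocklistVerdict denies only destinations already reported as C2; a C2 server nobody has reported yet gets through.
func (p *egressPolicy) blocklistVerdict(dst string) string {
	ip := net.ParseIP(dst)
	for _, b := range p.blocked {
		if b.Equal(ip) {
			return "deny"
		}
	}
	return "allow"
}

// allowlistVerdict denies everything not explicitly authorized, which is why the text calls it the stronger control against unknown C2 infrastructure.
func (p *egressPolicy) allowlistVerdict(dst string) string {
	ip := net.ParseIP(dst)
	for _, n := range p.allowed {
		if n.Contains(ip) {
			return "allow"
		}
	}
	return "deny"
}
```

Note that an unparseable destination falls through to "allow" under the blocklist but "deny" under the allowlist, the same fail-open versus fail-closed difference the text describes.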

Multi-factor authentication requires two or more credentials to authenticate an individual. This security control protects against attackers logging on to your company’s systems with stolen or weak credentials. Ransomware attackers often target vulnerable systems and services to infect a large number of hosts, hoping to collect the maximum financial reward by the easiest methods. To gain access to an organization’s systems, attackers can use two simple methods: brute-forcing credentials or purchasing cheap RDP credentials. Attackers then disable security controls on the compromised RDP system, to the extent that the compromised account’s privileges allow (e.g., administrator privileges versus standard user privileges). After making the network and system as vulnerable as possible, they deploy ransomware. Combined with RaaS or a cheap ransomware kit, RDP credentials give attackers an efficient and cost-effective attack strategy. Requiring additional authentication factors raises the attacker’s cost, because those factors must now be compromised as well; this negates the economic benefit of stolen passwords.

Strategy 3: Know your high-value assets and data

We have covered several ways to stop ransomware from ever reaching your network. But how can you protect yourself if ransomware does get onto your network? While backups are essential, your network also needs protection against a newer kind of ransomware attack. Criminals used the Maze ransomware to steal data from Allied Universal, a security firm, and demanded a ransom payment, threatening to publish the data online if it was not paid. The payment deadline came and went, and the attackers followed through on the threat and published 700 MB of Allied Universal’s data online.

These attacks are becoming more frequent. Even if your company has backups of its data and can respond to a typical ransomware infection that encrypts your files, your organization can still be extorted with the stolen data. At this time, the only reasonable mitigation is to strongly encrypt data at rest whose theft might, for your organization, justify paying a ransom.

The DHS Cybersecurity and Infrastructure Security Agency, the Multi-State Information Sharing & Analysis Center, and the FBI advise against paying ransom to attackers. Ransom payments are risky: payment is not guaranteed to allow you to retrieve your data. The U.S. Treasury Department is currently investigating financial penalties for cybercriminals who facilitate ransom payments, because ransom payments encourage further ransomware attacks. Your organization could also be subject to fines based on the amount of information stolen. By creating data backups and encrypting data at rest, your company can avoid these situations, and avoid having to deal with cybercriminals, if it falls victim to ransomware.

Encrypting data at rest avoids this problem: strong encryption makes stolen data unrecognizable to the thief. Note that data encryption protects your company’s information against the data exfiltration part of the attack, but not against the ransomware encryption itself, because ransomware can still encrypt already encrypted data. Decryption keys must be kept secret from ransomware attackers. Also, ensure that decrypted copies of sensitive data do not remain in system RAM or caches.
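An added example (not code from the original post or from the SEI) of the two points above: encryption at rest with AES-256-GCM keeps an exfiltrated copy unreadable, while a stored record that ransomware re-encrypts simply fails authentication on decryption, which is why backups remain essential. It assumes the key is held outside the data store and that decrypted buffers are wiped once used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key held outside the data store.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAtRest encrypts one record; only nonce||ciphertext||tag is written to disk, so an exfiltrated copy reveals nothing.
func sealAtRest(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAtRest decrypts a stored record; bytes re-encrypted by ransomware fail GCM authentication instead of yielding garbage.
func openAtRest(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, io.ErrUnexpectedEOF
	}
	return gcm.Open(nil, stored[:n], stored[n:], nil)
}

// wipe zeroes a decrypted buffer once it is no longer needed so plaintext does not linger in memory.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```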

Ransomware continues to expand and evolve

Ransomware is now being used by more attackers because of RaaS. Organizations can usually recover their data from backups without having to pay attackers, so data exfiltration is a worrying strategy that attackers use to coerce payment. Applying security controls to the main attack vectors and encrypting important data are good preventive measures in addition to the SEI preventive actions. However, ransomware attacks can still succeed regardless of the preventive measures.

Additional Resources

Tim Shimeall’s blog post Three Places to Start when Defending Against Ransomware outlines three initial steps to protect against ransomware. These efforts will make it harder for attackers and more cost-effective for organizations.

Marisa Midler’s blog post Ransomware As a Service Threats explores why ransomware is still a top tool in cybercrime. It also presents current ransomware variants using ransomware-as-a-service (RaaS), which could result in a shift in the ransomware business model.

The SEI whitepaper An Updated Framework of Defenses Against Ransomware, written by Timur Snoke and Timothy Shimeall, is loosely based on the NIST Cybersecurity Framework. It outlines a strategy for defending against ransomware-as-a-service (RaaS), as well as direct ransomware attacks.

The SEI whitepaper Current Ransomware Threats, written by Marisa Midler, Kyle O’Meara, and Alexandra Parisi, discusses ransomware and explains its design, distribution, and business model.

Ransomware: Best Practices to Prevent and Respond by Angela Horneman and Alexander Volynkin of SEI outlines best practices in response to ransomware attacks.

The SEI blog post Defending Against Phishing outlines technical controls organizations can use in conjunction with a user education program to stop successful phishing attacks.