Maintaining a high level of cyber security has always been important. But in today’s climate, it has never been more crucial.
Since the Covid-19 pandemic struck, ransomware attacks have increased significantly.
As of September 2020, one in four attacks remediated by IBM Security X-Force Incident Response was caused by ransomware, with demands, in some cases, of more than $40 million.
Criminal groups are increasingly switching to COVID-19 themed lures for phishing attacks which can leave those working from home particularly vulnerable. Not just because of weaker security controls on home networks, but also a higher likelihood of users clicking on COVID-19 themed ransomware emails driven by high levels of anxiety.
So, it’s no surprise that improving cyber security posture is at the top of many business priority lists right now. And because the threat landscape is always evolving with new, more sophisticated malware, the need for a proactive approach is critical.
What is ransomware?
Ransomware is a piece of malicious code which, when executed, will encrypt your files allowing the attacker to hold your data to ransom until you pay the requested amount.
Ransomware is commonly be delivered via email, through infected websites which users then click on or via a breach of unpatched systems.
Some currently popular ransomware lures include:
- Information about vaccines or other medical research, as well as short-supply commodities such as hand sanitiser.
- Financial scams offering Government support payments during the economic shutdown.
- Free downloads for technologies in high demand right now, for example, video and audio-conferencing platforms, contract tracing apps etc.
Why is ransomware such a big problem
Simply put – because it works. While nobody likes to believe they would pay a ransom to criminals who have infected their systems, it can be difficult to maintain that stance when your business cannot function due to all systems, including backups, being encrypted and you are threatened with your private data being sold or published – potentially with devastating results for your business.
There are major criminal organisations that have earned tens of millions in this way and often they will invest a portion of this into improving their attacks to achieve even better outcomes. Some even offer customer assistance in decrypting files and systems once you have paid in an attempt to improve public confidence that paying is the safer option. While highly illegal, ransomware is also an extremely lucrative business and as long as people keep paying, it will not stop.
Why businesses need to be concerned about ransomware
The major issue facing businesses today is that even with security controls in place, they are still vulnerable to ransomware attacks. Businesses often wonder why their anti-virus did not detect the ransomware, but by then it is too late.
And in many cases, an attack may not just impact a business financially, but it could have a knock-on effect. Last year, in Germany, there was a case of a lost life being directly attributed to the effects of a ransomware attack.
So, how do you protect your business against ransomware attacks? And what should you do if you get hit?
In this feature, we examine the steps involved in a ransomware attack and what controls you need to have in place to ensure the worst doesn’t have a chance to happen.
Ransomware Red Flags: Signs you are about to get hit
Ransomware can hit at any time. Here is an example of the potential pitfalls which could lead to your data being compromised.
One of your employees has received a realistic looking COVID-19 themed phishing email and has clicked on the link within the email. Nothing happens so they forget about it and go back to work. The following day, a user reports that their Microsoft Office files are not accessible and there are files named YOUR_FILES_ARE_ENCRYPTED.html in each folder.
Realising that something is wrong, they immediately inform their manager over the phone.
The manager informs the Head of IT, who then refers to their incident handling guide. To their surprise, they find:
- The incident handling guide was last updated in 2015, and
- System support information is outdated.
- The admin contacts within the organisation left in 2017
- The environment has evolved so much the last updated network design is not valid
Trying to figure out what is happening, they review antivirus logs and firewall logs but can’t find anything (although they do notice an unusual amount of upload traffic to an unknown IP – no time to investigate now though!). They log onto the fileserver and see the results but cannot understand the cause. By now there are more calls coming in, from other parts of the business, that files in other areas are getting encrypted and that systems are going offline.
In a panic, all systems are shut down…IT has been crippled and the IT Manager is just left with a ransom note and instructions to comply or the files will be lost forever, and all of their client and financial data would be published (so that’s what the unusual upload traffic was!).
Assessing the risk, the company decides to see what they can recover without paying the ransom…maybe the data theft side of it was a bluff. The backup server is brought back online in isolation to see if full backups are available and it is discovered that all backups have been deleted and the storage volumes have been formatted. Maybe that move away from backup tapes wasn’t such a good idea after all!
The IT Manager clicks on the link in the ransom note to see where it goes and gets brought to a ‘customer service’ chat page where he is presented with an invoice for decryption service and several samples of critically sensitive company data that will be published if he does not pay the ransom within 48 hours.
The IT Manager is wishing he had paid more attention to preparing a response to such an incident.
How to properly prevent ransomware attacks
So, how do you respond effectively to a ransomware attack? Below, we discuss the exact same scenario, but this time, showing where the attack-chain could have been disrupted.
One of your employees has received a realistic looking COVID-19 themed phishing email, but due to security awareness training and previous phishing simulation campaigns they do not automatically click on the link (even if they did click, safe-link technology would block the active connection to the malicious website).
During the following minutes and hours, the organisation’s SOC provider identifies suspicious connectivity and lateral movement in the network through QRadar and isolates the connection, resetting the compromised account. An attempt to initiate encryption of files is also identified by the EDR solution and the process is blocked and alerted to the SOC. Attempted outbound connections to Command and Control websites are identified and automatically blocked on the firewall.
When the Head of IT is informed of the issue, they then refer to the incident handling guide and immediately notify their system administrator, firewall admin and SOC team that there is a suspected ransomware incident. The backup admin is also put on stand-by in case any restoration of data is needed – the recent implementation of an immutable backup solution means that at least there is no risk of backups being affected.
Following tried and tested procedures, the infected machine is isolated from the network, the firewall admin blocks the suspicious outbound connections, and the system administrator identifies the account performing encryption and disables it. The SOC team sends an incident response analyst and they begin an analysis of the systems to ensure there is no remnants of malware or other malicious artifacts. The organisation’s EDR solution, in conjunction with the SIEM solution and a forensic analysis of the infected system, enables the SOC team to fully recreate the chain of activities from the initial breach to the point where it was eradicated, providing assurance that there were no further traces left in the network.
The SOC team performs a number of follow-on tasks, identifying the malware and performing a search for the file throughout the environment while also adding it to a blocklist. The attack vector is noted to be addressed via security awareness training and an additional phishing simulation campaign is planned to ensure the risk is fresh in users’ minds.
There were many elements that contributed in this scenario to disrupting the attack – each at different stages or focused on different activities, some providing layered defences. These were:
- User security awareness
- Email Security
- Endpoint Detection & Response
- Managed QRadar SIEM Solution
- Incident Response Planning
- Immutable backups
One of the key things we’ve highlighted here is the importance of detection – not just via the software used but the security service as well.
Evros provides 24×7 security monitoring and Incidence Response services to a wide range of customers from our global Security Operations Centres.
How to protect your organisation
To ensure your business is protected against ransomware, download our free Ransomware Protection Checklist. Inside, we detail the measures you should have in place to ensure your organisation is protected against ransomware attacks.
More specific security measures relevant to the Covid-19 situation are also included.
Finding the right security strategy for your business
Designing the right security strategy for your business is a complex process. Our Security Experts have the experience and technical expertise required to provide you with 360° visibility of your environment.
Find out more about our full range of managed 24/7 cyber security services or get in touch for a free consultation.