How to Avoid the Ransomware Onslaught

iStock illustration

Ransomware is among the most common and persistent threats faced by organizations of all sizes.

The ransomware threat landscape worsened in several significant ways through 2019 and into the current year, according to BakerHostetler’s 2020 Data Security Incident Response Report. Average demands increased more than tenfold and all industry segments saw growth in attack frequency, with stark increases seen by education and government entities.

Several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment, the report noted.

The average ransom paid in 2018 was $28,920 and the largest payment $250,000. But that figure jumped to $302,539 the following year and the largest payment was $5.6 million, the latest report stated.

Questions had arisen in years past as to why ransomware demands seemed relatively low. By deploying ransomware, the threat actors were crippling a company’s ability to function but would often settle for a five-figure payoff, while the victims were losing hundreds of thousands or millions of dollars a day due to the business interruption.

Whatever the reasons, threat actors changed their approach, and 2019 was the year they were ready to increase the stakes. This year has only seen these trends continue.

A primary reason for the demand increase stems from the rise of dedicated ransomware variants that are deployed by various groups with unique and identifiable tactics, techniques and procedures.

For example, the Ryuk attackers most often gain entry through a phishing email when victims click on a malicious link or attachment, which downloads malware — TrickBot, Emotet, Mimikatz — used to collect system credentials. The perpetrators then move laterally across the environment to encrypt as many systems as possible.

Often different groups will work in parallel, with one group exploiting vulnerabilities to gain entry and then selling the access to a second group specializing in inflicting as much encryption damage as possible. The Ryuk attackers were particularly adept in 2019 at steadily increasing demands month over month in an effort to test a victim’s maximum price points.

A second example is the Sodinokibi attackers, also known as REvil, which frequently target information technology managed service providers. Once the group compromises the provider’s remote management tools, they quickly move to as many downstream customer systems as possible and encrypt the systems of dozens or even hundreds of victims in one swoop.

A tip to avoid this: require vendors to implement multifactor authentication to access an environment.

The Sodinokibi attackers often will make one very large demand for a tool to decrypt all customer systems, thereby leaving small customers at the mercy of the managed service providers to procure a tool.

Another reason that ransomware became an epidemic in 2019 was an increased focus by perpetrators on entities that traditionally have weaker security postures, particularly education and local government organizations. In past years, attackers frequently targeted large organizations, perhaps believing that they have greater capacity to pay demands.

Those organizations remain significant targets — manufacturing and professional services still lead all industry segments in attacks — however, many of these organizations have advanced cybersecurity and disaster recovery measures in place and did not pay the ransom.

Notably, across all business sizes, 73 percent of the organizations were able to restore systems without paying the ransom in 2019.

Attackers saw an opportunity to increase ransom demands as smaller and more diffuse organizations obtained cyber insurance and opened their network environments to remote access. These new victims often lacked necessary security measures such as endpoint monitoring, segregated backup systems, network segmentation and strong oversight of vendors with access to the environment, which allowed criminal groups to quickly cripple an organization, leaving no recourse but to pay the ransom in order for the business to survive.

Toward the tail end of 2019, several groups began a relatively new extortion tactic of stealing data from the environment to hedge against victims that were able to restore systems from backups. The first of these groups utilizes the Maze variant. But as the tactic has proved successful, many other groups — including Sodinokibi, Doppelpaymer, Nefilim, Snatch, Lockbit and others — have started to employ the same approach this year.

Extortion groups steal data they deem sensitive prior to deploying ransomware and then threaten to release the data to the public unless the victim pays a ransom, which is usually the same price as the ransomware demand. While the theft of personal information alone may trigger a notification obligation — both to individuals and to regulators — the threat of public humiliation introduces a new level of crisis.

A victim that does not pay the extortion demand — which itself is no guarantee of avoiding publication — is faced with conducting an investigation into an incident about which the public and regulators have already been loudly informed but for which the victim will not be able to provide meaningful answers for some time. These incidents may challenge relationships with key stakeholders such as customers, patients, shareholders and the public at large.

As reflected in the 2020 report, only 6 percent of ransomware incidents in 2019 resulted in unauthorized access or acquisition of data leading to notification obligations.

However, only six months into 2020, BakerHostetler has seen that percentage already jump several-fold and expects the trend to continue as attackers refine their tactics to obtain as much money as possible from their victims. The era of extortion is here to stay.

The following are steps organizations can take now to avoid becoming a victim and to be better prepared to respond effectively to ransomware attacks.

First, avoid being phished. Most attacks start with an employee falling victim to a phishing email. Through phishing emails, attackers can obtain access to an organization’s computer system or steal an employee’s access credentials before deploying the ransomware. Conduct periodic phishing and security awareness training to help employees spot suspicious emails and avoid common social engineering tactics. Encourage employees to report suspicious emails to the IT team and express the importance of phishing vigilance throughout the organization. Look into using an email threat filter.

Next, use strong passwords. Attackers also exploit organizations with weak password policies. Require the use of strong passwords of sufficient length that must be changed periodically, prohibit reuse of passwords and implement a password management tool for employees.

Another tip: employ multi-factor authentication. The use of MFA — particularly for remote access to systems and email by employees — can lessen the risk of an attacker accessing your system or email accounts with stolen credentials. Multi-factor authentication creates an additional layer of authentication by requiring the employee to input a unique code before access is granted.

Next, secure remote access to company systems. In addition to establishing a foothold in the environment through a malicious link or an attachment in a phishing email, attackers frequently seek to connect to systems using remote desktop protocol before moving laterally within the system to deploy ransomware.

Adopt controls to restrict source internet provider addresses seeking remote access, including prohibiting connections from countries that are not essential for business operations. This can be done through hardening your firewall configuration, requiring the use of a third-party service to connect to your systems remotely, or by using a virtual private network.

Another recommendation: limit the use of domain administrator accounts. Many recent attacks have been preceded by compromise of credentials for a domain administrator account. Such accounts should be limited to select employees who need administrator permissions and, even for those employees, should not be used for normal work functions.

Administrators should have separate accounts to use for their non-administrative functions.

Also, maintain good access controls and the principle of least privilege. The greater the access a compromised employee’s account has to different parts of an organization’s network, the more easily ransomware can spread. A basic tenet of good cyber hygiene is to limit an employee’s access to the minimum systems and files necessary to do his or her job.

It’s also wise to segment the network. Attackers often move laterally to deploy ransomware to as many systems as possible. By identifying and segmenting critical data stores from systems accessible from the internet, an organization can limit the impact of an attack. Also requiring passwords with multi-factor authentication to move across environments may limit the scope of a ransomware attack.

Organizations should also ensure backups. The ones that have updated, intact and accessible backups secured and segmented from production systems are in a much better position to respond to and recover from a ransomware attack. Adopt and implement a procedure for the creation, updating and storage of on-site and off-site backups of all critical files and data. Be sure to include procedures for verifying and testing backups and for securing them so they are not impacted by the ransomware attack.

Another mistake is that firewalls are not configured properly. Many types of ransomware attempt to move laterally within systems using standard Windows operating system protocols, including server message block, to communicate between endpoints within a system. Ensure that Windows firewall policy is configured properly to restrict the scope of permitted communications between common endpoints. Attackers often exploit software vulnerabilities that could have been remedied by regular and timely deployment of the software developer’s updates and patches.

In addition, periodically evaluate business continuity, disaster recovery and incident response plans to ensure they align with the current threat landscape. Consider yearly incident response tabletop exercises to test the organization’s ability to timely and effectively respond to a security incident.

Another tip: enable appropriate security logging and retention to ensure forensic artifacts can be reviewed in the event of an incident. Often, default logging settings do not provide an organization enough information to investigate an incident. Also, ensure the logs are stored for a sufficient amount of time and are secure in the event of a system compromise.

Knowing daily business losses in the event systems are unavailable is also an important data point in an organization’s ransom payment analysis. Paying a ransom is a business decision where the only leverage an organization has are time and the ability to restore from backups. Even if recovery from backups is possible, it may make business sense to pay a ransom if the losses exceed the demand.

Finally, deploy endpoint monitoring, which can detect system anomalies and malware, such as credential harvesting tools that often precede a ransomware attack.
Evaluate the current endpoint monitoring solution, and determine whether it should be upgraded to properly protect against the current malware and ransomware threats. ND

David E. Kitchen is a partner and Anthony P. Valach counsel at the law firm of BakerHostetler. The views expressed in this article are those of the authors and not necessarily those of BakerHostetler or its clients.

Topics: Cybersecurity