When it comes to security challenges, businesses of all sizes are alarmed by the number and severity of ransomware attacks. Cybercriminals have targeted every industry with specialized malware, collecting untold sums in ransom. Ransomware is malware that blocks access to systems or encrypts data and then demands payment to restore access. In effect, a ransomware attack is the crime of cyber extortion.
Ransomware has four main categories: encryption ransomware (the most common), lockers (which lock users out of their computers), scareware (which floods the screen with pop-ups or frightens users into buying useless software) and doxware (which threatens to leak personal or organizational information). The traditional forms are lockers and encryption ransomware; both deny access to your systems and data unless the ransom is paid. Because governments now impose strict rules on ransom payments, cybercriminals have resorted to multi-extortion techniques, combining several tactics to increase the likelihood of payment. These include threatening to sell or leak data exfiltrated before encryption, threatening distributed denial-of-service (DDoS) attacks against the victim's systems, or even threatening physical harm to individuals associated with the targeted organization.
The rise of ransomware is also due to the ease with which criminals can launch an attack: they need not invest in developing malware, but can subscribe to Ransomware as a Service (RaaS), obtain an initial foothold and then use their own skills to spread laterally within the network.
Ransomware typically infiltrates organizations through three common vectors: phishing; exposed Remote Desktop Protocol (RDP) and credential abuse; and exploitable vulnerabilities, including zero-days.
How to Recognize Attacks
An initial foothold is generally established through phishing, compromised credentials or exploitable vulnerabilities, so maintain strong defences against these techniques.
Typical signs of ransomware include a spike in disk activity, creation of privileged accounts on critical infrastructure devices, suspicious inbound and outbound traffic, installation of unauthorized tools such as Mimikatz, and tampering with backups (for example, deletion of volume shadow copies).
Security controls need to be complemented with a strong XDR capability that prevents, detects and alerts on behaviour-based anomalies, especially after the initial foothold, when attackers execute legitimate tools (PowerShell, PsExec and the like) for malicious purposes.
Organizations must use a combination of automated security tools and malware analysis to uncover suspicious activity that could indicate an impending ransomware attack.
How to Prevent Ransomware Attacks
Organizations can lessen their exposure to ransomware attacks and limit the damage they cause by maintaining a strong cybersecurity posture and strong foundational controls. Some steps to prevent ransomware attacks are:
- Regular software updates and patching
- Invest in the right anti-phishing technology
- Multi-factor authentication
- Invest in Zero Trust network access and move away from traditional VPNs
- Invest in XDR
- Network segmentation
- Email protection
- Application whitelisting
- Limiting user access privileges
- Frequent and periodic security testing
- Educate employees about the risks of social engineering
- Perform frequent backups of critical data and keep an immutable (or offline) copy that an attacker holding domain credentials cannot alter or delete
How to respond to & recover from Ransomware Attacks
Catch it early is the mantra; otherwise there are very few options apart from rebuilding the systems or restoring from the last known-good backup. Once a ransomware attack happens, organizations must follow the ransomware incident response plan that they ideally created and tested well ahead of the attack.
Sign up for a good incident response retainer in advance – you will need it.
- Contain it: isolate the infected devices and cut off network communication for the impacted systems or segment.
- Review session logs, file properties, Terminal Services logs and Windows Security logs to identify traces of the infection and significant authentication and access events.
- Determine the ransomware group involved to enable more targeted remediation and group-specific indicators of compromise (IOCs).
- Rebuild the infected systems.
- Continuously sweep the network for any remaining traces of the IOCs.
- Establish continuous monitoring as part of your SOC and remain hyper-vigilant for at least four weeks.
- Stay in constant touch with customers to keep them updated on the progress made.
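The signs listed under "How to Recognize Attacks" (privileged account creation, backup tampering, Mimikatz and PsExec, legitimate tools misused) and the log review step above come down to the same job: running behaviour rules over Windows event records. The following Python script is an added example written for this article, not code from the article's author or from any product. The events in it are constructed for illustration; the flat record layout (`time`, `id`, `host`, `subject`, `cmdline`, and so on) is a hypothetical normalisation of Windows Security and System log fields, while the event IDs are the real Windows ones: 4720 (account created), 4728/4732/4756 (member added to a security-enabled group), 4663 (object access), 4688 (process creation), 1102 (audit log cleared) and 7045 (service installed, System log).

```python
"""Behaviour-based triage of Windows event records for ransomware precursors.

Added example for this article, not code from the article's author. The events
are constructed for illustration; the flat layout (time, id, host, subject,
cmdline, ...) is a hypothetical normalisation of Windows Security/System log
fields, while the event IDs are the real Windows ones.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# Every substring in a tuple must appear in one command line to match.
BACKUP_TAMPER = (("vssadmin", "delete shadows"), ("wbadmin", "delete catalog"),
                 ("bcdedit", "recoveryenabled no"), ("wmic", "shadowcopy delete"))
CRED_TOOL_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::")

# Constructed sample events (deliberately not in time order).
SAMPLE_EVENTS = [
    # 4720 account created, then 4732 added to local Administrators 4 s later.
    {"time": "2024-03-02T02:14:05", "id": 4720, "host": "DC01", "subject": "svc_backup",
     "target": "helpdesk2"},
    {"time": "2024-03-02T02:14:09", "id": 4732, "host": "DC01", "subject": "svc_backup",
     "member": "helpdesk2", "group": "Administrators"},
    # 4688 process creation: shadow copies wiped, credential dumper, encoded PowerShell.
    {"time": "2024-03-02T02:15:30", "id": 4688, "host": "FS01", "subject": "helpdesk2",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-03-02T02:16:02", "id": 4688, "host": "WS07", "subject": "helpdesk2",
     "cmdline": "C:\\Users\\Public\\m.exe privilege::debug sekurlsa::logonpasswords"},
    {"time": "2024-03-02T02:16:20", "id": 4688, "host": "WS07", "subject": "helpdesk2",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 payload>"},
    # 7045 (System log): PsExec's service installed on the file server.
    {"time": "2024-03-02T02:15:41", "id": 7045, "host": "FS01", "subject": "helpdesk2",
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # 1102: Security log cleared to hide tracks.
    {"time": "2024-03-02T02:30:00", "id": 1102, "host": "FS01", "subject": "helpdesk2"},
    # Benign admin activity that must not fire any rule.
    {"time": "2024-03-02T08:00:00", "id": 4688, "host": "WS02", "subject": "alice",
     "cmdline": "vssadmin.exe list shadows"},
]
# 4663 object access: twelve file writes in twelve seconds, an encryption burst.
SAMPLE_EVENTS += [
    {"time": f"2024-03-02T02:17:{i:02d}", "id": 4663, "host": "FS01", "subject": "helpdesk2",
     "access": "WriteData", "path": f"\\\\FS01\\Finance\\Q1\\report{i}.xlsx.locked"}
    for i in range(12)
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _finding(rule, event, evidence):
    return {"rule": rule, "host": event["host"],
            "subject": event.get("subject", "?"), "evidence": evidence}


def triage(events, admin_window=timedelta(minutes=10),
           burst_n=10, burst_window=timedelta(seconds=60)):
    """Return findings ({rule, host, subject, evidence}) for a list of events."""
    findings = []
    created = {}                # new account name -> (time, creating account)
    writes = defaultdict(list)  # (host, subject) -> write timestamps in window
    for e in sorted(events, key=_ts):
        eid, cmd = e["id"], e.get("cmdline", "").lower()
        if eid == 4720:
            created[e["target"].lower()] = (_ts(e), e.get("subject", "?"))
        elif eid in (4728, 4732, 4756) and e.get("group", "").lower() in ADMIN_GROUPS:
            member = e.get("member", "").lower()
            hit = created.get(member)
            if hit and _ts(e) - hit[0] <= admin_window:
                findings.append(_finding("new_account_made_admin", e,
                    f"{member} created by {hit[1]}, then added to {e['group']}"))
        elif eid == 4688:
            if any(all(n in cmd for n in pair) for pair in BACKUP_TAMPER):
                findings.append(_finding("backup_tampering", e, cmd))
            if any(m in cmd for m in CRED_TOOL_MARKERS):
                findings.append(_finding("credential_dumping_tool", e, cmd))
            if "powershell" in cmd and "-enc" in cmd:   # also matches -encodedcommand
                findings.append(_finding("encoded_powershell", e, cmd))
        elif eid == 7045:
            blob = f"{e.get('service', '')} {e.get('image', '')}".lower()
            if "psexesvc" in blob:
                findings.append(_finding("remote_exec_service_install", e, blob.strip()))
        elif eid == 1102:
            findings.append(_finding("audit_log_cleared", e, "Security log cleared"))
        elif eid == 4663 and e.get("access") == "WriteData":
            key, now = (e["host"], e.get("subject", "?")), _ts(e)
            window = writes[key]
            window.append(now)
            while now - window[0] > burst_window:  # drop writes older than the window
                window.pop(0)
            if len(window) == burst_n:             # fire once, on crossing the threshold
                findings.append(_finding("file_write_burst", e,
                    f"{burst_n} writes within {burst_window.seconds}s, last {e['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['subject']}: {f['evidence']}")
```

Two caveats apply before this is pointed at real logs: 4688 records carry the command line only when the "Include command line in process creation events" audit policy is enabled, and 4663 is emitted only for objects that have an audit SACL and object-access auditing turned on. The burst threshold and admin window are assumptions to be tuned to the environment; a file server that legitimately receives hundreds of writes a minute needs a per-account baseline rather than the fixed number used here.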
Negotiating Ransomware Payments
Determining whether to pay a ransom in the middle of a ransomware attack can be harrowing. Companies should already know their criteria for complying or not complying with demands. They should know whether they can trust their ability to quickly recover systems from backups if they refuse the attackers. And they should know what sensitive data sits on the systems the attackers have locked, encrypted and potentially exfiltrated.
Companies might decide not to hand over a ransom because they believe it would encourage other attackers or escalate future demands. Additionally, there is no guarantee that the data will be returned or that the decryptor will work, and paying the ransom could expose the company to legal issues, for instance where the recipient is a sanctioned entity.
Pointers for negotiating with the attackers:
- Remain calm and composed.
- Do not reveal whether you hold cyber insurance.
- If, in the worst case, a payment is made, pay only a small amount upfront and the remainder after the decryption key has been obtained from the threat actor and shown to work.
- Publicizing the attack and the ransom negotiation may be considered as a way to put pressure on the attacker and to prevent others from falling victim to the same group in future.