Hexegic – Ransomware: How to be on your guard


20th November 2020

What sensible preparations can you make to counter ransomware? 


Ransomware is a form of malware which encrypts files on a device, rendering any files and the systems that rely on them unusable. Cyber criminals then employ extortion tactics, pressurising victims for payment to regain access to their systems, or threatening to publish stolen data or to publicly name and shame the company. Such an attack is potentially devastating to an organisation – causing material harm to operations, reputation, and the balance sheet. Unfortunately, given the profitability of ransomware attacks to criminals, their prevalence is on the rise, and everyone is at risk. Just last week, an FBI-CISA threat warning drew attention to ransomware targeting of the health sector, and the urgent need to mitigate this risk. The US CISA agency has also recently highlighted the trend of criminals using lateral movement (techniques employed after they have gained initial access) to locate and delete a victim's system backups before launching ransomware, thus hampering restoration and recovery efforts – and ramping up the pressure to give in to ransom negotiations.


Fortunately, there are sensible steps that organisations can take to reduce the impact of ransomware attacks on their business. The most important of these is to be prepared.  The UK National Cyber Security Centre (NCSC) recommends four key ways to do this. Of course, every organisation is different and you need to follow this guidance carefully within the context of your own situation, but the principles are extremely helpful. The following advice comes from the NCSC website (www.ncsc.gov.uk):


Prior preparation prevents…poor performance


Action 1: Make regular backups

Make regular backups of your most important files – also check that you know how to restore files from the backup, and regularly test that it is working as expected.  Scan backups for malware before you restore files – ransomware may have infiltrated your network.  Keep offline backups separate from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment. You shouldn’t rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.  Ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible – cloud services often automatically synchronise immediately after your files have been replaced with encrypted copies.


Action 2: Prevent malware delivery


You can reduce the likelihood of malicious content reaching your devices by filtering to only allow file types you would expect to receive, blocking websites that are known to be malicious, actively inspecting content, and using signatures to block known malicious code. These methods can all be executed at your network boundary using proxies and gateway services.

To guard against attack via remote access, you should consider enabling MFA (multi-factor authentication) at all remote access points into your network, enforce an 'IP allow list' using hardware firewalls, use a reputable VPN for remote access to services, stick to the 'least privilege' model for providing remote access to employees (you can always provide an audited process to allow a user to escalate their privileges where necessary), patch vulnerabilities in remote/external facing devices as soon as you become aware of them, and follow vendor guidance including installing new patches as soon as they become available.

Prevent malware spreading across your systems by thwarting lateral movement tactics – use MFA to authenticate users so that if malware steals credentials they can't easily be reused, ensure obsolete platforms are properly segregated from the rest of the network, and regularly review and remove user permissions that are no longer required. Also ensure system administrators avoid using their accounts for email and web browsing, practise good asset management – including keeping track of which versions of software are installed on your devices so that you can target security updates quickly – and always keep individual devices and the whole infrastructure patched, especially security-enforcing devices on the network boundary such as firewalls, IDS/IPS and VPNs.


Action 3: Prevent malware running


Prepare for the worst-case scenario and assume that despite all your efforts, malware will reach your devices. In this situation you need to try to prevent the malware from actually running. Measures will vary for each device type, operating system and version, but in general you should look to use device-level security features. Centrally manage all devices to only permit trusted applications to run (there are good technologies for this including AppLocker, or others from trusted app stores). Consider whether third-party antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date. Also provide security education and awareness training to all your employees.

Disable or constrain scripting environments and macros by protecting your systems from malicious Microsoft Office macros, disabling autorun for mounted media, and by enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy – you can use AppLocker for this.

Bear in mind that attackers often exploit vulnerabilities in a device. To thwart this, keep all your devices well-configured and up to date. The NCSC recommends you install security updates as soon as they become available, enable automatic updates, use the latest versions of OS(s) and applications, and configure host-based and network firewalls to disallow inbound connections by default.
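Action 2 describes boundary filtering (allow only expected file types, inspect content, block known malicious code by signature) and Action 3 singles out Office macros; the script below shows those checks working together on constructed attachments. It is an added example for this article, not NCSC, Hexegic or any gateway vendor's code: the allow list, the magic-byte table, the "known bad" hash set and the sample files are all constructed. It rejects a double-extension name, an executable renamed to `.pdf`, a macro-enabled document renamed to `.docx`, and a payload whose hash is on the signature list:

```python
"""Boundary content filter: allow only expected file types, check that the
content matches the claimed type, refuse Office documents carrying VBA macros,
and block payloads whose hash is on a known-malicious signature list."""
import hashlib
import io
import zipfile

# Constructed policy: the only attachment types this organisation expects.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "txt", "csv"}

# Leading bytes a file of each type must start with; types absent here
# (txt, csv) have no fixed signature and are checked by extension only.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",   # OOXML documents are zip archives
    "xlsx": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
}

# Constructed signature list: SHA-256 of payloads already known to be malicious.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}


def office_has_macros(data: bytes) -> bool:
    """Macro-enabled OOXML files carry a vbaProject.bin part. Looking inside
    the archive catches a .docm that was simply renamed to .docx."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify(filename: str, data: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one attachment. The signature
    match is checked first because it is decisive whatever the file type."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "block", "payload matches a known-malicious signature"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return "block", f"file type '.{ext or '(none)'}' is not on the allow list"
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return "block", f"content does not match the claimed .{ext} format"
    if ext in ("docx", "xlsx") and office_has_macros(data):
        return "block", "Office document contains a VBA macro project"
    return "allow", "passed type, content and signature checks"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed")
    return buf.getvalue()


# Constructed sample attachments as a gateway might see them.
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%constructed pdf body\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00constructed executable"),   # double extension
    ("report.pdf", b"MZ\x90\x00constructed executable"),        # exe renamed to .pdf
    ("minutes.docx", make_ooxml(with_macro=False)),
    ("minutes.docx", make_ooxml(with_macro=True)),              # .docm renamed to .docx
    ("notes.txt", b"constructed malicious sample"),             # on the signature list
]


def filter_samples() -> list[str]:
    """Verdict for each sample, in order."""
    return [classify(name, data)[0] for name, data in SAMPLES]


if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict, reason = classify(name, data)
        print(f"{verdict:5}  {name:18}  {reason}")
```

The ordering matters: an extension allow list alone passes `report.pdf`, and a magic-byte check alone passes the renamed macro document, so each check covers a gap the previous one leaves. Signature matching only catches what is already known, which is why the guidance lists it as one layer beside type filtering and content inspection rather than on its own.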


Action 4: Prepare for an incident


With computer systems taken out of action and in some cases data never recovered, a ransomware attack can be devastating for an organisation. If recovery is possible, it can take several weeks – and your corporate reputation and brand value could take a lot longer to recover.

To help prepare for this impact, identify your critical assets and determine the effect on these if a malware attack were to strike. Plan for an attack, even if you think it is unlikely: there are many examples of organisations that have been impacted by collateral malware, even though they were not the intended target.  Develop an internal and external communication strategy. It is important that the right information reaches the right stakeholders as soon as possible.  Determine how you will respond to the ransom demand and the threat of your organisation’s data being published. Ensure that incident management protocol and resources such as checklists and contact details are available even without access to your computer systems.  Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.  Exercise your incident management plan. This helps clarify everyone’s roles and responsibilities to prioritise system recovery. For example, if a ransomware attack meant a complete shutdown of your network, consider:


how long it would take to restore the minimum required number of devices and re-configure for use
how you would rebuild any virtual environments and physical servers
what processes need to be followed to restore servers and files from your backup solution
what processes need to be followed if onsite systems and cloud backup servers are unusable, and you need to rebuild from offline backups
how you would continue to operate critical business services. 

After an incident, revise your incident management plan to include lessons learnt to ensure that the same event cannot occur in the same way again.  For more information and a full version of these action points, visit https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks



MS-ISAC Ransomware Guide September 2020

NCSC Small Business Guide: Cyber Security 08 October 2020

AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector

EC-Council Certified Incident Handler v2


DISCLAIMER. Our guidance is intended as information only and Hexegic Limited shall not be liable for any direct or consequential loss suffered by any third party as a result of any decisions made or action taken as a result of the information contained in our articles or checklist.

