Ransomware attacks are more common than people think and can affect anyone from small business to enterprises, and from privately owned corporations to the highest government entities.
Incidents that may seem distant and isolated often have catastrophic results for individuals located miles away from where the attack occurs. The Colonial Pipeline ransomware cyberattack affected several states on the East Coast of the U.S. when consumers found themselves with a major gas shortage for nearly a month.
This is just one example of how a ransomware attack can influence an unexpected number of individuals—so what exactly is ransomware and how can you prevent an attack?
The Growing Ransomware Threat
According to CISA (The Cybersecurity and Infrastructure Security Agency), ransomware is a form of malware, or malicious software, that is designed to encrypt files on any given device, rendering both the files and device unusable.
Hackers that deploy ransomware often threaten to sell, leak or delete collected data if a ransom is not delivered. The payment for decryption of data is often demanded in a cryptocurrency such as Bitcoin or Ethereum for easy access. When Colonial Pipeline was attacked in early May, hackers requested 75 Bitcoin (or $4.4m) be paid within just hours of the attack. This resulted in a wave of repercussions that impacted both the U.S. Government and its citizens.
Ransomware is an Issue for Everyone
Ransomware may negatively affect large companies, but the problem doesn’t end there. Businesses of all sizes are struck by ransomware attacks both directly and indirectly. This was the case with The Kaseya Ransomware Attack that affected not only the software company itself, but many of the Managed Service Providers(MSPs) that utilize their software and the thousands of business customers that outsource these services to MSPs. Similar situations, where businesses were put at risk by third parties, arose with the SolarWinds exploit in 2020 and the Microsoft Exchange hack of early 2021.
No matter the size of an organization, a ransomware attack invariably leads to a number of negative outcomes such as:
- Reputational damages
- Massive financial loss
- Deleted/Stolen files or critical data
- Unforeseen company-wide downtime
Once the trust between a customer/client and a business is broken, it’s difficult to earn back—and the financial repercussions are often much worse.
Understanding Your Risk
Organizations that are most vulnerable to attacks, simply do not have a clear picture of their network and the attack surface. They are vulnerable to just about any kind of cyber attack, because often they don’t know how many open doors or windows they have in their organization.
- The first step towards security is to conduct a thorough analysis of your network and map all of your devices, connection points, applications, databases, cloud and data providers and users
- Bluewave’s Multi Layered approach to cybersecurity starts at the edge of the network and works inward to identify not just the usual attack points but also in more complex interactions between networks, employee behaviors, mobile devices, security/IT policies, and third-party vendors.
- Additionally, a Bluewave baseline assessment can help gain visibility into your WAN assets and identify overspending within your existing budget to fund shoring up your cybersecurity posture.
Preventing a Breach
Active prevention is key in guarding against ransomware attempts. Here are a few strategies to consider when designing your network that help prevent future attacks:
- Implementing deep packet inspection at the network edge.
- Leveraging web security gateways to inspect traffic/content from all users, on all devices, from every location.
- Incorporating mail inspecting services that block and remove emails and remote-activated attachments.
- Adopting a Zero Trust Network Access (ZTNA) model for all locations, including remote workers.
- Securing and inspecting your applications and systems can also help fight against malicious content and prevent ransomware from spreading:
Implementing MFA (multi-factor authentication) to protect against password guessing and unauthorized access on your applications and SaaS
- Using SSO (single sign-on) tied to a centralized Identity Management Platform to manage, track, and audit a user’s system access to easily follow principles of least privilege access.
- Installing an Endpoint Protection Platform that leverages AI and machine learning (ML) to identify suspicious activity and to immediately enforce protection countermeasures against identified bad actors.
- Aggregating all server, network access, and application logs into a Security Incident and Event Management (SIEM) platform so security analysts have immediate access to critical forensic data to investigate anomalies in real time.
Hedging Your Risk
It is vital to be prepared for the possibility of an attack at all times too should a ransomware attack occur, which is why there are several key steps to take in order to minimize your risk:
- Document where all of your critical data is stored and how that data is accessed.
- Create offline backups that are kept separate from the main systems/networks on external hard drives, USBs, or a cloud service.
- Identify critical assets and determine the business operational impact of a ransomware attack.
- Develop internal and external communication strategies. During an attack, normal communication methods, like email, Slack, or MS Teams, may not be available to the team. Also, consider any legally required notification that you may be under.
- Create an incident management plan that documents “first line of defense” steps and additional resources such as outside consultants and law enforcement whom you can bring in during an incident.
- Clarify roles and responsibilities of all staff including executive management and legal counsel.
- Conduct dry run exercises and war games so people can practice their incident procedures and gain the situational awareness needed to perform under pressure in the event of a live incident.
Responding to an Incident
Finally, and perhaps the most important to remember, are the four steps to take when responding to a ransomware attack that happened before prevention could occur:
- Isolate: Immediately disconnect your infected computers, laptops, or other devices from all network connections. In a critical situation, consider turning off LAN switching and disabling all WAN network connections.
- Mitigate: Work with your in-house security analysts, outside consultants, and law enforcement to identify which systems are infected, the method they were infected with, and if any back-up data has been compromised. Take needed steps to prevent reinfection once systems have been restored.
- Inform: Use the previously identified legal obligations to report the incident to regulators and communicate the situation to staff, customers, and business partners as required.
- Restore: Wipe infected devices thoroughly of all malware and restore systems and data from available clean backups. It is critical that before restoring files from backups, verify that they are completely clean, often ransomware will delay activation until a period of time after inflection to ensure backups are also infected and will be re-locked once restored. Finally, once you are confident the ransomware has been eliminated and normal data states have been restored, reconnect your systems to your LAN and WAN.
Ransomware attacks are becoming a common occurrence, but that doesn’t mean they are impossible to avoid. Through proper planning and preparation, prevention is possible. However, even with preventative measures, always having a response plan is the best way to ensure your company is prepared for any attacks a bad actor may throw your way. By implementing cohesive security services to inspect traffic and endpoints, as well as following industry standard security controls and policies, minimizing the likelihood of future attacks is more achievable now than ever before.