Ransomware Attack: What It Is and How to Prevent It
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Cybersecurity continues to be a challenge as adversaries come up with new and innovative ways to penetrate computer networks and steal data. One of the more popular attack methods is ransomware. There are tools to defend yourself against potential attack and techniques to strengthen your computer security posture.
Ransomware is a type of cyberattack that gives an attacker the ability to extort money from someone after a data breach. Typically, an attacker encrypts data on your hard drive or network servers, and they make copies of your data and threaten to make this publicly available. The payment demands are why this type of cyberattack is called ransomware. The payment doesn’t necessarily guarantee that the attacker is going to decrypt or maintain your files’ privacy. Payments are usually payable in cryptocurrencies such as Bitcoin to hide the attacker’s identity.
Ransomware attacks are made possible usually through phishing emails or text messages that deposit malware on your machine. All it takes for a ransom attack to begin is for a single employee to click on a phishing email or respond to a social networking message. These attacks aren’t going away anytime soon, and they have increased during the COVID pandemic. Philip Reiner, the CEO of the Institute for Security and Technology, was quoted in this New Yorker article, “It’s way too easy to get into this. You or I could do it — you just hire it out. There’s been an incredible commoditization of the entire process.” The attacker can infiltrate any network with relative ease, leveraging that one initial access point to plant additional malware and take control of critical servers.
Ransomware attacks are becoming more numerous and dangerous. Perhaps the most infamous attack in 2021 was the shutdown of Colonial Pipeline’s gas transmission facilities for several days. According to a recent conference of European law enforcement agencies, ransomware activities have generated $350 million in 2020, a 311% increase from 2019. The crowdsourced site, Ransomwhere, tracks ransomware payments and shows more than $45 million in payouts for 2021. This data is based on public records of various ransom blockchain transactions and victim reports. One strain of ransomware, SamSam, collected more than $1M several years ago. Phishing-protection provider INKY reports that the average payment organizations made to escape ransomware rose to $312,493 in 2020, up 171% from $115,123 in 2019.
As remote work continues and expands, better ways are needed to secure workers’ connections to and from the organization’s data, both on the cloud and on-premises. The risks are further compounded by the too-human inclinations of remote workers to give priority to completing tasks over best-security practices. It is possible for an employee, for example, to use the same password when shopping online and to gain access to critical corporate data from a home office connection. More tech-savvy users, like developers, can introduce vulnerabilities in code if they bypass proper security checks before pushing application code into production.
For these remote data-access risks, VPNs don’t cut it anymore. They are based on the incorrect assumption that both sides of the VPN tunnel are secure. Since the pandemic began, more corporate workflows traverse the general Internet where they are more easily compromised. Anyone in an organization can become a target because attackers are looking for weak points in IT infrastructure.
Added to these trends, ransomware-as-a-service (RaaS) organizations are becoming popular. They make ransomware easier to deploy and more lucrative to operate. And it isn’t just business networks that attract attackers, either. Internet-of-Things devices (such as Nest thermostats and connected TVs) and industrial-control systems are targets, too.
Attackers have gone a step further by compromising supply chains. This is what happened to software from SolarWinds and, more recently, with Kaseya VSA. Ransomware attackers now combine the initial encryption attack with follow-up threats to post stolen data from their targets. Security-services provider Emisoft reports in a survey that 11% of ransomware attacks involved data theft during the first half of 2020, a number that continued to rise in 2021 and is forecast to continue to rise into 2022.
The ability of intruders to access the network, and then wait undetected, before orchestrating a lateral ransomware attack was exemplified in June, 2021. In that instance, thanks to an inattentive customer service agent, Microsoft became the latest victim of Nobelium, the Russia-based hacker group behind the SolarWinds attack in 2020, according to Microsoft and other sources. A single point of entry on the agent’s computer opened the door for a sequence of RaaS attacks that eventually spread to victims across dozens of countries. If Microsoft can be hacked, so can any organization. Anyone can fall victim to a single phishing email that can initiate a ransomware chain of events.
A Twitter thread by security researcher Ming Zhao shows the depth of the ransomware marketplace and the variety of actors. The flow of funds from victims to criminals, how their attacks have grown, and how the price of cryptocurrency influences their actions, are also revealed in this thread.
Ransomware criminals count on several weak links in an IT department’s governance that often leave entry points easily exposed. For example, there are numerous open network ports that aren’t carefully monitored, or infrastructure that isn’t consistently managed or maintained with delays in patching and deploying system updates. The role of backups has completely changed in the ransomware era. Attackers are more adept at penetrating networks which forces backup strategies to become more sophisticated and cover a wider variety of circumstances, threat models, and conditions. As more of us use our smartphones for work purposes, this means that we store data on our phones, making corporate backup solutions ineffective if our phones are lost or stolen. Backup tools also weren’t initially designed for heavily virtualized and cloud computing environments, which makes them difficult to scale as virtual and cloud servers are brought online.
There are a variety of delivery systems for ransomware. Phished email is most common, but there are other mechanisms that involve malware-infected smartphone apps that masquerade as innocent tools or games, infected software injected into supply chains, or websites that contain malware that can be inadvertently downloaded. Phishing can also come from a poisoned SMS text (Smishing), a voicemail message (vishing) or an instant message.
IT managers have several options to help prevent attacks. These suggest methods fall under four categories: Having better backups, ensuring a solid patching regimen, creating playbooks to organize remediation, and using specialized security tools. Enterprises must get better at defending themselves from the start. Backups, patching, and playbooks are global security best practices that can influence ransomware effects and responses. None of these require large capital costs, but all necessitate careful assessment of processes, policies, and procedures.
Having better backups isn’t so easy to accomplish. Most organizations only find out their backups aren’t adequate when they are hit with a ransomware attack and discover that some critical (but not backed up) server has been taken offline. Part of the problem is that many IT departments still don’t verify that their backups were completed properly or don’t have any automated procedures to test their data recovery.
Others keep backup copies on the same networks as their primary servers. When a hacker penetrates the network, they can encrypt or destroy both copies. Organizations need to be careful to partition their networks; segregating contractors and third parties from other lines of business. This seems self-evident, but the attack on Target in 2013 happened for precisely this lack of network segregation.
Backups are also the last bastion of the old ways of doing on-premises computing, so many backup tools aren’t specifically designed for today’s highly virtualized and containerized environments. The results are unreliable backups and challenges in meeting compliance requirements in many cases. And because many businesses now depend on online accessibility to customers, recovery periods of several days are no longer adequate as they might have previously been. IT management is thus often under additional pressure to pay ransoms rather than take systems offline for lengthy periods.
Data-management products must be able to do granular restoration by application, by a point in time, or by a particular state of the infrastructure and include role-based backups. Vendors in this space include Veeam, Kasten, Dell, and Veritas. Linode also offers a managed service that includes automatic data protection.
Once backup and restoration processes are addressed, the next step is to keep up with patching systems. Many ransomware attacks focus on systems that are running older OS versions, or systems that haven’t applied the latest patches. The WannaCry 2017 attacks exploited systems that didn’t apply a two-month-old patch from Microsoft. One security vendor recently wrote, “The current state of patch management programs is pretty bad: Your vulnerable systems will be the first to be targeted, if not actively monitored and updated.” An important part of patching is to take accurate inventories of software and systems to ascertain what is outdated and what systems aren’t part of the inventory. This inventory is more complex now that more workers are using remote PCs that may not be accounted for by the central IT organization. Vendors in the patch-management space include Automox, Atera, Ivanti, and Acronis.
Procedures and policies are useful, but organizations should consider several types of tools to increase their chances of surviving a ransomware attack. The first includes vendors that have released a variety of preparation products to help focus IT efforts on better ransomware preparedness. Examples include offerings from Palo Alto Networks, Kroll, Varonis, and FireEye. The U.S. Cybersecurity Infrastructure and Security Agency (CISA) also provides tools and support. In general, these tools perform automated assessments across IT infrastructure. They show how the malware enters and moves across a company’s network to find specific weak spots that hackers can exploit. For example, the U.S government’s open source CSET contains a tiered series of questions about infrastructure that result in best-practice recommendations. CISA has other useful options, such as one that detects signs of hacking activities linked to the SolarWinds breach, and another option that detects common Microsoft Azure compromises. The U.S. government tools are free. The others can be quite pricey depending on the size of a network and what needs to be accomplished.
There are general security tools that can be used to block, or at least make the ransomware attacker’s job, more difficult. These are general infosec products that need to be a part of an overall IT portfolio, purchased not only to defend against ransomware, but to guard against many different kinds of intrusions and stolen-data attacks. There is no single type of product that can do everything, which is one of the reasons why the infosec market is so large and vibrant today. These include MFA and single sign-on products to protect users’ logins. Adding an additional authentication factor, makes it harder for hackers to impersonate users. This is especially important to protect remote-access products, as the city of Atlanta found out several years ago when they didn’t have MFA enabled (Rendition Infosec documented these issues).
In addition to these products, organizations should deploy cloud native security, both for access to data and to monitor behavior, and other tools that can help detect and filter out phishing malware and screen instant messages. This latter product category could have helped prevent a 2020 ransomware attack on Canon that brought down its Microsoft Teams installation. The attack wasn’t directly related to the security of Teams, but rather shows the need for securing this channel and having a contingency plan in post-attack playbooks for how to communicate if Teams or other instant-messaging services cannot be accessed.
Next, IT managers need to take time to find and eliminate open file shares both on-premises and on cloud servers. Security literature is filled with hackers finding these open shares and making trouble for their owners by downloading the data or infecting the servers with malware. These shares exist because of a simple lack of attention, or laziness, and can have dire consequences. One way to stop these leaks is to install products specifically designed to spot open file sharing.
Even if you do nothing else to prepare for an attack, you must create a solid ransomware playbook. This needs to include all operational elements necessary for an organization to survive an attack. It serves as a ready reference so that DevOps teams and business stakeholders aren’t scrambling to assemble this information in real time under duress. The playbook covers things such as how staffers communicate (when normal email or phone service is interrupted because of the attack), how to access an offsite data repository, contact information for the managed services provider, and retainer contracts for a ransom negotiator who can step in when needed. Some organizations include specifics on incident-response plans for a variety of situations, of which ransomware is only one. Samples of various playbooks can be found from Red Canary and Ayehu’s Resolve.
Part of your playbook also needs to describe under what circumstances, if any, you should pay out the ransom. Most experts agree that you shouldn’t pay (because it just keeps feeding the criminal ecosystem and because the attacker may not be honorable), but you may not be able to recover your files any other way.
Protecting a business from ransomware attacks isn’t a one-and-done situation. It requires a wide collection of tools, techniques, policies, and procedures. Some of these are easier and less costly to implement than others. All require careful attention to all details across the entire organization and the entire network. As so many attacks have shown, hackers only need to find one weak link.
This page was originally published on